GitHub user user1500177 created a discussion: Questions regarding OAuth token management and session handling in Apache Superset
## Description: Hi, I have enabled OAuth in Apache Superset by configuring it with Zitadel, and I have a few questions regarding how tokens and sessions are managed: 1) Is the access token saved by Superset in the session? When I searched, I only found an encrypted Superset session cookie(in the COOKIE par of the dev tools). Why is that? Is the Zitadel access token stored anywhere by default? 2) Is the user's access token supposed to be saved on the client side if I have enabled the PKCE OAuth method? Our Use Case: We need to use the Zitadel access token right after a user logs in so we can fetch additional data related to that user (and even if in between the auth token is accesble i need to make sure it is accesable after that too , as when redirecting to the dashboard page i need to trigger that API endpoint to fetch some values which is the and that endpoint requires the bearer token from zitadel SO how can i handle this situation). We need this access token to call a custom API endpoint that I wrote. 3) Additionally, during login, a Zitadel access token is generated. However, that token is only valid for a custom period set in Zitadel (e.g., 12 or 20 hours). To my understanding, the token should be refreshed after that time. Does this token refresh happen automatically from Superset's side, or not? I noticed that after the initial login, Superset saves an encrypted session cookie with a value under the domain (visible in session/cookie storage) as shown in the image below: <img width="498" height="272" alt="image" src="https://github.com/user-attachments/assets/23f6e784-e029-4a52-ab14-d27a389ad604"; /> IS this the standard way superset does it and i should not expect you to set the access_token etc , for me ; And like said if the token is expired after 12hrs also the person would be logged in if its via the superset session cookie right ? Summary of my questions: * Is this cookie-only approach the standard way Superset handles OAuth sessions? * Should I not expect Superset to expose or save the external access_token for me? * If the Zitadel access token expires after 12 hours, the user will still remain logged into Superset because of the valid Superset session cookie, right? * Is the standard behavior of Superset's OAuth implementation simply to save its own session cookie, rather than persisting the external identity provider's access token on the client side? IS THERE ANY WAY TO REFRESH THE TOKENS as at a later stage we woul need to call the endpoint again in between so the token is required and we need to acceess it some how - What should i be doing ? (IS SUPSERSET allowing a refresh token at ur side or not - with some configuration and also the saving of the zitadel token on the browser session cookie can that be done ?)- if yes could you give me valid sripts as starting pointing - IF NOT could you tell me why that is not a best practice and why superset does not suppose it GitHub link: https://github.com/apache/superset/discussions/40283 ---- This is an automatically sent email for [email protected]. To unsubscribe, please send an email to: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
