We are using the Okta integration in Superset and it works perfectly in Superset v2.1.0 (we use Helm chart 0.10.6). We use CustomSsoSecurityManager() for our Okta integration and have faced no issues so far. However, we recently upgraded to Superset v3.0.0 via Helm chart 0.10.10 and found that our Okta integration breaks. When we try to log in to Superset by clicking the login option, we keep getting redirected back to the login screen, with the error below in the Superset pod log (on Kubernetes).
Expected result: the user should get logged in to Superset and be able to access the SQL Lab feature.
Error in logs:
ERROR:flask_appbuilder.security.views:Error authorizing OAuth access token: mismatching_state: CSRF Warning! State not equal in request and response.
The Okta configuration used in our superset_config_overrides.py file is below:
import os

from flask_appbuilder.security.manager import AUTH_OAUTH
from superset.security import SupersetSecurityManager


def get_env_variable(var_name, default=None):
    # Same helper as in Superset's example docker superset_config.py; defined here
    # so the snippet is self-contained (the chart's generated config is assumed to provide it).
    try:
        return os.environ[var_name]
    except KeyError:
        if default is not None:
            return default
        raise EnvironmentError(f"The environment variable {var_name} was missing, abort...")


class CustomSsoSecurityManager(SupersetSecurityManager):
    def oauth_user_info(self, provider="okta", response=None):
        if provider == "okta":
            # call Okta's userinfo endpoint with the access token obtained by FAB
            res = self.appbuilder.sm.oauth_remotes[provider].get("userinfo")
            me = res.json()
            # if user is attached to a group that starts with superset
            # use that group else use SUPERSET_PUBLIC
            superset_groups = []
            if "groups" in me:
                for g in me["groups"]:
                    if "SUPERSET" in g:
                        superset_groups.append(g)
            if not superset_groups:
                superset_groups.append("SUPERSET_PUBLIC")
            # role_keys are resolved to Superset roles through AUTH_ROLES_MAPPING
            return {
                "username": me["email"],
                "name": me["name"],
                "email": me["email"],
                "first_name": me["given_name"],
                "last_name": me["family_name"],
                "role_keys": superset_groups,
            }


OKTA_DOMAIN = get_env_variable("OKTA_DOMAIN")
OKTA_KEY = get_env_variable("OKTA_KEY")
OKTA_SECRET = get_env_variable("OKTA_SECRET")

AUTH_TYPE = AUTH_OAUTH

# registration configs
AUTH_USER_REGISTRATION = True  # allow users who are not already in the FAB DB

# the list of providers which the user can choose from
OAUTH_PROVIDERS = [
    {
        "name": "okta",
        "icon": "fa-circle-o",
        "token_key": "access_token",
        "remote_app": {
            "client_id": OKTA_KEY,
            "client_secret": OKTA_SECRET,
            "api_base_url": OKTA_DOMAIN + "/oauth2/v1/",
            "client_kwargs": {"scope": "openid profile email groups"},
            "access_token_url": OKTA_DOMAIN + "/oauth2/v1/token",
            "authorize_url": OKTA_DOMAIN + "/oauth2/v1/authorize",
            "server_metadata_url": OKTA_DOMAIN + "/.well-known/openid-configuration",
        },
    },
]

# if we should replace ALL the user's roles each login, or only on registration
AUTH_ROLES_SYNC_AT_LOGIN = True

# force users to re-auth after 3 hours of inactivity (to keep roles in sync)
PERMANENT_SESSION_LIFETIME = int(get_env_variable("USER_IDLE_SESSION_TIME", 10800))

# okta user groups to Superset role mapping
AUTH_ROLES_MAPPING = {
    "SUPERSET_PUBLIC": ["Public", "Alpha", "Gamma", "sql_lab"],
    "SUPERSET_ADMINS": ["Admin"],
}

CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager
Possible duplicate of #24579. Between 2.1.0 and 3.0.0 several security settings were tightened by default. If you weren't specifying these, perhaps that's the issue. See the workarounds discussed in that thread.
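Flask-AppBuilder's OAuth view hands the callback to authlib, which compares the `state` returned by the identity provider with the one it stored in the Flask session when it built the authorize redirect; the `mismatching_state` error therefore means the session presented on the callback did not contain that state. The most common reason is that the session cookie set before the redirect to Okta is not sent back by the browser on the redirect from Okta, which is exactly what stricter cookie defaults produce. The following stand-alone model, added here as an example and not taken from the issue or from the Superset or FAB code bases, reproduces both halves of that exchange: the state is generated and stored against a session cookie, and the callback is then replayed under different cookie attributes and callback schemes. The session-key shape (`_state_<provider>_<state>`) is modeled on authlib's Flask storage and the cookie rules are a simplified browser model; `SessionStore`, `simulate_login` and the cookie values are constructed for the example.

```python
"""Model of the OAuth 'state' round trip behind the error
'mismatching_state: CSRF Warning! State not equal in request and response.'
Added example; not code from the Superset issue, Superset or Flask-AppBuilder."""
import secrets
from dataclasses import dataclass

MISMATCH = "mismatching_state: CSRF Warning! State not equal in request and response."


@dataclass
class Cookie:
    """Attributes of the Flask session cookie that decide whether the browser
    attaches it to the redirect coming back from the identity provider."""
    name: str
    value: str
    secure: bool = False
    samesite: str = "Lax"  # "Strict", "Lax" or "None"


def browser_sends_cookie(cookie: Cookie, request_scheme: str, cross_site_navigation: bool) -> bool:
    """Simplified browser rules for a top-level GET navigation, such as the IdP
    redirecting the user back to the app's /oauth-authorized/<provider> URL."""
    if cookie.secure and request_scheme != "https":
        return False  # a Secure cookie is never sent over plain HTTP
    if cookie.samesite == "Strict" and cross_site_navigation:
        return False  # Strict cookies are withheld on cross-site navigations
    return True  # Lax allows top-level GET navigations; None always sends


class SessionStore:
    """Server-side stand-in for the Flask session, keyed by the cookie value (constructed)."""

    def __init__(self) -> None:
        self._data: dict = {}

    def new(self) -> str:
        sid = secrets.token_urlsafe(16)
        self._data[sid] = {}
        return sid

    def get(self, sid):
        # an unknown or missing cookie yields an empty session
        return self._data.get(sid, {})


def begin_authorize(store: SessionStore, sid: str, provider: str = "okta") -> str:
    """Step 1: the app generates a random state, stores it in the session and
    sends the browser to the IdP's authorize URL carrying state=<state>."""
    state = secrets.token_urlsafe(24)
    # key shape modeled on authlib's Flask session storage (assumption)
    store.get(sid)[f"_state_{provider}_{state}"] = {"state": state}
    return state


def authorize_callback(store: SessionStore, sid, provider: str, returned_state: str) -> bool:
    """Step 2: the IdP redirects back with code and state; the app looks the
    returned state up in whatever session the presented cookie identifies."""
    session = store.get(sid) if sid is not None else {}
    if f"_state_{provider}_{returned_state}" not in session:
        raise ValueError(MISMATCH)
    return True


def simulate_login(cookie_secure=False, samesite="Lax", callback_scheme="https", tampered_state=None) -> str:
    """Run the full round trip once and report the outcome as the log would."""
    store = SessionStore()
    sid = store.new()
    cookie = Cookie("session", sid, secure=cookie_secure, samesite=samesite)
    state = begin_authorize(store, sid)
    # the redirect from the IdP back to the app is a cross-site top-level navigation
    sent = browser_sends_cookie(cookie, callback_scheme, cross_site_navigation=True)
    try:
        authorize_callback(store, cookie.value if sent else None, "okta", tampered_state or state)
        return "login ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print("Lax cookie, https callback:  ", simulate_login())
    print("Secure cookie, http callback:", simulate_login(cookie_secure=True, callback_scheme="http"))
    print("Strict cookie:               ", simulate_login(samesite="Strict"))
    print("Forged state:                ", simulate_login(tampered_state="forged"))
```

Only the first scenario completes; a Secure cookie on a plain-HTTP callback (for example TLS terminated at an ingress without the proxy headers being honoured), a Strict SameSite cookie, or a state the app never issued all end in the same log line, which is why the message alone does not say which side dropped the cookie and the callback request's `Cookie` header and scheme are the first things to inspect.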
# Create a custom view to authenticate the user
from flask import flash, redirect, request
from flask_appbuilder import expose
from flask_appbuilder.security.manager import BaseSecurityManager
from flask_login import login_user

AuthRemoteUserView = BaseSecurityManager.authremoteuserview


class CustomAuthUserView(AuthRemoteUserView):
    @expose('/login/')
    def login(self):
        token = request.args.get('token')
        next_url = request.args.get('next')
        sm = self.appbuilder.sm
        session = sm.get_session  # FAB exposes the SQLAlchemy session as a property
        # the view always resolves the 'admin' account and compares the token with a fixed string
        user = session.query(sm.user_model).filter_by(username='admin').first()
        if token == 'some token':
            login_user(user, remember=False, force=True)
            if next_url is not None:
                return redirect(next_url)
            return redirect(self.appbuilder.get_url_for_index)
        flash('Unable to auto login', 'warning')
        return super(CustomAuthUserView, self).login()
I have added this code in my values.yml file to create a custom login with a token, but this login is not working with version 3.0.1; it was working perfectly fine with version 2.0.
Is either of you (@arpitgargfk or @codebat-hasan) still facing issues here? It's been about 5 months, so I'm wondering whether newer Helm charts solved the problem or you've moved on in some other way.