
upgrade to superset 3.0.0 (helmchart 0.10.10) breaks okta integration (working in superset 2.1.0 helmchart 0.10.6) #25650

Open
arpitgargfk opened this issue Oct 15, 2023 · 4 comments

Comments

@arpitgargfk

arpitgargfk commented Oct 15, 2023

We are using the Okta integration in Superset and it works perfectly in Superset v2.1.0 (we use helm chart 0.10.6). We use CustomSsoSecurityManager() for our Okta integration and have faced no issues so far. However, we recently upgraded to Superset v3.0.0 via helm chart 0.10.10 and found that our Okta integration breaks. When we try to log in to Superset by clicking the login option, we keep getting redirected back to the login screen, with the error below in the Superset pod log (on Kubernetes).
Expected result: the user should get logged in to Superset and should be able to access the SQL Lab feature.

Error in logs

ERROR:flask_appbuilder.security.views:Error authorizing OAuth access token: mismatching_state: CSRF Warning! State not equal in request and response."

The Okta configuration used in the superset_config_overrides.py file is below:

import os

from flask_appbuilder.security.manager import AUTH_OAUTH
from superset.security import SupersetSecurityManager


def get_env_variable(var_name, default=None):
    # Helper assumed to be available in superset_config.py (Superset's docker
    # config ships an equivalent); defined here so the file is self-contained.
    value = os.environ.get(var_name)
    if value is not None:
        return value
    if default is not None:
        return default
    raise EnvironmentError(f"The environment variable {var_name} was missing, abort...")


class CustomSsoSecurityManager(SupersetSecurityManager):
    def oauth_user_info(self, provider="okta", response=None):
        if provider == "okta":
            res = self.appbuilder.sm.oauth_remotes[provider].get("userinfo")
            me = res.json()
            # if the user is attached to a group whose name contains SUPERSET
            # use those groups, else fall back to SUPERSET_PUBLIC
            superset_groups = []
            if "groups" in me:
                for g in me["groups"]:
                    if "SUPERSET" in g:
                        superset_groups.append(g)

            if not superset_groups:
                superset_groups.append("SUPERSET_PUBLIC")
            return {
                "username": me["email"],
                "name": me["name"],
                "email": me["email"],
                "first_name": me["given_name"],
                "last_name": me["family_name"],
                "role_keys": superset_groups,
            }


OKTA_DOMAIN = get_env_variable("OKTA_DOMAIN")
OKTA_KEY = get_env_variable("OKTA_KEY")
OKTA_SECRET = get_env_variable("OKTA_SECRET")
AUTH_TYPE = AUTH_OAUTH
# registration configs
AUTH_USER_REGISTRATION = True  # allow users who are not already in the FAB DB

# the list of providers which the user can choose from
OAUTH_PROVIDERS = [
    {
        "name": "okta",
        "icon": "fa-circle-o",
        "token_key": "access_token",
        "remote_app": {
            "client_id": OKTA_KEY,
            "client_secret": OKTA_SECRET,
            "api_base_url": OKTA_DOMAIN + "/oauth2/v1/",
            "client_kwargs": {"scope": "openid profile email groups"},
            "access_token_url": OKTA_DOMAIN + "/oauth2/v1/token",
            "authorize_url": OKTA_DOMAIN + "/oauth2/v1/authorize",
            "server_metadata_url": OKTA_DOMAIN
            + "/.well-known/openid-configuration",
        },
    },
]

# whether we should replace ALL the user's roles each login, or only on registration
AUTH_ROLES_SYNC_AT_LOGIN = True
# force users to re-auth after 3 hours of inactivity (to keep roles in sync)
PERMANENT_SESSION_LIFETIME = int(get_env_variable("USER_IDLE_SESSION_TIME", 10800))
# Okta user groups to Superset role mapping
AUTH_ROLES_MAPPING = {
    "SUPERSET_PUBLIC": ["Public", "Alpha", "Gamma", "sql_lab"],
    "SUPERSET_ADMINS": ["Admin"],
}
CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager
@sfirke
Member

sfirke commented Oct 15, 2023

Possible duplicate of #24579. Between 2.1.0 and 3.0.0 several security settings were tightened by default. If you weren't specifying these, perhaps that's the issue. See the workarounds discussed in that thread.
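The "mismatching_state" error in the original report is the OAuth state check failing on the callback. The model below is an added example, not Superset or Authlib code: it mints the state on the authorization request, keeps it in the session, and compares it on the callback, and it shows that the check fails in exactly this way when the session the state was stored in is no longer present on the callback (one effect a stricter session-cookie policy can have across the cross-site redirect from the IdP). The session dict, the callback arguments and the auth code are constructed for the example.

```python
import secrets


class MismatchingStateError(Exception):
    """Raised when the state echoed by the IdP differs from the session copy."""


def begin_login(session: dict) -> str:
    """Authorization request side: mint a random state, store it in the
    user's session and return it so it can be sent to the IdP."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def finish_login(session: dict, callback_args: dict) -> bool:
    """Callback side: the IdP echoes ?state=...; it must equal the session
    copy. The copy is consumed so a state value can be redeemed only once."""
    expected = session.pop("oauth_state", None)
    got = callback_args.get("state")
    if expected is None or got is None or not secrets.compare_digest(expected, got):
        raise MismatchingStateError(
            "mismatching_state: CSRF Warning! State not equal in request and response."
        )
    return True


def simulate(session_survives_redirect: bool) -> str:
    """Run one authorize -> callback round trip over a constructed session
    and report whether it succeeds or fails the state check."""
    session = {}  # stands in for the server-side view of the session cookie
    state = begin_login(session)
    # constructed callback from the IdP, echoing the state it was given
    callback = {"code": "constructed-auth-code", "state": state}
    if not session_survives_redirect:
        # the browser did not send the session cookie back on the callback,
        # so the application sees a fresh, empty session
        session = {}
    try:
        finish_login(session, callback)
        return "ok"
    except MismatchingStateError:
        return "mismatching_state"


def replay_is_rejected() -> bool:
    """A callback cannot be redeemed twice: the first use consumes the state."""
    session = {}
    callback = {"code": "constructed-auth-code", "state": begin_login(session)}
    finish_login(session, callback)
    try:
        finish_login(session, callback)
    except MismatchingStateError:
        return True
    return False
```

When debugging the real deployment, the check to make is whether the session cookie set on the authorize request is actually returned on the callback request.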

@codebat-hasan

from flask import flash, redirect, request
from flask_appbuilder import expose
from flask_appbuilder.security.manager import BaseSecurityManager
from flask_login import login_user

# Create a custom view to authenticate the user
AuthRemoteUserView = BaseSecurityManager.authremoteuserview


class CustomAuthUserView(AuthRemoteUserView):
    @expose('/login/')
    def login(self):
        token = request.args.get('token')
        # redirect target taken from the query string as-is
        next_url = request.args.get('next')
        sm = self.appbuilder.sm
        session = sm.get_session
        # the account the token logs in as
        user = session.query(sm.user_model).filter_by(username='admin').first()
        if token == 'some token':
            login_user(user, remember=False, force=True)
            if next_url is not None:
                return redirect(next_url)
            return redirect(self.appbuilder.get_url_for_index)
        flash('Unable to auto login', 'warning')
        return super().login()

I have added this code in my-values.yml file to create a custom login with a token, but this login is not working with version 3.0.1, while it was working perfectly fine with version 2.0.

@rusackas
Member

rusackas commented Apr 5, 2024

Are either of you (@arpitgargfk or @codebat-hasan) still facing issues here? It's been about 5 months, so I'm wondering whether newer helm charts solved the problem or whether you've moved on in some other way.

@arpitgargfk
Author

We used #25374 (comment) and it worked; however, we are still running v2.1.0 in production.
