Custom OAuth issue

[victortony]

A clear and concise description of what the bug is.

hi, i configure my oauth login according to http://superset.apache.org/installation.html#custom-oauth2-configuration. Everything is right, but it turns wrong when the code runs at "oauth_authorized" method in views.py. The problem is all the args in functions "redirect" may be wrong, such as "redirect("login")", "redirect(next_url)". I think it would be "redirect(self.appbuilder.get_url_for_login)". And another question is the value of "nex_url" which is empty, and the correct value maybe "/superset/welcome". Would you please help me to solve this problem? Thank you.

Expected results

When success, rediect to "/superset/welcome".Otherwise, redirect to "self.appbuilder.get_url_for_login".
what you expected to happen.

Actual results

When success/failed, rediect to "/oauth-authorized/login"
what actually happens.

Environment

(please complete the following information):

• superset version: Superset 0.999.0dev
• python version: 3.6.6

How to reproduce the bug

click oauth login

Checklist

Make sure these boxes are checked before submitting your issue - thank you!

• I have checked the superset logs for python stacktraces and included it here as text if there are any.
• I have reproduced the issue with at least the latest released version of superset.
• I have checked the issue tracker for the same issue and I haven't found one similar.

Additional context

Add any other context about the problem here.
2019-06-20 10:00:39,487:INFO:werkzeug:127.0.0.1 - - [20/Jun/2019 10:00:39] "GET /oauth-authorized/login HTTP/1.1" 500 -
Traceback (most recent call last):
File "/src/superset/superset/venv/lib/python3.6/site-packages/flask/app.py", line 2328, in call
return self.wsgi_app(environ, start_response)
File "/src/superset/superset/venv/lib/python3.6/site-packages/flask/app.py", line 2314, in wsgi_app
response = self.handle_exception(e)
File "/src/superset/superset/venv/lib/python3.6/site-packages/flask/app.py", line 1760, in handle_exception
reraise(exc_type, exc_value, tb)
File "/src/superset/superset/venv/lib/python3.6/site-packages/flask/_compat.py", line 36, in reraise
raise value
File "/src/superset/superset/venv/lib/python3.6/site-packages/flask/app.py", line 2311, in wsgi_app
response = self.full_dispatch_request()
File "src/superset/superset/venv/lib/python3.6/site-packages/flask/app.py", line 1834, in full_dispatch_request
rv = self.handle_user_exception(e)
File "src/superset/superset/venv/lib/python3.6/site-packages/flask/app.py", line 1737, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/src/superset/superset/venv/lib/python3.6/site-packages/flask/_compat.py", line 36, in reraise
raise value
File "/src/superset/superset/venv/lib/python3.6/site-packages/flask/app.py", line 1832, in full_dispatch_request
rv = self.dispatch_request()
File "/src/superset/superset/venv/lib/python3.6/site-packages/flask/app.py", line 1818, in dispatch_request
return self.view_functionsrule.endpoint
File "/src/superset/superset/venv/lib/python3.6/site-packages/flask_appbuilder/security/views.py", line 677, in oauth_authorized
resp = self.appbuilder.sm.oauth_remotes[provider].authorized_response()
KeyError: 'login'

[issue-label-bot]

Issue Label Bot is not confident enough to auto-label this issue. See dashboard for more details.

[colax94]

I have the same issue after upgrading to 0.28.1, please help

[jtzl]

Same here, also 0.28.1. Also please help :)

Sorry, something went wrong
500 - Internal Server Error
Stacktrace
Traceback (most recent call last):
File "/home/superset/venv/lib64/python3.6/dist-packages/flask/app.py", line 1982, in wsgi_app
response = self.full_dispatch_request()
File "/home/superset/venv/lib64/python3.6/dist-packages/flask/app.py", line 1614, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/home/superset/venv/lib64/python3.6/dist-packages/flask/app.py", line 1517, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/home/superset/venv/lib64/python3.6/dist-packages/flask/_compat.py", line 33, in reraise
raise value
File "/home/superset/venv/lib64/python3.6/dist-packages/flask/app.py", line 1612, in full_dispatch_request
rv = self.dispatch_request()
File "/home/superset/venv/lib64/python3.6/dist-packages/flask/app.py", line 1598, in dispatch_request
return self.view_functionsrule.endpoint
File "/home/superset/venv/lib64/python3.6/dist-packages/flask_appbuilder/security/views.py", line 677, in oauth_authorized
resp = self.appbuilder.sm.oauth_remotes[provider].authorized_response()
KeyError: 'login'

[ali-bahjati]

I'm facing same issue after updating my superset (last version was from more than a month ago)

I'm getting 'login' KeyError.

[ericandrewmeadows]

OAuth is working properly on v0.33.0rc1. Have you tried?

[squalou]

Juste tried 0.34 rc : facing the same issue.
(used to work fine with 0.28)

[squalou]

Note : I did a quick and really dirty as I'm running all this in a docker container.
I changed /usr/local/lib/python3.6/site-packages/flask_appbuilder/security/views.py

around line 677

• hardcoded 'provider' to 'google' (its value is 'login' which is what causes the KeyError)
• hardcoded next_url to "/superset/welcome"

Does the job until something better fixes it.

[paulvic]

I'm seeing this too on 0.33.0rc1. I did a little digging today and found this PR dpgaspar/Flask-AppBuilder#910 which introduced redirects after login. I noticed that the next value on the login screen is set as follows:

Clicking on login, then redirects to /oauth-authorized/login.

If I logout and go back to the login screen and then manually set the next value in the console as follows:

...then I can login successfully.

Not sure if this is a superset or flask_appbuilder issue.

[paulvic]

I've seen a few comments here suggesting the fix didn't work for them. I don't see them any longer so hopefully they were just config/setup problems. It would great if anyone could give this a comment a 👍 or just add a comment if they've confirmed the issue is now resolved.

Thanks!

[thunter009]

I've seen a few comments here suggesting the fix didn't work for them. I don't see them any longer so hopefully they were just config/setup problems. It would great if anyone could give this a comment a 👍 or just add a comment if they've confirmed the issue is now resolved.

Thanks!

I deleted my comment because I was able to get it working. It seems like the change added a new issue of re-directing /users/list and /registeruser/list to the oauth login endpoint for some reason. I will open an issue in the FAB repo after a bit further investigation.

[tomklapka]

I'm getting the same error, using c566141

Sorry, something went wrong
500 - Internal Server Error
Stacktrace
Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 2446, in wsgi_app
response = self.full_dispatch_request()
File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1951, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1820, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/usr/local/lib/python3.6/site-packages/flask/_compat.py", line 39, in reraise
raise value
File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1949, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1935, in dispatch_request
return self.view_functionsrule.endpoint
File "/usr/local/lib/python3.6/site-packages/flask_appbuilder/security/views.py", line 677, in oauth_authorized
resp = self.appbuilder.sm.oauth_remotes[provider].authorized_response()
KeyError: 'login'

#Gitlab oauth2 configuration.
from flask_appbuilder.security.manager import AUTH_OAUTH
from custom_sso_security_manager import CustomSsoSecurityManager
CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager
CSRF_ENABLED = True
AUTH_TYPE = AUTH_OAUTH
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = 'Public'
OAUTH_PROVIDERS = [{
       'name': 'gitlab',
       'icon': 'fa-gitlab',
       'token_key': get_env_variable('GITLAB_TOKEN_KEY'),
       'remote_app': {
               'base_url': 'https://gitlab.com/api/v4/user',
               'request_token_params': {
                       'scope': 'openid read_user'
               },
               'access_token_url': 'https://gitlab.com/oauth/token',
               'authorize_url': 'https://gitlab.com/oauth/authorize',
               'request_token_method': 'GET',
               'access_token_method': 'POST',
               'consumer_key': get_env_variable('GITLAB_CONSUMER_KEY'),
               'consumer_secret': get_env_variable('GITLAB_CONSUMER_SECRET')
       }
}]

Not 100% sure about this custom oauth user info with regard to gitlab:

from superset.security import SupersetSecurityManager

class CustomSsoSecurityManager(SupersetSecurityManager):

    def oauth_user_info(self, provider, response=None):
        logging.debug("Oauth2 provider: {0}.".format(provider))
        if provider == 'gitlab':
            # As example, this line request a GET to base_url + '/' + userDetails with Bearer  Authentication,
            # and expects that authorization server checks the token, and response with user details
            me = self.appbuilder.sm.oauth_remotes[provider].get('userDetails').data
            logging.debug("user_data: {0}".format(me))
            return { 'name' : me['name'], 'email' : me['email'], 'id' : me['user_name'], 'username' : me['user_name'], 'first_name':'', 'last_name':''}

[amodig]

This issue seems to still exist. Just upgraded from 0.28.1 to 0.34.0.

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/gunicorn/workers/async.py", line 56, in handle
    self.handle_request(listener_name, req, client, addr)
  File "/usr/local/lib/python3.6/site-packages/gunicorn/workers/ggevent.py", line 160, in handle_request
    addr)
  File "/usr/local/lib/python3.6/site-packages/gunicorn/workers/async.py", line 107, in handle_request
    respiter = self.wsgi(environ, resp.start_response)
  File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 2463, in __call__
    return self.wsgi_app(environ, start_response)
  File "/usr/local/lib/python3.6/site-packages/werkzeug/middleware/proxy_fix.py", line 228, in __call__
    return self.app(environ, start_response)
  File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 2449, in wsgi_app
    response = self.handle_exception(e)
  File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1866, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python3.6/site-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 2446, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1951, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1820, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python3.6/site-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1949, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1935, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/local/lib/python3.6/site-packages/flask_appbuilder/security/views.py", line 677, in oauth_authorized
    resp = self.appbuilder.sm.oauth_remotes[provider].authorized_response()
KeyError: 'login'

The most relevant part of superset_config.py:

AUTH_TYPE = AUTH_OAUTH
AUTH_ROLE_PUBLIC = 'Public'
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = 'Gamma'
CSRF_ENABLED = True
ENABLE_PROXY_FIX = True
PREFERRED_URL_SCHEME = 'https'
OAUTH_PROVIDERS = [
    {
       'name': 'google',
       'whitelist': ['@armadainteractive.com'],
       'icon': 'fa-google',
       'token_key': 'access_token',
       'remote_app': {
            'base_url': 'https://www.googleapis.com/oauth2/v2/',
            'request_token_params': {
              'scope': 'email profile'
            },
            'request_token_url': None,
            'access_token_url': 'https://accounts.google.com/o/oauth2/token',
            'authorize_url': 'https://accounts.google.com/o/oauth2/auth',
            'consumer_key': GOOGLE_OAUTH_KEY,
            'consumer_secret': GOOGLE_OAUTH_SECRET
        }
    }
]

[paulvic]

Just to be clear, the fix wasn't in the 0.34 release so you'll have to wait for the next release or deploy the latest source.

[amodig]

Sorry I wasn't clear. I bumped FAB to version 2.1.13 which didn't help. Was there any other commits to solve the issue?

There's also another login problem (maybe related?), the login redirects to http instead of https:

[tomklapka]

Just to be clear, the fix wasn't in the 0.34 release so you'll have to wait for the next release or deploy the latest source.

We're running it from latest master and issue still persists...

[dpgaspar]

Hi just made a simple test on flask-appbuilder with google oauth and it worked fine, I would say that this is more of a flask-appbuilder question/issue so feel free to open an issue there.

The above error seems more of a configuration issue setting your google oauth credentials

[tomklapka]

Could you share with us your working configuration? Thanks

[amodig]

The above error seems more of a configuration issue setting your google oauth credentials

Yeah, I know how it looks, but my Google OAuth config worked just fine with PyPI release 0.29.0rc7...

[dpgaspar]

@tomklapka, https://github.com/dpgaspar/Flask-AppBuilder/blob/master/examples/oauth/config.py#L42

I've removed the twitter and azure definitions and exported google OAuth secrets to the required env vars. One more this is a flask-appbuilder issue/question, feel free to open an issue over there

[parth-pb]

I am unable to log in to Apache Superset using Microsoft Azure AD. Here is my configuration. I am also able to see the Microsoft login page, but when I submit the button, Superset throws an error: 'Invalid login. Please try again

AUTH_TYPE = AUTH_OAUTH
OAUTH_PROVIDERS = [
{
    "name": "azure",
    "icon": "fa-windows",
    "token_key": "access_token",
    "remote_app": {
        "client_id": os.environ.get("CLIENT_ID", ""),
        "client_secret": os.environ.get("CLIENT_SECRET", ""),
        "api_base_url": os.environ.get("API_BASE_URL", ""),
        "client_kwargs": {
            "scope": "User.read name preferred_username email profile upn",
            "resource": "client_id",
        },
        "request_token_url": None,
        "access_token_url": os.environ.get("ACCESS_TOKEN_URL", ""),
        "authorize_url": os.environ.get("AUTHORIZE_URL", ""),
    },

},
]