
upgrade to superset 3.0.0 (helmchart 0.10.10) breaks okta integration (working in superset 2.1.0 helmchart 0.10.6)

Open arpitgargfk opened this issue 2 years ago • 3 comments

We are using Okta integration in Superset and it works perfectly in Superset v2.1.0 (we use Helm chart 0.10.6). We use CustomSsoSecurityManager() for our Okta integration and we have faced no issues so far. However, recently we upgraded to Superset v3.0.0 via Helm chart 0.10.10 and found that our Okta integration breaks. When we try to log in to Superset by clicking the login option, we keep getting redirected back to the login screen, with the error below in the Superset pod log (on Kubernetes). Expected result: the user should get logged in to Superset and should be able to access the SQL Lab feature.

Error in logs

ERROR:flask_appbuilder.security.views:Error authorizing OAuth access token: mismatching_state: CSRF Warning! State not equal in request and response."

The Okta configuration used in our superset_config_overrides.py file is below:

import os

from flask_appbuilder.security.manager import AUTH_OAUTH
from superset.security import SupersetSecurityManager


def get_env_variable(var_name, default=None):
    # Assumed helper (not part of the original snippet): reads a setting from the
    # environment, like the helper in Superset's docker superset_config.py.
    value = os.environ.get(var_name)
    if value is not None:
        return value
    if default is not None:
        return default
    raise EnvironmentError(f"The environment variable {var_name} was missing")


class CustomSsoSecurityManager(SupersetSecurityManager):
    def oauth_user_info(self, provider="okta", response=None):
        if provider == "okta":
            # fetch the OIDC userinfo document for the logged-in user
            res = self.appbuilder.sm.oauth_remotes[provider].get("userinfo")
            me = res.json()
            # if user is attached to a group that starts with superset
            # use that group else use SUPERSET_PUBLIC
            superset_groups = []
            if "groups" in me:
                for g in me["groups"]:
                    if "SUPERSET" in g:
                        superset_groups.append(g)

            if not superset_groups:
                superset_groups.append("SUPERSET_PUBLIC")
            return {
                "username": me["email"],
                "name": me["name"],
                "email": me["email"],
                "first_name": me["given_name"],
                "last_name": me["family_name"],
                "role_keys": superset_groups,
            }


OKTA_DOMAIN = get_env_variable("OKTA_DOMAIN")
OKTA_KEY = get_env_variable("OKTA_KEY")
OKTA_SECRET = get_env_variable("OKTA_SECRET")
AUTH_TYPE = AUTH_OAUTH
# registration configs
AUTH_USER_REGISTRATION = True  # allow users who are not already in the FAB DB

# the list of providers which the user can choose from
OAUTH_PROVIDERS = [
    {
        "name": "okta",
        "icon": "fa-circle-o",
        "token_key": "access_token",
        "remote_app": {
            "client_id": OKTA_KEY,
            "client_secret": OKTA_SECRET,
            "api_base_url": OKTA_DOMAIN + "/oauth2/v1/",
            "client_kwargs": {"scope": "openid profile email groups"},
            "access_token_url": OKTA_DOMAIN + "/oauth2/v1/token",
            "authorize_url": OKTA_DOMAIN + "/oauth2/v1/authorize",
            "server_metadata_url": OKTA_DOMAIN
            + "/.well-known/openid-configuration",
        },
    },
]

# if we should replace ALL the user's roles each login, or only on registration
AUTH_ROLES_SYNC_AT_LOGIN = True
# force users to re-auth after 3hours of inactivity (to keep roles in sync)
PERMANENT_SESSION_LIFETIME = int(get_env_variable("USER_IDLE_SESSION_TIME", 10800))
# okta user groups to SuperSet role mapping
AUTH_ROLES_MAPPING = {
    "SUPERSET_PUBLIC": ["Public", "Alpha", "Gamma", "sql_lab"],
    "SUPERSET_ADMINS": ["Admin"],
}
CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager

arpitgargfk avatar Oct 15 '23 08:10 arpitgargfk

Possible duplicate of https://github.com/apache/superset/issues/24579. Between 2.1.0 and 3.0.0 several security settings were tightened by default. If you weren't specifying these, perhaps that's the issue. See the workarounds discussed in that thread.

sfirke avatar Oct 15 '23 17:10 sfirke
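To make the `mismatching_state` error in the issue concrete, here is an added illustration (not Superset or Flask-AppBuilder code, and not from either commenter) of the OAuth 2.0 `state` check that produces it. The client mints a random `state`, stores it in the server-side session before redirecting to the identity provider, and on the callback compares the echoed `state` with the stored one. The simulation shows the two ways the check fails: the browser does not present the session cookie on the callback (so the server has nothing to compare, which is what a tightened cookie policy can cause), or the echoed state is simply wrong. The domain, redirect URI, client id and code are constructed placeholders.

```python
"""Minimal model of the OAuth 2.0 'state' CSRF check (added illustration)."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values standing in for the real deployment (not from the issue)
OKTA_DOMAIN = "https://dev-000000.okta.example"
AUTHORIZE_URL = OKTA_DOMAIN + "/oauth2/v1/authorize"
REDIRECT_URI = "https://superset.example/oauth-authorized/okta"


class MismatchingStateError(Exception):
    """Callback state does not equal the state recorded in the server-side session."""


def begin_login(session, client_id):
    """Step 1: mint an unguessable state, remember it in the session, build the IdP redirect."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email groups",
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def finish_login(session, callback_url):
    """Step 2: the IdP redirects back; the echoed state must equal the stored one."""
    params = parse_qs(urlparse(callback_url).query)
    returned_state = params.get("state", [None])[0]
    expected_state = session.pop("oauth_state", None)  # one-time use
    if (
        expected_state is None
        or returned_state is None
        or not hmac.compare_digest(expected_state, returned_state)
    ):
        raise MismatchingStateError(
            "mismatching_state: CSRF Warning! State not equal in request and response."
        )
    return params["code"][0]


def simulate(session_cookie_returned, wrong_state=None):
    """Run one round trip; return the authorization code on success, else the error text.

    session_cookie_returned=False models the browser not sending the session cookie
    on the callback: the server sees an empty session and has no state to compare.
    wrong_state models a callback whose state was not minted by this session."""
    session = {}
    url = begin_login(session, client_id="constructed-client-id")
    state = wrong_state or parse_qs(urlparse(url).query)["state"][0]
    callback = REDIRECT_URI + "?" + urlencode({"code": "constructed-code", "state": state})
    callback_session = session if session_cookie_returned else {}
    try:
        return finish_login(callback_session, callback)
    except MismatchingStateError as exc:
        return str(exc)


if __name__ == "__main__":
    print(simulate(session_cookie_returned=True))
    print(simulate(session_cookie_returned=False))
    print(simulate(session_cookie_returned=True, wrong_state="not-the-minted-state"))
```

The point for operators: the check itself is correct and should stay on; when it starts failing after an upgrade, the thing to inspect is whether the session that stored the state is the same session the callback request carries (cookie attributes, cookie domain, proxy host handling), not the state comparison.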

from flask import flash, redirect, request
from flask_appbuilder import expose
from flask_appbuilder.security.manager import BaseSecurityManager
from flask_login import login_user

# Create a custom view to authenticate the user
AuthRemoteUserView = BaseSecurityManager.authremoteuserview

class CustomAuthUserView(AuthRemoteUserView):
    @expose('/login/')
    def login(self):
        token = request.args.get('token')
        next = request.args.get('next')
        sm = self.appbuilder.sm
        session = sm.get_session
        # the fixed user that a valid token logs in as
        user = session.query(sm.user_model).filter_by(username='admin').first()
        if token == 'some token':
            login_user(user, remember=False, force=True)
            if next is not None:
                # redirect target is taken from the query string as given
                return redirect(next)
            else:
                return redirect(self.appbuilder.get_url_for_index)
        else:
            flash('Unable to auto login', 'warning')
            return super(CustomAuthUserView, self).login()

I have added this code in my-values.yml file to create custom login with token but this login is not working with version 3.0.1 but it was perfectly working fine with version 2.0.

codebat-hasan avatar Oct 27 '23 11:10 codebat-hasan
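As an added example (not from the comment above and not Superset or Flask-AppBuilder code), the two checks a token-gated login view like the one posted usually needs regardless of which Superset version it runs on: a constant-time comparison of the presented token against a configured value instead of a literal in source, and validation of the `next` parameter so the view only redirects to same-site targets. The expected token, host and index path are constructed placeholders; the functions are framework-free so they can be unit-tested and then called from the view.

```python
"""Defensive helpers for a token-gated login view (added example)."""
import hmac
from urllib.parse import urlparse

# Constructed values; in a deployment these would come from the environment or a secret store
EXPECTED_TOKEN = "constructed-login-token"
APP_HOST = "superset.example"
INDEX_PATH = "/superset/welcome/"


def token_matches(presented, expected=EXPECTED_TOKEN):
    """Constant-time comparison; a missing or empty token never matches."""
    if not presented:
        return False
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def is_safe_next(next_url, app_host=APP_HOST):
    """Accept only a site-relative path or an http(s) URL whose host is app_host."""
    if not next_url or "\\" in next_url:
        return False  # some browsers reinterpret '/\host' as '//host'
    parsed = urlparse(next_url)
    if parsed.scheme or parsed.netloc:
        # absolute ('https://...'), scheme-only ('http:host') or protocol-relative ('//host')
        # forms are allowed only when they point at our own host over http(s)
        return parsed.scheme in ("http", "https") and parsed.netloc == app_host
    return next_url.startswith("/")


def resolve_redirect(presented_token, next_url, index_path=INDEX_PATH):
    """Return where to send the user after a successful token login, or None when the
    token is wrong (the view should then fall through to the normal login flow)."""
    if not token_matches(presented_token):
        return None
    if is_safe_next(next_url):
        return next_url
    return index_path


if __name__ == "__main__":
    print(resolve_redirect(EXPECTED_TOKEN, "/sqllab/"))
    print(resolve_redirect(EXPECTED_TOKEN, "https://evil.example/"))
    print(resolve_redirect("wrong", "/sqllab/"))
```

In the posted view, `resolve_redirect(request.args.get('token'), request.args.get('next'))` would replace the literal comparison and the unconditional `redirect(next)`: a `None` result means fall back to `super().login()`, anything else is the validated redirect target.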

Are either of you (@arpitgargfk or @codebat-hasan) still facing issues here - it's been about 5 months, so I'm wondering if newer helm charts solved the problem or if you've moved on in some other way.

rusackas avatar Apr 05 '24 19:04 rusackas

We used https://github.com/apache/superset/issues/25374#issuecomment-1735702931 and it worked, however we are still running with v2.1.0 in production.

arpitgargfk avatar Apr 09 '24 12:04 arpitgargfk