
Redirection after OAuth Login not working as expected

Open michelbarnich opened this issue 2 years ago • 3 comments

We use Apache Superset together with Keycloak, coupled via the standard OAuth integration. We would like to create deep links to dashboards which are not public from external tools. If these links are used, we would like to automatically forward to the Keycloak instance to let the user log in if needed. If a session already exists, the dashboards should be displayed directly.

We also have a public role, so it is clear that Superset will normally try to open the dashboard as public if no session exists.

To work around this, we found out that it is possible to use the following base URL to enforce the login:

https://<superset_servername>/login/keycloak?next=<forwarding_url>

For the forwarding URL we use a URL-encoded dashboard URL:

https%3A%2F%2F<superset_servername>%2Fsuperset%2Fdashboard%2Ftestdashboard%2F

Together this looks like this:

https://<superset_servername>/login/keycloak?next=https%3A%2F%2F<superset_servername>%2Fsuperset%2Fdashboard%2Ftestdashboard%2F

When we call this for the first time in a new private mode window, this works perfectly fine. The Keycloak login page opens, the user logs in, the redirection takes place, and the dashboard is displayed.

Every further try results in an error. Superset does not forward to Keycloak again (this sounds reasonable, because a session exists), but it then opens only the dashboard list and ignores the "next" parameter. Additionally, an error is displayed that the user has no permission for the dashboard.

The expectation would be that the dashboard is also opened.

We are looking for a solution to this; even a hint where this can be changed in the code would help. We could then provide a PR for that.

How to reproduce the bug

  1. Configure Superset to use OAuth
  2. Call a protected dashboard like this: https://<superset_servername>/login/keycloak?next=https%3A%2F%2F<superset_servername>%2Fsuperset%2Fdashboard%2Ftestdashboard%2F
  3. Follow the process until the dashboard is displayed
  4. Use the exact URL from above again: https://<superset_servername>/login/keycloak?next=https%3A%2F%2F<superset_servername>%2Fsuperset%2Fdashboard%2Ftestdashboard%2F
  5. You are redirected to the dashboard list with an error displayed

Expected results

The called URL should always result in the opened dashboard

Actual results

The URL only works one time

Screenshots


Environment

  • Tested with current Chrome and Firefox Browser Versions
  • superset version: 2.1.0
  • python version: Python 3.8.18
  • node.js version: -
  • any feature flags active:

Checklist

Make sure to follow these steps before submitting your issue - thank you!

  • [x] I have checked the superset logs for python stacktraces and included it here as text if there are any.
  • [x] I have reproduced the issue with at least the latest released version of superset.
  • [x] I have checked the issue tracker for the same issue and I haven't found one similar.

Additional context

nothing

michelbarnich avatar Oct 30 '23 14:10 michelbarnich
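An added example, written for this page and not taken from Superset, Flask-AppBuilder or the issue author: a login endpoint's post-login redirect decision that treats the next= parameter the same way whether or not a session already exists, after validating that the target stays on the Superset host. The host name superset.example.com, the default landing path and the function names are assumptions.

```python
# Constructed example: a login endpoint's post-login redirect decision.
# Not Superset / Flask-AppBuilder code; the host name, default landing
# path and function names are assumptions made for this illustration.
from typing import Optional, Tuple
from urllib.parse import unquote, urlparse

DEFAULT_LANDING = "/dashboard/list/"  # assumed fallback page


def safe_next_url(raw_next: Optional[str], request_host: str,
                  default: str = DEFAULT_LANDING) -> str:
    """Return a redirect target that stays on request_host.

    raw_next is the value exactly as it appears in the query string
    (the issue passes it URL-encoded), so it is decoded once here.
    A relative path, or an absolute URL whose host equals request_host,
    is reduced to path + query; anything else (another host, a
    scheme-relative '//host' URL, a non-http scheme, a backslash)
    falls back to the default landing page instead of leaving the site.
    """
    if not raw_next:
        return default
    candidate = unquote(raw_next)
    if "\\" in candidate:          # browsers treat '\' like '/'
        return default
    parsed = urlparse(candidate)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return default
    if parsed.netloc and parsed.netloc.lower() != request_host.lower():
        return default
    path = parsed.path if parsed.path.startswith("/") else "/" + parsed.path
    return path + ("?" + parsed.query if parsed.query else "")


def post_login_redirect(raw_next: Optional[str], request_host: str,
                        already_authenticated: bool) -> Tuple[str, str]:
    """Decide the next hop for a request to /login/<provider>?next=...

    The issue describes the already-authenticated branch ignoring next=
    and landing on the dashboard list; here both branches resolve the
    same validated target, so a deep link works on every visit.
    """
    target = safe_next_url(raw_next, request_host)
    if already_authenticated:
        return ("redirect", target)   # session exists: go straight there
    # No session: hand off to the IdP and keep the target for the callback.
    return ("idp_login", target)
```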

Hello, thanks for raising this! I am in a similar situation, with public role enabled and that causing problems for my internal users who aren't yet logged in.

I hadn't thought of your idea to use next=, I tried to replicate it just now and can't -- though I'm using Superset 3.0.0 and Azure for OAuth and so maybe something is different.

Here's a similar discussion, containing some references to the codebase: https://github.com/apache/superset/discussions/22190#discussioncomment-4208478

And here's an incomplete PR that tried to address something similar: https://github.com/apache/superset/pull/23280

sfirke avatar Nov 09 '23 19:11 sfirke

Thank you very much, on first impression https://github.com/apache/superset/pull/23280 looks like it could solve our issue too.

michelbarnich avatar Dec 07 '23 09:12 michelbarnich

@michelbarnich are you still facing this issue?

Curious if @sfirke or @nytai see a way to steer this issue and/or PR toward resolution.

rusackas avatar Apr 23 '24 22:04 rusackas