custom OIDC provider RoleMapping #29770

MikhailKrivyakin · 2024-07-29T21:51:46Z

MikhailKrivyakin
Jul 29, 2024

Hello all!
I would be reallly thankfull for someones help. I`ve been trying to make superset work with my custom keycloak-like OIDC provider for few days and result is really disapointing.
I read this article.
https://superset.apache.org/docs/configuration/configuring-superset/#keycloak-specific-configuration-using-flask-oidc
I was able to login to superset using my provider, this is OK.
But i unable to map providerss groups to superset roles. Ive read many articles and tried amount of solutions but it seems like my custom-defined functions like oauth_user_info in my OIDCSecurityManager doesnt triggered at all (i tried to do some debug logging or even prints. It seems like for some reason my code doesnt use functions auth_user_oauth and _oauth_calculate_user_roles from BaseSecurityManager at all.
here is my code:
superset_config.py

from custom_security_manager import OIDCSecurityManager
from flask_appbuilder.security.manager import AUTH_OID, AUTH_REMOTE_USER, AUTH_DB, AUTH_LDAP, AUTH_OAUTH
AUTH_TYPE = AUTH_OID
SECRET_KEY: 'secret'
OIDC_CLIENT_SECRETS =  '/app/docker/configs/client_secret.json'
OIDC_ID_TOKEN_COOKIE_SECURE = False
OIDC_INTROSPECTION_AUTH_METHOD: 'client_secret_post'
CUSTOM_SECURITY_MANAGER = OIDCSecurityManager
OIDC_SCOPES = 'openid profile'
# Will allow user self registration, allowing to create Flask users from Authorized User
AUTH_USER_REGISTRATION = True
# The default user self registration role
AUTH_USER_REGISTRATION_ROLE = 'Gamma'
AUTH_ROLES_SYNC_AT_LOGIN = True
AUTH_ROLES_MAPPING = {
"superset_users": ["Gamma","Alpha"],
"superset_admins": ["Admin"],
}

blitz_security_manager.py:

from flask_appbuilder.security.manager import AUTH_OID
from superset.security import SupersetSecurityManager
from flask_oidc import OpenIDConnect
from flask_appbuilder.security.views import AuthOIDView
from flask_login import login_user, logout_user
from urllib.parse import quote
from flask_appbuilder.views import ModelView, SimpleFormView, expose
from typing import Any, Callable, Dict, List, Optional, Set, Tuple, Union
from flask import (
    redirect,
    request
)
import logging
class OIDCSecurityManager(SupersetSecurityManager):

    def __init__(self, appbuilder):
        super(OIDCSecurityManager, self).__init__(appbuilder)
        if self.auth_type == AUTH_OID:
            self.oid = OpenIDConnect(self.appbuilder.get_app)
        self.authoidview = AuthOIDCView
    def oauth_user_info(self, provider, response=None):
            logging.debug("Oauth2 provider: {0}.".format(provider))
            me = self.appbuilder.sm.oauth_remotes["blitz"].get('/me').data
            if provider == 'blitz':
                # As example, this line request a GET to base_url + '/' + userDetails with Bearer  Authentication,
                # and expects that authorization server checks the token, and response with user details
                me = self.appbuilder.sm.oauth_remotes[provider].get('/oauth/me').data
                logging.debug("ME:%s, me")
                logging.debug("user_data: {0}".format(me))
                return { 'name' : me['email'], 'email' : me['email'], 'id' : me['username'], 'username' : me['username'], 'first_name':'email', 'last_name':'surname', 'role_keys': me['groups']}   

class AuthOIDCView(AuthOIDView):

    @expose('/login/', methods=['GET', 'POST'])
    def login(self, flag=True):
        sm = self.appbuilder.sm
        oidc = sm.oid
        @self.appbuilder.sm.oid.require_login
        def handle_login():
            user = sm.auth_user_oid(oidc.user_getfield('email'))
            if user is None:
                info = oidc.user_getinfo(['first_name', 'last_name', 'family_name', 'email', 'groups'])
                user = sm.add_user(info.get('sub'), info.get('given_name'), info.get('family_name'),
                                  info.get('email'), sm.find_role('Gamma'))
            login_user(user, remember=False)
            return redirect(self.appbuilder.get_url_for_index)
        
        return handle_login()

    @expose('/logout/', methods=['GET', 'POST'])
    def logout(self):
        oidc = self.appbuilder.sm.oid
        oidc.logout()
        redirect_url = request.url_root.strip('/')
        client_id = oidc.client_secrets.get('client_id')
        return redirect(
            oidc.client_secrets.get('issuer') + '/logout?client_id=' + quote(client_id) + '&post_logout_redirect_uri=' + quote(redirect_url))

What am i doing wrong?
2. Also using OIDC i cannot logout from superset. Afterr being logged out from provider and redirected to superset, i still find myself logged in. Any solutions from google did not help me..
Hope for someones`s help :)

Answered by MikhailKrivyakin

Jan 9, 2025

Hi!
502 doesnt seem like something related to my problem to me.
But who knows. Now i ended up with following configuration:
Superset_config.py:


    ######################################################################
    #blitz_oauth
    ######################################################################
    from blitz_security_manager import OIDCSecurityManager
    from flask_appbuilder.security.manager import AUTH_OID, AUTH_REMOTE_USER, AUTH_DB, AUTH_LDAP, AUTH_OAUTH
    import os
    AUTH_TYPE = AUTH_OID
    SECRET_KEY: ''
    OIDC_CLIENT_SECRETS =  '/app/docker/configs/client_secret.json'
    OIDC_ID_TOKEN_COOKIE_SECURE = False
    OIDC_INTROSPECTION_AUTH_METHOD: 'client_secret_…

View full answer

@MikhailKrivyakin · 2024-07-29T21:56:35Z

dosubot[bot]
bot Jul 29, 2024

Hey there, @MikhailKrivyakin! I'm here to help you out with any issues you're experiencing. Let's work together to solve this puzzle!

To address your issues with role mapping and logout in Superset using a custom OIDC provider, here are some suggestions:

Role Mapping Issue:
- Ensure that your custom security manager (OIDCSecurityManager) is correctly set in superset_config.py:
```
CUSTOM_SECURITY_MANAGER = OIDCSecurityManager
```
- Verify that the oauth_user_info method is correctly implemented and that the role_keys field in the returned dictionary matches the keys in your AUTH_ROLES_MAPPING.
- Check if the AUTH_ROLES_SYNC_AT_LOGIN is set to True to ensure roles are synced at login:
```
AUTH_ROLES_SYNC_AT_LOGIN = True
```
- Make sure the oauth_user_info method is being called by adding debug logs or print statements to confirm its execution.
Logout Issue:
- Ensure that the logout process invalidates the session in both Superset and the OIDC provider. You might need to customize the logout behavior in the AuthOIDCView class.
- You can use the @app.before_request and @app.after_request decorators to handle session invalidation, as suggested in a similar issue:
```
@app.before_request
def before_request():
    # Custom logic before each request

@app.after_request
def after_request(response):
    # Custom logic after each request
    return response
```

For more detailed guidance, you can refer to similar discussions and issues:

To continue talking to Dosu, mention @dosu.

0 replies

sule26 · 2025-01-09T15:16:42Z

sule26
Jan 9, 2025

@MikhailKrivyakin could you share your configs in keycloak ans superset? I can't find a way of integrate keycloak with superset. I always get "502 Bad Gateway"

1 reply

MikhailKrivyakin Jan 9, 2025
Author

Hi!
502 doesnt seem like something related to my problem to me.
But who knows. Now i ended up with following configuration:
Superset_config.py:


    ######################################################################
    #blitz_oauth
    ######################################################################
    from blitz_security_manager import OIDCSecurityManager
    from flask_appbuilder.security.manager import AUTH_OID, AUTH_REMOTE_USER, AUTH_DB, AUTH_LDAP, AUTH_OAUTH
    import os
    AUTH_TYPE = AUTH_OID
    SECRET_KEY: ''
    OIDC_CLIENT_SECRETS =  '/app/docker/configs/client_secret.json'
    OIDC_ID_TOKEN_COOKIE_SECURE = False
    OIDC_INTROSPECTION_AUTH_METHOD: 'client_secret_post'
    CUSTOM_SECURITY_MANAGER = OIDCSecurityManager
    OIDC_SCOPES = 'openid profile'
    # Will allow user self registration, allowing to create Flask users from Authorized User
    AUTH_USER_REGISTRATION = True
    # The default user self registration role
    AUTH_USER_REGISTRATION_ROLE = 'Public'
    AUTH_ROLES_SYNC_AT_LOGIN = True

and security manager:

    from flask_appbuilder.security.manager import AUTH_OID
    from superset.security import SupersetSecurityManager
    from flask_oidc import OpenIDConnect
    from flask_appbuilder.security.views import AuthOIDView
    from flask_login import login_user
    from urllib.parse import quote
    from flask_appbuilder.views import ModelView, SimpleFormView, expose
    from typing import Any, Callable, Dict, List, Optional, Set, Tuple, Union
    from flask import (
        redirect,
        request,
        session
    )
    import logging
    import sys
    from flask_jwt_extended import verify_jwt_in_request
    
    class OIDCSecurityManager(SupersetSecurityManager):

        def __init__(self, appbuilder):
            super(OIDCSecurityManager, self).__init__(appbuilder)
            if self.auth_type == AUTH_OID:
                self.oid = OpenIDConnect(self.appbuilder.get_app)
            self.authoidview = AuthOIDCView
        # custom function for OIDC roles_mapping. Just a copy/past from _oauth_calculate_user_roles
        def is_item_public(self, permission_name, view_name):
            verify_jwt_in_request(optional=True) # Attempt to parse any existing JWT and fail silently
            return super().is_item_public(permission_name, view_name)
        def _oid_calculate_user_roles(self, userinfo) -> List[str]:
            user_role_objects = set()
            # apply AUTH_ROLES_MAPPING
            if len(self.auth_roles_mapping) > 0:
                user_role_keys = userinfo.get("groups", [])
                user_role_objects.update(self.get_roles_from_keys(user_role_keys))

            # apply AUTH_USER_REGISTRATION_ROLE
            if self.auth_user_registration:
                registration_role_name = self.auth_user_registration_role

                # if AUTH_USER_REGISTRATION_ROLE_JMESPATH is set,
                # use it for the registration role
                if self.auth_user_registration_role_jmespath:
                    import jmespath

                    registration_role_name = jmespath.search(
                        self.auth_user_registration_role_jmespath, userinfo
                    )

                # lookup registration role in flask db
                fab_role = self.find_role(registration_role_name)
                logging.debug("fab_role %s",fab_role )
                if fab_role:
                    user_role_objects.add(fab_role)
                else:
                    logging.warning(
                        "Can't find AUTH_USER_REGISTRATION role: %s", registration_role_name
                    )
            return list(user_role_objects)
    class AuthOIDCView(AuthOIDView):
        @expose('/login/', methods=['GET', 'POST'])
        def login(self, flag=True):
            sm = self.appbuilder.sm
            oidc = sm.oid
            @self.appbuilder.sm.oid.require_login
            def handle_login():
                user = sm.auth_user_oid(oidc.user_getfield('email'))
                # We already have this user in flask DB. If sync_at_login is True we`ll calculate new roles for gim
                if user and sm.auth_roles_sync_at_login:
                    info = oidc.user_getinfo(['first_name', 'last_name', 'family_name', 'email', 'groups'])
                    userRoles = sm._oid_calculate_user_roles(info)
                    logging.debug("Calculated new roles for user='%s' as: %s", info.get('username'), userRoles)
                    logging.debug("USER='%s", user)
                    user.roles = userRoles
                    sm.update_user(user)
                # # this user is new for flask DB. We will calculate his roles and add him to DB. Than login as usual
                if user is None:
                    info = oidc.user_getinfo(['first_name', 'last_name', 'family_name', 'email', 'groups'])
                    userRoles = sm._oid_calculate_user_roles(info)
                    logging.debug("Calculated  roles for new user='%s' as: %s", info.get('username'), userRoles)
                    # ZR
                    user = sm.add_user(info.get('username',''), info.get('name',''), info.get('surname',''),
                                    info.get('email',''), userRoles)
                login_user(user, remember=False)
                return redirect(self.appbuilder.get_url_for_index)      
            return handle_login()

        @expose('/logout/', methods=['GET', 'POST'])
        # @oidc.require_login
        def logout(self):
            oidc = self.appbuilder.sm.oid
            oidc.logout()
            super(AuthOIDCView, self).logout()
            redirect_url = request.url_root.strip('/')
            client_id = oidc.client_secrets.get('client_id')
            session.clear()
            return redirect(
                oidc.client_secrets.get('issuer') + '/logout?client_id=' + quote(client_id) + '&post_logout_redirect_uri=' + quote(redirect_url))

For me it covers good work with my provider and also OIDC roles mapping as well.
I hope it`ll help you)

Answer selected by MikhailKrivyakin

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

custom OIDC provider RoleMapping #29770

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments 1 reply

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

custom OIDC provider RoleMapping #29770

MikhailKrivyakin Jul 29, 2024

Replies: 2 comments · 1 reply

dosubot[bot] bot Jul 29, 2024

sule26 Jan 9, 2025

MikhailKrivyakin Jan 9, 2025 Author

MikhailKrivyakin
Jul 29, 2024

Replies: 2 comments 1 reply

dosubot[bot]
bot Jul 29, 2024

sule26
Jan 9, 2025

MikhailKrivyakin Jan 9, 2025
Author