GitHub user dosubot[bot] added a comment to the discussion: Passing
authenticated user into Superset iFrame with Keycloak
To achieve your goal of embedding the entire Superset frontend in an iframe
without encountering the Superset or Keycloak login pages, and to map Keycloak
users to specific Superset roles, you can follow these steps:
1. **Use Keycloak for Authentication**: Since you are already using Keycloak
for authentication in your SvelteKit frontend, ensure that your Superset
instance is configured to use Keycloak as the identity provider. This involves
setting up the `keycloak_security_manager.py` and configuring
`superset_config.py` to use OpenID Connect with Keycloak.
2. **Session Management**: When a user logs in through your SvelteKit frontend,
you should manage the session such that the authentication state is shared with
the Superset iframe. This can be done by ensuring that the Keycloak session is
valid and accessible when the iframe is loaded.
3. **Avoiding the Login Page**: To bypass the login page in the Superset
iframe, you can use the Keycloak session token to authenticate the user
directly. This might involve customizing the Superset login flow to accept a
Keycloak token and establish a session without showing the login page.
4. **Role Mapping**: You can map Keycloak users to specific Superset roles
using the `AUTH_ROLES_MAPPING` configuration in Superset. This allows you to
assign roles based on Keycloak group memberships or claims. For example:
```python
AUTH_ROLES_MAPPING = {
    "keycloak_group_name": ["SupersetRole"],
}
```
5. **Guest Token Consideration**: The Guest Token feature is typically used for
embedding specific dashboards and might not be suitable for your use case where
you want to embed the entire Superset frontend. Since you are using Keycloak
for authentication, focus on ensuring that the Keycloak session is recognized
by Superset.
By following these steps, you should be able to embed the Superset frontend in
your SvelteKit application without encountering login pages, while also
controlling access to dashboards based on user roles.
GitHub link:
https://github.com/apache/superset/discussions/33151#discussioncomment-12856311
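
The role mapping from step 4 of the comment above, as an added example that is not part of the original comment or of Superset's own code: it checks offline which Superset roles a set of token claims resolves to, using exact key matching and a fail-closed result when no group maps. The `groups` claim name, the leading-slash group paths, all group and role names, and the `allow_login` policy are assumptions for illustration.

```python
# Added example: offline check of a Keycloak-group -> Superset-role mapping.
# The claim name "groups" and all group/role names below are assumptions.
AUTH_ROLES_MAPPING = {
    "/analytics/viewers": ["Gamma"],
    "/analytics/editors": ["Alpha"],
    "/platform/superset-admins": ["Admin"],
}
PRIVILEGED_ROLES = {"Admin"}

# Constructed sample claims, as they would look after ID-token validation.
SAMPLE_CLAIMS = {
    "alice": {"groups": ["/analytics/viewers"]},
    "bob": {"groups": ["analytics/editors"]},          # no leading slash
    "carol": {"groups": "/platform/superset-admins"},  # string, not a list
    "dave": {"groups": ["/platform/superset-admins", "/hr/staff"]},
}


def role_keys_from_claims(claims, claim_name="groups"):
    """Return group strings from the claims; malformed values yield no keys."""
    value = claims.get(claim_name, [])
    if not isinstance(value, list):
        return []  # a bare string would otherwise be iterated per character
    return [g for g in value if isinstance(g, str) and g]


def resolve_roles(claims, mapping=AUTH_ROLES_MAPPING):
    """Map token groups to roles by exact match; unmapped groups grant nothing."""
    roles, unmapped = set(), []
    for key in role_keys_from_claims(claims):
        if key in mapping:
            roles.update(mapping[key])
        else:
            unmapped.append(key)
    return {
        "roles": sorted(roles),
        "unmapped": unmapped,
        "privileged": bool(roles & PRIVILEGED_ROLES),
        "allow_login": bool(roles),  # fail closed: no mapped group, no session
    }


if __name__ == "__main__":
    for user, claims in SAMPLE_CLAIMS.items():
        print(user, resolve_roles(claims))
```

The `unmapped` list is the part worth reviewing before rollout: a key that differs from the token value by a slash or by case silently grants nothing, and a privileged result deserves a second look at who is in that group.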