GitHub user PedroMartinSteenstrup added a comment to the discussion: Apache 
Superset & Keycloak integration

Just FYI, you can make sure everything is well set up in Keycloak itself, and 
then just refer to the well-known endpoint. 
Start with allowing all origins and redirects, to make sure your code works, 
then you can restrict again.

Here is my working -but truncated- version, without installing any additional 
package such as `Flask-OIDC`:

```
import logging
import os

from flask_appbuilder.security.manager import AUTH_OAUTH
from superset.security import SupersetSecurityManager

log = logging.getLogger(__name__)


class KeycloakSecurity(SupersetSecurityManager):
    """
    Create a new SecurityManager with own oauth_user_info to handle the
    information from Keycloak
    """

    def __init__(self, appbuilder):
        super(KeycloakSecurity, self).__init__(appbuilder)
        app = self.appbuilder.get_app
        app.config.setdefault("AUTH_ROLES_MAPPING", {})
        app.config.setdefault("AUTH_TYPE", AUTH_OAUTH)

    def oauth_user_info(self, provider, resp=None):
        if provider == "keycloak":
            # These debug lines write the raw token response and ID token to the log.
            log.debug("Keycloak response received : {0}".format(resp))
            log.debug("ID Token: %s", resp["id_token"])
            # Fetch the user's claims from the realm's userinfo endpoint.
            me = self.appbuilder.sm.oauth_remotes[provider].get(
                "https://<sso.domain.name>/auth/realms/<realm-name>/protocol/openid-connect/userinfo"
            )
            me.raise_for_status()
            data = me.json()
            log.debug("User info from Keycloak: %s", data)
            # Map the Keycloak claims onto the user fields Superset expects.
            return {
                "name": data["name"],
                "email": data["email"],
                "first_name": data["given_name"],
                "last_name": data["family_name"],
                "id": data["preferred_username"],
                "username": data["preferred_username"],
                "role_keys": data["groups"],
            }


CUSTOM_SECURITY_MANAGER = KeycloakSecurity

AUTH_TYPE = AUTH_OAUTH
OAUTH_PROVIDERS = [
    {
        "name": "keycloak",
        "icon": "fa-key",
        "token_key": "access_token",
        "remote_app": {
            "client_id": "superset",
            "client_secret": os.getenv("OAUTH_CLIENT_SECRET", None),
            "client_kwargs": {"scope": "openid email groups"},
            # The remaining endpoints are discovered from the well-known document.
            "server_metadata_url": "https://<sso.domain.name>/auth/realms/<realm-name>/.well-known/openid-configuration",
        },
    }
]
```

GitHub link: 
https://github.com/apache/superset/discussions/33623#discussioncomment-13315431
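
The comment's advice to allow all origins and redirects while testing and then "restrict again" leaves a permissive client behind if the second step is forgotten. The check below is an added example, not part of the original comment or of Superset or Keycloak code: it audits a client exported from Keycloak as JSON using its `redirectUris` and `webOrigins` fields. The function name `audit_client`, the sample host and the callback path `/oauth-authorized/keycloak` are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: a client export still in the permissive state used while
# testing. The host name is a placeholder, not taken from the comment.
SAMPLE_CLIENT = json.loads("""{
  "clientId": "superset",
  "redirectUris": ["*", "http://superset.example.test/oauth-authorized/keycloak"],
  "webOrigins": ["*", "+"]
}""")


def audit_client(client, expected_callback):
    """Return (field, value, problem) tuples for settings left too open."""
    findings = []
    redirects = client.get("redirectUris") or []
    for uri in redirects:
        if "*" in uri:
            findings.append(("redirectUris", uri, "wildcard redirect"))
        elif urlsplit(uri).scheme != "https":
            findings.append(("redirectUris", uri, "not https"))
        elif uri != expected_callback:
            findings.append(("redirectUris", uri, "unexpected redirect"))
    redirects_flagged = bool(findings)
    if expected_callback not in redirects:
        findings.append(("redirectUris", expected_callback, "callback missing"))

    cb = urlsplit(expected_callback)
    expected_origin = f"{cb.scheme}://{cb.netloc}"
    for origin in client.get("webOrigins") or []:
        if origin == "*":
            findings.append(("webOrigins", origin, "any origin allowed"))
        elif origin == "+":
            # "+" inherits the origins of the valid redirect URIs, so it is
            # only as tight as they are.
            if redirects_flagged:
                findings.append(("webOrigins", origin, "inherits flagged redirects"))
        elif origin != expected_origin:
            findings.append(("webOrigins", origin, "unexpected origin"))
    return findings


if __name__ == "__main__":
    callback = "https://superset.example.test/oauth-authorized/keycloak"
    for field, value, problem in audit_client(SAMPLE_CLIENT, callback):
        print(f"{field}: {value!r} -> {problem}")
```

An empty result means the client accepts only the expected callback and its origin.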
