marcocharlie opened a new issue, #34159:
URL: https://github.com/apache/superset/issues/34159

   ### Bug description
   
   Superset version 4.1.1 installed on Kubernetes via Helm.
   Nginx + AWS ALB.
   
   Access to Superset via Keycloak. Below is my configuration:
   ```
   import logging

   from flask import redirect, session
   from flask_appbuilder import expose
   from flask_appbuilder.security.manager import AUTH_OAUTH
   from flask_appbuilder.security.views import AuthOAuthView
   from flask_login import logout_user
   from superset.security import SupersetSecurityManager


   class CustomAuthOAuthView(AuthOAuthView):
       @expose('/logout/')
       def logout(self):
           # Local logout only: drops the Flask-Login user and the Superset session
           logout_user()
           session.clear()
           return redirect(self.appbuilder.get_url_for_index)


   class KeycloakSecurityManager(SupersetSecurityManager):
       def __init__(self, appbuilder):
           super().__init__(appbuilder)

       def oauth_user_info(self, provider, response=None):
           # Relative path is resolved against api_base_url, i.e. .../openid-connect/userinfo
           me = self.appbuilder.sm.oauth_remotes[provider].get("openid-connect/userinfo")
           me.raise_for_status()
           data = me.json()
           logging.debug("User info from Keycloak: %s", data)
           return {
               "username": data.get("preferred_username", ""),
               "first_name": data.get("given_name", ""),
               "last_name": data.get("family_name", ""),
               "email": data.get("email", ""),
               # Client roles of the Keycloak client named by ${OIDC_CLIENT}
               "role_keys": data.get("resource_access", {}).get("${OIDC_CLIENT}", {}).get("roles", []),
           }

       authoauthview = CustomAuthOAuthView


   ENABLE_PROXY_FIX = True

   AUTH_TYPE = AUTH_OAUTH
   AUTH_USER_REGISTRATION = True
   AUTH_USER_REGISTRATION_ROLE = "Gamma"
   OAUTH_PROVIDERS = [
       {
           "name": "keycloak",
           "icon": "fa-key",
           "token_key": "access_token",
           "remote_app": {
               "client_id": "${CLIENT_ID}",
               "client_secret": "${CLIENT_SECRET}",
               "client_kwargs": {
                   "scope": "openid profile email",
               },
               "api_base_url": "https://${KEYCLOAK_DOMAIN}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect",
               "authorize_url": "https://${KEYCLOAK_DOMAIN}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/auth",
               "access_token_url": "https://${KEYCLOAK_DOMAIN}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token",
               "jwks_uri": "https://${KEYCLOAK_DOMAIN}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/certs",
               "userinfo_url": "https://${KEYCLOAK_DOMAIN}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/userinfo",
               "authorize_params": {
                   "redirect_uri": "https://${SUPERSET_DOMAIN}/oauth-authorized/keycloak"
               },
               "access_token_params": {
                   "redirect_uri": "https://${SUPERSET_DOMAIN}/oauth-authorized/keycloak"
               }
           },
       }
   ]

   AUTH_ROLES_SYNC_AT_LOGIN = True
   CUSTOM_SECURITY_MANAGER = KeycloakSecurityManager
   ```
   
   My problem is that the user gets an error on the first login attempt. The UI states `The request to sign in was denied`.
   
   <img width="1643" height="302" alt="Image" src="https://github.com/user-attachments/assets/e7470f84-1df1-4b31-9e2c-5f141aae361a" />
   
   Logs:
   ```
   2025-07-14 15:21:38,103:DEBUG:flask_appbuilder.security.views:Provider: keycloak
   2025-07-14 15:21:38,104:DEBUG:flask_appbuilder.security.views:Going to call authorize for: keycloak
   20.10.253.173 - - [14/Jul/2025:15:21:38 +0000] "GET /login/keycloak?next= HTTP/1.1" 302 953 "https://<SUPERSET_DOMAIN>/login/"
   2025-07-14 15:21:38,241:DEBUG:flask_appbuilder.security.views:Authorized init
   2025-07-14 15:21:38,243:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): <KEYCLOAK_DOMAIN>:443
   2025-07-14 15:21:38,279:DEBUG:urllib3.connectionpool:https://<KEYCLOAK_DOMAIN>:443 "POST /auth/realms/<MY_REALM>/protocol/openid-connect/token HTTP/1.1" 200 4282
   2025-07-14 15:21:38,282:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): <KEYCLOAK_DOMAIN>:443
   2025-07-14 15:21:43,296:ERROR:flask_appbuilder.security.views:Error authorizing OAuth access token: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))
   20.10.253.173 - - [14/Jul/2025:15:21:43 +0000] "GET /oauth-authorized/keycloak?state=<STATE>&session_state=<SESSION_STATE>&iss=https%3A%2F%2F<KEYCLOAK_DOMAIN>%2Fauth%2Frealms%2F<KEYCLOAK_REALM>&code=<CODE> HTTP/1.1" 302 201
   2025-07-14 15:21:43,338:DEBUG:flask_appbuilder.security.views:Provider: None
   ```
   
   Retrying immediately, after a couple of attempts, the user info is returned correctly and login is successful. Logs:
   ```
   2025-07-14 15:23:51,413:DEBUG:flask_appbuilder.security.views:Provider: keycloak
   2025-07-14 15:23:51,413:DEBUG:flask_appbuilder.security.views:Going to call authorize for: keycloak
   20.10.253.173 - - [14/Jul/2025:15:23:51 +0000] "GET /login/keycloak?next= HTTP/1.1" 302 953 "https://<SUPERSET_DOMAIN>/login/"
   2025-07-14 15:23:51,597:DEBUG:flask_appbuilder.security.views:Authorized init
   2025-07-14 15:23:51,598:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): <KEYCLOAK_DOMAIN>:443
   2025-07-14 15:23:51,672:DEBUG:urllib3.connectionpool:https://<KEYCLOAK_DOMAIN>:443 "POST /auth/realms/<MY_REALM>/protocol/openid-connect/token HTTP/1.1" 200 4282
   2025-07-14 15:23:51,674:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): <KEYCLOAK_DOMAIN>:443
   2025-07-14 15:23:51,701:DEBUG:urllib3.connectionpool:https://<KEYCLOAK_DOMAIN>:443 "GET /auth/realms/<MY_REALM>/protocol/openid-connect/certs HTTP/1.1" 200 2933
   2025-07-14 15:23:51,703:DEBUG:flask_appbuilder.security.views:OAUTH Authorized resp: {'access_token': '<TOKEN>', 'expires_in': 300, 'refresh_expires_in': 16865, 'refresh_token': '<REFRESH_TOKEN>', 'token_type': 'Bearer', 'id_token': '<ID_TOKEN>', 'not-before-policy': 0, 'session_state': '<STATE>', 'scope': 'openid email profile', 'expires_at': 1752506931, 'userinfo': {'exp': 1752506931, 'iat': 1752506631, 'auth_time': 1752480296, 'jti': '<JTI>', 'iss': 'https://<KEYCLOAK_DOMAIN>/auth/realms/<MY_REALM>', 'aud': 'superset', 'sub': '<SUB>', 'typ': 'ID', 'azp': 'superset', 'nonce': '<NONCE>', 'sid': '<SID>', 'at_hash': '<HASH>', 'acr': '0', 'email_verified': True, 'name': '<NAME>', 'preferred_username': '<USERNAME>', 'given_name': '<NAME>', 'family_name': '<SURNAME>', 'email': '<EMAIL>'}}
   2025-07-14 15:23:51,704:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): <KEYCLOAK_DOMAIN>:443
   2025-07-14 15:23:51,760:DEBUG:urllib3.connectionpool:https://<KEYCLOAK_DOMAIN>:443 "GET /auth/realms/<MY_REALM>/protocol/openid-connect/userinfo HTTP/1.1" 200 668
   2025-07-14 15:23:51,761:DEBUG:flask_appbuilder.security.views:User info retrieved from keycloak: {'username': '<USERNAME>', 'first_name': '<NAME>', 'last_name': '<LASTNAME>', 'email': '<EMAIL>', 'role_keys': ['admin']}
   2025-07-14 15:23:51,761:DEBUG:flask_appbuilder.security.views:No whitelist for OAuth provider
   2025-07-14 15:23:51,776:DEBUG:flask_appbuilder.security.manager:Calculated new roles for user='<USERNAME>' as: [Admin]
   2025-07-14 15:23:51,783:INFO:flask_appbuilder.security.sqla.manager:Updated user <USER>
   ```
   
   I tried to add:
   ```
   PROXY_FIX_CONFIG = {
       "x_proto": 1,
       "x_host": 1,
       "x_prefix": 1,
   }
   PREFERRED_URL_SCHEME = "https"
   SESSION_COOKIE_SECURE = True
   ```
   but the problem persists.
   
   Has anyone encountered this type of problem before?
   
   ### Screenshots/recordings
   
   _No response_
   
   ### Superset version
   
   master / latest-dev
   
   ### Python version
   
   3.9
   
   ### Node version
   
   16
   
   ### Browser
   
   Chrome
   
   ### Additional context
   
   _No response_
   
   ### Checklist
   
   - [x] I have searched Superset docs and Slack and didn't find a solution to 
my problem.
   - [x] I have searched the GitHub issue tracker and didn't find a similar bug 
report.
   - [x] I have checked Superset's logs for errors and if I found a relevant 
Python stacktrace, I included it here as text in the "additional context" 
section.
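The `oauth_user_info` hook in the configuration above turns the Keycloak userinfo payload straight into the dict Flask-AppBuilder consumes, and the successful trace shows `role_keys: ['admin']` becoming the `Admin` role. The block below is an added example, not the issue author's code and not part of Superset or Flask-AppBuilder: it does the same normalisation as a set of pure functions and adds the checks a reviewer would ask for before a claim from an IdP can grant `Admin`: `sub` and `preferred_username` must be present, `email_verified` must be true, only the client roles of the configured client count (realm roles only when explicitly requested), and unmapped role keys fall back to a default role rather than to whatever the IdP sent. The client id `"superset"`, the `ROLES_MAPPING` table and `SAMPLE_CLAIMS` are assumptions; the sample payload is constructed after the `userinfo` shown in the successful trace.

```python
"""Build the FAB user-info dict from Keycloak claims, with validation.

Added example, not the issue author's code and not part of Superset or
Flask-AppBuilder. The client id, the roles table and the sample claims are
assumptions; the claim names are the standard OIDC / Keycloak ones.
"""
from typing import Any, Dict, List, Mapping, Sequence


class RejectedLogin(Exception):
    """Raised when an IdP payload must not be turned into a Superset user."""


# Assumed table, same shape as FAB's AUTH_ROLES_MAPPING: IdP role key -> FAB roles.
ROLES_MAPPING: Dict[str, List[str]] = {
    "admin": ["Admin"],
    "analyst": ["Alpha"],
    "viewer": ["Gamma"],
}
DEFAULT_ROLES: List[str] = ["Gamma"]  # stands in for AUTH_USER_REGISTRATION_ROLE

# Constructed payload modelled on the userinfo in the successful trace above.
SAMPLE_CLAIMS: Dict[str, Any] = {
    "sub": "3f1c9e2a-0000-4000-8000-000000000001",
    "preferred_username": "jdoe",
    "given_name": "Jane",
    "family_name": "Doe",
    "email": "jdoe@example.org",
    "email_verified": True,
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {
        "superset": {"roles": ["admin"]},
        "account": {"roles": ["manage-account", "view-profile"]},
    },
}


def role_keys_from_claims(claims: Mapping[str, Any], client_id: str,
                          include_realm_roles: bool = False) -> List[str]:
    """Client roles of *client_id* only; roles granted on other clients are ignored."""
    keys = set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    if include_realm_roles:
        keys.update(claims.get("realm_access", {}).get("roles", []))
    return sorted(keys)


def superset_roles(role_keys: Sequence[str],
                   mapping: Mapping[str, Sequence[str]] = ROLES_MAPPING,
                   default: Sequence[str] = DEFAULT_ROLES) -> List[str]:
    """Translate role keys through an explicit table; anything unmapped gets the default."""
    roles = {role for key in role_keys for role in mapping.get(key, [])}
    return sorted(roles) if roles else list(default)


def user_info_from_claims(claims: Mapping[str, Any], client_id: str,
                          require_verified_email: bool = True) -> Dict[str, Any]:
    """The dict oauth_user_info() hands to FAB, or RejectedLogin if the payload is unfit."""
    for claim in ("sub", "preferred_username"):
        if not claims.get(claim):
            raise RejectedLogin(f"claim {claim!r} missing from IdP payload")
    if require_verified_email and not claims.get("email_verified", False):
        raise RejectedLogin("email not verified at the IdP")
    return {
        "username": claims["preferred_username"],
        "first_name": claims.get("given_name", ""),
        "last_name": claims.get("family_name", ""),
        "email": claims.get("email", ""),
        "role_keys": role_keys_from_claims(claims, client_id),
    }


if __name__ == "__main__":
    info = user_info_from_claims(SAMPLE_CLAIMS, "superset")
    print(info, "->", superset_roles(info["role_keys"]))
```

FAB already applies an `AUTH_ROLES_MAPPING` table to `role_keys` when `AUTH_ROLES_SYNC_AT_LOGIN` is set; `superset_roles()` only makes that step visible next to the claim extraction. One caveat worth keeping in mind when `preferred_username` is the account key: OpenID Connect Core (section 5.1) says the relying party must not rely on that claim being unique, which is why the example insists on `sub` being present even though FAB's user model does not store it.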

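Comparing the two traces in the report, the failing login completes the `POST .../token` call and then opens a second HTTPS connection that never answers; in the successful login that second connection is the `GET .../certs` (JWKS) fetch, followed by `GET .../userinfo`. The block below is an added example, not part of the issue, of Superset or of Flask-AppBuilder: it pairs each urllib3 `Starting new HTTPS connection` line with the request line or the `ERROR` that follows it, so a login attempt reads as an ordered list of upstream calls and the aborted step can be named by position against a known-good trace. The sample lines are copied from the two traces above with their placeholders kept; the `UpstreamCall` shape and the function names are this example's own.

```python
"""Pair urllib3 connection attempts with their outcome in a Superset DEBUG log.

Added example, not part of the issue, of Superset or of Flask-AppBuilder.
Sample lines are the traces from the issue (placeholders kept as-is).
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}):(?P<level>\w+):"
    r"(?P<logger>[\w.]+):(?P<msg>.*)$"
)
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed from the failing trace in the issue.
FAILED_TRACE = """\
2025-07-14 15:21:38,103:DEBUG:flask_appbuilder.security.views:Provider: keycloak
2025-07-14 15:21:38,241:DEBUG:flask_appbuilder.security.views:Authorized init
2025-07-14 15:21:38,243:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): <KEYCLOAK_DOMAIN>:443
2025-07-14 15:21:38,279:DEBUG:urllib3.connectionpool:https://<KEYCLOAK_DOMAIN>:443 "POST /auth/realms/<MY_REALM>/protocol/openid-connect/token HTTP/1.1" 200 4282
2025-07-14 15:21:38,282:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): <KEYCLOAK_DOMAIN>:443
2025-07-14 15:21:43,296:ERROR:flask_appbuilder.security.views:Error authorizing OAuth access token: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))
20.10.253.173 - - [14/Jul/2025:15:21:43 +0000] "GET /oauth-authorized/keycloak?state=<STATE>&code=<CODE> HTTP/1.1" 302 201
2025-07-14 15:21:43,338:DEBUG:flask_appbuilder.security.views:Provider: None
"""

# Constructed from the successful trace in the issue.
OK_TRACE = """\
2025-07-14 15:23:51,597:DEBUG:flask_appbuilder.security.views:Authorized init
2025-07-14 15:23:51,598:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): <KEYCLOAK_DOMAIN>:443
2025-07-14 15:23:51,672:DEBUG:urllib3.connectionpool:https://<KEYCLOAK_DOMAIN>:443 "POST /auth/realms/<MY_REALM>/protocol/openid-connect/token HTTP/1.1" 200 4282
2025-07-14 15:23:51,674:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): <KEYCLOAK_DOMAIN>:443
2025-07-14 15:23:51,701:DEBUG:urllib3.connectionpool:https://<KEYCLOAK_DOMAIN>:443 "GET /auth/realms/<MY_REALM>/protocol/openid-connect/certs HTTP/1.1" 200 2933
2025-07-14 15:23:51,704:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): <KEYCLOAK_DOMAIN>:443
2025-07-14 15:23:51,760:DEBUG:urllib3.connectionpool:https://<KEYCLOAK_DOMAIN>:443 "GET /auth/realms/<MY_REALM>/protocol/openid-connect/userinfo HTTP/1.1" 200 668
"""


@dataclass
class UpstreamCall:
    method: Optional[str]   # None when the connection never got a response
    path: Optional[str]
    status: Optional[int]
    seconds: float          # from "Starting new HTTPS connection" to the outcome
    completed: bool


def _ts(value: str) -> datetime:
    # "2025-07-14 15:21:38,103": %f accepts the three-digit millisecond field
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S,%f")


def upstream_calls(trace: str) -> List[UpstreamCall]:
    """Return the upstream HTTPS calls in order, aborted ones included."""
    calls: List[UpstreamCall] = []
    opened_at: Optional[datetime] = None
    for line in trace.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # access-log lines carry no logging prefix; skip them
        when, logger, msg = _ts(m["ts"]), m["logger"], m["msg"]
        if logger == "urllib3.connectionpool" and msg.startswith("Starting new"):
            opened_at = when
        elif logger == "urllib3.connectionpool" and opened_at is not None:
            req = REQ_RE.search(msg)
            if req:
                calls.append(UpstreamCall(req["method"], req["path"], int(req["status"]),
                                          (when - opened_at).total_seconds(), True))
                opened_at = None
        elif m["level"] == "ERROR" and opened_at is not None:
            # An error logged while a connection is still open: that call never answered
            calls.append(UpstreamCall(None, None, None,
                                      (when - opened_at).total_seconds(), False))
            opened_at = None
    return calls


def explain_failure(failed: str, succeeded: str) -> str:
    """Name the aborted step, borrowing its path from the same position in a good trace."""
    bad, good = upstream_calls(failed), upstream_calls(succeeded)
    for i, call in enumerate(bad):
        if not call.completed:
            ref = good[i] if i < len(good) else None
            where = f"{ref.method} {ref.path}" if ref else "unknown path"
            return f"step {i + 1} ({where} in the successful run) aborted after {call.seconds:.1f}s"
    return "no aborted upstream call"


if __name__ == "__main__":
    print(explain_failure(FAILED_TRACE, OK_TRACE))
```

Run against the two traces, the aborted step is the second upstream call, the one the successful run spends on `GET .../openid-connect/certs`, and it gives up a little over five seconds after the connection was opened. That points the investigation at reachability of the JWKS endpoint from the Superset pods rather than at the proxy headers the reporter was tuning, without asserting anything the logs do not show.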

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.