GitHub user dosubot[bot] added a comment to the discussion: Superset login with SSO
Your approach—using a custom Flask blueprint to handle JWT-based SSO authentication from Keycloak, validating the token via a backend API, and logging in or creating users in Superset—is an acceptable and supported way to extend authentication in Superset.

### Acceptability of Your Approach

Superset is designed to be extensible in terms of authentication. Creating a custom authentication view or security manager is a documented and community-accepted pattern. For example, you can subclass `AuthDBView` or extend `SupersetSecurityManager` to implement custom logic for login, user creation, and session handling. This is similar to your approach and is considered a best practice for custom auth flows in Superset [[discussion](https://github.com/apache/superset/discussions/32038)].

### Known Issues or Edge Cases

- There are no specific, documented issues or edge cases with overriding authentication flows in this way. However, you should ensure your custom endpoint:
  - Handles CSRF and session fixation risks appropriately.
  - Properly manages user creation and updates to avoid orphaned or duplicate users.
  - Integrates with Flask-Login and Superset’s session management to ensure users remain authenticated across requests [[config reference](https://github.com/apache/superset/blob/master/superset/config.py)].
- If you bypass Superset’s built-in OIDC/OAuth, you are responsible for all aspects of token validation, user provisioning, and session lifecycle.

### Upstreaming as a Supported Auth Extension Pattern

There are no explicit proposals or discussions about upstreaming this exact pattern into Superset core. However, the community does support and document the use of custom security managers and authentication views for advanced use cases. If you believe your pattern is broadly useful, you could propose it as a feature or contribute documentation, but currently, this is handled at the customization level rather than as a built-in extension point [[discussion](https://github.com/apache/superset/discussions/32038)].

### Guidance on Session Management and Role Mapping

- **Session Management:** Superset uses Flask and Flask-Login for session management. After calling `login_user(user)`, the session is managed via cookies. You can configure server-side sessions if needed (e.g., with Redis) using the `SESSION_SERVER_SIDE` setting [[config reference](https://github.com/apache/superset/blob/master/superset/config.py)].
- **Role Mapping:** You can map external roles (from Keycloak or your backend API) to Superset roles using the `AUTH_ROLES_MAPPING` configuration. This allows you to translate roles from your SSO provider to Superset’s RBAC system without needing a custom security manager for mapping alone [[role mapping](https://github.com/apache/superset/discussions/32622)].
- **User Provisioning:** Assign default roles to new users with `AUTH_USER_REGISTRATION_ROLE`. For more advanced mapping, you can extend the security manager and override methods like `oauth_user_info` to handle custom logic [[custom manager example](https://github.com/apache/superset/blob/master/docs/docs/configuration/configuring-superset.mdx)].

### References & Examples

- [Custom authentication view example](https://github.com/apache/superset/discussions/32038)
- [Role mapping discussion](https://github.com/apache/superset/discussions/32622)
- [Superset configuration reference](https://github.com/apache/superset/blob/master/superset/config.py)
- [Custom security manager example](https://github.com/apache/superset/blob/master/docs/docs/configuration/configuring-superset.mdx)

If you need more detailed code examples or have specific integration questions, let me know!
GitHub link: https://github.com/apache/superset/discussions/33571#discussioncomment-13244314
