GitHub user dosubot[bot] added a comment to the discussion: Title: OAuth/OIDC Access Token (RS256) Rejected by /api/v1/security/csrf_token/ with "The specified alg value is not allowed"
You're correct—Superset's API authentication (including `/api/v1/security/csrf_token`) only accepts HS256-signed JWTs issued by Superset itself (via the `/api/v1/security/login` endpoint with "db" or "ldap" providers). This is enforced by the authentication middleware and is not configurable; RS256-signed tokens from external OIDC providers like Zitadel are rejected with "The specified alg value is not allowed" because only HS256 is allowed for API Bearer tokens. This is separate from the UI login flow, which does support RS256 for OIDC/OAuth logins, but those tokens are not valid for API authentication [citation](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/api.py).

There is no current or planned support for using custom OAUTH providers (like Zitadel) for API authentication, and no configuration or feature flag enables this.

Creating a new endpoint for dashboard uploads that verifies a PAT directly cannot be done via `superset_config.py`; it would require code changes.

No known workarounds or solutions have been documented for this issue, and similar problems have not been solved in the community or documentation.

For API automation, the only supported approach is to use DB/LDAP users to obtain Superset-issued tokens.
GitHub link: https://github.com/apache/superset/discussions/35281#discussioncomment-14523091
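An added example, not part of the bot's reply or of Superset's own code, that applies the two points above: a pre-flight check of a token's `alg` header so an RS256 token from an external OIDC provider is caught before it is sent, and the supported flow of logging in a "db" user at `/api/v1/security/login` and calling `/api/v1/security/csrf_token/` with the Superset-issued token. The request and response field names (`username`, `password`, `provider`, `refresh`, `access_token`, `result`) follow Flask-AppBuilder's security API as I know it and are assumptions, as are the base URL and credentials, which are placeholders.

```python
import base64
import json
import urllib.request


def _b64url(obj: dict) -> str:
    """Base64url-encode a JSON object without padding (JWT segment style)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample tokens: only the header matters here; signatures are dummies.
HS256_TOKEN = ".".join([_b64url({"alg": "HS256", "typ": "JWT"}), _b64url({"sub": "1"}), "sig"])
RS256_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT", "kid": "k1"}), _b64url({"sub": "1"}), "sig"])


def jwt_alg(token: str) -> str:
    """Read 'alg' from a JWT header. No verification is done; this is a
    diagnostic so a rejection can be explained before the token is sent."""
    header = token.split(".")[0]
    header += "=" * (-len(header) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(header)).get("alg", "")


def accepted_by_superset_api(token: str) -> bool:
    """Superset's API bearer auth allows only HS256 tokens it issued itself."""
    return jwt_alg(token) == "HS256"


def superset_login(base_url: str, username: str, password: str, provider: str = "db") -> str:
    """Obtain a Superset-issued access token via /api/v1/security/login.
    Field names follow Flask-AppBuilder's security API (assumption)."""
    body = json.dumps({"username": username, "password": password,
                       "provider": provider, "refresh": True}).encode()
    req = urllib.request.Request(f"{base_url}/api/v1/security/login", data=body,
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def fetch_csrf_token(base_url: str, access_token: str) -> str:
    """Call /api/v1/security/csrf_token/ with the Superset-issued bearer token."""
    req = urllib.request.Request(f"{base_url}/api/v1/security/csrf_token/",
                                 headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["result"]


if __name__ == "__main__":
    print(jwt_alg(RS256_TOKEN), accepted_by_superset_api(RS256_TOKEN))  # prints "RS256 False"
    # Placeholders: replace with a real Superset URL and a "db" user's credentials.
    # token = superset_login("http://localhost:8088", "api_user", "PLACEHOLDER")
    # print(fetch_csrf_token("http://localhost:8088", token))
```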
