GitHub user dosubot[bot] added a comment to the discussion: Title: OAuth/OIDC Access Token (RS256) Rejected by /api/v1/security/csrf_token/ with "The specified alg value is not allowed"

Superset has two separate authentication flows: the UI login flow supports 
OAuth/OIDC providers and accepts RS256 tokens (like those from Zitadel), but 
API endpoints—including `/api/v1/security/csrf_token`—only recognize 
HS256-signed JWTs issued by Superset itself. This is enforced by the API 
authentication logic, which does not validate or accept external OAuth tokens 
for Bearer authentication. As a result, OAuth tokens work for human (UI) login 
but are rejected by the API because only Superset-native HS256 tokens are 
allowed for API access [see code 
reference](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/api.py).



GitHub link: https://github.com/apache/superset/discussions/35281#discussioncomment-14552116
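As an added illustration (not Superset's own code), the algorithm allowlist behind that error, reduced to a self-contained verifier: a token whose header says RS256 is refused before any signature work happens, while an HS256 token signed with the server's own key passes. The allowlist, the placeholder key, and both sample tokens are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example: the API trusts only tokens Superset minted itself,
# so the allowlist holds one symmetric algorithm and the key is a placeholder.
ALLOWED_ALGS = {"HS256"}
SECRET_KEY = b"constructed-placeholder-secret"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_hs256(claims: dict, key: bytes = SECRET_KEY) -> str:
    """Sign a compact JWT with HMAC-SHA256, the way a Superset-native token is."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def check_api_token(token: str, key: bytes = SECRET_KEY) -> tuple:
    """Validate a Bearer token the way an HS256-only API does and return
    (accepted, reason). The alg allowlist is checked before the signature,
    so an externally issued RS256 token is rejected without any key lookup."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") not in ALLOWED_ALGS:
        return False, "The specified alg value is not allowed"
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak signature bytes.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False, "signature verification failed"
    return True, "accepted"

# Constructed tokens: a Superset-style HS256 token and an RS256-headed token such
# as an OIDC provider would issue (its signature bytes are a dummy placeholder).
NATIVE_TOKEN = mint_hs256({"sub": "1", "type": "access"})
IDP_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed-kid"}).encode()),
    b64url_encode(json.dumps({"sub": "user@example.com"}).encode()),
    b64url_encode(b"dummy-rsa-signature"),
])
```

Because the alg check runs first, the RS256 token is refused even though its signature is never inspected, which is exactly the symptom reported in the discussion title.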
