GitHub user dosubot[bot] added a comment to the discussion: How to enable SSO login in Superset using Keycloak access token?
Hi @goliudaykumar! I'm [Dosu](https://go.dosu.dev/dosubot) and I'm helping the superset team.

Superset does not natively support logging in directly with a Keycloak access token (JWT) passed from your frontend. Instead, the recommended approach is to configure Superset as an OAuth2/OpenID Connect (OIDC) client with Keycloak. This way, when users access Superset, they are redirected to Keycloak for authentication, and Superset receives the necessary tokens to create a user session—no double login required if the user already has a Keycloak session. For Keycloak, you can use either the Authlib-based OAuth2 integration or, if you run into compatibility issues, the Flask-OIDC integration. Both approaches require configuring Superset to use Keycloak as the authentication provider and setting up a custom security manager if you need advanced behavior or user info mapping. You can find a detailed example of the Flask-OIDC approach (including a custom security manager and required config files) in the [official Superset documentation](https://github.com/apache/superset/blob/master/docs/docs/configuration/configuring-superset.mdx#keycloak-specific-configuration-using-flask-oidc) and [this pull request](https://github.com/apache/superset/pull/30237). This setup allows Superset to validate the Keycloak-issued tokens and create user sessions automatically during the OAuth2/OIDC flow, but not from a token passed directly from your frontend. If you want to implement a custom flow where a token in the URL logs the user in, you would need to write a custom security manager and login view, as shown in [this discussion](https://github.com/apache/superset/discussions/32038), but this is not standard and requires extra care for security. Best practice is to use the standard OAuth2/OIDC redirect flow for SSO.
Make sure your Superset instance is configured to use Keycloak as an OIDC provider, and users will get seamless SSO as long as they are already authenticated with Keycloak.

*To reply, just mention [@dosu](https://go.dosu.dev/dosubot).*

GitHub link: https://github.com/apache/superset/discussions/36203#discussioncomment-15024802
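As an added example (not code from the discussion or the Superset project), a `superset_config.py` excerpt for the Authlib-based redirect flow the comment recommends, with the user info mapping done in a custom security manager. The issuer URL, client id and secret, and the `superset_admin`/`superset_analyst` realm role names are placeholders, and it assumes Keycloak's realm roles mapper is configured to include `realm_access` in the userinfo response.

```python
# superset_config.py (excerpt): Superset as an OIDC client of Keycloak via FAB's Authlib OAuth2.
try:
    from flask_appbuilder.security.manager import AUTH_OAUTH
    from superset.security import SupersetSecurityManager
except ImportError:  # only so the mapping below can be exercised outside a Superset install
    AUTH_OAUTH, SupersetSecurityManager = 4, object

KEYCLOAK_ISSUER = "https://keycloak.example.com/realms/superset"  # placeholder realm URL
AUTH_TYPE = AUTH_OAUTH
AUTH_USER_REGISTRATION = True          # create the Superset user on first SSO login
AUTH_USER_REGISTRATION_ROLE = "Gamma"  # least-privilege default role
AUTH_ROLES_SYNC_AT_LOGIN = True        # re-derive roles from Keycloak at every login
AUTH_ROLES_MAPPING = {                 # Keycloak realm role -> Superset role(s); placeholders
    "superset_admin": ["Admin"],
    "superset_analyst": ["Alpha"],
}

OAUTH_PROVIDERS = [{
    "name": "keycloak",
    "token_key": "access_token",
    "remote_app": {
        "client_id": "superset",
        "client_secret": "replace-with-the-keycloak-client-secret",
        "client_kwargs": {"scope": "openid email profile"},
        "server_metadata_url": f"{KEYCLOAK_ISSUER}/.well-known/openid-configuration",
        "api_base_url": f"{KEYCLOAK_ISSUER}/protocol/openid-connect/",
    },
}]


def keycloak_claims_to_user_info(claims: dict) -> dict:
    """Map Keycloak userinfo claims to the dict FAB expects from oauth_user_info."""
    realm_roles = claims.get("realm_access", {}).get("roles", [])
    return {
        "username": claims["preferred_username"],
        "email": claims.get("email", ""),
        "first_name": claims.get("given_name", ""),
        "last_name": claims.get("family_name", ""),
        "role_keys": realm_roles,  # FAB resolves these through AUTH_ROLES_MAPPING
    }


class KeycloakSecurityManager(SupersetSecurityManager):
    def oauth_user_info(self, provider, response=None):
        if provider != "keycloak":
            return {}
        # userinfo is fetched server-side with the token Superset itself obtained in the
        # redirect flow, never from a token handed over by the frontend
        me = self.appbuilder.sm.oauth_remotes[provider].get("userinfo").json()
        return keycloak_claims_to_user_info(me)


CUSTOM_SECURITY_MANAGER = KeycloakSecurityManager
```

Unmapped realm roles (e.g. Keycloak's default `offline_access`) grant nothing in Superset, so users with no mapped role land on the registration role only.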
