GitHub user dosubot[bot] added a comment to the discussion: Using Keycloak as 
identity provider without role mappings (manage roles inside superset - like 
google oauth2)

Yes, you can use Keycloak as an identity provider for authentication only and 
manage all roles inside Superset, just like with Google OAuth2. This is a 
supported and common setup in Superset—role mapping from Keycloak is optional, 
and you can assign and manage roles entirely within Superset if you prefer 
[source](https://github.com/apache/superset/blob/master/docs/docs/configuration/configuring-superset.mdx#L298-L510).

**How to configure:**

1. In your `superset_config.py`, set:
   ```python
   AUTH_USER_REGISTRATION = True
   AUTH_USER_REGISTRATION_ROLE = "Gamma"  # or "Admin" or any role you want as default
   AUTH_ROLES_SYNC_AT_LOGIN = False  # prevents roles from being reset on login
   ```
2. Make sure your custom security manager (e.g., `CustomSsoSecurityManager` or 
`OIDCSecurityManager`) is correctly registered via `CUSTOM_SECURITY_MANAGER` 
and that its `oauth_user_info` method extracts at least `username`, `email`, 
and `id` from the Keycloak userinfo endpoint 
[source](https://github.com/apache/superset/discussions/34659).

   Example:
   ```python
   from superset.security import SupersetSecurityManager


   class CustomSsoSecurityManager(SupersetSecurityManager):
       def oauth_user_info(self, provider, response=None):
           if provider == "keycloak":
               # Query the userinfo endpoint, relative to the provider's api_base_url
               me = self.appbuilder.sm.oauth_remotes[provider].get("openid-connect/userinfo").json()
               # Flask-AppBuilder needs at least username, email and id to register the user
               return {
                   "username": me.get("preferred_username"),
                   "email": me.get("email"),
                   "first_name": me.get("given_name", ""),
                   "last_name": me.get("family_name", ""),
                   "id": me.get("sub"),
               }
   ```

3. Do **not** set `AUTH_ROLES_MAPPING` if you want to manage roles only inside 
Superset.

**Why you see "You are not authorized":**
- This usually means the user is authenticated but does not have a valid role 
in Superset. It can happen if user registration is not enabled, the default 
role does not have sufficient permissions, or the user info extraction is 
incomplete (missing username/email/id) 
[source](https://github.com/apache/superset/issues/32287).
- If you manually assign a role in the Superset UI or DB, make sure 
`AUTH_ROLES_SYNC_AT_LOGIN` is `False`, or Superset will overwrite your changes 
on each login [source](https://github.com/apache/superset/issues/32279).

**Troubleshooting:**
- After logging in with Keycloak, check the Superset user list to confirm the 
user is created and has the expected role.
- If the user is not created, double-check your `oauth_user_info` method and 
Keycloak client configuration (redirect URIs, client secret, etc.).
- If you see redirect loops or "request to sign in was denied", check your 
Keycloak client settings and network connectivity (especially if running in 
Docker) [source](https://github.com/apache/superset/issues/32287).

**References and examples:**
- [Superset Keycloak OIDC config 
example](https://github.com/apache/superset/blob/master/docs/docs/configuration/configuring-superset.mdx#keycloak-specific-configuration-using-flask-oidc)
- [Discussion: Keycloak SSO and role 
management](https://github.com/apache/superset/discussions/34659)
- [Troubleshooting Keycloak OAuth 
login](https://github.com/apache/superset/issues/32287)

Let me know if you want a full working example for your `superset_config.py` or 
custom security manager!



GitHub link: 
https://github.com/apache/superset/discussions/36242#discussioncomment-15065112
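An added example (not code from the comment above, from Superset or from Flask-AppBuilder) that isolates the two points the comment makes: the claim extraction an `oauth_user_info` method performs, here with a hard failure when `username`, `email` or `id` cannot be recovered, and a simplified model of who owns a user's roles depending on `AUTH_ROLES_SYNC_AT_LOGIN`. The function names, the `MissingClaimError` class and the sample userinfo payload are assumptions constructed for this example; it runs without Superset installed.

```python
from __future__ import annotations

# Keycloak userinfo claim -> key of the dict Flask-AppBuilder's
# auth_user_oauth() expects back from oauth_user_info().
REQUIRED_CLAIMS = {"username": "preferred_username", "email": "email", "id": "sub"}
OPTIONAL_CLAIMS = {"first_name": "given_name", "last_name": "family_name"}


class MissingClaimError(ValueError):
    """Raised when the userinfo payload cannot yield username, email and id."""


def keycloak_user_info(me: dict) -> dict:
    """Map a Keycloak userinfo JSON payload to the user dict Superset needs.

    Fails loudly on missing required claims instead of returning a partial
    dict: a user registered without username/email/id is one way to end up
    with "You are not authorized" right after a successful Keycloak login.
    """
    missing = [claim for claim in REQUIRED_CLAIMS.values() if not me.get(claim)]
    if missing:
        raise MissingClaimError(f"Keycloak userinfo is missing claims: {missing}")
    info = {key: me[claim] for key, claim in REQUIRED_CLAIMS.items()}
    info.update({key: me.get(claim, "") for key, claim in OPTIONAL_CLAIMS.items()})
    # No "role_keys" on purpose: without AUTH_ROLES_MAPPING, the role comes from
    # AUTH_USER_REGISTRATION_ROLE at first login and from Superset afterwards.
    return info


def roles_after_login(current_roles: list[str] | None, sync_at_login: bool,
                      registration_role: str) -> list[str]:
    """Simplified model (assumption, not Flask-AppBuilder's code) of the role
    outcome of one login. current_roles is None on a first login."""
    if current_roles is None:          # first login: user gets the default role
        return [registration_role]
    if sync_at_login:                  # roles recomputed from the IdP on login;
        return [registration_role]     # with no mapping that is just the default
    return list(current_roles)         # roles assigned inside Superset survive


# Constructed sample payload, not captured from a real Keycloak instance.
SAMPLE_USERINFO = {
    "sub": "7c1d2f3e-0000-4000-8000-000000000001",
    "preferred_username": "jdoe",
    "email": "jdoe@example.com",
    "given_name": "Jane",
    "family_name": "Doe",
}
```

Call `keycloak_user_info(me)` from your `oauth_user_info` method after fetching `me` from the userinfo endpoint; a missing `preferred_username` or `email` then surfaces as a login error instead of a half-registered user.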
