GitHub user dosubot[bot] added a comment to the discussion: Azure SSO
<!-- Greeting --> Hi @KodakMaciel! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the superset team. <!-- Answer --> The "upstream timed out" error during Azure SSO in Superset is usually caused by a network or configuration issue during the OAuth callback. Here’s how to troubleshoot and resolve it: 1. **Check network connectivity**: Make sure nginx can reach Superset at http://127.0.0.1:8080, and that Superset can access Azure endpoints (login.microsoftonline.com and graph.microsoft.com). Any firewall or DNS issue can cause timeouts. 2. **Review Superset logs**: Look for errors or stack traces in the Superset logs at the time of the timeout. This can reveal if the problem is with the token exchange, user info retrieval, or something else. 3. **Validate Azure app registration**: The redirect URI in Azure must match exactly what Superset uses (including protocol, domain, and path, e.g., `https://your-domain/oauth-authorized/azure`). Mismatches can cause the OAuth flow to hang or fail [example](https://github.com/apache/superset/discussions/34542). 4. **Proxy headers and ENABLE_PROXY_FIX**: You already have `ENABLE_PROXY_FIX = True`, which is correct. Ensure nginx forwards `X-Forwarded-Proto` and `Host` headers so Superset generates the correct redirect URIs. 5. **OAuth scopes and group claims**: Your scopes should include `openid email profile User.Read GroupMember.Read.All upn` to ensure Azure returns all necessary user and group info for role mapping [example](https://github.com/apache/superset/discussions/34608). Missing scopes or group claims can cause the callback to hang while waiting for a response. 6. **Test endpoint directly**: From the Superset host, try accessing the Azure endpoints (e.g., with `curl`) to confirm there’s no outbound network block. 7. **Custom security manager**: If your `oauth_user_info` method makes a slow or blocked request (like to `https://graph.microsoft.com/v1.0/me`), it can cause the timeout. Add logging/timing to this method to see if it’s the bottleneck. If you follow these steps, you should be able to pinpoint whether the timeout is due to network, configuration, or code. Most commonly, it’s a network/firewall issue or a misconfigured redirect URI or scope [reference](https://github.com/apache/superset/discussions/34542). <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/a2bad883-db76-4fe6-8978-e2c7dde36f78?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/a2bad883-db76-4fe6-8978-e2c7dde36f78?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/a2bad883-db76-4fe6-8978-e2c7dde36f78?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/a2bad883-db76-4fe6-8978-e2c7dde36f78?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/a2bad883-db76-4fe6-8978-e2c7dde36f78?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/a2bad883-db76-4fe6-8978-e2c7dde36f78?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/a2bad883-db76-4fe6-8978-e2c7dde36f78?feedback_type=other)</sup> [](https://app.dosu.dev/a28d3c7e-a9d3-459e-9fb6-3a6f9ff4f357/ask?utm_source=github) [](https://cursor.com/link/prompt?text=The%20%22upstream%20timed%20out%22%20error%20during%20Azure%20SSO%20in%20Superset%20is%20usually%20caused%20by%20a%20network%20or%20configuration%20issue%20during%20the%20OAuth%20callback.%20Here%E2%80%99s%20how%20to%20troubleshoot%20and%20resolve%20it%3A%0A%0A1.%20%2A%2ACheck%20network%20connectivity%2A%2A%3A%20Make%20sure%20nginx%20can%20reach%20Superset%20at%20http%3A//127.0.0.1%3A8080%2C%20and%20that%20Superset%20can%20access%20Azure%20endpoints%20%28login.microsoftonline.com%20and%20graph.microsoft.com%29.%20Any%20firewall%20or%20DNS%20issue%20can%20cause%20timeouts.%0A%0A2.%20%2A%2AReview%20Superset%20logs%2A%2A%3A%20Look%20for%20errors%20or%20stack%20traces%20in%20the%20Superset%20logs%20at%20the%20time%20of%20the%20timeout.%20This%20can%20reve al%20if%20the%20problem%20is%20with%20the%20token%20exchange%2C%20user%20info%20retrieval%2C%20or%20something%20else.%0A%0A3.%20%2A%2AValidate%20Azure%20app%20registration%2A%2A%3A%20The%20redirect%20URI%20in%20Azure%20must%20match%20exactly%20what%20Superset%20uses%20%28including%20protocol%2C%20domain%2C%20and%20path%2C%20e.g.%2C%20%60https%3A//your-domain/oauth-authorized/azure%60%29.%20Mismatches%20can%20cause%20the%20OAuth%20flow%20to%20hang%20or%20fail%C2%A0%5Bexample%5D%28https%3A//github.com/apache/superset/discussions/34542%29.%0A%0A4.%20%2A%2AProxy%20headers%20and%20ENABLE_PROXY_FIX%2A%2A%3A%20You%20already%20have%20%60ENABLE_PROXY_FIX%20%3D%20True%60%2C%20which%20is%20correct.%20Ensure%20nginx%20forwards%20%60X-Forwarded-Proto%60%20and%20%60Host%60%20headers%20so%20Superset%20generates%20the%20correct%20redirect%20URIs.%0A%0A5.%20%2A%2AOAuth%20scopes%20and%20group%20claims%2A%2A%3A%20Your%20scopes%20should%20include%20%60openid%20email%20profile%20User.Read%20GroupMember. Read.All%20upn%60%20to%20ensure%20Azure%20returns%20all%20necessary%20user%20and%20group%20info%20for%20role%20mapping%C2%A0%5Bexample%5D%28https%3A//github.com/apache/superset/discussions/34608%29.%20Missing%20scopes%20or%20group%20claims%20can%20cause%20the%20callback%20to%20hang%20while%20waiting%20for%20a%20response.%0A%0A6.%20%2A%2ATest%20endpoint%20directly%2A%2A%3A%20From%20the%20Superset%20host%2C%20try%20accessing%20the%20Azure%20endpoints%20%28e.g.%2C%20with%20%60curl%60%29%20to%20confirm%20there%E2%80%99s%20no%20outbound%20network%20block.%0A%0A7.%20%2A%2ACustom%20security%20manager%2A%2A%3A%20If%20your%20%60oauth_user_info%60%20method%20makes%20a%20slow%20or%20blocked%20request%20%28like%20to%20%60https%3A//graph.microsoft.com/v1.0/me%60%29%2C%20it%20can%20cause%20the%20timeout.%20Add%20logging/timing%20to%20this%20method%20to%20see%20if%20it%E2%80%99s%20the%20bottleneck.%0A%0AIf%20you%20follow%20these%20steps%2C%20you%20should%20be%20able%20to%20pinpoint%20whether%20the %20timeout%20is%20due%20to%20network%2C%20configuration%2C%20or%20code.%20Most%20commonly%2C%20it%E2%80%99s%20a%20network/firewall%20issue%20or%20a%20misconfigured%20redirect%20URI%20or%20scope%C2%A0%5Breference%5D%28https%3A//github.com/apache/superset/discussions/34542%29.) [](https://go.dosu.dev/discord-bot) [](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/apache/superset/discussions/36870) GitHub link: https://github.com/apache/superset/discussions/36870#discussioncomment-15375773 ---- This is an automatically sent email for [email protected]. To unsubscribe, please send an email to: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
