GitHub user dosubot[bot] added a comment to the discussion: How to customize authentication in version 6
<!-- Answer --> Excellent, I'm glad we got it working! Thanks for sharing your final solution - this will be helpful for others hitting the same issue. Your approach of using `FLASK_APP_MUTATOR` with `before_request` and accessing the security manager directly via `app.appbuilder.sm` (instead of through the LocalProxy) is the key insight that avoids the session/context issues we were hitting with `request_loader`. I agree that this workaround should be documented. The AUTH_REMOTE_USER authentication flow changed significantly in v6 due to the Flask-AppBuilder 5.x upgrade, and the previous patterns (overriding `authremoteuserview` or `request_loader`) no longer work reliably. There are [open issues tracking these regressions](https://github.com/apache/superset/issues/36117), so hopefully the maintainers can address this more cleanly in a future release. For anyone else finding this thread, the key points are: 1. Don't override `authremoteuserview` or `request_loader` in Superset 6 2. Use `FLASK_APP_MUTATOR` to register a `before_request` handler 3. Access the security manager via `app.appbuilder.sm`, not `self` or the LocalProxy 4. Use `sm.session` (not `db.session` or `get_session`) for database operations 5. Call `sm.session.commit()` explicitly after `add_user()` Thanks for persisting through the debugging - your working example will help others migrating to v6! <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/4f40e873-b861-496f-ae50-927aa3b74f47?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/4f40e873-b861-496f-ae50-927aa3b74f47?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/4f40e873-b861-496f-ae50-927aa3b74f47?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/4f40e873-b861-496f-ae50-927aa3b74f47?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/4f40e873-b861-496f-ae50-927aa3b74f47?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/4f40e873-b861-496f-ae50-927aa3b74f47?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/4f40e873-b861-496f-ae50-927aa3b74f47?feedback_type=other)</sup> [](https://app.dosu.dev/a28d3c7e-a9d3-459e-9fb6-3a6f9ff4f357/ask?utm_source=github) [](https://cursor.com/link/prompt?text=Excellent%2C%20I%27m%20glad%20we%20got%20it%20working%21%20Thanks%20for%20sharing%20your%20final%20solution%20-%20this%20will%20be%20helpful%20for%20others%20hitting%20the%20same%20issue.%0A%0AYour%20approach%20of%20using%20%60FLASK_APP_MUTATOR%60%20with%20%60before_request%60%20and%20accessing%20the%20security%20manager%20directly%20via%20%60app.appbuilder.sm%60%20%28instead%20of%20through%20the%20LocalProxy%29%20is%20the%20key%20insight%20that%20avoids%20the%20session/context%20issues%20we%20were%20hitting%20with%20%60request_loader%60.%0A%0AI%20agree%20that%20this%20workaround%20should%20be%20documented.%20The%20AUTH_REMOTE_USER%20authentication%20flow%20changed%20significantly%20in%20v6%20due%20to%20the%20Flask-AppBuilder%205.x%20upgrade%2C%20and% 20the%20previous%20patterns%20%28overriding%20%60authremoteuserview%60%20or%20%60request_loader%60%29%20no%20longer%20work%20reliably.%20There%20are%20%5Bopen%20issues%20tracking%20these%20regressions%5D%28https%3A//github.com/apache/superset/issues/36117%29%2C%20so%20hopefully%20the%20maintainers%20can%20address%20this%20more%20cleanly%20in%20a%20future%20release.%0A%0AFor%20anyone%20else%20finding%20this%20thread%2C%20the%20key%20points%20are%3A%0A1.%20Don%27t%20override%20%60authremoteuserview%60%20or%20%60request_loader%60%20in%20Superset%206%0A2.%20Use%20%60FLASK_APP_MUTATOR%60%20to%20register%20a%20%60before_request%60%20handler%0A3.%20Access%20the%20security%20manager%20via%20%60app.appbuilder.sm%60%2C%20not%20%60self%60%20or%20the%20LocalProxy%0A4.%20Use%20%60sm.session%60%20%28not%20%60db.session%60%20or%20%60get_session%60%29%20for%20database%20operations%0A5.%20Call%20%60sm.session.commit%28%29%60%20explicitly%20after%20%60add_user%28%29%60%0A%0AThanks%20for%20persisting% 20through%20the%20debugging%20-%20your%20working%20example%20will%20help%20others%20migrating%20to%20v6%21) [](https://go.dosu.dev/discord-bot) [](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/apache/superset/discussions/38199) GitHub link: https://github.com/apache/superset/discussions/38199#discussioncomment-15905334 ---- This is an automatically sent email for [email protected]. To unsubscribe, please send an email to: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
