aurokk opened a new pull request, #38469:
URL: https://github.com/apache/superset/pull/38469
### SUMMARY
When a user logs into Superset via OAuth, Superset already holds a valid
access token. Previously, connecting to a database that also requires OAuth
(e.g. Trino with impersonation) would trigger a second OAuth flow — forcing the
user to authenticate twice against the same provider.
This PR captures the upstream OAuth token at login time and reuses it for
database connections configured to accept it.
**How it works:**
- On login, `auth_user_oauth()` reads the full token from the FAB session
and saves it (encrypted) to a new `upstream_oauth_tokens` table.
- At query time, `Database._get_sqla_engine()` checks
`DATABASE_OAUTH2_UPSTREAM_PROVIDERS`. If the database is listed, it fetches the
stored token
(refreshing if expired) and passes it to `impersonate_user()`.
**Configuration (opt-in per database name):**
\```python
OAUTH_PROVIDERS = [{"name": "keycloak", "save_token": True, ...}]
DATABASE_OAUTH2_UPSTREAM_PROVIDERS = {"trino_prod": "keycloak"}
\```
### TESTING INSTRUCTIONS
1. Configure an OAuth provider and a database with token-based
impersonation:
\```python
OAUTH_PROVIDERS = [{"name": "keycloak", "save_token": True, ...}]
DATABASE_OAUTH2_UPSTREAM_PROVIDERS = {"trino_prod": "keycloak"}
\```
2. Log in via OAuth — token is silently saved to `upstream_oauth_tokens`.
3. Run a query against the configured database — should execute as the
logged-in user without a second OAuth redirect.
4. Let the access token expire; the next query should transparently
refresh it.
5. Run unit tests: `pytest tests/unit_tests/utils/oauth2_tests.py`
### ADDITIONAL INFORMATION
- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [x] Includes DB Migration (follow approval process in
[SIP-59](https://github.com/apache/superset/issues/13351))
- [x] Migration is atomic, supports rollback & is backwards-compatible
- [x] Confirm DB migration upgrade and downgrade tested
- [ ] Runtime estimates and downtime expectations provided
- [x] Introduces new feature or API
- [ ] Removes existing feature or API
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
