how to configure superset with keycloak

[ouadhi]

I am trying to add keycloak authentication any recommendation

[srinify]

Hi @ouadhi there aren't any templates off-hand for this in the Superset documentation (superset.apache.org/docs) but this StackOverflow answer might be helpful:

https://stackoverflow.com/a/47787279/963203

If you end up getting it working, we'd love to see you contribute the recipe to the documentation!

[ouadhi]

hi @srinify , it works perfectly now ,
first , i add flask-oidc==1.3.0 in requirement.test
in docker/pythonpath_dev create file kyecloack_securtiy_manager.py and add this code

rom flask_appbuilder.security.manager import AUTH_OID
from superset.security import SupersetSecurityManager
from flask_oidc import OpenIDConnect
from flask_appbuilder.security.views import AuthOIDView
from flask_login import login_user
from urllib.parse import quote
from flask_appbuilder.views import ModelView, SimpleFormView, expose
import logging

class OIDCSecurityManager(SupersetSecurityManager):

    def __init__(self, appbuilder):
        super(OIDCSecurityManager, self).__init__(appbuilder)
        if self.auth_type == AUTH_OID:
            self.oid = OpenIDConnect(self.appbuilder.get_app)
        self.authoidview = AuthOIDCView

class AuthOIDCView(AuthOIDView):

    @expose('/login/', methods=['GET', 'POST'])
    def login(self, flag=True):
        sm = self.appbuilder.sm
        oidc = sm.oid

        @self.appbuilder.sm.oid.require_login
        def handle_login():
            user = sm.auth_user_oid(oidc.user_getfield('email'))

            if user is None:
                info = oidc.user_getinfo(['preferred_username', 'given_name', 'family_name', 'email'])
                user = sm.add_user(info.get('preferred_username'), info.get('given_name'), info.get('family_name'),
                                   info.get('email'), sm.find_role('Gamma'))

            login_user(user, remember=False)
            return redirect(self.appbuilder.get_url_for_index)

        return handle_login()

    @expose('/logout/', methods=['GET', 'POST'])
    def logout(self):
        oidc = self.appbuilder.sm.oid

        oidc.logout()
        super(AuthOIDCView, self).logout()
        redirect_url = request.url_root.strip('/') + self.appbuilder.get_url_for_login

        return redirect(
            oidc.client_secrets.get('issuer') + '/protocol/openid-connect/logout?redirect_uri=' + quote(redirect_url))

create another json file "client_secret.json" contains keycloack configuration

{
    "web": {
        "issuer": "http://keyclaokdomain/auth/realms/<realmName>",
        "auth_uri": "http://keyclaokdomain/auth/realms/<realmName>/protocol/openid-connect/auth",
        "client_id": "<ClientID>",
        "client_secret": "<Client Secret>",
        "redirect_uris": [
            "http://domaineApp/*"
        ],
        "userinfo_uri": "http://keyclaokdomain/auth/realms/<realmName>/protocol/openid-connect/userinfo",
        "token_uri": "http://keyclaokdomain/auth/realms/<realmName>/protocol/openid-connect/token",
        "token_introspection_uri": "http://keyclaokdomain/auth/realms/<realmName>/protocol/openid-connect/token/introspect"
    }
}

finally in superset_config.py add lines

from kyecloack_securtiy_manager  import  OIDCSecurityManager
from flask_appbuilder.security.manager import AUTH_OID, AUTH_REMOTE_USER, AUTH_DB, AUTH_LDAP, AUTH_OAUTH
import os
'''
---------------------------KEYCLOACK ----------------------------
'''
curr  =  os.path.abspath(os.getcwd())
AUTH_TYPE = AUTH_OID
SECRET_KEY: 'SomethingNotEntirelySecret'
OIDC_CLIENT_SECRETS =  curr + '/pythonpath/client_secret.json'
OIDC_ID_TOKEN_COOKIE_SECURE = False
OIDC_REQUIRE_VERIFIED_EMAIL = False
OIDC_OPENID_REALM: 'realm1'
OIDC_INTROSPECTION_AUTH_METHOD: 'client_secret_post'
CUSTOM_SECURITY_MANAGER = OIDCSecurityManager
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = 'Gamma'
'''
--------------------------------------------------------------
'''

[aidatabases]

In superset_config.py

This works: OIDC_CLIENT_SECRETS = curr + '/docker/pythonpath_dev/client_secret.json'

instead of: OIDC_CLIENT_SECRETS = curr + '/pythonpath/client_secret.json'

--
Btw thanks, it really helped my use case

[rahul149386]

@ouadhi, @aidatabases @cemremengu I followed your comments, made the changes accordingly.
but when I visit the http://:8088/login it is redirecting me to keycloack for openId auth. When we give credentials in keycloak page. noticing keycloak able send to superset oidc_callback with GET/oidc_callback?state=XXXXX. Keycloak and superset installed on same DNS.

But I'm getting below error. Anyone kindly help me to resolve this

[saatvikrk]

After the code change I am able to see the keycloak login screen

After providing the credentials I am seeing the below error

Any help would be greatly appreciated.

[saatvikrk]

@ouadhi, @aidatabases @cemremengu I followed your comments, made the changes accordingly. but when I visit the http://:8088/login it is redirecting me to keycloack for openId auth. When we give credentials in keycloak page. noticing keycloak able send to superset oidc_callback with GET/oidc_callback?state=XXXXX. Keycloak and superset installed on same DNS.

But I'm getting below error. Anyone kindly help me to resolve this

@rahul, are you able to fix the connectivity issue you mentioned acove ?

[saatvikrk]

After the code change I am able to see the keycloak login screen

After providing the credentials I am seeing the below error

Any help would be greatly appreciated.

My keycloak is running outside of docker and superset is running inside docker container , so when keycloak redirect to superset after authentication I am still calling the localhost rather than calling container ip running in the docker.

[Synarcs]

@ouadhi I followed the same but when I visit the http://:8088/login it is not redirecting me to keycloack for openId auth rather its appending URL like http://:8088/login/<keycloak_domain>:8080/. are there any specific config needed n keyclaok because the oidc callback url is not redirecting to superset home page.
I am using jboss/keycloak latest docker image
Docker based superset version 1.1.0
Please can someone help regarding this issue

[ouadhi]

hi @vedangparasnis maybe is less configuration in your keycloak and i think it is necessary when you use Docker add host configuration in docker run

[Synarcs]

@ouadhi i tried used a barebone keycloak setup using standalone.sh -b 0.0.0.0 and my keycloak started on host ip of instance. My Superset is running on a different instance with default docker-compose-non-dev.yml in superset.
But When i hit http://:8088/
It did append the same thing like
http://10.234.55.136:8088/10.234.57.13:8080/auth/realms/realm1/protocol/openid-connect/auth?client_id=sys&redirect_uri=http%3A%2F%2F10.234.55.136%3A8088%2Foidc_callback&scope=openid+email&access_type=offline&response_type=code&state=eyJjc3JmX3Rva2VuIjogInhGbU0zSzJwWkJtQ0p5SXRzZXFhamxVejlnNTFjZk5xIiwgImRlc3RpbmF0aW9uIjogImV5SmhiR2NpT2lKSVV6VXhNaUo5LkltaDBkSEE2THk4eE1DNHlNelF1TlRVdU1UTTJPamd3T0RndmJHOW5hVzR2SWcuNnAwdGlUWS1mVW1ZN281Z1F3WWxXdm1hVVFZQkw3Sl9HVjFCdGNnbm5IYnM4THI1bWk1SjJ0SmF5ZWV3dDVuQTJNY1pCcHY5UEUxVG5RTG9fLXg5NVEifQ%3D%3D

10.234.55.136 --> Superset Instance Ip
10.234.57.13 --> Keycloak IP

[rahul149386]

@vedangparasnis did you resolve your issue.If yes, let me know

[wiktor2200]

Hi! Is there anyone here who have tried pass: "client_secret": "<Client Secret>", using Vault by HashiCorp?
I'm facing some problems, I've added annotations for pods and vault should be accessible. Nevertheless I'm getting unauthorized error:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1950, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1936, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/app/superset_home/.local/lib/python3.8/site-packages/flask_oidc/__init__.py", line 650, in _oidc_callback
    credentials = flow.step2_exchange(code)
  File "/app/superset_home/.local/lib/python3.8/site-packages/oauth2client/_helpers.py", line 133, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/app/superset_home/.local/lib/python3.8/site-packages/oauth2client/client.py", line 2089, in step2_exchange
    raise FlowExchangeError(error_msg)
oauth2client.client.FlowExchangeError: unauthorized_clientInvalid client secret

The whole flow of keycloak works well, I've tried to add client_secret with plain text and it works.

[nathanielread]

I may have done something wrong, but to get around an error:

ModuleNotFoundError: No module named 'flask_oidc'

I added this line:

pip install flask-oidc==1.3.0

in the docker-bootstrap.sh file about here:
https://github.com/apache/superset/blob/master/docker/docker-bootstrap.sh#L36

To check it is running, add an echo before it like:

echo "Installing flask_oidc"

Hope that helps someone else.

Or if someone can tell me why I don't need to do that and should instead do another thing, please let me know.

Otherwise, I'm able to login with keycloak and it adds my user from the login.

[wiktor2200]

Hi! In post: #13915 (comment)
It was mentioned in second line:

first , i add flask-oidc==1.3.0 in requirement.test

flask-oidc is needed to OIDC in general and as it is module you have to attach it only when needed :)

When using helm-chart you can place it there: https://github.com/apache/superset/blob/master/helm/superset/values.yaml#L38

[nathanielread]

Thanks, @wiktor2200 .

Where's the correct place when using docker?

[wiktor2200]

I guess in ./docker/requirements-local.txt file.
Here's the manual: https://github.com/apache/superset/tree/master/docker#local-packages

Then the file which you will create is defined here: LINK1 and used in this if clause: LINK2

[marvincorreia]

I managed to solve the integration and Its working like a charm, check the code in github superset-keycloak

[ancogamer]

what exactly you want to configure? exemplary oidc flask appbuilder SecurityManager (which is what SupersetSecurityManager is built on) configuration can be found here: https://github.com/dpgaspar/Flask-AppBuilder/blob/master/examples/oauth/config.py

Hi can you show a example about where this code should go ?

[Hokwang]

@mgorsk1 do you use keycloak group mapping to superset role ? if then, please let me know.

[mgorsk1]

not really @Hokwang, we have default superset role assigned on account creation (first login) and then every user has same role, access to data is achieved through user impersonation.

[mgorsk1]

@ancogamer this code should go to superset_config.py module that is available under PYTHONPATH when running superset

[ancogamer]

@ancogamer this code should go to superset_config.py module that is available under PYTHONPATH when running superset

Thanks :)