I am running superset from a container on a server and I am trying to use GitHub OAuth for user signup/login.
Unfortunately I got it working to the point where I can see the "SIGN IN WITH GITHUB" button. However when I click it, the website populates a label that reads "The request to sign in was denied.".
Looking at the docker logs of the app, I've tracked down the issue to a Flask error:
ERROR:flask_appbuilder.security.views:Error authorizing OAuth access token: redirect_uri_mismatch: The redirect_uri MUST match the registered callback URL for this application.
I'm not sure what I'm doing wrong. I believe it may be because I configured the wrong Authorization Callback URL when creating the OAuth app on GitHub. Does superset have a default Authorization Callback URL that I'm supposed to use? I have mine currently set as https://my-domain.com/oauth-authorized/github.
My other theory is that the custom_sso_security_manager.py
is not configured properly due to me using the default values. If that's the case, could anyone point me in the right direction?
Here is my superset config file:
from flask_appbuilder.security.manager import AUTH_OAUTH
from custom_sso_security_manager import CustomSsoSecurityManager
CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager
AUTH_TYPE = AUTH_OAUTH
OAUTH_PROVIDERS = [
{ 'name':'github',
'token_key':'access_token',
'icon':'fa-github',
'remote_app': {
'client_id':'"#############################',
'client_secret':'##############################',
'client_kwargs':{
'scope':'read'
},
'access_token_method':'POST',
'access_token_params':{
'client_id':'#############################'
},
'access_token_headers':{
'Authorization': 'Basic Base64EncodedClientIdAndSecret'
},
'api_base_url':'https://api.github.com/user',
'access_token_url':'https://github.com/login/oauth/access_token',
'authorize_url':'https://github.com/login/oauth/authorize',
'redirect_uri':'https://my-domain.com/oauth-authorized/github'
}
}
]
# Will allow user self registration, allowing to create Flask users from Authorized User
AUTH_USER_REGISTRATION = True
# The default user self registration role
AUTH_USER_REGISTRATION_ROLE = ["sql_lab","workshop"]
And here is my custom_sso_security_manager.py
:
import logging
from superset.security import SupersetSecurityManager
class CustomSsoSecurityManager(SupersetSecurityManager):
def oauth_user_info(self, provider, response=None):
logging.debug("Oauth2 provider: {0}.".format(provider))
if provider == 'github':
# As example, this line request a GET to base_url + '/' + userDetails with Bearer Authentication,
# and expects that authorization server checks the token, and response with user details
me = self.appbuilder.sm.oauth_remotes[provider].get('userDetails').data
logging.debug("user_data: {0}".format(me))
return { 'name' : me['name'], 'email' : me['email'], 'id' : me['user_name'], 'username' : me['user_name'], 'first_name':me['nickname'], 'last_name':me['nickname']}
You must have resolved your issue since, but I had the same issue so I share the solution.
The error
redirect_uri_mismatch
is caused by Superset not sending the sameredirect_uri
than the one configured in github. You can check in the web browser the realredirect_uri
sent to GitHub and check if it the right one.The parameter
redirect_uri
seems to be ignored by Superset we can omit it. The URL is created dynamically and might be different than expected. For example, if Superset is behind a reverse proxy that terminates the SSL connection, Superset will send ahttp://
URI instead ofhttps://
. By addingENABLE_PROXY_FIX = True
in the configuration, this issue is solved.Here is a working configuration example: