Replies: 5 comments 23 replies
-
|
@gtg472b Curious if you got Superset integrated with Cognito? |
Beta Was this translation helpful? Give feedback.
-
|
@KentonParton @Apurv029 Sorry, I don't keep up with this very often. Did you figure it out? If not, what issue are you having? |
Beta Was this translation helpful? Give feedback.
-
Hey, we were trying to implement the same, if you could tag any links/documentation would be helpful! |
Beta Was this translation helpful? Give feedback.
-
|
@AdityaHegde23 there's a decent amount of documentation on Superset's website, did you already google it? At the time I posted this thread, there wasn't anything about the logout feature. https://superset.apache.org/docs/installation/configuring-superset/ |
Beta Was this translation helpful? Give feedback.
-
As of now, we've edited the superset_config.py and created a custom_sso_security_manager.py and added the required cognito userpool details necessery, from cognito side its working fine, but on the Superset we are still being directed to the superset default login/auth. I'm assuming our mistake is somewhere that custom_sso_security_manager.py is not getting executing and trying to figure out the same. |
Beta Was this translation helpful? Give feedback.
-
|
@AdityaHegde23 add this to the CustomSsoAuthOAuthView class and then it won't take you to the pick-an-sso page. In case it's not clear, this overrides the default flask login endpoint and forces it to use the cognito login |
Beta Was this translation helpful? Give feedback.
-
Can I get token before in CustomSsoAuthOAuthView before logout ?Help me please |
Beta Was this translation helpful? Give feedback.
-
|
Hey, I wanted to see if you can share with me instructions as to how did you integrate superset with Cognito. I’ve been troubleshooting this issue from last 15 days now. I’ll be thankful of any help |
Beta Was this translation helpful? Give feedback.
-
|
@gauravpareekk what have you already tried, and what errors are you getting? This pretty much has all of the info you need for the Superset side of things. You still have to set up Cognito on the AWS website. |
Beta Was this translation helpful? Give feedback.
-
However, with this config I'm seeing error "Platform not supported" |
Beta Was this translation helpful? Give feedback.
-
|
for one, What version of Superset are you using? I'm on 2.0.0rc1 or something around there. And where do you get that "Platform not supported" error? In your logs? In the browser? some more information would make this a whole lot easier to debug. |
Beta Was this translation helpful? Give feedback.
-
|
I'm using actual url like I had removed it due to privacy and I'm seeing Platform not supported in browser |
Beta Was this translation helpful? Give feedback.
-
|
@gtg472b why did you add time.sleep(1) in your custom logout code? |
Beta Was this translation helpful? Give feedback.
-
|
@mdeshmu I don't remember, I think it had something to do with the logout logic taking time for some reason and then the redirect not always working. Did you have issues if you tried it without the sleep? |
Beta Was this translation helpful? Give feedback.
-
|
Hi @gtg472b, thanks for sharing. ➡️ Wondering what you used as the allowed callback url in Cognito? Wanted to use When changing my callback url to Here is my code (very close to what you shared):
from superset.security import SupersetSecurityManager
from flask_appbuilder.security.views import AuthOAuthView
from flask_appbuilder.baseviews import expose
import time
from flask import redirect
import logging
logger = logging.getLogger("CognitoSecurityManager")
class CustomSsoAuthOAuthView(AuthOAuthView):
@expose("/login/")
def login(self, provider="cognito"):
return super().login(provider=provider) #, register = None)
@expose("/logout/")
def logout(self, provider="cognito", register=None):
provider_obj = self.appbuilder.sm.oauth_remotes[provider]
url = ("logout?client_id={}&response_type={}&redirect_uri={}".format(
provider_obj.client_id,
provider_obj.server_metadata.get('response_type'),
provider_obj.server_metadata.get('logout_redirect_uri')
) )
ret = super().logout()
time.sleep(1)
return redirect("{}{}".format( provider_obj.api_base_url, url ) )
class CustomSsoSecurityManager(SupersetSecurityManager):
# override the logout function
authoauthview = CustomSsoAuthOAuthView
def oauth_user_info(self, provider, response=None):
if provider == 'cognito':
res = self.appbuilder.sm.oauth_remotes[provider].get('oauth2/userInfo')
if res.raw.status != 200:
logger.error('Failed to obtain user info: %s', res.data)
return
me = json.loads(res._content)
logger.debug(" user_data: %s", me)
prefix = 'Superset'
return {
# 'username' : me['username'],
# 'name' : me['name'],
'email' : me['email'],
# 'first_name': me['given_name'],
# 'last_name': me['family_name'],
}
COGNITO_URL = "https://qwertyuiop.auth.eu-west-1.amazoncognito.com/"
CLIENT_ID = "1234abcd"
CLIENT_SECRET = "" # I didn't set a secret here
LOGOUT_REDIRECT_URI = "http://localhost:8088/"
OAUTH_PROVIDERS = [{
'name':'cognito',
'token_key': 'access_token',
'icon':'fa-amazon',
'url': COGNITO_URL,
'remote_app': {
'client_id': CLIENT_ID,
'client_secret': CLIENT_SECRET,
'request_token_params': {
'scope': 'email openid profile'
},
# 'response_type': 'token',
'response_type': 'code',
'base_url': os.path.join(COGNITO_URL, 'oauth2/idpresponse'),
'access_token_url': os.path.join(COGNITO_URL, 'oauth2/token'),
'authorize_url': os.path.join(COGNITO_URL, 'oauth2/authorize'),
'access_token_method':'POST',
'request_token_url': None,
'api_base_url': COGNITO_URL,
'logout_url': os.path.join(COGNITO_URL, 'logout'),
'logout_redirect_uri': LOGOUT_REDIRECT_URI
}
}
]
from custom_sso_security_manager import CustomSsoSecurityManager
CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManagerI've also tried without the Any help appreciated. |
Beta Was this translation helpful? Give feedback.
-
|
Wait, we need to have a user in Superset that match the username provided by Cognito? But then what's the point of having Cognito User Pool and duplicate the users in Superset? Also how can I create the user in Superset if I cannot connect to Superset (apart from removing the OAUTH and using admin/password)? |
Beta Was this translation helpful? Give feedback.
-
|
I did this about 4 years ago, but I'm pretty sure it's because Cognito is garbage and doesn't provide enough data during the authentication for Superset to know the user pool info, so there's no way for Superset to say "yes this is a valid Superset user" vs "this is someone that authenticated on Cognito but isn't authorized for Superset." You could maybe try setting Superset up to allow new users. I forgot where that's set up. I didn't play with that because I have different classes of users, that have different permissions, so I have to manually add users in both places and grant specific permissions in SS. |
Beta Was this translation helpful? Give feedback.
-
|
OK, I found the missing piece: To automatically create the user. No I need to figure out how permissions work and if we can leverage Cognito/IAM under the hood... |
Beta Was this translation helpful? Give feedback.
-
|
If you edit the custom security class, you can dump the data from cognito to the log and see what info you get. But several years ago, it didn't include anything about user pool |
Beta Was this translation helpful? Give feedback.
-
my code is very similar to yours and I am getting the same exact error but setting thr AUTH_USER_REGISTRATION= True did not work for me, any alternative solutions? |
Beta Was this translation helpful? Give feedback.
-
|
This worked for me on Apache/Superset 3.1.0 official Docker image.
from flask_appbuilder.security.manager import AUTH_OAUTH
from superset.security import SupersetSecurityManager
from flask_appbuilder.security.views import AuthOAuthView
from flask_appbuilder.baseviews import expose
from flask import redirect
import logging
import time
class CustomSsoAuthOAuthView(AuthOAuthView):
@expose("/logout/")
def logout(self, provider="cognito", register=None):
ret = super().logout()
time.sleep(1)
return redirect( 'https://xxx.auth.ap-xxx-1.amazoncognito.com/logout?client_id=xxx&logout_uri=https://<your-domain>/login' )
# Create custom SSO to fetch user detail to Superset
class CustomSsoSecurityManager(SupersetSecurityManager):
authoauthview = CustomSsoAuthOAuthView
def oauth_user_info(self, provider, response=None):
# Logic to fetch user info for provider 'cognito'
if provider == 'cognito':
try:
# Make request using OAuth remote to get user information
res = self.appbuilder.sm.oauth_remotes[provider].get('/oauth2/userInfo')
if res.raw.status != 200:
# Log error if user info was not obtained successfully
logging.error('Failed to obtain user info: %s', res.json())
return
me = res.json() # Parse JSON response containing user details
# Return essential user information for Superset
return {
'username' : me['username'],
'name' : me['username'],
'email' : me['email'],
}
except Exception as e:
# Log general exception if something goes wrong
logging.error("CustomSsoSecurityManager: ",e)
CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager # Use our custom security manager
ENABLE_PROXY_FIX=True # Enables support for reverse proxies like Nginx or Apache
AUTH_TYPE = AUTH_OAUTH # Sets authentication type to OAuth
AUTH_USER_REGISTRATION = True # Enables user self-registration, allowing to create Flask users from Authorized User
AUTH_USER_REGISTRATION_ROLE = "Public" # Sets default role for new users
OAUTH_PROVIDERS = [{
'name' :'cognito', # Name of the OAuth provider
'token_key' :'access_token', # Key where the access token is found in the response
'icon' :'fa-address-card', # Font Awesome icon for the provider
'remote_app': {
'client_id' : 'xxx', # Client Id (Identify Superset application)
'client_secret' : 'xxx', # Secret for this Client Id (Identify Superset application)
'server_metadata_url' : 'https://xxx.ap-xxx-1.amazonaws.com/ap-xxx-1_xxx/.well-known/openid-configuration', # Metadata endpoint of the provider
'api_base_url' : 'https://xxx.auth.ap-xxx-1.amazoncognito.com', # Base URL of the provider
'authorize_url' : 'https://xxx.auth.ap-xxx-1.amazoncognito.com/oauth2/authorize', # Authorization URL
'access_token_url' : 'https://xxx.auth.ap-xxx-1.amazoncognito.com/oauth2/token', # Token endpoint
'client_kwargs' : {'scope': 'openid email'}, # Scopes requested from the provider
},
}] |
Beta Was this translation helpful? Give feedback.
-
This took me long enough to figure out that I figure I'll post what I did so other people can use it if needed. The issue revolves around needing to revoke Cognito's token so that someone can sign out of Superset and then sign in as a different user, rather than having to wait for Cognito's token to just expire.
custom_sso_security_manager.py
The problem was that I needed to override the AuthView logout endpoint to force a request to Cognito's logout endpoint. Import this and set up your OAUTH_PROVIDERS in your main config. I used:
And make sure that in Cognito's dashboard on AWS, you set up your App client settings:
Callback and Sign out URLs
Allowes OAuth Flows (code grant and implicit?)
Beta Was this translation helpful? Give feedback.
All reactions