Keycloak to superset Redirecting

[ChiragsinhCW]

I have my own user management i want to configure keycloak for authentication and redirect to superset dashboard
can we user keycloak token to redirect in superset if yes than how can we do this

[dosubot[bot]]

Yes, you can use a Keycloak token to handle the redirection to the Superset dashboard. Here’s how you can achieve this:

1. Authenticate with Keycloak and obtain a token.
2. Use the Keycloak token to request a Guest Token from Superset.
3. Pass the Guest Token to the frontend to embed the Superset dashboard.

Step-by-Step Implementation

1. Authenticate with Keycloak and obtain a token:
   This step involves authenticating your user with Keycloak and obtaining an access token using Keycloak's authentication API.

2. Request a Guest Token from Superset:
   Use the Keycloak token to authenticate your backend request to Superset's /security/guest_token endpoint. Here is an example of how you might do this in your backend:

   const fetch = require('node-fetch');
   
   async function fetchGuestTokenFromBackend(keycloakToken) {
     const response = await fetch('https://superset.example.com/api/v1/security/guest_token', {
       method: 'POST',
       headers: {
         'Content-Type': 'application/json',
         'Authorization': `Bearer ${keycloakToken}`
       },
       body: JSON.stringify({
         user: {
           username: "stan_lee",
           first_name: "Stan",
           last_name: "Lee"
         },
         resources: [{
           type: "dashboard",
           id: "abc123"
         }],
         rls: [
           { clause: "publisher = 'Nintendo'" }
         ]
       })
     });
   
     const data = await response.json();
     return data.token;
   }

3. Embed the Superset dashboard using the Guest Token:
   Pass the Guest Token obtained from the backend to the frontend and use it to embed the Superset dashboard.

   import { embedDashboard } from "@superset-ui/embedded-sdk";
   
   async function embedSupersetDashboard() {
     const keycloakToken = 'your-keycloak-token'; // Obtain this from Keycloak authentication
     const guestToken = await fetchGuestTokenFromBackend(keycloakToken);
   
     embedDashboard({
       id: "abc123", // given by the Superset embedding UI
       supersetDomain: "https://superset.example.com",
       mountPoint: document.getElementById("my-superset-container"), // any html element that can contain an iframe
       fetchGuestToken: () => Promise.resolve(guestToken),
       dashboardUiConfig: {
         hideTitle: true,
         filters: {
           expanded: true,
         },
         urlParams: {
           foo: 'value1',
           bar: 'value2',
         }
       },
     });
   }
   
   embedSupersetDashboard();

Additionally, you can configure Superset to support OAuth2 tokens for database authentication by setting up the DATABASE_OAUTH2_CLIENTS configuration in superset/config.py. This allows Superset to handle OAuth2 tokens, including those from Keycloak, for database connections.

DATABASE_OAUTH2_CLIENTS: dict[str, dict[str, Any]] = {
    # Example configuration for Google Sheets
    # "Google Sheets": {
    #     "id": "XXX.apps.googleusercontent.com",
    #     "secret": "GOCSPX-YYY",
    #     "scope": " ".join(
    #         [
    #             "https://www.googleapis.com/auth/drive.readonly",
    #             "https://www.googleapis.com/auth/spreadsheets",
    #             "https://spreadsheets.google.com/feeds",
    #         ]
    #     ),
    #     "authorization_request_uri": "https://accounts.google.com/o/oauth2/v2/auth",
    #     "token_request_uri": "https://oauth2.googleapis.com/token",
    # },
}
DATABASE_OAUTH2_JWT_ALGORITHM = "HS256"
DATABASE_OAUTH2_TIMEOUT = timedelta(seconds=30)

By following these steps and configurations, you can use a Keycloak token to handle the redirection to the Superset dashboard ^[1][2][3].

To continue talking to Dosu, mention @dosu.

[ChiragsinhCW]

i dont want embed superset i want to redirect in standard superset

[dosubot[bot]]

To redirect to the standard Superset interface using Keycloak for authentication, you can configure Superset to use Keycloak as an OpenID Connect (OIDC) provider. Here’s a step-by-step guide:

1. Install Flask-OIDC:
   Ensure you have flask-oidc installed in your Superset environment.

   pip install flask-oidc

2. Create a Custom Security Manager:
   Create a custom security manager to handle OIDC authentication. Save this as keycloak_security_manager.py in your Superset directory.

   from flask_appbuilder.security.manager import AUTH_OID
   from superset.security import SupersetSecurityManager
   from flask_oidc import OpenIDConnect
   from flask_appbuilder.security.views import AuthOIDView
   from flask_login import login_user
   from urllib.parse import quote
   from flask_appbuilder.views import ModelView, SimpleFormView, expose
   import logging
   
   class OIDCSecurityManager(SupersetSecurityManager):
   
       def __init__(self, appbuilder):
           super(OIDCSecurityManager, self).__init__(appbuilder)
           if self.auth_type == AUTH_OID:
               self.oid = OpenIDConnect(self.appbuilder.get_app)
           self.authoidview = AuthOIDCView
   
   class AuthOIDCView(AuthOIDView):
   
       @expose('/login/', methods=['GET', 'POST'])
       def login(self, flag=True):
           sm = self.appbuilder.sm
           oidc = sm.oid
   
           @self.appbuilder.sm.oid.require_login
           def handle_login():
               user = sm.auth_user_oid(oidc.user_getfield('email'))
   
               if user is None:
                   info = oidc.user_getinfo(['preferred_username', 'given_name', 'family_name', 'email'])
                   user = sm.add_user(info.get('preferred_username'), info.get('given_name'), info.get('family_name'),
                                      info.get('email'), sm.find_role('Gamma'))
   
               login_user(user, remember=False)
               return redirect(self.appbuilder.get_url_for_index)
   
           return handle_login()
   
       @expose('/logout/', methods=['GET', 'POST'])
       def logout(self):
           oidc = self.appbuilder.sm.oid
   
           oidc.logout()
           super(AuthOIDCView, self).logout()
           redirect_url = request.url_root.strip('/') + self.appbuilder.get_url_for_login
   
           return redirect(
               oidc.client_secrets.get('issuer') + '/protocol/openid-connect/logout?redirect_uri=' + quote(redirect_url))

3. Create Keycloak Client Configuration:
   Create a client_secret.json file with your Keycloak client configuration.

   {
       "web": {
           "issuer": "http://keycloakdomain/auth/realms/<realmName>",
           "auth_uri": "http://keycloakdomain/auth/realms/<realmName>/protocol/openid-connect/auth",
           "client_id": "<ClientID>",
           "client_secret": "<Client Secret>",
           "redirect_uris": [
               "http://domainApp/*"
           ],
           "userinfo_uri": "http://keycloakdomain/auth/realms/<realmName>/protocol/openid-connect/userinfo",
           "token_uri": "http://keycloakdomain/auth/realms/<realmName>/protocol/openid-connect/token",
           "token_introspection_uri": "http://keycloakdomain/auth/realms/<realmName>/protocol/openid-connect/token/introspect"
       }
   }

4. Update Superset Configuration:
   Update your superset_config.py to use the custom security manager and OIDC settings.

   from keycloak_security_manager import OIDCSecurityManager
   from flask_appbuilder.security.manager import AUTH_OID
   import os
   
   AUTH_TYPE = AUTH_OID
   SECRET_KEY = 'SomethingNotEntirelySecret'
   OIDC_CLIENT_SECRETS = os.path.abspath(os.getcwd()) + '/path/to/client_secret.json'
   OIDC_ID_TOKEN_COOKIE_SECURE = False
   OIDC_REQUIRE_VERIFIED_EMAIL = False
   OIDC_OPENID_REALM = 'realm1'
   OIDC_INTROSPECTION_AUTH_METHOD = 'client_secret_post'
   CUSTOM_SECURITY_MANAGER = OIDCSecurityManager
   AUTH_USER_REGISTRATION = True
   AUTH_USER_REGISTRATION_ROLE = 'Gamma'

By following these steps, you can configure Superset to use Keycloak for authentication and redirect users to the standard Superset interface upon successful login ^[1].

To continue talking to Dosu, mention @dosu.