Azure OAuth SSO integration breaks when upgrading from 3.0.1 -> 3.0.2rc1 #26007

Closed
3 tasks done
sfirke opened this issue Nov 16, 2023 · 3 comments · Fixed by #26037
Labels
validation:validated A committer has validated / submitted the issue or it was reported by multiple users


@sfirke
Member

sfirke commented Nov 16, 2023

My Azure SSO works with 3.0.1. In testing 3.0.2rc1 with the same config, I'm unable to log in. The Web UI says "Invalid login. Please try again." Application logs show the error:

ERROR:flask_appbuilder.security.views:Error returning OAuth user info: 'email'

As it seems to be caused by a PR in 3.0.2, could be this one that bumped the Flask App Builder version?

This pending issue might be good to tackle at the same time: #24852

How to reproduce the bug

  1. Configure Azure SSO successfully with versions 2.0.0-3.0.1, following the FAB Security guidelines.
  2. Upgrade to 3.0.2.
  3. Try to log in.

Checklist

Make sure to follow these steps before submitting your issue - thank you!

  • I have checked the superset logs for python stacktraces and included it here as text if there are any.
  • I have reproduced the issue with at least the latest released version of superset.
  • I have checked the issue tracker for the same issue and I haven't found one similar.
@michael-s-molina
Member

@dpgaspar Could you check and see if this problem is related to the FAB bump? I'll wait for your investigation to submit a new RC for 3.0.2 as this problem might impact many users using Azure.

@sfirke
Member Author

sfirke commented Nov 16, 2023

I'm happy to hop on a screenshare to poke at the Azure config + logs if helpful.

@dpgaspar
Member

This is probably caused by this change on FAB: dpgaspar/Flask-AppBuilder#2121

I don't think that the previous user information extraction from Azure's OAuth id_token was correct, since upn is not a listed field on https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference

This change should actually fix: #24852, and other reported issues on FAB itself.

This has been a long-standing issue; most users were actually overriding the security manager and replacing upn by email or explicitly including upn on the id_token on Azure. Having said that, this could be a breaking change, let's sync.
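
Added example, not code from Superset, Flask-AppBuilder or any participant in this thread: the logged `'email'` is how Python renders a `KeyError` for a missing key, so the sketch below reproduces that failure on a constructed id_token that carries `upn` but no `email`, next to a mapping that falls back between the two claims discussed above and names what is missing. All function names, the claim order and the sample token are assumptions made for illustration.

```python
import base64
import json

# Claims tried, in order, for the e-mail field: the two this thread discusses.
EMAIL_CLAIMS = ("email", "upn")


def decode_claims_unverified(id_token):
    """Return a compact JWT's payload WITHOUT verifying the signature.
    For inspecting what the IdP sent; a login flow must validate first."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def strict_user_info(claims):
    """Hard lookup: raises KeyError('email') when the claim is absent."""
    return {"username": claims["oid"], "email": claims["email"]}


def tolerant_user_info(claims):
    """Map claims to a user-info dict and name what is missing."""
    if "oid" not in claims:
        raise ValueError("id_token has no 'oid' claim")
    email = next((claims[c] for c in EMAIL_CLAIMS if claims.get(c)), None)
    if email is None:
        # Report claim names only, never their values.
        raise ValueError(f"none of {EMAIL_CLAIMS} in id_token; has {sorted(claims)}")
    return {
        "username": claims["oid"],  # keyed on the object id, not on a name
        "email": email,
        "first_name": claims.get("given_name", ""),
        "last_name": claims.get("family_name", ""),
        "role_keys": claims.get("roles", []),
    }


def make_sample_token(claims):
    """Build an unsigned token from constructed claims (demo input only)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed sample: a token that carries `upn` but no `email` claim.
SAMPLE_CLAIMS = {"oid": "00000000-0000-0000-0000-000000000001",
                 "upn": "alice@example.com", "given_name": "Alice",
                 "roles": ["Admin"]}
SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS)
```

Decoding a captured id_token this way shows which claims the tenant actually issues before and after an upgrade; it is a diagnostic step and does not replace signature validation.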
