I have set up Superset with OAuth in Keycloak SSO. In the web UI it is working OK using cookies, but for the Superset API we need to use a token. Superset is a Flask-based app; using configs we set up:
JWT_ALGORITHM = 'RS256'
JWT_PUBLIC_KEY = """
-----BEGIN PUBLIC KEY-----
public_key_was_here
-----END PUBLIC KEY-----
"""
Get a token using the command:
export TOKEN=`curl --request POST "$SSO_URL/auth/realms/$SSO_REALM/protocol/openid-connect/token?redirect_uri=$SUPERSET_URL/oauth-authorized/ozon_sso" \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode "username=$USERNAME" \
--data-urlencode "password=$PASSWORD" \
--data-urlencode 'scope=email profile roles' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=k8s.superset' \
--data-urlencode "client_secret=$SSO_CLIENT_SECRET" | jq -r .access_token`
and then try to use it on Superset:
curl -L --request GET $SUPERSET_URL/api/v1/dashboard/ --header "Authorization: Bearer $TOKEN" > ./dashboard_list.txt
and get an error in the application; it seems like it is unable to decode the token, or the key is incorrect:
2022-12-15 07:24:00,487:ERROR:superset.views.base:invalid literal for int() with base 10: '674792eb-e01e-45b6-ad2e-75979db3d601'
Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1516, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1502, in dispatch_request
return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
File "/usr/local/lib/python3.8/site-packages/flask_appbuilder/security/decorators.py", line 94, in wraps
verify_jwt_in_request()
File "/usr/local/lib/python3.8/site-packages/flask_jwt_extended/view_decorators.py", line 83, in verify_jwt_in_request
_request_ctx_stack.top.jwt_user = _load_user(jwt_header, jwt_data)
File "/usr/local/lib/python3.8/site-packages/flask_jwt_extended/view_decorators.py", line 141, in _load_user
user = user_lookup(jwt_header, jwt_data)
File "/usr/local/lib/python3.8/site-packages/flask_jwt_extended/internal_utils.py", line 25, in user_lookup
return jwt_manager._user_lookup_callback(*args, **kwargs)
File "/usr/local/lib/python3.8/site-packages/flask_appbuilder/security/manager.py", line 2042, in load_user_jwt
user = self.load_user(identity)
File "/usr/local/lib/python3.8/site-packages/flask_appbuilder/security/manager.py", line 2038, in load_user
return self.get_user_by_id(int(pk))
ValueError: invalid literal for int() with base 10: '674792eb-e01e-45b6-ad2e-75979db3d601'
10.220.74.237 - - [15/Dec/2022:07:24:00 +0000] "GET /api/v1/dashboard/ HTTP/1.1" 500 2337 "-" "curl/7.29.0"
And I don't know where to dig.
In order to call the Superset APIs, you need to create a JWT token signed with the SUPERSET_SECRET_KEY and use it in the Authorization HTTP header.
Unfortunately, you can't ask Superset to generate a token for you using the /api/v1/security/login API because it works only for "db" users, but if OAUTH is enabled then this API is useless.
For example, if your SUPERSET_SECRET_KEY is my_super_secret then you can craft a token like this:
The "sub" claim represents the user identifier as stored in the ab_user table. Obviously, you have to change the iat and exp claims in order to set valid timestamps.
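Added example, not part of the original question or answer and not Superset's own code: a standard-library sketch that builds a token with the three claims named above and then checks it the way the traceback's `load_user` frame does, by passing `sub` to `int()`. It assumes HS256 as the signing algorithm (the answer does not name one), uses the answer's placeholder key `my_super_secret`, and takes user id 1 as a constructed sample; `make_token` and `check_token` are hypothetical helper names.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(raw: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(secret: str, user_id, ttl: int = 300, now=None) -> str:
    """Build an HS256 JWT whose "sub" is an ab_user id (HS256 is an assumption)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": str(user_id), "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def check_token(token: str, secret: str, now=None) -> int:
    """Verify signature and exp, then map "sub" to a user id with int()."""
    now = int(time.time()) if now is None else now
    signing_input, _, sig_segment = token.rpartition(".")
    expected = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_segment)):
        raise ValueError("bad signature")
    header = json.loads(b64url_decode(signing_input.split(".")[0]))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(b64url_decode(signing_input.split(".")[1]))
    if claims["exp"] <= now:
        raise ValueError("token expired")
    # Same conversion as load_user in the traceback: a UUID "sub" fails here.
    return int(claims["sub"])


if __name__ == "__main__":
    token = make_token("my_super_secret", 1)  # placeholder key from the answer
    print(token)
    print("user id:", check_token(token, "my_super_secret"))
```

A token whose `sub` is the Keycloak UUID from the log passes the signature and expiry checks here and then fails at `int()`, the same `ValueError` the traceback ends with.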