
Issue in Single sign on process with Superset and React Applications #30920

Open
3 tasks done
Nandhan007 opened this issue Nov 14, 2024 · 2 comments

@Nandhan007

Bug description

Hi,
I am facing an issue embedding a Superset dashboard in a React application with a different approach.

When embedding an Apache Superset dashboard into a React application with Keycloak as the IAM tool for authentication and authorization, I encountered issues with obtaining a response from the Superset API for guest access, which is intended to allow dashboard access for users with specific roles and permissions.

In this setup, after retrieving an access token from Keycloak to request guest access for the dashboard, the API responds with the error "the specified alg value is not allowed" with status code 422(unprocessed entity). Interestingly, when I log in to Superset locally, the guest token is initially granted, but after a short period, the same error reoccurs, and Superset automatically logs out without any further interaction. This issue seems specific to the single sign-on (SSO) process.

I have checked the logs for both the Superset application and Keycloak. The screenshots are attached below.

  1. GET /api/v1/me/ HTTP/1.1" 401 (unauthorised) - This is exactly what happens in Superset when I log in through React to embed the dashboard: afterwards the Superset page redirects to the login page without any interaction; in parallel the React application gets the guest token response and embeds the dashboard successfully, but on refreshing, this error happens again.

Screenshots/recordings

Screenshot 2024-11-14 154604

guest_Token_issue
Superset_config_guest_access

Superset version

master / latest-dev

Python version

3.11

Node version

18 or greater

Browser

Chrome

Additional context

My Approach:

  1. Access Token from Keycloak
  2. CSRF Token from superset api response
  3. guest token from superset api response

For the above approach, the first two steps succeed, but the guest token request to Superset, made with the necessary parameters such as the access token obtained from Keycloak and the CSRF token, raises the error.

JWT Algorithms:

  1. Keycloak - RS256
  2. Superset - HS256

Even when I set the same algorithm for both Superset and Keycloak, Superset raises two issues:

  1. Invalid JSON web key
  2. Signature not verified - This happens when I set HS256 in both, because Keycloak's signature verification algorithm will be RS256.

Can anyone help me solve this issue?

Checklist

  • I have searched Superset docs and Slack and didn't find a solution to my problem.
  • I have searched the GitHub issue tracker and didn't find a similar bug report.
  • I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
dosubot bot added labels authentication:sso (Single Sign On) and embedded on Nov 14, 2024

dosubot bot commented Nov 14, 2024

Hey @Nandhan007! I'm here to help you with the issue you're facing. Let's work together to solve this!

I found a similar discussion regarding changing the default JWT token algorithm in Superset from HS256 to RS256, which might be relevant to your issue. You can check it out here [1].

In your case, the error "the specified alg value is not allowed" suggests a mismatch in the JWT algorithm configuration between Superset and Keycloak. Superset's default JWT algorithm is HS256, while Keycloak uses RS256. To resolve this, you need to ensure that both systems are configured to use compatible algorithms.

Here are some steps you can take to address the issue:

  1. Configure Superset to Use RS256: Update your Superset configuration to use RS256 for JWT tokens. You can do this by setting the GUEST_TOKEN_JWT_ALGO to "RS256" in your superset_config.py:

    GUEST_TOKEN_JWT_ALGO = "RS256"
  2. Provide the Public Key for RS256: Since RS256 is an asymmetric algorithm, you need to provide the public key from Keycloak to Superset for token verification. Ensure that the public key is correctly configured in Superset.

  3. Check Keycloak Configuration: Verify that Keycloak is set up to issue tokens with the RS256 algorithm and that the public key is accessible to Superset.

  4. Review Superset Logs: Check the Superset logs for any additional error messages that might provide more context on the issue.

  5. Ensure Consistent Token Handling: Make sure that the tokens are being handled consistently across your application, especially when dealing with SSO and guest access.

By aligning the JWT algorithm settings and ensuring that the necessary keys are correctly configured, you should be able to resolve the algorithm mismatch issue.

To continue talking to Dosu, mention @dosu.
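As an added illustration (not code from Superset, Keycloak or the reporter), the following stdlib-only sketch shows the allow-list check a JWT verifier applies before it looks at the signature: a token minted with HS256 verifies, a token whose header names RS256 (as Keycloak access tokens do) is refused with "the specified alg value is not allowed", and a token signed under a different secret fails with "signature not verified". The secret, claims and function names are constructed for the demo; Superset's real setting names referenced in the comments are the page's own.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the demo; a real Superset reads its own
# GUEST_TOKEN_JWT_SECRET and GUEST_TOKEN_JWT_ALGO from superset_config.py.
SECRET = b"constructed-demo-secret"
ALLOWED_ALGS = ("HS256",)  # the verifier's allow-list: one algorithm only

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_hs256(claims: dict, secret: bytes) -> str:
    """Issue a compact JWT signed with HMAC-SHA256 (what an HS256 guest token is)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def relabel_alg(token: str, alg: str) -> str:
    """Demo helper: rewrite only the header's alg field, keeping payload and signature."""
    header, payload, sig = token.split(".")
    hdr = json.loads(_b64url_decode(header))
    hdr["alg"] = alg
    return f"{_b64url(json.dumps(hdr).encode())}.{payload}.{sig}"

def verify(token: str, secret: bytes, allowed=ALLOWED_ALGS) -> dict:
    """Check the alg header against the allow-list first, then the HMAC; return claims."""
    header, payload, sig = token.split(".")
    alg = json.loads(_b64url_decode(header)).get("alg")
    if alg not in allowed:
        raise ValueError(f"the specified alg value is not allowed: {alg}")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("signature not verified")
    return json.loads(_b64url_decode(payload))

def outcome(token: str, secret: bytes = SECRET) -> str:
    """Return 'ok' or the verifier's error message, for easy comparison."""
    try:
        verify(token, secret)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

The order of the two checks is why the reporter sees the alg error even when the key material is wrong: an RS256-labelled token never reaches signature verification in an HS256-only verifier.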

@Nandhan007 (Author) commented:

I have tried the above process but the same issue happens: while trying to get the guest token it shows a (403) Forbidden response from the guest token API. Another problem I am facing is that even when I proceed with the single sign-on process, I am taken to the Superset login page again and have to log in manually; then it works fine with the HS256 algorithm but not with the RS256 algorithm.

This is the scenario where the feature works correctly for React and Superset initially, but after a refresh from React, it results in a 401 error in superset.
