Integrating Keycloak with Superset (v4.1.1) - Issue with OAuth Login #32287

Closed
1 of 3 tasks
alisharifi2000 opened this issue Feb 17, 2025 · 3 comments
Labels
authentication:sso Single Sign On

Comments


alisharifi2000 commented Feb 17, 2025

Bug description

# Integrating Keycloak with Superset (v4.1.1) - Issue with OAuth Login
Hi everyone,
I'm trying to integrate Superset 4.1.1 with Keycloak 26.1.1, both running in Docker.

superset -> localhost:8088
keycloak -> localhost:8080

I've configured Superset with the following security manager in superset_config.py:

```python
import logging

from superset.security import SupersetSecurityManager
from flask_appbuilder.security.manager import AUTH_OAUTH

log = logging.getLogger(__name__)

# keycloak_address, keycloak_realm and client_secret are not defined in the
# posted snippet; they have to be set earlier in superset_config.py.


class KeycloakSecurity(SupersetSecurityManager):
    """
    Custom Security Manager for handling Keycloak authentication.
    """
    def __init__(self, appbuilder):
        super().__init__(appbuilder)
        app = self.appbuilder.get_app
        app.config.setdefault("AUTH_ROLES_MAPPING", {})
        app.config.setdefault("AUTH_TYPE", AUTH_OAUTH)

    def oauth_user_info(self, provider, resp=None):
        if provider == "keycloak":
            log.debug("Keycloak response received: %s", resp)
            log.debug("ID Token: %s", resp.get("id_token"))
            # Same /realms/... base path as the OAUTH_PROVIDERS endpoints below
            # (the posted URL had an extra /auth prefix that the others lack).
            me = self.appbuilder.sm.oauth_remotes[provider].get(
                f'http://{keycloak_address}/realms/{keycloak_realm}/protocol/openid-connect/userinfo'
            )
            me.raise_for_status()
            data = me.json()
            log.debug("User info from Keycloak: %s", data)
            # Map the Keycloak claims onto the fields Flask-AppBuilder expects.
            return {
                "name": data["name"],
                "email": data["email"],
                "first_name": data["given_name"],
                "last_name": data["family_name"],
                "id": data["preferred_username"],
                "username": data["preferred_username"],
            }


CUSTOM_SECURITY_MANAGER = KeycloakSecurity
AUTH_USER_REGISTRATION = True  # Allow user self-registration
AUTH_USER_REGISTRATION_ROLE = "Public"
AUTH_TYPE = AUTH_OAUTH
OAUTH_PROVIDERS = [
    {
        "name": "keycloak",
        "icon": "fa-key",
        "token_key": "access_token",
        "remote_app": {
            "client_id": "superset",
            "client_secret": client_secret,
            "client_kwargs": {"scope": "openid email"},
            "api_base_url": f"http://{keycloak_address}/realms/{keycloak_realm}/protocol/openid-connect",
            "authorize_url": f"http://{keycloak_address}/realms/{keycloak_realm}/protocol/openid-connect/auth",
            "access_token_url": f"http://{keycloak_address}/realms/{keycloak_realm}/protocol/openid-connect/token",
            "jwks_uri": f"http://{keycloak_address}/realms/{keycloak_realm}/protocol/openid-connect/certs",
            "request_token_url": None,
            "access_token_method": "POST",
        }
    }
]
```

Steps Taken:

  1. Created a realm (superset) and client (superset) in Keycloak.
  2. Created a user (test) with password (test) in Keycloak.
  3. In Superset, clicked "Login with Keycloak" → redirected to Keycloak.
  4. Entered username (test) and password (test) → redirected back to the Superset login page instead of being logged in, with the error "The request to sign in was denied."

Issue:
Checking the Superset logs, I found this error:

```
ERROR: flask_appbuilder.security.views: Error authorizing OAuth access token: 
HTTPConnectionPool(host='localhost', port=8080): Max retries exceeded with URL: /realms/superset/protocol/openid-connect/token
```

Screenshots/recordings

[Screenshot: Keycloak Administration Console, configuration of my client, named superset; Superset runs on localhost:8088]

[Screenshot: Superset login page after the redirect from Keycloak]

[Screenshot: error in the Docker logs]

Superset version

4.1.1

Python version

3.10

Node version

18 or greater

Browser

Firefox

Additional context

No response

Checklist

  • I have searched Superset docs and Slack and didn't find a solution to my problem.
  • I have searched the GitHub issue tracker and didn't find a similar bug report.
  • I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

dosubot bot commented Feb 17, 2025

I found a similar discussion titled Integrating Keycloak with Superset (v4.1.1) - Issue with OAuth Login which is currently unsolved [1].

To address the issue where you are redirected back to the Superset login page with the error "The request to sign in was denied," consider the following steps:

  1. Check Redirect URI: Ensure that the redirect_uri configured in Keycloak matches the one expected by Superset. The redirect_uri should be correctly set in both Keycloak and Superset configurations.

  2. Verify OAuth2 Configuration: Make sure that the OAuth2 client configuration in Keycloak is correct, including the client ID, client secret, and allowed redirect URIs.

  3. Inspect Browser Console and Network Logs: Check the browser console and network logs for any errors or warnings that might provide more details about the sign-in request denial.

  4. Check Superset Logs: Review the Superset logs for any error messages or warnings related to the OAuth2 authentication process. Typical error messages include "OAUTH2_REDIRECT" and "OAUTH2_REDIRECT_ERROR" [2].

  5. Ensure Correct Permissions: Verify that the user has the necessary permissions in Keycloak to access the application.

  6. Cross-Origin Requests: Ensure that cross-origin requests are properly handled and that the event.origin and event.source checks in the handleMessage function are correctly validating the message source.

Additionally, a user shared a working configuration without installing any additional package such as Flask-OIDC. You might want to compare your configuration with the one provided in the discussion to ensure all settings are correctly applied [1].


@dosubot dosubot bot added the authentication:sso Single Sign On label Feb 17, 2025
Member

sfirke commented Feb 20, 2025

Hello, I'm sorry you are having this trouble but I believe you were right to first open this as a discussion at #32286. It looks like this is a "how do I get this config right" question, not a "I found a bug in the Superset codebase" so I'm going to close this to keep the Superset bug tracker more manageable for devs who are trying to triage bugs.

I hope you find an answer to your discussion - if you do, please post it back there to help others. I'll go post a thought over there.

@sfirke sfirke closed this as completed Feb 20, 2025

a0123055u commented Feb 21, 2025

@alisharifi2000 I faced a similar issue; I was using custom auth for authentication. If you are running Superset in Docker, make sure host.docker.internal is enabled on your local machine using this command: "docker run --rm alpine nslookup host.docker.internal". If it recognizes host.docker.internal, then replace localhost with host.docker.internal.

If the above shows as unknown, then switch localhost to the IP of the machine; if using Linux, you can find it using ip route | awk 'NR==1 {print $3}'. Once you replace localhost with this, it must work. As a last try, if possible, make the Keycloak host 0.0.0.0 to receive requests from any host. Good luck!!
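Added example, not part of any comment in this thread and not Superset's own code: the logged error comes from the token request that Superset makes from inside its container, where `localhost` is the container itself, while `authorize_url` is only ever followed by the browser. The sketch below splits the endpoints by caller and flags server-side URLs that point at loopback; `build_remote_app`, `loopback_backchannel_urls` and the sample values are hypothetical names and constructed inputs.

```python
import ipaddress
from urllib.parse import urlsplit

# remote_app keys that Superset itself requests (server to server).
# authorize_url is absent on purpose: only the user's browser follows it.
BACKCHANNEL_KEYS = ("api_base_url", "access_token_url", "jwks_uri")

def is_loopback(url):
    """True if the URL's host is localhost or a loopback IP literal."""
    host = urlsplit(url).hostname or ""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name such as host.docker.internal

def loopback_backchannel_urls(remote_app):
    """Return {key: url} for server-side endpoints that point at loopback."""
    return {k: remote_app[k] for k in BACKCHANNEL_KEYS
            if remote_app.get(k) and is_loopback(remote_app[k])}

def build_remote_app(browser_base, backchannel_base, realm, client_id, secret):
    """Build remote_app with endpoints split by who calls them."""
    front = f"{browser_base}/realms/{realm}/protocol/openid-connect"
    back = f"{backchannel_base}/realms/{realm}/protocol/openid-connect"
    return {
        "client_id": client_id,
        "client_secret": secret,
        "client_kwargs": {"scope": "openid email"},
        "authorize_url": f"{front}/auth",     # followed by the user's browser
        "api_base_url": back,                 # requested from the container
        "access_token_url": f"{back}/token",  # requested from the container
        "jwks_uri": f"{back}/certs",          # requested from the container
        "request_token_url": None,
        "access_token_method": "POST",
    }

# Constructed sample values; the secret is a placeholder.
AS_POSTED = build_remote_app("http://localhost:8080", "http://localhost:8080",
                             "superset", "superset", "placeholder-secret")
SPLIT = build_remote_app("http://localhost:8080", "http://host.docker.internal:8080",
                         "superset", "superset", "placeholder-secret")

if __name__ == "__main__":
    print(sorted(loopback_backchannel_urls(AS_POSTED)))  # all three keys
    print(loopback_backchannel_urls(SPLIT))              # nothing flagged
```

The userinfo request in `oauth_user_info` is also made from the container, so it needs the same backchannel base as the token endpoint.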
