Hello everyone, we are trying to add OAuth login using the WSO2 Identity Server. We have set up the configuration as per the documentation. You can find the OAuth configuration below.


```python
CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager

AUTH_TYPE = AUTH_OAUTH

AUTH_USER_REGISTRATION = True

# The default user self registration role
AUTH_USER_REGISTRATION_ROLE = "Public"

OAUTH_PROVIDERS = [
    {   'name':'wso2',
        'token_key':'access_token', # Name of the token in the response of access_token_url
        'icon':'fa-address-card',   # Icon for the provider
        'remote_app': {
            'client_id':'clientid',  # Client Id (Identify Superset application)
            'client_secret':'clientsecret', # Secret for this Client Id (Identify Superset application)
            'client_kwargs':{
                'scope': 'openid profile email groups',            # Scope for the Authorization
            },
            'access_token_method':'POST',    # HTTP Method to call access_token_url
            'request_token_url': None,
            'grant_type' : 'authorization_code',
            'api_base_url':'https://<hostname>/oauth2',
            'access_token_url':'https://<hostname>/oauth2/token',
            'authorize_url':'https://<hostname>/oauth2/authorize',
            'jwks_uri': 'https://<hostname>/oauth2/jwks'
        },
    }
]
```

This is the code for our custom security manager:

```python
import logging
from superset.security import SupersetSecurityManager


class CustomSsoSecurityManager(SupersetSecurityManager):
    def oauth_user_info(self, provider, response=None):
        logging.debug("Oauth2 provider: {0}.".format(provider))
        if provider == 'wso2':
            # As an example, this line requests a GET to base_url + '/userinfo' with Bearer Authentication,
            # and expects that the authorization server checks the token and responds with user details
            providerData = self.appbuilder.sm.oauth_remotes[provider].get('userinfo')
            me = providerData.data
            logging.debug("user_data: {0}".format(me))
            return {
                'name': me['name'],
                'email': me['email'],
                'id': me['user_name'],
                'username': me['user_name'],
                'first_name': '',
                'last_name': '',
            }
```

After a successful login, the user is redirected back to the login page. I checked the container logs, and we are getting the following error:

ERROR:flask_appbuilder.security.views:Error authorizing OAuth access token: mismatching_state: CSRF Warning! State not equal in request and response

I have been searching for solutions; most of the GitHub issues from other projects didn't seem to help. Any help would be much appreciated. Thank you.

Comment From: shr3yb

Hey buddy @msp-ampcome, were you able to figure this out? In my case, it is working normally but not in an iframe. I am using Azure as my OAuth provider.

Comment From: srp-pawar

Hey bro, what is the callback URL mentioned in WSO2?

Comment From: rusackas

@dosu-bot

Comment From: dosubot[bot]

The error you're encountering, "mismatching_state: CSRF Warning! State not equal in request and response," typically indicates a problem with how the state parameter is managed during the OAuth flow. This parameter is crucial for preventing CSRF attacks and ensuring that the response corresponds to the user's request. Here are some steps and considerations to help you troubleshoot and potentially resolve this issue:

  1. Ensure Correct State Parameter Handling: Your application should generate a unique state parameter for each login attempt and validate this parameter when receiving the callback from the OAuth provider. It's essential that the state remains unchanged throughout the OAuth flow to prevent CSRF attacks.

  2. Verify Redirect URI: Check that the redirect URI (callback URL) specified in your OAuth provider's configuration matches exactly with what you have configured in the WSO2 Identity Server. Even minor discrepancies can cause issues.

  3. Session Management in Containerized Environments: If your application runs in a containerized environment (like Docker or Kubernetes), make sure that session information is correctly managed across requests. This might involve configuring a shared resource for session storage to ensure consistency.

  4. Cross-Origin Requests and Iframes: If your OAuth flow is initiated from an iframe, ensure that both your application and the OAuth provider properly support cross-origin requests. This includes correctly setting headers for Cross-Origin Resource Sharing (CORS).

  5. Review WSO2 Configuration: Double-check the configuration of your WSO2 Identity Server, paying close attention to settings that might affect the handling of the state parameter or redirect URIs. Make sure that WSO2 is correctly managing sessions and state parameters.

  6. Enhance Logging: Increase the logging level for both your application and the WSO2 Identity Server. Detailed logs can provide insights into the OAuth flow and help pinpoint where the mismatch or error occurs.

  7. OAuth Library Configuration: If you're using a library to facilitate OAuth flows, ensure it's correctly configured to handle the state parameter. Some libraries allow for customization in how the state parameter is managed.

If after following these steps the issue persists, it might be beneficial to reach out to the WSO2 community or their support channels. There could be specific configurations or known issues with your version of the WSO2 Identity Server that they can help address.

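The check behind the error in the original post, and behind step 1 above, is the same mechanism: a random `state` is stored in the user's session when the login is started and compared against the `state` the identity provider echoes back on the callback. The following is an added example, not Superset's or Flask-AppBuilder's own code; it models that round trip with a plain dict standing in for the session, and the authorize URL, redirect URI and client id are placeholders. Running the flow with the same dict for both requests succeeds; running it with two separate dicts reproduces the mismatch, which is what happens when the callback request arrives without the session cookie that the login request set (a cookie not sent inside a cross-site iframe, or a cookie signed with a different `SECRET_KEY` by another replica behind a load balancer).

```python
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed example (not Superset's or Flask-AppBuilder's code): a minimal
# model of the OAuth 2.0 authorization-code "state" round trip. A session is a
# plain dict here; in Superset the session is a cookie signed with SECRET_KEY,
# so the callback request must carry the same cookie the login request set.

AUTHORIZE_URL = "https://idp.example.invalid/oauth2/authorize"            # placeholder
REDIRECT_URI = "https://superset.example.invalid/oauth-authorized/wso2"   # placeholder
CLIENT_ID = "clientid"                                                    # placeholder


class StateMismatch(Exception):
    """Raised when the state echoed by the IdP does not match the stored one."""


def begin_login(session: Dict[str, str]) -> str:
    """Generate an unguessable state, store it in the session and build the authorize URL."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: Dict[str, str], query: Dict[str, str]) -> str:
    """Validate the echoed state against the session and return the authorization code."""
    # pop() makes the state single-use, so a replayed callback is rejected too
    expected: Optional[str] = session.pop("oauth_state", None)
    received = query.get("state")
    if expected is None or received is None or not hmac.compare_digest(expected, received):
        raise StateMismatch("mismatching_state: CSRF Warning! State not equal in request and response")
    return query["code"]


def simulate_flow(session_at_login: Dict[str, str], session_at_callback: Dict[str, str]) -> str:
    """Run login then callback, with possibly different session objects for the two requests."""
    url = begin_login(session_at_login)
    echoed_state = parse_qs(urlparse(url).query)["state"][0]  # the IdP echoes state unchanged
    query = {"code": "constructed-auth-code", "state": echoed_state}
    try:
        handle_callback(session_at_callback, query)
        return "ok"
    except StateMismatch:
        return "mismatching_state"


if __name__ == "__main__":
    shared: Dict[str, str] = {}
    print("same cookie on both requests:", simulate_flow(shared, shared))
    print("cookie lost between requests:", simulate_flow({}, {}))
```

The second call is the situation in the thread: the login request and the callback request were served with unrelated session state, so from the application's point of view the echoed `state` was never issued. The fix is therefore on the session side (same `SECRET_KEY` on every replica, or a shared session store, and a cookie that is actually sent on the callback request), not on the WSO2 side.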

Comment From: GspeyanHov

Have you found any solution to this problem?

Comment From: devyash786

@shr3yb Can you share your custom SSO configuration? For me it's not working...

Comment From: rusackas

Closing this as inactive, and because it seems like a config issue rather than a Superset bug. Happy to reopen as a Discussion if anyone's still facing this exact issue.