Bug description
Superset version 4.1.1 installed on Kubernetes via Helm. Nginx + AWS ALB.
Access to Superset via Keycloak. Below is my configuration:
```python
import logging

from flask import redirect, session
from flask_appbuilder import expose
from flask_appbuilder.security.manager import AUTH_OAUTH
from flask_appbuilder.security.views import AuthOAuthView
from flask_login import logout_user
from superset.security import SupersetSecurityManager


class CustomAuthOAuthView(AuthOAuthView):
    @expose('/logout/')
    def logout(self):
        # Log the user out and clear the Flask session before redirecting.
        logout_user()
        session.clear()
        return redirect(self.appbuilder.get_url_for_index)


class KeycloakSecurityManager(SupersetSecurityManager):
    def __init__(self, appbuilder):
        super().__init__(appbuilder)

    def oauth_user_info(self, provider, response=None):
        # Fetch the user's claims from Keycloak's userinfo endpoint.
        me = self.appbuilder.sm.oauth_remotes[provider].get("openid-connect/userinfo")
        me.raise_for_status()
        data = me.json()
        logging.debug("User info from Keycloak: %s", data)
        return {
            "username": data.get("preferred_username", ""),
            "first_name": data.get("given_name", ""),
            "last_name": data.get("family_name", ""),
            "email": data.get("email", ""),
            # Client roles assigned in Keycloak for this client.
            "role_keys": data.get("resource_access", {}).get("${OIDC_CLIENT}", {}).get("roles", []),
        }

    # Use the custom logout view defined above.
    authoauthview = CustomAuthOAuthView


ENABLE_PROXY_FIX = True
AUTH_TYPE = AUTH_OAUTH
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Gamma"
OAUTH_PROVIDERS = [
    {
        "name": "keycloak",
        "icon": "fa-key",
        "token_key": "access_token",
        "remote_app": {
            "client_id": "${CLIENT_ID}",
            "client_secret": "${CLIENT_SECRET}",
            "client_kwargs": {
                "scope": "openid profile email",
            },
            "api_base_url": "https://${KEYCLOAK_DOMAIN}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect",
            "authorize_url": "https://${KEYCLOAK_DOMAIN}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/auth",
            "access_token_url": "https://${KEYCLOAK_DOMAIN}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token",
            "jwks_uri": "https://${KEYCLOAK_DOMAIN}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/certs",
            "userinfo_url": "https://${KEYCLOAK_DOMAIN}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/userinfo",
            "authorize_params": {
                "redirect_uri": "https://${SUPERSET_DOMAIN}/oauth-authorized/keycloak"
            },
            "access_token_params": {
                "redirect_uri": "https://${SUPERSET_DOMAIN}/oauth-authorized/keycloak"
            },
        },
    }
]
AUTH_ROLES_SYNC_AT_LOGIN = True
CUSTOM_SECURITY_MANAGER = KeycloakSecurityManager
```
My problem is the user gets an error on first login attempt. The UI states `The request to sign in was denied`.
Logs:
```
2025-07-14 15:21:38,103:DEBUG:flask_appbuilder.security.views:Provider: keycloak
2025-07-14 15:21:38,104:DEBUG:flask_appbuilder.security.views:Going to call authorize for: keycloak
20.10.253.173 - - [14/Jul/2025:15:21:38 +0000] "GET /login/keycloak?next= HTTP/1.1" 302 953 "https://<SUPERSET_DOMAIN>/login/"
2025-07-14 15:21:38,241:DEBUG:flask_appbuilder.security.views:Authorized init
2025-07-14 15:21:38,243:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): <KEYCLOAK_DOMAIN>:443
2025-07-14 15:21:38,279:DEBUG:urllib3.connectionpool:https://<KEYCLOAK_DOMAIN>:443 "POST /auth/realms/<MY_REALM>/protocol/openid-connect/token HTTP/1.1" 200 4282
2025-07-14 15:21:38,282:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): <KEYCLOAK_DOMAIN>:443
2025-07-14 15:21:43,296:ERROR:flask_appbuilder.security.views:Error authorizing OAuth access token: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))
20.10.253.173 - - [14/Jul/2025:15:21:43 +0000] "GET /oauth-authorized/keycloak?state=<STATE>&session_state=<SESSION_STATE>&iss=https%3A%2F%2F<KEYCLOAK_DOMAIN>%2Fauth%2Frealms%2F<KEYCLOAK_REALM>&code=<CODE> HTTP/1.1" 302 201
2025-07-14 15:21:43,338:DEBUG:flask_appbuilder.security.views:Provider: None
```
Retrying immediately, after a couple of attempts, the user info is returned correctly and login is successful. Logs:
```
2025-07-14 15:23:51,413:DEBUG:flask_appbuilder.security.views:Provider: keycloak
2025-07-14 15:23:51,413:DEBUG:flask_appbuilder.security.views:Going to call authorize for: keycloak
20.10.253.173 - - [14/Jul/2025:15:23:51 +0000] "GET /login/keycloak?next= HTTP/1.1" 302 953 "https://<SUPERSET_DOMAIN>/login/"
2025-07-14 15:23:51,597:DEBUG:flask_appbuilder.security.views:Authorized init
2025-07-14 15:23:51,598:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): <KEYCLOAK_DOMAIN>:443
2025-07-14 15:23:51,672:DEBUG:urllib3.connectionpool:https://<KEYCLOAK_DOMAIN>:443 "POST /auth/realms/<MY_REALM>/protocol/openid-connect/token HTTP/1.1" 200 4282
2025-07-14 15:23:51,674:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): <KEYCLOAK_DOMAIN>:443
2025-07-14 15:23:51,701:DEBUG:urllib3.connectionpool:https://<KEYCLOAK_DOMAIN>:443 "GET /auth/realms/<MY_REALM>/protocol/openid-connect/certs HTTP/1.1" 200 2933
2025-07-14 15:23:51,703:DEBUG:flask_appbuilder.security.views:OAUTH Authorized resp: {'access_token': '<TOKEN>', 'expires_in': 300, 'refresh_expires_in': 16865, 'refresh_token': 'REFRESH_TOKEN>', 'token_type': 'Bearer', 'id_token': '<ID_TOKEN>', 'not-before-policy': 0, 'session_state': '<STATE>', 'scope': 'openid email profile', 'expires_at': 1752506931, 'userinfo': {'exp': 1752506931, 'iat': 1752506631, 'auth_time': 1752480296, 'jti': '<JTI>', 'iss': 'https://<KEYCLOAK_DOMAIN>/auth/realms/<MY_REALM>', 'aud': 'superset', 'sub': '<SUB>', 'typ': 'ID', 'azp': 'superset', 'nonce': '<NONCE>', 'sid': '<SID>', 'at_hash': '<HASH>', 'acr': '0', 'email_verified': True, 'name': '<NAME>', 'preferred_username': '<USERNAME>', 'given_name': '<NAME>', 'family_name': '<SURNAME>', 'email': '<EMAIL>'}}
2025-07-14 15:23:51,704:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): <KEYCLOAK_DOMAIN>:443
2025-07-14 15:23:51,760:DEBUG:urllib3.connectionpool:https://<KEYCLOAK_DOMAIN>:443 "GET /auth/realms/<MY_REALM>/protocol/openid-connect/userinfo HTTP/1.1" 200 668
2025-07-14 15:23:51,761:DEBUG:flask_appbuilder.security.views:User info retrieved from keycloak: {'username': '<USERNAME>', 'first_name': '<NAME>', 'last_name': '<LASTNAME>', 'email': '<EMAIL>', 'role_keys': ['admin']}
2025-07-14 15:23:51,761:DEBUG:flask_appbuilder.security.views:No whitelist for OAuth provider
2025-07-14 15:23:51,776:DEBUG:flask_appbuilder.security.manager:Calculated new roles for user='<USERNAME>' as: [Admin]
2025-07-14 15:23:51,783:INFO:flask_appbuilder.security.sqla.manager:Updated user <USER>
```
I tried to add:
```python
PROXY_FIX_CONFIG = {
    "x_proto": 1,
    "x_host": 1,
    "x_prefix": 1,
}
PREFERRED_URL_SCHEME = "https"
SESSION_COOKIE_SECURE = True
```
but the problem persists.
Has anyone encountered this type of problem before?
Screenshots/recordings
No response
Superset version
4.1.1
Python version
3.9
Node version
16
Browser
Chrome
Additional context
No response
Checklist
- [x] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [x] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [x] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
Comment From: dosubot[bot]
Hi @marcocharlie! I'm Dosu and I’m helping the superset team.
This kind of intermittent "Connection aborted" error during OAuth with Keycloak is not unique, especially in setups involving Kubernetes, Nginx, and AWS ALB. Based on Superset's code and similar reports, this usually points to network instability or proxy/load balancer configuration rather than a Superset or Flask AppBuilder bug. Superset does not retry failed OAuth HTTP requests, so any transient network hiccup between Superset and Keycloak (or an intermediary like Nginx/ALB) will cause the error you see, but a retry often works.
A few things to check and try:
- Make sure your ALB, Nginx, and Kubernetes timeouts are all higher than Superset's `SUPERSET_WEBSERVER_TIMEOUT` (default is 60s). If the proxy or ALB closes connections early, you'll see these errors. See the config note here.
- For proxy headers, try setting `PROXY_FIX_CONFIG = {"x_proto": 1, "x_host": 1, "x_prefix": 1, "x_port": 0}`. The `"x_port": 0` is important if you have SSL termination at the load balancer or proxy, as it prevents port mismatches in the OAuth flow (reference).
- If possible, test with an NGINX ingress controller instead of AWS ALB. Some users have found that switching to NGINX ingress resolves similar intermittent issues with redirects and OAuth (reference).
- Double-check that all your `redirect_uri` values in both Superset and Keycloak exactly match, including protocol and port.
- If you have cross-domain or HTTPS, set `SESSION_COOKIE_SECURE = True` and consider `SESSION_COOKIE_SAMESITE = "None"` if you see cookie/session issues.
- If the problem persists, try to capture network traces or increase logging on both Superset and Keycloak to see if the disconnect is happening at the proxy, ALB, or Keycloak itself.
There are no recent code changes or open issues in Superset that directly address this specific error. The pattern and code suggest it's almost always a network or proxy config issue in these environments.
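A small triage script for the urllib3 debug lines shown in this issue, as an added example (not part of the original thread or of Superset): it pairs each `Starting new HTTPS connection` line with the response line that should follow and reports connections that ended in an ERROR instead, with the wait time and the last request that did complete. The sample lines are constructed after the failed attempt in the report, with a placeholder host and realm name.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the failed attempt in the issue's logs
# (host and realm names are placeholders).
SAMPLE = """\
2025-07-14 15:21:38,241:DEBUG:flask_appbuilder.security.views:Authorized init
2025-07-14 15:21:38,243:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): keycloak.example.test:443
2025-07-14 15:21:38,279:DEBUG:urllib3.connectionpool:https://keycloak.example.test:443 "POST /auth/realms/demo/protocol/openid-connect/token HTTP/1.1" 200 4282
2025-07-14 15:21:38,282:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): keycloak.example.test:443
2025-07-14 15:21:43,296:ERROR:flask_appbuilder.security.views:Error authorizing OAuth access token: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))
10.0.0.1 - - [14/Jul/2025:15:21:43 +0000] "GET /oauth-authorized/keycloak?state=x HTTP/1.1" 302 201
""".splitlines()

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}):(\w+):([\w.]+):(.*)$")
START = re.compile(r"Starting new HTTPS connection \(\d+\): (\S+)")
DONE = re.compile(r'^https://\S+ "(\w+) (\S+) HTTP/[\d.]+" (\d{3}) ')


def unanswered_connections(lines):
    """Return one finding per outbound connection that ended in an ERROR
    line before urllib3 logged any response for it."""
    findings, pending, last_ok = [], None, None
    for raw in lines:
        m = LINE.match(raw)
        if not m:  # access-log lines do not carry the application log prefix
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        level, msg = m.group(2), m.group(4)
        started, done = START.search(msg), DONE.match(msg)
        if started:
            pending = (ts, started.group(1))
        elif done:
            last_ok, pending = f"{done.group(1)} {done.group(2)}", None
        elif level == "ERROR" and pending:
            findings.append({
                "host": pending[1],
                "waited_s": round((ts - pending[0]).total_seconds(), 3),
                "after": last_ok,  # last outbound request that did complete
                "error": msg,
            })
            pending = None
    return findings


if __name__ == "__main__":
    for finding in unanswered_connections(SAMPLE):
        print(finding)
```

For the failed attempt this reports a wait of about 5 seconds on the connection opened right after the token POST; in the successful attempt logged above, the request made at that point is the GET to the `certs` endpoint.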