Apache Superset OAuth login not taking into account 'superset_app_root'

Bug description

In file "superset/superset-frontend/src/pages/Login/index.tsx", line 147 (when oauth authentication is used), the 'href' is set this way : href={/login/${provider.name}} The superset application root is not used, meaning that the link is broken if SUPERSET_APP_ROOT is set.

This feature was working when using docker image generated by commit 'e2a22d48'.

Screenshots/recordings

No response

Superset version

master / latest-dev

Python version

3.11

Node version

16

Browser

Chrome

Additional context

No response

Checklist

• [x] I have searched Superset docs and Slack and didn't find a solution to my problem.
• [x] I have searched the GitHub issue tracker and didn't find a similar bug report.
• [ ] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

Comment From: dosubot[bot]

You're correct—the OAuth login links in the Login page are currently generated as /login/${provider.name} and do not include the SUPERSET_APP_ROOT prefix, which breaks the links when Superset is deployed under a subpath. This is a known gap: the frontend has a utility function, ensureAppRoot, specifically designed to prepend the application root to URLs, but it's not used for these OAuth login links yet. This pattern is already used elsewhere in the codebase for correct routing with SUPERSET_APP_ROOT set (see code, ensureAppRoot utility).

There are several open issues and discussions about incomplete handling of SUPERSET_APP_ROOT in the frontend, and it's still considered BETA with known limitations—some links and endpoints remain hardcoded and don't respect the app root, including OAuth login links (discussion, issue). A recent PR improved login redirect handling to include the app root in some places, but it doesn't fix the OAuth login button hrefs on the Login page (PR #34395).

The recommended pattern is to use ensureAppRoot(/login/${provider.name}) when generating these links. Until this is adopted in the Login page, OAuth login links will remain broken under a non-root app deployment.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}    

Comment From: msyavuz

Good catch, fix for this seems relatively simple. Would you like to open a pr changing the code in Login to use ensureAppRoot?