Bug description
Enable GLOBAL_ASYNC_QUERIES feature and use any embedded dashboard.
Load the page and you will get 401 UNAUTHORIZED response.
```
WARNING:root:Failed to add user to db session: Class 'werkzeug.local.LocalProxy' is not mapped
WARNING:root:Failed to add user to db session: Class 'werkzeug.local.LocalProxy' is not mapped
WARNING:superset.common.utils.query_cache_manager:force_cached (QueryContext): value not found for key 68d2a3488fa8bc378f473740ea4157ef
WARNING:superset.async_events.async_query_manager:Parse jwt failed
Traceback (most recent call last):
  File "/app/superset/async_events/async_query_manager.py", line 203, in parse_channel_id_from_request
    return jwt.decode(token, self._jwt_secret, algorithms=["HS256"])["channel"]
  File "/app/.venv/lib/python3.10/site-packages/jwt/api_jwt.py", line 222, in decode
    decoded = self.decode_complete(
  File "/app/.venv/lib/python3.10/site-packages/jwt/api_jwt.py", line 167, in decode_complete
    self._validate_claims(
  File "/app/.venv/lib/python3.10/site-packages/jwt/api_jwt.py", line 273, in _validate_claims
    self._validate_sub(payload, subject)
  File "/app/.venv/lib/python3.10/site-packages/jwt/api_jwt.py", line 300, in _validate_sub
    raise InvalidSubjectError("Subject must be a string")
jwt.exceptions.InvalidSubjectError: Subject must be a string
```
The root cause is that the sub claim is not set on the async_access cookie token in register_request_handlers:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjaGFubmVsIjoiZjc4OTk5ZTUtMjZjYi00ODg5LTgzZDQtMWEyZTE2NGIzNzM2Iiwic3ViIjpudWxsfQ.jWwEk5mHJjUHvCBKKcKayjIF9LNgkVYYxZ_HPenUhBo
Therefore parse_channel_id_from_request throws jwt.exceptions.InvalidSubjectError: Subject must be a string
Embedded dashboards work when using force reload with GAQ enabled. They also work with GAQ disabled.
Screenshots/recordings
No response
Superset version
master Using superset 5.0
Python version
3.9
Node version
16
Browser
Chrome
Additional context
No response
Checklist
- [x] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [x] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [x] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
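The failure described in the report, reproduced with the standard library only. This is an added example, not part of the original post and not Superset or PyJWT code: the secret, the `chan-1` channel and the `build_claims` helper are assumptions, and omitting `sub` for a session without a user id is one possible issuer-side change, not the project's fix.

```python
import base64, hashlib, hmac, json

# async_access cookie value quoted in the issue above.
ISSUE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJjaGFubmVsIjoiZjc4OTk5ZTUtMjZjYi00ODg5LTgzZDQtMWEyZTE2NGIzNzM2Iiwic3ViIjpudWxsfQ."
    "jWwEk5mHJjUHvCBKKcKayjIF9LNgkVYYxZ_HPenUhBo")
SECRET = b"constructed-demo-secret"  # constructed sample value, not from the issue

def b64d(seg): return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))
def b64e(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unverified_payload(token):
    """Diagnostic only: read the claims without checking the signature."""
    return json.loads(b64d(token.split(".")[1]))

def sign(claims, secret=SECRET):
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(mac)}"

def decode(token, secret=SECRET):
    """Verify HS256, then apply the 'sub' rule that raised in the traceback."""
    head, body, sig = token.split(".")
    if json.loads(b64d(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64d(sig)):
        raise ValueError("Signature verification failed")
    claims = json.loads(b64d(body))
    # A present 'sub' must be a string; null or an integer is rejected.
    if "sub" in claims and not isinstance(claims["sub"], str):
        raise ValueError("Subject must be a string")
    return claims

def build_claims(channel, user_id):
    """Hypothetical issuer: stringify a real id, omit 'sub' when there is none."""
    claims = {"channel": channel}
    if user_id is not None:
        claims["sub"] = str(user_id)
    return claims

def round_trip(user_id, hardened):
    """Issue a token the original way or the hardened way, then decode it."""
    claims = (build_claims("chan-1", user_id) if hardened
              else {"channel": "chan-1", "sub": user_id})
    try:
        return decode(sign(claims))["channel"]
    except ValueError as exc:
        return f"401: {exc}"
```

`unverified_payload(ISSUE_TOKEN)` shows `"sub": null` in the quoted cookie, and `round_trip(None, False)` hits the same "Subject must be a string" rejection, while the hardened issuer passes for both a missing and a numeric user id.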
Comment From: dosubot[bot]
Hi @adomass! I'm Dosu and I’m helping the superset team.
This is a confirmed bug: embedded dashboards with GLOBAL_ASYNC_QUERIES enabled in Superset 5.0 result in 401 errors because the async_access JWT cookie's 'sub' claim is set to null for guest/embedded users, which breaks JWT decoding and authentication. The code sets 'sub' using get_user_id(), but for guest users (like those accessing embedded dashboards), this returns None, causing the error you described. There is no fallback or workaround in the code for this scenario, and the bug persists in the latest Superset versions as of August 2025 [code reference].
Multiple issues and discussions track this problem, for example: #31492, #33561, #34337, and #32219. The feature is still considered experimental/beta and not recommended for production use [PR #30770].
Workarounds reported by the community: disable GLOBAL_ASYNC_QUERIES for embedded dashboards, require users to manually refresh the dashboard after load, and ensure embedded dashboards are served from the same root domain as Superset (cross-domain embedding can cause async features to fail) [#33561]. For cloud/Kubernetes setups, leave SERVER_NAME unset unless you have a static hostname, and set ENABLE_PROXY_FIX, PREFERRED_URL_SCHEME, and SESSION_COOKIE_SECURE as needed [discussion].
There is no official fix yet; keep an eye on the linked issues for updates. This is an architectural gap, not a misconfiguration.
To reply, just mention @dosu.
Comment From: rusackas
I think the @dosu is 100% spot on in its assessment here. We're very open to PRs here to address issues in this feature, as we still HOPE to make it more stable and ready for prime-time, but for now, we're hoping for volunteer support, but may eventually close issues like this as "not-planned" otherwise.
Comment From: dosubot[bot]
Thanks for confirming! For anyone interested in contributing a fix or improvement to the GLOBAL_ASYNC_QUERIES/embedded dashboard issue, I can help surface relevant code references, recent PRs, and technical details about the async_access JWT handling and guest token logic. The main gap is how the 'sub' claim is set for guest/embedded users, which currently leads to JWT decode failures and 401 errors when GAQ is enabled (see code reference).
If anyone wants guidance on where to start in the codebase, implementation details, or links to related issues and discussions, just let me know!
Comment From: adomass
I still don't understand how embedded dashboards might have worked with a guest user and the async global feature. The other registered issues are not directly related to this case.