Bug description
Hi, I am facing an issue embedding a Superset dashboard in a React application using a different approach.
When embedding an Apache Superset dashboard into a React application with Keycloak as the IAM tool for authentication and authorization, I encountered issues with obtaining a response from the Superset API for guest access, which is intended to allow dashboard access for users with specific roles and permissions.
In this setup, after retrieving an access token from Keycloak to request guest access for the dashboard, the API responds with the error "the specified alg value is not allowed" with status code 422 (Unprocessable Entity). Interestingly, when I log in to Superset locally, the guest token is initially granted, but after a short period the same error reoccurs and Superset automatically logs out without any further interaction. This issue seems specific to the single sign-on (SSO) process.
I have checked the logs for both the Superset application and Keycloak. The screenshots are attached below. 1) `GET /api/v1/me/ HTTP/1.1" 401` (Unauthorized): this is exactly what happens in Superset when I log in through React to embed the dashboard. Afterwards the Superset page redirects to the login page without any interaction; in parallel, the React application gets the guest token response and embeds the dashboard successfully, but on refreshing, this error happens again.
Screenshots/recordings
Superset version
master / latest-dev
Python version
3.11
Node version
18 or greater
Browser
Chrome
Additional context
My Approach:
1) Access token from Keycloak
2) CSRF token from the Superset API response
3) Guest token from the Superset API response
For the above approach, the first two steps succeed, but the request for the guest token from Superset, passing the necessary parameters such as the access token obtained from Keycloak and the CSRF token, raises the error.
JWT algorithms:
1) Keycloak - RS256
2) Superset - HS256
Even when I set the same algorithm for both Superset and Keycloak, Superset raises two issues: 1) Invalid JSON web key 2) Signature not verified. This happens when I set HS256 for both, because Keycloak's verified signature algorithm will be RS256.
Can anyone help me solve this issue?
Checklist
- [X] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [X] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [X] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
Comment From: dosubot[bot]
Hey @Nandhan007! I'm here to help you with the issue you're facing. Let's work together to solve this!
I found a similar discussion regarding changing the default JWT token algorithm in Superset from HS256 to RS256, which might be relevant to your issue. You can check it out here [1].
In your case, the error "the specified alg value is not allowed" suggests a mismatch in the JWT algorithm configuration between Superset and Keycloak. Superset's default JWT algorithm is HS256, while Keycloak uses RS256. To resolve this, you need to ensure that both systems are configured to use compatible algorithms.
Here are some steps you can take to address the issue:
- Configure Superset to Use RS256: Update your Superset configuration to use RS256 for JWT tokens. You can do this by setting `GUEST_TOKEN_JWT_ALGO` to "RS256" in your `superset_config.py`:
```python
GUEST_TOKEN_JWT_ALGO = "RS256"
```
- Provide the Public Key for RS256: Since RS256 is an asymmetric algorithm, you need to provide the public key from Keycloak to Superset for token verification. Ensure that the public key is correctly configured in Superset.
- Check Keycloak Configuration: Verify that Keycloak is set up to issue tokens with the RS256 algorithm and that the public key is accessible to Superset.
- Review Superset Logs: Check the Superset logs for any additional error messages that might provide more context on the issue.
- Ensure Consistent Token Handling: Make sure that the tokens are being handled consistently across your application, especially when dealing with SSO and guest access.
By aligning the JWT algorithm settings and ensuring that the necessary keys are correctly configured, you should be able to resolve the algorithm mismatch issue.
To continue talking to Dosu, mention @dosu.
Comment From: Nandhan007
I have tried the above process, but the same issue happened: while trying to get the guest token, it shows a (403) Forbidden response from the guest token API. Another problem I am facing: even though I proceed with the single sign-on process, I am taken to the Superset login page again, and when I log in manually it then works fine with the HS256 algorithm, but not with the RS256 algorithm.
This is the scenario where the feature works correctly for React and Superset initially, but after a refresh from React, it results in a 401 error in superset.
Comment From: andy-haynes
The JWT decryption algorithms are hardcoded to HS256 here:
```python
return jwt.decode(token, self._jwt_secret, algorithms=["HS256"])["channel"]
```
Could the issue be that this should be using app configuration? @dosu
Comment From: dosubot[bot]
The issue you're encountering with the JWT algorithm being hardcoded to `HS256` in the Superset codebase could indeed be causing the problem when trying to use `RS256`. To address this, you would need to modify the code to allow for configuration-based algorithm selection.
Currently, the JWT algorithm is configured in the `superset-websocket/config.example.json` file under the `jwtAlgorithms` key, which defaults to `["HS256"]`. To use `RS256`, you should modify this configuration to include `"RS256"` in the `jwtAlgorithms` array:
```json
"jwtAlgorithms": ["RS256"]
```
However, since the algorithm is hardcoded in the `async_query_manager.py` file, you would need to update the code to use the configuration setting instead of the hardcoded value. This would involve changing the line:
```python
return jwt.decode(token, self._jwt_secret, algorithms=["HS256"])["channel"]
```
to something that retrieves the algorithm from the configuration, such as:
```python
return jwt.decode(token, self._jwt_secret, algorithms=self._jwt_algorithms)["channel"]
```
Ensure that `self._jwt_algorithms` is properly initialized from the configuration file.
Additionally, make sure that the public key for RS256 is correctly configured in Superset for token verification, as RS256 requires a public key for verification. This setup is crucial for the tokens to be processed correctly.
If you continue to face a 403 Forbidden response, ensure that the user has the necessary permissions, specifically the `can_grant_guest_token` permission, to obtain a guest token [1][2][3].
To continue talking to Dosu, mention @dosu.
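As an added illustration (not code from Superset, PyJWT, or anyone in this thread), here is a stdlib-only stand-in for the `algorithms=[...]` allowlist that `jwt.decode` applies, run over constructed tokens: a token whose header says RS256 is refused with the thread's "alg value is not allowed" error before any key is consulted, which is the defensive check that prevents algorithm confusion and also explains why swapping the secret alone changes nothing. The secret and the tokens are constructed; real RS256 signature verification is left out.

```python
import base64
import hashlib
import hmac
import json

class InvalidAlgorithmError(Exception):
    """The token's 'alg' header is not in the verifier's allowlist."""

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_hs256_token(payload: dict, secret: bytes, alg_header: str = "HS256") -> str:
    # Constructed token; alg_header can be faked to mimic Keycloak's RS256 header.
    header = b64url_encode(json.dumps({"alg": alg_header, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def decode(token: str, key: bytes, algorithms: list) -> dict:
    # Stand-in for jwt.decode(token, key, algorithms=[...]): the allowlist is
    # checked before any signature work, so a Keycloak RS256 token is refused by
    # a verifier that only lists HS256 no matter which key is configured.
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg not in algorithms:
        raise InvalidAlgorithmError("The specified alg value is not allowed")
    if alg != "HS256":
        # RS256 needs the issuer's public key plus an RSA library (PyJWT uses
        # 'cryptography'); deliberately out of scope for this stdlib example.
        raise NotImplementedError(f"{alg} verification not implemented here")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("Signature verification failed")
    return json.loads(b64url_decode(payload_b64))

def outcome(token: str, key: bytes, algorithms: list) -> str:
    # Classify what a verifier with the given allowlist reports for a token.
    try:
        decode(token, key, algorithms)
        return "ok"
    except InvalidAlgorithmError:
        return "alg-not-allowed"
    except (ValueError, NotImplementedError):
        return "rejected"
```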
Comment From: rusackas
Is this still an issue? It seems like an implementation/config/security manager issue more than a core Superset bug. Happy to move it to a Discussion if you're still facing a problem here and are seeking help.