Some time ago I asked some questions about setting up OAuth2.0 integration for Trino with Okta in Superset, following the guidance from this PR (https://github.com/apache/superset/pull/30081). We have got past the username part and now Superset recognizes email as username. I am now having trouble setting up the database connection. It keeps throwing an unauthorized error. My current setup looks like this:

trino_oauth

```python
DATABASE_OAUTH2_REDIRECT_URI = "http://localhost:8088/api/v1/database/oauth2/"
DATABASE_OAUTH2_JWT_ALGORITHM = "RS256"
DATABASE_OAUTH2_CLIENTS = {
    'HSH Trino Oauth': {
        'id': '',
        'secret': '',
        'scope': 'openid email offline_access roles profile',
        'redirect_uri': 'http://localhost:8088/api/v1/database/oauth2/',
        'authorization_request_uri': 'https://example.okta.com/oauth2/v1/authorize',
        'token_request_uri': 'https://example.okta.com/oauth2/v1/token',
        'request_content_type': 'json'
    }
}
```

{"connect_args":{"http_scheme":"https"}}

Impersonate: true is in place as well and UI shows the correct configs. Any guidance or insights on further troubleshooting would be greatly appreciated!

The redirect URI gives a 500 error, so I am not sure what should be changed in that case.

Thank you!

Comment From: dosubot[bot]

I found some relevant information that might help you troubleshoot the issues you're facing with the OAuth2.0 integration for Trino with Okta in Superset.

  1. 401 Unauthorized Error:
     - Ensure that the user attempting to connect has the necessary permissions in Trino. This includes verifying that the roles and permissions in Okta are correctly configured to allow access.
     - Double-check the client ID and secret to ensure they are correct and valid.
     - Verify that all required scopes are included in your configuration. The scopes you've listed (openid email offline_access roles profile) seem appropriate, but ensure they match what is required by your Okta setup.

  2. 500 Error at Redirect URI:
     - Common causes for a 500 error at the DATABASE_OAUTH2_REDIRECT_URI endpoint include missing OAuth2 configuration, improper state handling, or a misconfigured redirect URI. Ensure that the DATABASE_OAUTH2_REDIRECT_URI is correctly registered with Okta and that the state is correctly handled by Superset [1].
     - Check if the OAuth2 configuration is correctly set up in Superset. If the configuration is missing or incorrect, it could lead to a 500 error [1].

  3. Impersonation:
     - Ensure that the impersonate_user flag is set to True and that the user has the necessary permissions in Trino. If impersonation is not correctly configured, it may lead to authentication errors [2].

If these steps do not resolve the issue, you may need to further investigate the specific configuration and environment.

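The configuration checks listed in the reply above, as an added example (not part of the thread and not Superset's own code): a small linter for one `DATABASE_OAUTH2_CLIENTS` entry. The function name, the required-key list, the local-host exception and the sample values are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample mirroring the configuration quoted in the question;
# id and secret are left empty as in the post (redacted there).
REDIRECT_URI = "http://localhost:8088/api/v1/database/oauth2/"
CLIENT = {
    "id": "",
    "secret": "",
    "scope": "openid email offline_access roles profile",
    "redirect_uri": "http://localhost:8088/api/v1/database/oauth2/",
    "authorization_request_uri": "https://example.okta.com/oauth2/v1/authorize",
    "token_request_uri": "https://example.okta.com/oauth2/v1/token",
    "request_content_type": "json",
}

REQUIRED_KEYS = ("id", "secret", "scope", "authorization_request_uri", "token_request_uri")
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def lint_oauth2_client(name, client, global_redirect_uri, required_scopes=("openid",)):
    """Return a list of findings for one DATABASE_OAUTH2_CLIENTS entry (hypothetical helper)."""
    findings = []
    for key in REQUIRED_KEYS:
        if not str(client.get(key, "")).strip():
            findings.append(f"{name}: '{key}' is missing or empty")
    # Assumption: the per-client redirect_uri should equal the global one exactly;
    # even a trailing-slash difference is reported as a mismatch.
    redirect = client.get("redirect_uri", global_redirect_uri)
    if redirect != global_redirect_uri:
        findings.append(f"{name}: redirect_uri differs from DATABASE_OAUTH2_REDIRECT_URI")
    parts = urlsplit(redirect or "")
    if parts.scheme != "https" and parts.hostname not in LOCAL_HOSTS:
        findings.append(f"{name}: redirect_uri uses plain HTTP on a non-local host")
    # Authorization and token endpoints: HTTPS, and both on the same host.
    hosts = set()
    for key in ("authorization_request_uri", "token_request_uri"):
        url = urlsplit(client.get(key, ""))
        if url.scheme != "https":
            findings.append(f"{name}: {key} is not HTTPS")
        hosts.add(url.hostname)
    if len(hosts) > 1:
        findings.append(f"{name}: authorization and token endpoints are on different hosts")
    granted = set(client.get("scope", "").split())
    for scope in required_scopes:
        if scope not in granted:
            findings.append(f"{name}: scope '{scope}' is not requested")
    return findings
```

Run it against the dictionary from `superset_config.py` before registering the redirect URI with the identity provider; an empty result means only that these consistency checks passed, not that the provider accepts the client.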

Comment From: rusackas

Maybe @villebro or @nytai or @betodealmeida can provide a pointer here. I'm not sure if this represents a bug, or if this should be converted to a Q&A Discussion for further troubleshooting, but you can also ask on Slack if you haven't already.