experimental OAuth data source implementation #59

Open: wants to merge 2 commits into base: gsheets_oauth

dobrych commented Nov 22, 2022

SUMMARY

In this example, a custom PostgreSQL DB driver tries to reuse the existing OAuth session that the current user is logged in with to authenticate the DB connection.

TESTING INSTRUCTIONS

To test it, we need to add a custom OAuth security manager to the Python path:

```python
import logging
from superset.security import SupersetSecurityManager


log = logging.getLogger(__name__)

class TIPSsoSecurityManager(SupersetSecurityManager):

    def oauth_user_info(self, provider, response=None):
        # Only the 'TIP' provider is handled; any other provider returns None.
        if provider == 'TIP':
            remote = self.appbuilder.sm.oauth_remotes[provider]
            userinfo = remote.get('openid/userinfo').json()
            token = remote.token
            me = remote.get(f'api/v1/accounts/{userinfo["sub"]}').json()
            log.info("[TIP SSO] user_data: {0}".format(me.keys()))
            # Writes the raw bearer token to the debug log.
            log.debug("[TIP SSO] access token: {0}".format(token.get('access_token')))
            return {
                'email': me['emailAddress'],
                'first_name': me['name']['first'],
                'last_name': me['name']['last'],
            }
```

Superset configuration changes to use it:

```python
import os

from flask_appbuilder.security.manager import AUTH_OAUTH
from tip_security_manager import TIPSsoSecurityManager

AUTH_ROLE_PUBLIC = 'Public'
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Admin"  # every self-registered OAuth user is created with the Admin role
AUTH_TYPE = AUTH_OAUTH

OAUTH_BASE_ENDPOINT = os.environ.get('SUPERSET_OAUTH_BASE_URL', 'https://iam-service.trial.platform.intertrust.com')

OAUTH_PROVIDERS = [
  {   'name': 'TIP',
      'token_key': os.environ.get('SUPERSET_OAUTH_TOKEN', 'id_token'),  # Name of the token in the response of access_token_url
      'icon': 'fa-address-card',   # Icon for the provider
      'remote_app': {
          'client_id': '8390d3ef-c280-4c59-baac-28843949c9e0',  # Client Id (Identify Superset application)
          'client_secret': '<...>',
          'api_base_url': f'{OAUTH_BASE_ENDPOINT}/',
          'server_metadata_url': f'{OAUTH_BASE_ENDPOINT}/.well-known/openid-configuration',
          'client_kwargs': {'scope': 'openid intertrust_platform email profile'}
      }
  }
]

CUSTOM_SECURITY_MANAGER = TIPSsoSecurityManager
```

ADDITIONAL INFORMATION

The problem appears in a difference in where the security manager is called.
Calling `self.appbuilder.sm.oauth_remotes[provider].token` inside `TIPSsoSecurityManager` yields a proper OAuth access token, but calling `current_app.appbuilder.sm.oauth_remotes[provider].token` inside `TIPPostgresEngineSpec` yields `None`.
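
Added example, not part of this PR or of Superset: the security manager above writes the raw access token to the debug log, so this standard-library logging filter replaces token values with a short hash fingerprint while leaving a `None` value visible, which is the symptom being traced here. The names `TokenRedactingFilter`, `redact`, `fingerprint` and the logger name are hypothetical, and the sample token is constructed.

```python
import hashlib
import io
import logging
import re

# Constructed pattern: the value that follows "access token:" or "access_token=".
TOKEN_RE = re.compile(r"(access[ _]token\W{1,3})(\S+)", re.IGNORECASE)


def fingerprint(token: str) -> str:
    """Short one-way tag so two log lines can be matched to the same token."""
    return "sha256:" + hashlib.sha256(token.encode()).hexdigest()[:8]


def redact(text: str) -> str:
    def repl(match):
        label, value = match.group(1), match.group(2)
        if value == "None":  # keep the "no token" symptom visible
            return match.group(0)
        return f"{label}<redacted {fingerprint(value)}>"

    return TOKEN_RE.sub(repl, text)


class TokenRedactingFilter(logging.Filter):
    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message first so tokens passed as %-args are covered too.
        record.msg = redact(record.getMessage())
        record.args = None
        return True


def demo() -> str:
    """Log two constructed lines through the filter and return the output."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(TokenRedactingFilter())
    log = logging.getLogger("tip_sso_demo")  # hypothetical logger name
    log.handlers = [handler]
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.debug("[TIP SSO] access token: {0}".format("eyJ.constructed.token"))
    log.debug("[TIP SSO] access token: %s", None)
    return stream.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

The filter is attached to a handler, so it applies to every record that handler emits regardless of which logger produced it.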

betodealmeida force-pushed the gsheets_oauth branch 11 times, most recently from cafd28d to 216fb6d, December 10, 2022 03:18