Apache Superset with Okta integration

https://github.com/apache/superset/issues/13948

I am configuring Okta with Apache Superset, but it's redirecting me to the login page after authentication with the message 'invalid login. Please try again.'

Below is my superset_config.py file:

from flask_appbuilder.security.manager import AUTH_OAUTH

AUTH_TYPE = AUTH_OAUTH
OAUTH_PROVIDERS = [
    {
        'name': 'okta',
        'icon': 'fa-circle-o',
        'token_key': 'access_token',
        'remote_app': {
            'client_id': '0oa8hoe9t1c8LfB1z357',
            'client_secret': 'b8exxJID0BQOXlvMlQa5To5frU4EY7FX3cXDOMLM',
            'api_base_url': 'https://dev-514411.okta.com/oauth2/v1/',
            'client_kwargs': {
                'scope': 'openid profile email groups'
            },
            'access_token_url': 'https://dev-514411.okta.com/oauth2/v1/token',
            'authorize_url': 'https://dev-514411.okta.com/oauth2/v1/authorize'
        }
    }
]


Solution 1:[1]

Okta integration was supposed to work out of the box since Flask-AppBuilder 3.2.2, but it's not the case.

Here's what worked for me:

In your Okta app's settings, the Sign-in redirect URIs field should look something like this:

http://localhost:8088/oauth-authorized/okta

Your superset_config.py should contain something similar to this:

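import os

from flask_appbuilder.security.manager import AUTH_OAUTH

OKTA_BASE_URL = 'https://dev-<your-okta-id>.okta.com'
# Assumption: the client credentials are read from environment variables
# with these names; the answer does not show where they are defined.
OKTA_CLIENT_ID = os.environ['OKTA_CLIENT_ID']
OKTA_CLIENT_SECRET = os.environ['OKTA_CLIENT_SECRET']

AUTH_TYPE = AUTH_OAUTH
OAUTH_PROVIDERS = [
    {
        'name': 'okta',
        'token_key': 'access_token',
        'icon': 'fa-circle-o',
        'remote_app': {
            'client_id': OKTA_CLIENT_ID,
            'client_secret': OKTA_CLIENT_SECRET,
            'client_kwargs': {
                'scope': 'openid profile email groups'
            },
            'access_token_method': 'POST',
            'api_base_url': f'{OKTA_BASE_URL}/oauth2/v1/',
            'access_token_url': f'{OKTA_BASE_URL}/oauth2/v1/token',
            'authorize_url': f'{OKTA_BASE_URL}/oauth2/v1/authorize',
            'server_metadata_url': f'{OKTA_BASE_URL}/.well-known/openid-configuration',
        },
    }
]

# Use the custom security manager defined in custom_sso_security_manager.py
from custom_sso_security_manager import CustomSsoSecurityManager
CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager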

And finally, your custom_sso_security_manager.py, which must live in the same directory as your superset_config.py, should contain something like this:

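from superset.security import SupersetSecurityManager


class CustomSsoSecurityManager(SupersetSecurityManager):

    def oauth_user_info(self, provider, response=None):
        if provider == 'okta':
            # Parse the ID token carried in the token response to get the claims.
            user_info = self.appbuilder.sm.oauth_remotes[provider].parse_id_token(
                response)

            # 'email' and 'username' are matched against the ab_user table.
            return {
                'name': user_info['name'],
                'email': user_info['email'],
                'id': user_info['email'],
                'username': user_info['email']
            }

        # Any other provider keeps the default handling instead of returning None.
        return super().oauth_user_info(provider, response)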

The important attributes on the object oauth_user_info returns are email and username, which will be used to match against your database's ab_user table records. If there isn't a matching record then the login will fail.
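
Added example (not part of the original answer or of Superset's code): a defensive version of the claim mapping, plus a simplified model of the ab_user lookup described above, to show which condition produces a failed login. The helper names, the email_verified check, the case-insensitive comparison and the sample data are assumptions.

```python
# Added example: defensive mapping of Okta ID-token claims to the dict that
# oauth_user_info() returns. Helper names and sample data are hypothetical.

REQUIRED_CLAIMS = ("name", "email")


def claims_to_user_info(claims):
    """Return the user dict, or raise ValueError naming what is wrong."""
    missing = [c for c in REQUIRED_CLAIMS
               if not isinstance(claims.get(c), str) or not claims[c].strip()]
    if missing:
        # Typical cause: the 'profile' or 'email' scope was not granted.
        raise ValueError("ID token lacks claims: " + ", ".join(missing))
    # The email becomes the account key, so refuse one the IdP marks unverified.
    if claims.get("email_verified") is False:
        raise ValueError("email claim is not verified")
    # Assumption: usernames are compared case-insensitively.
    email = claims["email"].strip().lower()
    return {"name": claims["name"].strip(), "email": email,
            "id": email, "username": email}


def login_outcome(claims, ab_user_usernames):
    """Simplified model of the lookup the answer describes: the login
    succeeds only if the mapped username already exists in ab_user."""
    try:
        info = claims_to_user_info(claims)
    except ValueError as exc:
        return "rejected: " + str(exc)
    known = {u.lower() for u in ab_user_usernames}
    if info["username"] not in known:
        return "rejected: no ab_user record for " + info["username"]
    return "ok: " + info["username"]


# Constructed sample data (not real accounts).
AB_USER = ["alice@example.com"]
SAMPLE_CLAIMS = [
    {"name": "Alice A", "email": "Alice@Example.com", "email_verified": True},
    {"name": "Bob B", "email": "bob@example.com", "email_verified": True},
    {"name": "Carol C"},  # 'email' scope missing from the token
    {"name": "Dan D", "email": "dan@example.com", "email_verified": False},
]

if __name__ == "__main__":
    for sample in SAMPLE_CLAIMS:
        print(sample.get("name"), "->", login_outcome(sample, AB_USER))
```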

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Bonifacio2