Reputation: 39
I am using Superset 0.36 and successfully set up OAuth2 login using my SSO, Okta. However, the redirect URI http://[site]:8088/oauth-authorized/okta that needs to be configured for Flask Application Builder to work redirects to a login page where the user needs to choose a provider and click sign-in. This is an unnecessary step since the user already logged into Okta and should not need to log in again.
Can someone help with any FAB configuration that would help set up an auto login using OAuth2 so that we can bypass this redundant login page, which my users find confusing and sometimes get stuck on? If there is no way to bypass it, can someone tell me how I can customize the login page to instruct users how to use it?
Upvotes: 2
Views: 3955
Reputation: 653
To bypass the Superset login you can extend the AuthOAuthView.login method to check if provider is None, and if there’s only one OAuth provider, assign it directly. Then you can define a custom security manager that uses this modified AuthOAuthView.
You can see the code for how to do it in this GitHub comment.
Upvotes: 0
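One way to write the override described in the answer above, as an added example that is not the code from the linked GitHub comment or from Superset itself. The names `pick_provider`, `build_security_manager`, `AutoLoginOAuthView` and `AutoLoginSecurityManager` are hypothetical, and the three routes assume the Flask-AppBuilder version shipped with Superset 0.36/0.37.

```python
"""Added example for superset_config.py (hypothetical names, see lead-in)."""


def pick_provider(provider, oauth_providers):
    """Return the provider to log in with, or None to show the chooser page.

    An explicit provider from the URL always wins. Auto-selection happens
    only when exactly one provider is configured, so a multi-provider
    deployment keeps its chooser page.
    """
    if provider is not None:
        return provider
    if len(oauth_providers) == 1:
        return oauth_providers[0]["name"]
    return None


def build_security_manager():
    """Build the custom security manager class (hypothetical helper).

    Imports are deferred so pick_provider can be unit-tested on a machine
    without Superset installed. Assumption: AuthOAuthView.login is exposed
    on the three routes below, as in the FAB bundled with Superset 0.36/0.37.
    """
    from flask_appbuilder import expose
    from flask_appbuilder.security.views import AuthOAuthView
    from superset.security import SupersetSecurityManager

    class AutoLoginOAuthView(AuthOAuthView):  # hypothetical name
        # Routes are re-declared here: FAB registers URLs from the
        # decorators on the overriding method, not from the parent's.
        @expose("/login/")
        @expose("/login/<provider>")
        @expose("/login/<provider>/<register>")
        def login(self, provider=None, **kwargs):
            provider = pick_provider(provider, self.appbuilder.sm.oauth_providers)
            return super().login(provider, **kwargs)

    class AutoLoginSecurityManager(SupersetSecurityManager):  # hypothetical name
        authoauthview = AutoLoginOAuthView

    return AutoLoginSecurityManager


# In superset_config.py, after OAUTH_PROVIDERS is defined:
# CUSTOM_SECURITY_MANAGER = build_security_manager()
```

With more than one entry in `OAUTH_PROVIDERS`, `pick_provider` returns `None` and the parent view renders the normal chooser page.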
Reputation: 522
I had the same issue (although not with Okta, and version 0.37). From the JavaScript in that login page I figured out the final URL. Look at the signin function that’s called when you click the button:
    function signin() {
        if (currentSelection != "") {
            window.location.href = baseLoginUrl + currentSelection + next;
        }
    }
In your case I guess it would be something like:
http://[site]:8088/login/okta/?next=[dashboard]
Disclaimer: I’m absolutely not sure if this is the proper way to do it, but in my case it was just a POC so it didn’t matter much.
Also you should make sure you understand those 3 settings in superset_config.py regarding the Superset session cookie behavior in HTTP vs. HTTPS:
SESSION_COOKIE_HTTPONLY = False
SESSION_COOKIE_SAMESITE = "None"
SESSION_COOKIE_SECURE = True
And of course this makes sense only if you want to allow 1 authentication provider.
Upvotes: 0