SSO issue with Apache Superset #14056

Closed
3 tasks done
SajithTS opened this issue Dec 6, 2024 · 5 comments
Labels: Angular, Auth, duplicate, OAuth, question

SajithTS commented Dec 6, 2024

Before opening, please confirm:

JavaScript Framework

Angular

Amplify APIs

Authentication

Amplify Version

v6

Amplify Categories

auth

Backend

None

Environment information

System:
    OS: Linux 6.8 Ubuntu 22.04.5 LTS 22.04.5 LTS (Jammy Jellyfish)
    CPU: (8) x64 11th Gen Intel(R) Core(TM) i5-1135G7 @ 2.40GHz
    Memory: 4.09 GB / 15.37 GB
    Container: Yes
    Shell: 5.1.16 - /bin/bash
  Binaries:
    Node: 18.20.4 - ~/.nvm/versions/node/v18.20.4/bin/node
    npm: 10.7.0 - ~/.nvm/versions/node/v18.20.4/bin/npm
  Browsers:
    Chrome: 130.0.6723.91
  npmPackages:
    @angular-devkit/build-angular: ^17.3.8 => 17.3.10 
    @angular/animations: ^17.3.11 => 17.3.12 
    @angular/cdk: ^17.3.10 => 17.3.10 
    @angular/cli: ~17.3.8 => 17.3.10 
    @angular/common: ^17.3.11 => 17.3.12 
    @angular/compiler: ^17.3.11 => 17.3.12 
    @angular/compiler-cli: ^17.3.11 => 17.3.12 
    @angular/core: ^17.3.11 => 17.3.12 
    @angular/forms: ^17.3.11 => 17.3.12 
    @angular/material: ^17.3.10 => 17.3.10 
    @angular/platform-browser: ^17.3.11 => 17.3.12 
    @angular/platform-browser-dynamic: ^17.3.11 => 17.3.12 
    @angular/router: ^17.3.11 => 17.3.12 
    @types/google.maps: ^3.51.0 => 3.58.1 
    @types/jasmine: ~4.3.0 => 4.3.6 
    aws-amplify: ^6.6.2 => 6.6.3 
    aws-amplify/adapter-core:  undefined ()
    aws-amplify/analytics:  undefined ()
    aws-amplify/analytics/kinesis:  undefined ()
    aws-amplify/analytics/kinesis-firehose:  undefined ()
    aws-amplify/analytics/personalize:  undefined ()
    aws-amplify/analytics/pinpoint:  undefined ()
    aws-amplify/api:  undefined ()
    aws-amplify/api/server:  undefined ()
    aws-amplify/auth:  undefined ()
    aws-amplify/auth/cognito:  undefined ()
    aws-amplify/auth/cognito/server:  undefined ()
    aws-amplify/auth/enable-oauth-listener:  undefined ()
    aws-amplify/auth/server:  undefined ()
    aws-amplify/data:  undefined ()
    aws-amplify/data/server:  undefined ()
    aws-amplify/datastore:  undefined ()
    aws-amplify/in-app-messaging:  undefined ()
    aws-amplify/in-app-messaging/pinpoint:  undefined ()
    aws-amplify/push-notifications:  undefined ()
    aws-amplify/push-notifications/pinpoint:  undefined ()
    aws-amplify/storage:  undefined ()
    aws-amplify/storage/s3:  undefined ()
    aws-amplify/storage/s3/server:  undefined ()
    aws-amplify/storage/server:  undefined ()
    aws-amplify/utils:  undefined ()
    buffer: ^4.9.2 => 4.9.2 (5.7.1)
    git-describe: ^4.1.1 => 4.1.1 
    jasmine-core: ~4.5.0 => 4.5.0 
    karma: ~6.4.0 => 6.4.4 
    karma-chrome-launcher: ~3.1.0 => 3.1.1 
    karma-coverage: ~2.2.0 => 2.2.1 
    karma-coverage-coffee-example:  1.0.0 
    karma-jasmine: ~5.1.0 => 5.1.0 
    karma-jasmine-html-reporter: ~2.0.0 => 2.0.0 
    moment: ^2.29.4 => 2.30.1 
    rxjs: ~7.8.0 => 7.8.1 
    rxjs/ajax:  undefined ()
    rxjs/fetch:  undefined ()
    rxjs/operators:  undefined ()
    rxjs/testing:  undefined ()
    rxjs/webSocket:  undefined ()
    tslib: ^2.3.0 => 2.7.0 (2.6.2)
    typescript: ~5.4.5 => 5.4.5 
    zone.js: ~0.14.7 => 0.14.10 
  npmGlobalPackages:
    @angular/cli: 17.3.8
    corepack: 0.28.0
    npm: 10.7.0

Describe the bug

I am using Angular v17 in my project, with authentication handled by AWS Cognito. Apache Superset is also integrated into my application. Previously, I was using the Cognito Hosted UI for the authentication process, and Superset would automatically log in if I was already authenticated in the application.

However, I recently created a custom login page using AWS Amplify with Cognito. After this change, Superset now prompts for authentication and redirects to the Cognito Hosted UI.

Expected behavior

With the Amplify Hosted Login UI version of my application, Superset single sign-on (SSO) was working fine. I am expecting the same SSO functionality with the custom login as well.

Reproduction steps

  1. Log in to the Angular application with the custom login UI based on Amplify Cognito auth.
  2. Write URL redirection logic in any component, as below:
  loadSuperset(){
    let url = `${environment.supersetUrl}/login/cognito?role=${this.role}`;
    window.open(url,'_self');
  } 
  3. Check whether this redirection loads the Superset home page without prompting for authentication.

Code Snippet

Custom login UI Login button click

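import { signIn } from 'aws-amplify/auth';

// Click handler for the custom login form: reads the credentials from the
// reactive form and signs in against the Cognito user pool through Amplify.
async submitLogin() {
  const uname: string = this.form.get('username').value;
  const pwd: string = this.form.get('password').value;
  const { nextStep } = await signIn({
    username: uname.trim(),
    password: pwd.trim()
  });
}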

Superset page redirection

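// Component method: navigates the current tab to Superset's Cognito login route.
loadSuperset() {
    const url = `${environment.supersetUrl}/login/cognito?role=${this.role}`;
    window.open(url, '_self');
}

<!-- Component template -->
<button mat-flat-button (click)="loadSuperset()">Load Superset</button>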

Log output

// Put your logs below this line


aws-exports.js

import { ResourcesConfig } from "aws-amplify";
import { environment } from "../src/environments/environment";
const awsAmplifyConfig: ResourcesConfig = {
    Auth: {
        Cognito: {
            userPoolId: 'XXXXXXX',        // redacted in the original post
            userPoolClientId: 'XXXXXXX',  // redacted in the original post
            signUpVerificationMethod: 'code',
            loginWith: {
                oauth: {
                    domain: 'MYDOMAIN',   // redacted Hosted UI domain
                    scopes: [
                        "phone",
                        "email",
                        "openid",
                        "profile",
                        "aws.cognito.signin.user.admin"
                    ],
                    redirectSignIn: [environment.signIn],
                    redirectSignOut: [environment.signout],
                    responseType: 'code'
                }
            }
        }
    }
};


export default awsAmplifyConfig;

Manual configuration

No response

Additional configuration

Superset config

OAUTH_PROVIDERS = [
    {
        'name': 'cognito',
        'token_key': 'access_token',
        'icon':'fa-address-card',
        'remote_app': {
            'client_id':'XXXXXX',
            'client_secret':None,
            'client_kwargs': {
                'scope': 'openid email profile'
            },
            'response_type': 'code',
            'api_base_url': 'https://my-domain.auth.region.amazoncognito.com',
            'access_token_url': 'https://my-domain.auth.region.amazoncognito.com/oauth2/token',
            'authorize_url': 'https://my-domain.auth.region.amazoncognito.com/oauth2/authorize',
            'userinfo_endpoint': 'https://my-domain.auth.region.amazoncognito.com/oauth2/userInfo',
            'jwks_uri':'https://cognito-idp.region.amazonaws.com/region/.well-known/jwks.json',
            'logout_redirect_uri': 'https://dom.local.dom2.ai:8088/login'
        }
    }
]

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

Member

HuiSF commented Dec 6, 2024

Hi @SajithTS, thanks for opening this issue. I'm not familiar with how Apache Superset interacts with the Amazon Cognito Hosted UI endpoints. One difference I can think of here between using Hosted UI and your custom sign-in form is that Hosted UI may write session cookies under the Hosted UI domain, but the signIn() API of the JS library doesn't go through Hosted UI at all.

Could you inspect the network traffic when loadSuperset() gets invoked, and see if there are any requests sent to the access_token_url, authorize_url and userinfo_endpoint URLs, and if there are any failures?

Author

SajithTS commented Dec 8, 2024

Thanks @HuiSF for the quick response.

Here are the network results while loading Superset:

https://my-domain.auth.region.amazoncognito.com/oauth2/authorize?response_type=code ........

And the response code is 302 Found

Which results in calling the below resource

https://my-domain.auth.region.amazoncognito.com/login?response_type=code

No other requests are showing
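
Added example (not part of the thread, and not Amplify or Superset code): a small helper that classifies the response to an `/oauth2/authorize` request from its status code and `Location` header, which is the check the network trace above performs by eye. A bounce to `/login` on the Hosted UI domain corresponds to the case reported here, where no Hosted UI session exists because `signIn()` does not go through the Hosted UI. The function name, the sample URLs and the Superset callback address are assumptions constructed for illustration.

```javascript
// Added example. Every URL below is a constructed sample, not captured traffic.
const HOSTED_UI = 'https://my-domain.auth.region.amazoncognito.com';
const SAMPLE_CALLBACK = 'https://superset.example.test/oauth-authorized/cognito';
const SAMPLE_AUTHORIZE = `${HOSTED_UI}/oauth2/authorize?response_type=code` +
  `&client_id=XXXXXX&state=abc123&redirect_uri=${encodeURIComponent(SAMPLE_CALLBACK)}`;

// Classify the response to an /oauth2/authorize request from its status code
// and Location header, as read from the browser's network panel.
function classifyAuthorizeRedirect(authorizeUrl, status, location) {
  const request = new URL(authorizeUrl);
  const redirectUri = request.searchParams.get('redirect_uri');
  const sentState = request.searchParams.get('state');

  if (status < 300 || status > 399 || !location) {
    return { outcome: 'not-a-redirect' };
  }
  // Location may be relative, so resolve it against the authorize request.
  const target = new URL(location, request.href);

  // Bounce to the login page on the Hosted UI domain: the browser presented no
  // Hosted UI session, so an interactive sign-in is required (the thread's case).
  if (target.origin === request.origin && target.pathname === '/login') {
    return { outcome: 'no-hosted-ui-session' };
  }

  // Redirect back to the callback the client asked for.
  if (redirectUri) {
    const callback = new URL(redirectUri);
    if (target.origin === callback.origin && target.pathname === callback.pathname) {
      if (target.searchParams.has('error')) {
        return { outcome: 'authorization-error', error: target.searchParams.get('error') };
      }
      if (target.searchParams.has('code')) {
        // The echoed state must equal the one sent, or the response is rejected.
        const stateOk = target.searchParams.get('state') === sentState;
        return { outcome: stateOk ? 'session-reused' : 'state-mismatch' };
      }
    }
  }
  return { outcome: 'unexpected-redirect', target: target.origin + target.pathname };
}

console.log(classifyAuthorizeRedirect(
  SAMPLE_AUTHORIZE, 302, `${HOSTED_UI}/login?response_type=code&client_id=XXXXXX`));
```
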

Member

cwomack commented Dec 10, 2024

@SajithTS, when you state that "Previously, I was using the Cognito Hosted UI for the authentication process, and Superset would automatically log in if I was already authenticated in the application..." are you calling signInWithRedirect() in your app at all or is Apache Superset handling the sign-in flow directly? Or were you using the signInWithRedirect API prior to incorporating Superset in any way?

@SajithTS
Author

> @SajithTS, when you state that "Previously, I was using the Cognito Hosted UI for the authentication process, and Superset would automatically log in if I was already authenticated in the application..." are you calling signInWithRedirect() in your app at all or is Apache Superset handling the sign-in flow directly? Or were you using the signInWithRedirect API prior to incorporating Superset in any way?

@cwomack Apache Superset is handling the sign-in flow directly without any additional function calls. We are just including a few auth configuration options in the Superset project. That configuration is shown below

OAUTH_PROVIDERS = [
    {
        'name': 'cognito',
        'token_key': 'access_token',
        'icon':'fa-address-card',
        'remote_app': {
            'client_id':'XXXXXX',
            'client_secret':None,
            'client_kwargs': {
                'scope': 'openid email profile'
            },
            'response_type': 'code',
            'api_base_url': 'https://my-domain.auth.region.amazoncognito.com',
            'access_token_url': 'https://my-domain.auth.region.amazoncognito.com/oauth2/token',
            'authorize_url': 'https://my-domain.auth.region.amazoncognito.com/oauth2/authorize',
            'userinfo_endpoint': 'https://my-domain.auth.region.amazoncognito.com/oauth2/userInfo',
            'jwks_uri':'https://cognito-idp.region.amazonaws.com/region/.well-known/jwks.json',
            'logout_redirect_uri': 'https://dom.local.dom2.ai:8088/login'
        }
    }
]

Note:
We are using the signIn() API in our Angular application and that works well.

Member

cwomack commented Dec 13, 2024

@SajithTS, after doing a little more investigation on this... it looks like Amplify and Superset are not compatible in this way currently until we have support for initiating auth flows from external, 3rd party IDP's (as captured in feature request #13343). We'll consolidate this issue into #13343, but please upvote or comment on that issue to help the feature request gain community traction.

@cwomack closed this as not planned (Won't fix, can't repro, duplicate, stale) Dec 13, 2024