apache / superset

Apache Superset is a Data Visualization and Data Exploration Platform
https://superset.apache.org/
Apache License 2.0

Superset throws access is denied error when viewing dashboard even after signing in. #28646

Open MalavikaN1 opened 5 months ago

MalavikaN1 commented 5 months ago

Bug description

I have a link to a dashboard. When I click on the link, it redirects to the login page. After logging in, the dashboard is displayed, but the Access Denied toaster appears twice. We have used OAuth authentication.

How to reproduce the bug

  1. Get the link to a particular dashboard.
  2. Click on the link and open it in Incognito.
  3. Redirect to Login, then login
  4. Dashboard is displayed but access denied is shown.

Screenshots/recordings

Screenshot 2024-05-23 171641.png (image not available; the upload did not complete)

Superset version

3.1.3

Python version

3.9

Node version

16

Browser

Chrome

Additional context

No response

dosubot[bot] commented 5 months ago

To resolve the "Access Denied" error that appears twice when viewing a dashboard in Superset after logging in with OAuth authentication, you can try the following steps:

  1. Verify OAuth Configuration: Ensure that the OAuth configuration in Superset is correctly set up and that the OAuth provider is correctly passing the necessary credentials. Check the functions handling OAuth2 token management in superset/utils/oauth2.py.

  2. Check User Permissions: Make sure the user has the appropriate permissions to access the dashboard and the underlying data sources. Verify the roles and permissions assigned to the user in Superset.

  3. OAuth2 Authentication Flow: When a user without credentials tries to access a database that supports OAuth2, the backend will raise an OAUTH2_REDIRECT error. This will prompt the frontend to display a message informing the user they need to authenticate. The user will be redirected to an OAuth2 authentication process, and upon successful authorization, their personal access token will be stored for subsequent connections.

  4. Superset Logs: Check the Superset logs for more detailed error messages that might provide additional context about why the access is being denied.

Additionally, there is a known issue related to OAuth authentication in Superset version 3.1.3 that could cause "Access Denied" errors. You can find more details about this issue in the GitHub repository: Issue #20300.

By addressing these potential issues, you should be able to resolve the "Access Denied" error when viewing a dashboard in Superset.

Details / Sources:

  - [Access is denied for anonymous user](https://github.com/apache/superset/discussions/25299)
  - [Dashboards should be loaded with current user access rights, not with dashboard owner's access rights](https://github.com/apache/superset/issues/28214)
  - [UI Issue - Access Denied error pops up on initial load even for admin user.](https://github.com/apache/superset/issues/19884)
  - [Superset API IMPORT throw into Login Redirect page](https://github.com/apache/superset/issues/22407)
  - [superset/errors.py](https://github.com/apache/superset/blob/master/superset/errors.py)
  - [superset/utils/oauth2.py](https://github.com/apache/superset/blob/master/superset/utils/oauth2.py)
  - [superset-frontend/src/components/ErrorMessage/OAuth2RedirectMessage.tsx](https://github.com/apache/superset/blob/master/superset-frontend/src/components/ErrorMessage/OAuth2RedirectMessage.tsx)
  - [superset/config.py](https://github.com/apache/superset/blob/master/superset/config.py)

MalavikaN1 commented 5 months ago

This is what happens: when a user without credentials tries to access a database that supports OAuth2, the backend will raise an OAUTH2_REDIRECT error. This will prompt the frontend to display a message informing the user they need to authenticate. The user will be redirected to an OAuth2 authentication process, and upon successful authorization, their personal access token will be stored for subsequent connections. But even after successful authorization, the "Access is denied" toaster is displayed.

MalavikaN1 commented 5 months ago

@Dosu Any updates on this?

dosubot[bot] commented 5 months ago

To resolve the "Access Denied" error that appears even after successful OAuth2 authorization, you should ensure the following:

  1. Verify User Permissions: Ensure that the user has the necessary permissions to access the dashboard and the underlying data sources. This includes checking the user's roles and permissions in Superset [1].

  2. Check OAuth Configuration: Ensure that the OAuth authentication is correctly configured and that the user is properly authenticated. Misconfigurations in OAuth settings can lead to access issues [2].

  3. Handle OAuth2 Redirect: Ensure that the OAuth2 redirect process is working correctly. The user should click the provided link to start the OAuth2 authentication process, and after successful authentication, the user should be redirected back to Superset with their access token stored. The original query should be re-run automatically once the authentication is successful [3].

  4. Database Permissions: Verify that the user has the correct permissions on the database, including access to the database, tables, and schemas required by the dashboard [1].

  5. Superset Logs: Check the Superset logs for more detailed error messages that can provide additional context on why the access is denied [2].

By ensuring these steps are correctly followed, you should be able to resolve the "Access Denied" error after successful OAuth2 authorization.

MalavikaN1 commented 5 months ago

@dosu I've tried everything mentioned above, still facing the same error.

dosubot[bot] commented 5 months ago

@rusackas, this one's a bit out of my wheelhouse, could you step in and provide your guidance?

rusackas commented 5 months ago

The screenshot is broken, but I can't help but wonder if the user in question indeed has access to the dashboard and data. This sounds like an RBAC/config issue more than a Superset bug, I'm afraid.

MalavikaN1 commented 5 months ago

@rusackas Yes, the user has access to the dashboard and data. I think the problem is with the initial loading. On clicking the link, since the user is not signed in, it redirects to the login page, where the access denied message should've been shown. Since an OAuth integration is used and the login page is different, the error message is not shown there, and only after signing in is the message from earlier shown.

rusackas commented 5 months ago

Ahh, ok. I don't recall all the details, but the login page takes a redirection URL param, which can send the user back to the correct page after authorizing.

MalavikaN1 commented 4 months ago

Any updates on this? How can the error message be prevented from propagating to the home page after signing in? Or is there any way to not show the toaster since the user is already logged in.

MalavikaN1 commented 4 months ago

@rusackas

rusackas commented 4 months ago

Not sure how to repro this. I'm assuming you're using a custom security manager or have a config issue of some sort. This is not an issue on Preset instances, so I don't think it's an issue with Superset itself.

SharonCastel commented 4 months ago

This error makes our customers wonder what is wrong here.... how can we prevent it?

MasMadd commented 3 months ago

Hello, I have the same problem here, using a Keycloak Security Manager and I am struggling to find a solution, any ideas even to 'hide' that label?

EinavDanielDX commented 2 months ago

Hi, I'm experiencing a similar issue with Superset 4.0.0.

In my case, I’m using a custom security manager to implement SSO. It seems that when I try to access a dashboard before a session is created (e.g., the first time I log in for the day), Superset redirects from the dashboard to a login page and then back to the dashboard.

The issue is that the login page doesn’t exist because we use SSO, so a pop-up appears in the background even though the user logs in automatically.

nandwalritik commented 5 days ago

Did anyone find any solution? I am facing the same issue while logging in as admin for the first time, although on subsequent logins it doesn't occur.

nandwalritik commented 3 days ago

@EinavDanielDX @MalavikaN1 Did you guys find any fix? It's hard to debug even because

@rusackas If there is any workaround please let me know.

MalavikaN1 commented 3 days ago

@EinavDanielDX @nandwalritik You can fix this by clearing out the existing client session flash messages when logging in. Just do session.pop('_flashes', None)

nandwalritik commented 3 days ago

@MalavikaN1 Thanks for replying, not sure where I should add this. I will tell you about my implementation. Maybe you can help me after that.

We have integrated the dashboard using the embedded SDK, and I have also overridden the login with the logic below.

    from flask import g, redirect, request
    from flask_appbuilder import expose
    from flask_appbuilder.security.views import AuthDBView
    from flask_login import login_user


    class CustomAuthDBView(AuthDBView):
        @expose("/login/", methods=["GET", "POST"])
        def login(self):
            username = request.args.get("username")
            password = request.args.get("password")
            # taken from the query string as-is; nothing checks where it points
            redirect_url = request.args.get("redirect")
            user = self.appbuilder.sm.auth_user_db(username, password)
            if user:
                login_user(user, remember=False)
                if redirect_url is not None:
                    return redirect(redirect_url)
                return redirect(self.appbuilder.get_url_for_index)

            # Flask-Login exposes is_authenticated as a property, not a method
            elif g.user is not None and g.user.is_authenticated:
                if redirect_url is not None:
                    return redirect(redirect_url)
                return redirect(self.appbuilder.get_url_for_index)
            else:
                return super().login()

So Where should we do this session.pop("_flashes",None)?

MalavikaN1 commented 3 days ago

@nandwalritik can you try adding it before returning the redirect url
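The suggestion in this thread is to pop the session's `_flashes` list right before the post-login redirect, so the "Access is denied" message queued while the user was still anonymous is never rendered. The login override posted above also redirects to whatever the `redirect` query parameter says, which is an open redirect unless the target is checked. The example below is added here and is not code from Superset, Flask-AppBuilder or anyone in this thread: the two helpers are plain Python and assume only that the session is dict-like (Flask's is) and that `host` is the value of Flask's `request.host`; the `CustomAuthDBView` at the bottom assumes Flask-AppBuilder's `AuthDBView`, that the `redirect` (or `next`) parameter survives the login form's POST, and that clearing flashes only after a successful login is what is wanted, so FAB's own "Invalid login" flash still shows.

```python
from typing import MutableMapping, Optional
from urllib.parse import urljoin, urlparse

FLASH_KEY = "_flashes"  # key under which Flask queues flash() messages in the session


def clear_stale_flashes(session: MutableMapping) -> list:
    """Drop messages flashed before login (the 'Access is denied' raised when an
    anonymous request hit a protected dashboard URL) so they are not rendered on
    the page the user lands on after signing in. Returns what was dropped."""
    return session.pop(FLASH_KEY, None) or []


def is_local_redirect(target: Optional[str], host: str) -> bool:
    """True only if `target` resolves to an http(s) URL on `host` (Flask's
    request.host). Rejects other hosts, scheme-relative '//evil' URLs,
    non-http schemes, and backslash/control characters that browsers
    normalise into a different URL than urllib sees."""
    if not target or "\\" in target or any(ord(c) < 0x20 for c in target):
        return False
    base = urlparse(f"https://{host}/")
    resolved = urlparse(urljoin(base.geturl(), target))
    return resolved.scheme in ("http", "https") and resolved.netloc == base.netloc


def resolve_redirect(target: Optional[str], host: str, default: str) -> str:
    """Return `target` if it is safe to redirect to, otherwise `default`."""
    return target if is_local_redirect(target, host) else default


try:  # The view below needs Flask-AppBuilder installed; the helpers above do not.
    from flask import redirect, request, session
    from flask_appbuilder import expose
    from flask_appbuilder.security.views import AuthDBView
    from flask_login import current_user

    class CustomAuthDBView(AuthDBView):
        @expose("/login/", methods=["GET", "POST"])
        def login(self):
            # Let FAB render the form and authenticate. Flashes are cleared
            # only on success, so FAB's "Invalid login" message still appears.
            response = super().login()
            if not current_user.is_authenticated:
                return response
            clear_stale_flashes(session)
            # "redirect" is the parameter name used in this thread (assumption:
            # it is carried through the form POST, e.g. in the form action URL).
            wanted = request.args.get("redirect") or request.args.get("next")
            target = resolve_redirect(wanted, request.host, self.appbuilder.get_url_for_index)
            return redirect(target)
except ImportError:
    pass
```

Register the view with `CUSTOM_SECURITY_MANAGER` as usual (`authdbview = CustomAuthDBView` on the security manager). The check compares the resolved host:port against the request's own, so `//evil.example/`, `https://evil.example/`, `javascript:` targets and `/\evil.example` all fall back to the index page, while `/superset/dashboard/1/` and a full URL on the same host pass.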