apache / superset

Apache Superset is a Data Visualization and Data Exploration Platform
https://superset.apache.org/
Apache License 2.0

Irrelevant Access Denied flash message when starting OIDC authentication flow from a protected endpoint #30344

Open McDonnellJoseph opened 1 week ago

McDonnellJoseph commented 1 week ago

Bug description

When Superset is set up with OIDC for authentication, it is common to land on a protected URL, for example /dashboard.

In the case where the user is logged out, he is correctly redirected through the login flow; however, once the page is loaded an unexpected "Access is Denied" message is flashed on the screen. This flash message is added when the has_access decorator for the protected endpoint is evaluated before the user is logged in.

Adding the following to the AuthOIDCView configuration fixes the issue, but a better solution may exist, as this risks deleting important flash messages:

if login_user(user, remember=False):
    # Consume the pending "danger" flashes so the stale access-denied message is not shown
    get_flashed_messages(category_filter=['danger'])

The relevant flash message stems from the following piece of code in flaskappbuilder/security/decorators.py:

# Fragment of the has_access wrapper: the permission check runs before any login redirect
permission_str = f"{PERMISSION_PREFIX}{f._permission_name}"
if self.method_permission_name:
    _permission_name = self.method_permission_name.get(f.__name__)
    if _permission_name:
        permission_str = f"{PERMISSION_PREFIX}{_permission_name}"
if permission_str in self.base_permissions and self.appbuilder.sm.has_access(
    permission_str, self.class_permission_name
):
    return f(self, *args, **kwargs)
else:
    log.warning(
        LOGMSG_ERR_SEC_ACCESS_DENIED, permission_str, self.__class__.__name__
    )
    # Flashed for an anonymous user as well, before the redirect to the login view
    flash(as_unicode(FLAMSG_ERR_SEC_ACCESS_DENIED), "danger")
return redirect(
    url_for(
        self.appbuilder.sm.auth_view.__class__.__name__ + ".login",
        next=request.url,
    )
)

How to reproduce the bug

  1. Have Superset configured with OIDC as documented.
  2. When logged out, access a protected endpoint, for example /superset/dashboard/pk.
  3. An access denied message will be flashed on the screen.

Screenshots/recordings

No response

Superset version

4.0.2

Python version

3.9

Node version

16

Browser

Firefox

Additional context

This may stem from my logging configuration as an error is logged by the flask dependency but this does not appear in my superset logs.

Checklist
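As an added example (not code from the issue, Superset or flask-appbuilder), the following shows why the get_flashed_messages workaround above discards every pending flash rather than only the "danger" one, and a narrower alternative that removes just the access-denied entry from the session. It assumes Flask is installed; the message text, secret key and the extra "info" flash are constructed for the demonstration.

```python
from flask import Flask, flash, get_flashed_messages, session

# Constructed stand-in for flask-appbuilder's FLAMSG_ERR_SEC_ACCESS_DENIED text
ACCESS_DENIED_MSG = "Access is Denied"

app = Flask(__name__)
app.secret_key = "constructed-test-key"  # constructed; sessions need a key


def _seed_flashes():
    """Constructed state: the decorator's danger flash plus an unrelated info flash."""
    flash(ACCESS_DENIED_MSG, "danger")
    flash("Password expires in 3 days", "info")


def workaround_from_issue():
    """Mimics the issue's workaround and returns what is still queued afterwards."""
    with app.test_request_context("/login"):
        _seed_flashes()
        get_flashed_messages(category_filter=["danger"])
        # Flask pops the whole '_flashes' list from the session on the first
        # call; category_filter only narrows the returned value, so the
        # unrelated "info" flash is lost as well.
        return list(session.get("_flashes", []))


def drop_access_denied_only():
    """Narrower alternative: remove only the access-denied flash, keep the rest."""
    with app.test_request_context("/login"):
        _seed_flashes()
        kept = [
            (cat, msg)
            for cat, msg in session.get("_flashes", [])
            if not (cat == "danger" and msg == ACCESS_DENIED_MSG)
        ]
        if kept:
            session["_flashes"] = kept
        else:
            session.pop("_flashes", None)
        return list(session.get("_flashes", []))


if __name__ == "__main__":
    print("workaround keeps:", workaround_from_issue())
    print("targeted removal keeps:", drop_access_denied_only())
```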

dosubot[bot] commented 1 week ago

Hey @McDonnellJoseph! 👋 I'm here to help you tackle this bug and answer any questions you have. Let's squash those pesky bugs together!

To prevent the "Access Denied" flash message when starting the OIDC authentication flow from a protected endpoint in Superset, you can add the OIDC login endpoint to the CSRF exempt list in your superset_config.py file. This can be done by updating the WTF_CSRF_EXEMPT_LIST configuration.

Here is the relevant configuration:

WTF_CSRF_EXEMPT_LIST = ['login/']

This will exempt the OIDC login endpoint from CSRF protection, preventing the "Access Denied" flash message during the authentication flow [1].
