dpgaspar / Flask-AppBuilder

Simple and rapid application development framework, built on top of Flask. Includes detailed security, auto CRUD generation for your models, Google charts and much more. Demo (login with guest/welcome) - http://flaskappbuilder.pythonanywhere.com/
BSD 3-Clause "New" or "Revised" License

Wrong url while getting userinfo from Keycloak #2226

Open gioargyr opened 7 months ago

gioargyr commented 7 months ago

If you'd like to report a bug in Flask-Appbuilder, fill out the template below. Provide any extra information that may be useful.

Responsible disclosure: We want to keep Flask-AppBuilder safe for everyone. If you've discovered a security vulnerability please report to danielvazgaspar@gmail.com.

Environment

Flask-Appbuilder version: 4.3.11

Describe the expected results

Tell us what should happen.

I use Flask-AppBuilder for managing Auth in Apache Superset through Keycloak: https://superset.apache.org/docs/installation/configuring-superset/#custom-oauth2-configuration All the URLs I define in the remote_app dictionary have this base URL: https://<my_domain>/realms/<realm_name>/protocol

"api_base_url": "https://<my_domain>/realms/<realm_name>/protocol"
"authorize_url": "https://<my_domain>/realms/<realm_name>/protocol/openid-connect/auth"
"access_token_url": "https://<my_domain>/realms/<realm_name>/protocol/openid-connect/token"

Somehow, when the application searches for user info, it raises this error:

ERROR:flask_appbuilder.security.views:Error returning OAuth user info: 404 Client Error: Not Found for url: https://<my_domain>/realms/<realm_name>/openid-connect/userinfo

As you can see, it omits /protocol in the URL, so it returns error 404. Is there any variable I can define so that flask_appbuilder will use the correct URL when it tries to retrieve the user info?

Describe the actual results

Tell us what happens instead.

When the application searched for user info, it raises this error:

ERROR:flask_appbuilder.security.views:Error returning OAuth user info: 404 Client Error: Not Found for url: https://<my_domain>/realms/<realm_name>/openid-connect/userinfo

Steps to reproduce

For reproducing this issue you need to deploy Superset on Kubernetes and have a Keycloak instance for managing auth.

gugupy commented 7 months ago

If you have made a custom OAuth configuration, make sure you have called the userinfo API for Keycloak like below:

self.appbuilder.sm.oauth_remotes[provider].get("openid-connect/userinfo")

mdsharpe commented 2 weeks ago

You might just need to make sure your api_base_url ends with /.
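The trailing-slash point above, shown as an added example (not code from Flask-AppBuilder or authlib): it assumes the OAuth client resolves the relative "openid-connect/userinfo" path against api_base_url with standard RFC 3986 joining (urllib.parse.urljoin), which is what makes the /protocol segment disappear when the base URL has no trailing slash. Host and realm names are constructed; check_remote_app is a hypothetical helper for validating a remote_app entry before deployment.

```python
from urllib.parse import urljoin

# Relative path that the Keycloak userinfo call above passes to the OAuth client.
USERINFO_PATH = "openid-connect/userinfo"


def resolve_userinfo_url(api_base_url: str, path: str = USERINFO_PATH) -> str:
    """Resolve `path` the way an RFC 3986 urljoin-based client does (assumption).

    Absolute URLs are used as-is; relative paths replace the LAST segment of
    the base path unless the base ends with '/', so '.../protocol' loses
    'protocol' while '.../protocol/' keeps it.
    """
    if path.startswith(("http://", "https://")):
        return path
    return urljoin(api_base_url, path)


def normalize_api_base_url(api_base_url: str) -> str:
    """Make the base URL end with '/' so its final segment is treated as a directory."""
    return api_base_url if api_base_url.endswith("/") else api_base_url + "/"


def check_remote_app(remote_app: dict) -> dict:
    """Report how a remote_app entry resolves the userinfo endpoint and the corrected URL.

    `drops_protocol_segment` is True when the resolved URL no longer contains
    the Keycloak '/protocol/' prefix, i.e. the 404 case from the report.
    """
    base = remote_app["api_base_url"]
    resolved = resolve_userinfo_url(base)
    fixed = resolve_userinfo_url(normalize_api_base_url(base))
    return {
        "resolved": resolved,
        "fixed": fixed,
        "drops_protocol_segment": "/protocol/" not in resolved,
    }


if __name__ == "__main__":
    # Constructed sample config mirroring the shape of the report (no real host).
    sample = {"api_base_url": "https://idp.example.test/realms/demo/protocol"}
    for key, value in check_remote_app(sample).items():
        print(f"{key}: {value}")
```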