
Oauth registration not working #16759

Closed
nelson-lark opened this issue Sep 21, 2021 · 4 comments
Labels
#bug Bug report

Comments


nelson-lark commented Sep 21, 2021

A clear and concise description of what the bug is.

New users are not able to register.
The custom OAuth flow appears to get the authentication and user info, but then never registers a new user in Superset.
This results in an infinite loop of redirects when there is only one OAuth provider.

Expected results

New user registration works.

Actual results

If I only have one OAuth provider, I get an infinite loop of requests. It successfully authenticates against the ID provider (in this case, AWS Cognito), completes the custom oauth_user_info step (I can see results in the log), but never actually registers the user. Ergo, login will not work, and if there is only one auth provider, it will begin to loop infinitely.

How to reproduce the bug

  1. Add an OAuth configuration.
  2. Start up the docker-compose non-dev environment.
  3. Navigate to /login.
  4. Complete authentication.
  5. Infinite loop.

Environment

  • ChromeOS
  • superset: current master branch
  • python: 3.7
  • node is not installed
  • current configuration (minus the boilerplate logging and database setups):

```python
import logging
import os

from flask_appbuilder.security.manager import AUTH_DB, AUTH_OAUTH

# The snippet used `logger` below without defining it.
logger = logging.getLogger(__name__)

ENABLE_PROXY_FIX = True

AUTH_TYPE = AUTH_OAUTH

COGNITO_URL = os.environ.get("COGNITO_URL")

OAUTH_PROVIDERS = [
    {
        "name": "awscognito",
        # Per-provider e-mail whitelist; left empty here.
        "whitelist": [],
        "icon": "fa-amazon",
        "token_key": "access_token",
        "remote_app": {
            "client_id": os.environ.get("COGNITO_KEY"),
            "client_secret": os.environ.get("COGNITO_SECRET"),
            "token_key": "access_token",
            "api_base_url": os.path.join(COGNITO_URL, ''),
            "client_kwargs": {
                "scope": "email profile openid"
            },
            "request_token_url": None,
            "access_token_url": os.path.join(COGNITO_URL, 'oauth2/token'),
            "authorize_url": os.path.join(COGNITO_URL, 'oauth2/authorize')
        }
    },
    {
        'name': 'twitter',
        'icon': 'fa-twitter',
        'token_key': 'access_token',
        'remote_app': {
            "client_id": os.environ.get("TWITTER_ID"),
            "client_secret": os.environ.get("TWITTER_SECRET"),
            "request_token_url": 'https://api.twitter.com/oauth/request_token',
            "request_token_params": None,
            "access_token_url": 'https://api.twitter.com/oauth/access_token',
            "access_token_params": None,
            "authorize_url": 'https://api.twitter.com/oauth/authenticate',
            "authorize_params": None,
            "api_base_url": 'https://api.twitter.com/1.1/',
            "client_kwargs": None,
        }
    }
]

AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Admin"
SECRET_KEY = "thisismyscretkey"

from superset.security import SupersetSecurityManager
import jwt


class CustomSsoSecurityManager(SupersetSecurityManager):
    def oauth_user_info(self, provider, response=None):
        if provider == "awscognito":
            logger.debug("PROVIDER-IS-COGNITO")
            id_token = response["id_token"]
            # Claims are read WITHOUT verifying the token signature
            # (PyJWT 1.x keyword; PyJWT 2.x spells this
            # options={"verify_signature": False}).
            userInfo = jwt.decode(id_token, verify=False)
            groups   = userInfo["cognito:groups"]
            userName = userInfo["cognito:username"]
            fullName = userInfo["name"]
            email    = userInfo["email"]
            logger.debug(email)
            logger.debug(userName)
            # Keys expected by Flask-AppBuilder's OAuth user registration.
            return {
                'fullname': fullName,
                'email': email,
                'username': userName,
                'first_name': '',
                'last_name': ''
            }
        else:
            return {}


CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager
```
@nelson-lark nelson-lark added the #bug Bug report label Sep 21, 2021

mandeeplohan commented Sep 21, 2021

Hi Nelson,
Is the user able to sign in? I used similar configs. In my case, sign-in and register are both failing. #16749

I only need sign-in; if that is working for you, it would be really helpful to me.

@nelson-lark
Author

@mandeeplohan For my problem, I just discovered that whitelist cannot be an empty array. I must either remove the parameter or put my email domain in there.

Looking at your issue, it looks like it's redirecting you back to "https", rather than "http", which is why the site can't be found. Just remove the "s" on the return url and yours will probably work.
Some Oauth providers sometimes only allow https redirects. I know Slack is like that, maybe Ping also.
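As an added example (not code from Superset or Flask-AppBuilder, and not the commenter's), this re-implements the provider whitelist check the way I understand Flask-AppBuilder's security manager applies it, to show why `"whitelist": []` rejects every user while omitting the key allows everyone, and why a domain entry should be an anchored regex rather than a bare domain string. The provider configs and e-mail addresses are constructed.

```python
import re

# Constructed sample configs (not the issue's real values): the only field
# that matters for this check is whether "whitelist" is present and what it holds.
PROVIDERS_EMPTY_LIST = [{"name": "awscognito", "whitelist": []}]
PROVIDERS_NO_KEY = [{"name": "awscognito"}]
PROVIDERS_ANCHORED = [{"name": "awscognito", "whitelist": [r"@example\.com$"]}]
PROVIDERS_LOOSE = [{"name": "awscognito", "whitelist": ["example.com"]}]


def build_whitelists(providers):
    """Record a whitelist for every provider that sets the key at all.

    Modelled on how Flask-AppBuilder collects per-provider "whitelist"
    entries (assumption, see lead-in): an empty list is still registered
    as a whitelist, it is not treated as "no whitelist".
    """
    return {p["name"]: p["whitelist"] for p in providers if "whitelist" in p}


def user_allowed(provider, userinfo, whitelists):
    """Return True if the OAuth user may be logged in / registered.

    No whitelist for the provider -> allowed. Otherwise the e-mail must match
    at least one entry; entries are regular expressions tried with re.search,
    so an empty list can never match and rejects everyone, and an unanchored
    "example.com" also matches look-alike domains that merely contain it.
    """
    if provider not in whitelists:
        return True
    email = userinfo.get("email", "")
    return any(re.search(pattern, email) for pattern in whitelists[provider])


if __name__ == "__main__":
    own = {"email": "alice@example.com"}
    lookalike = {"email": "alice@example.com.lookalike.test"}
    for label, cfg in [("[]", PROVIDERS_EMPTY_LIST), ("no key", PROVIDERS_NO_KEY),
                       ("anchored", PROVIDERS_ANCHORED), ("loose", PROVIDERS_LOOSE)]:
        wl = build_whitelists(cfg)
        print(f"{label:9s} own domain: {user_allowed('awscognito', own, wl)!s:5}"
              f"  look-alike domain: {user_allowed('awscognito', lookalike, wl)}")
```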

@mandeeplohan

@nelson-lark Yeah, that might be the issue. The provider and I configured it to http only. However, it is coming back with https.
My provider confirmed that it will use https only. So we changed the redirect URL to https at his end and my end.
But it is still the same issue, and also it is still doing the http call only and coming back with https even though we changed it to https.
Any idea here?

@nelson-lark
Author

nelson-lark commented Sep 22, 2021 via email
