[QA][superset & keycloak] flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF token is missing.

[wangliang-shanks]

install superset on k8s (superset version is 4.0.0) and integrate with keycloak （ Authlib==1.3.0）

• OAuth2 Configuration (https://github.com/apache/superset/blob/master/docs/docs/configuration/configuring-superset.mdx )
• Bypass Superset keycloak OAUTH login page (Bypass Superset keycloak OAUTH login page dpgaspar/Flask-AppBuilder#2225)

now, the login process is worked well , but error message “flask_wtf.csrf.CSRFError: 400 Bad Request: missing CSRF token” appears.
when using “self.appbuilder.sm.oauth_remotes[provider].get(‘userDetails’).data”，how do I fix it?

The source code is as follows

1. extraSecrets:
   custom_sso_security_manager.py

@expose("/login/")
@expose("/login/<provider>")
def login(self, provider: Optional[str] = None) -> WerkzeugResponse:
            if provider is None:
               providers = [k for k in self.appbuilder.sm.oauth_remotes.keys()]
               if len(providers) == 1:
                   provider = providers[0]
            if g.user is not None and g.user.is_authenticated:
              # other code
              info = self.appbuilder.sm.oauth_remotes[provider].get('userDetails').data
              # other code
            else:
              logging.debug("Going to call authorize for: %s", provider)
              random_state = generate_random_string()
              state = jwt.encode(
                request.args.to_dict(flat=False), random_state, algorithm="HS256"
              )
              session["oauth_state"] = random_state
              try:
                return self.appbuilder.sm.oauth_remotes[provider].authorize_redirect(
                    redirect_uri=url_for(
                        ".oauth_authorized", provider=provider, _external=True
                    ),
                    state=state.decode("ascii") if isinstance(state, bytes) else state,
                )
              except Exception as e:
                logging.error("Error on OAuth authorize: %s", e)
                flash(as_unicode(self.invalid_login_message), "warning")
                return redirect(self.appbuilder.get_url_for_index)

2. config

AUTH_TYPE = AUTH_OAUTH
      OAUTH_PROVIDERS = [
        {   
          'name':'keycloak',
          'token_key': 'access_token',
          'remote_app': {
            'client_id':'xxxxxxxxx',
            'client_secret': '',
            'api_base_url': 'https://xxxxxx/auth/realms/xxxxxxxx/protocol/',
            'client_kwargs':{
                'scope': 'openid email profile'
            },
            'access_token_url':'https://xxxxxxxx/auth/realms/xxxxxx/protocol/openid-connect/token',
            'authorize_url':'https://xxxxxxxxxx/auth/realms/xxxxxx/protocol/openid-connect/auth',
            'jwks_uri': 'https://xxxxxxxauth/realms/xxxxxxx/protocol/openid-connect/certs'
          }
        }
      ]

3. log

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 261, in protect
    validate_csrf(self._get_csrf_token())
  File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 100, in validate_csrf
    raise ValidationError("The CSRF token is missing.")
wtforms.validators.ValidationError: The CSRF token is missing.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1821, in full_dispatch_request
    rv = self.preprocess_request()
  File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 2313, in preprocess_request
    rv = self.ensure_sync(before_func)()
  File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 229, in csrf_protect
    self.protect()
  File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 264, in protect
    self._error_response(e.args[0])
  File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 307, in _error_response
    raise CSRFError(reason)
flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF token is missing.