Okta login is broken #2291
Comments
I've reported this to Superset as well. @chrispsheehan, this is the root cause of why we couldn't log in Friday. Weirdly, I can work around this by borrowing code from other lines.
This is a little disgusting, but it seems from the debugger that by the time code reaches this point userinfo was already successfully retrieved from the id token. Probably not a safe work-around 😆 This system was a complete pain to debug.
Probably worth noting that the sample code I provided lets me log in, but does refuse to let me see the /userinfo endpoint... Probably because of the nasty hack workaround above. Again, not a suitable workaround. Edit: it was because I gave the lowest permissions to the user, rather than map the groups from Okta to roles 😊 By changing the default to Admin, I was able to view my own user profile... such fun
I am actually a little bit mad about this now I've found a fix. It's likely Okta's fault for not having stable URLs, but the design of this library did not make the win easy to receive at all.
Semi-interesting information was that by configuring the client to say
If you'd like to report a bug in Flask-Appbuilder, fill out the template below. Provide any extra information that may be useful.
Responsible disclosure:
We want to keep Flask-AppBuilder safe for everyone. If you've discovered a security vulnerability, please report to [email protected].
Environment
Flask-Appbuilder version:
Flask-AppBuilder==4.5.2
pip freeze output:
Describe the expected results
Tell us what should happen.
For a start, given the metadata URL, other URLs should be discovered, and weirdly it looks like they are in some places and not others when stepping through in a debugger... Anyway, I've got this to the point now where it fails when reading userinfo, but I curl'ed the endpoint with POST (not GET) and boom, instant user information...
Minimal reproducible
Describe the actual results
Tell us what happens instead.
So there isn't a traceback as such, but the userinfo endpoint, which I took from the `me` object in `.venv/lib/python3.11/site-packages/flask_appbuilder/security/manager.py`, gets a 404 with HTML info...
Steps to reproduce
Start a new OAuth app in a free okta developer account
Use the python provided
I am using the following VSCode JSON to launch flask so I can interactively debug
Output from CURL (access token redacted)
curl -v -X POST -H 'Authorization: Bearer <redacted token>' 'https://dev-83615971.okta.com/oauth2/v1/userinfo' | jq
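The issue body expects the provider's endpoints (including userinfo) to be discovered from the metadata URL rather than assembled by hand. The following is an added example, not Flask-AppBuilder's or Okta's code: it parses a constructed OpenID Connect discovery document (standard field names; the issuer host is the placeholder domain from the curl command above), audits it before any endpoint is trusted, and builds the userinfo request with the method the author found working (POST, which OIDC Core requires alongside GET). The "same host as the issuer" rule in `endpoint_is_trusted` is a conservative policy chosen for this example, stricter than the spec, so that an access token is never sent to a host the discovery document was not fetched from.

```python
"""Resolve OIDC endpoints from a provider's discovery document instead of
hardcoding them. Added example, not Flask-AppBuilder's code: the discovery
documents below are constructed samples using the standard OpenID Connect
Discovery field names; the Okta domain is the one from the issue's curl command.
"""
import json
from urllib.parse import urlsplit

ISSUER = "https://dev-83615971.okta.com"  # placeholder issuer taken from the issue

# Constructed sample of what a provider serves at
# <issuer>/.well-known/openid-configuration.
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/oauth2/v1/authorize",
    "token_endpoint": ISSUER + "/oauth2/v1/token",
    "userinfo_endpoint": ISSUER + "/oauth2/v1/userinfo",
    "jwks_uri": ISSUER + "/oauth2/v1/keys",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Constructed sample whose userinfo_endpoint points at a different host: a
# client that trusts whatever URL it receives would send its access token there.
TAMPERED_DISCOVERY_JSON = json.dumps({
    **json.loads(SAMPLE_DISCOVERY_JSON),
    "userinfo_endpoint": "https://attacker.example/userinfo",
})

REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
ENDPOINT_FIELDS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")


class DiscoveryError(ValueError):
    """Raised when a discovery document fails a sanity check."""


def endpoint_is_trusted(url: str, issuer: str) -> bool:
    """Conservative policy (stricter than the spec, which only requires HTTPS):
    accept an endpoint only if it is HTTPS and on the issuer's host."""
    e, i = urlsplit(url), urlsplit(issuer)
    return e.scheme == "https" and e.netloc == i.netloc and not e.fragment


def audit_discovery(doc_text: str, expected_issuer: str) -> list:
    """Return the list of problems found in the document (empty if it passes)."""
    problems = []
    try:
        meta = json.loads(doc_text)
    except json.JSONDecodeError as exc:
        return [f"not JSON: {exc}"]
    if meta.get("issuer") != expected_issuer:
        problems.append(f"issuer {meta.get('issuer')!r} != expected {expected_issuer!r}")
    for key in REQUIRED_FIELDS:
        if key not in meta:
            problems.append(f"missing required field {key}")
    for key in ENDPOINT_FIELDS:
        url = meta.get(key)
        if url and not endpoint_is_trusted(url, expected_issuer):
            problems.append(f"{key} {url!r} is not an https URL on the issuer host")
    return problems


def load_discovery(doc_text: str, expected_issuer: str) -> dict:
    """Parse the document, raising DiscoveryError on any audit finding."""
    problems = audit_discovery(doc_text, expected_issuer)
    if problems:
        raise DiscoveryError("; ".join(problems))
    return json.loads(doc_text)


def build_userinfo_request(meta: dict, access_token: str, method: str = "GET") -> tuple:
    """Return (method, url, headers) for calling the discovered userinfo endpoint.
    OIDC Core requires the endpoint to support both GET and POST."""
    if method not in ("GET", "POST"):
        raise ValueError("userinfo endpoint is defined for GET and POST only")
    url = meta.get("userinfo_endpoint")
    if not url:
        raise DiscoveryError("provider advertises no userinfo_endpoint")
    headers = {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
    return method, url, headers


if __name__ == "__main__":
    meta = load_discovery(SAMPLE_DISCOVERY_JSON, ISSUER)
    print(build_userinfo_request(meta, "<redacted token>", "POST"))
    print(audit_discovery(TAMPERED_DISCOVERY_JSON, ISSUER))
```

In a real client the document text would come from an HTTPS fetch of `<issuer>/.well-known/openid-configuration`; everything after that fetch is what the block shows, and the returned URL is used as-is rather than rebuilt from a base URL plus a guessed path.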