Single Sign On - Error authorizing OAuth access token: mismatching_state: CSRF Warning! State not equal in request and response.

[Piyush-Fury]

Bug description

Hello everyone, We are trying to add the OAUTH login using the Authentik identity server. We have setup the configuration as per the documentation. You can find the OAUTH configuration below.

postgresql:
postgresqlPassword: superset

configOverrides:
secret: |
import os
SECRET_KEY = '<>'

enable_oauth: |
# Enable proxy fix for correct redirect_uri computation
ENABLE_PROXY_FIX = True
FEATURE_FLAGS = {"DYNAMIC_PLUGINS": True}

# Install required dependencies
import os
os.system('pip install packaging==21.3 psycopg2-binary grpcio authlib pillow')

from flask_appbuilder.security.manager import AUTH_OAUTH
AUTH_TYPE = AUTH_OAUTH
OAUTH_PROVIDERS = [
    {
        "name": "authentik",
        "icon": "fa-lock",
        "token_key": "access_token",
        "remote_app": {
            "client_id": '0lFhO8Z72zThVO2byPClFaNp0vBz0dVV5cKJ7cw9',
            "client_secret": <>',
            "api_base_url": "http://authentik.piyush.today/application/o/",
            "client_kwargs": {"scope": "openid email profile"},
            "request_token_url": None,
            "access_token_url": "<>",
            "authorize_url": "<>",
            "jwks_uri": "<>",
            "redirect_uri": "<>",
            "server_metadata_url": "<>",
            "issuer": "<>"
        },
    }
]

# Map Authlib roles to Superset roles
AUTH_ROLE_ADMIN = 'Admin'
AUTH_ROLE_PUBLIC = 'Public'

# Allow user self-registration
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Admin"

# Configure SESSION_PROTECTION
SESSION_PROTECTION = "basic"

###########################
SQLALCHEMY_DATABASE_URI = f"postgresql+psycopg2://{os.getenv('POSTGRES_USER')}:{os.getenv('POSTGRES_PASSWORD')}@{os.getenv('POSTGRES_HOST')}:{os.getenv('POSTGRES_PORT')}/{os.getenv('POSTGRES_DB')}"

###########################
WTF_CSRF_ENABLED = True
WTF_CSRF_TIME_LIMIT = 60 * 60 * 24 * 365

try:
    import psycopg2
except ModuleNotFoundError:
    os.system('pip install psycopg2-binary')

# Flask Session Configuration (Highlighted New Additions)
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_SECURE = False  # Since you are on HTTP, not HTTPS
SESSION_COOKIE_SAMESITE = "Lax"  # Good default for basic protection
PERMANENT_SESSION_LIFETIME = 3600  # Session expiry time in seconds

bootstrapScript: |
#!/bin/bash
pip install psycopg2==2.9.6
sqlalchemy-bigquery==1.6.1
elasticsearch-dbapi==0.2.5 &&
pip install --no-cache-dir packaging==21.0 &&
if [ ! -f ~/bootstrap ]; then echo "Running Superset with uid {{ .Values.runAsUser }}" > ~/bootstrap; fi

extraEnv:
AUTH_DOMAIN: authentik.piyush.today
SESSION_COOKIE_SECURE: "True"
SESSION_COOKIE_HTTPONLY: "True"
SESSION_TIMEOUT: "3600"
SECRET_KEY: "<>"
AUTHENTIK_OAUTH_REDIRECT_URI: "http://superset.piyush.today/oauth-authorized/authentik"

Highlighted New Configuration

SESSION_COOKIE_DOMAIN: "superset.piyush.today" # Added domain to cookies
POSTGRES_USER: "superset"
POSTGRES_PASSWORD: "superset"
POSTGRES_DB: "superset"
POSTGRES_HOST: "superset-postgresql"
POSTGRES_PORT: "5432"

extraSecretEnv:

• name: SECRET_KEY
  secretName: superset-secret
  key: SECRET_KEY
• name: AUTHENTIK_CLIENT_ID
  secretName: authentik-client-id-secret
  key: AUTHENTIK_CLIENT_ID
• name: AUTHENTIK_CLIENT_SECRET
  secretName: authentik-client-secret-secret
  key: AUTHENTIK_CLIENT_SECRET

ingress:
enabled: true
annotations:
alb.ingress.kubernetes.io/scheme: "internet-facing"
alb.ingress.kubernetes.io/target-type: "ip"
alb.ingress.kubernetes.io/load-balancer-name: "aws-alb-superset"
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]'
alb.ingress.kubernetes.io/healthcheck-path: /health
alb.ingress.kubernetes.io/success-codes: "200"
alb.ingress.kubernetes.io/manage-backend-security-group-rules: "true"
alb.ingress.kubernetes.io/security-groups: "sg-0e7244a820c5e03ce"
alb.ingress.kubernetes.io/subnets: "subnet-0e93acffe7efb7530,subnet-064a10482338a08a4,subnet-010368913ca69b726"
path: /
pathType: Prefix
hosts:
- superset.piyush.today
ingressClassName: alb

After successful login, the user is again redirected to the login page, I checked the container logs, We are getting this following error

ERROR:flask_appbuilder.security.views:Error authorizing OAuth access token: mismatching_state: CSRF Warning! State not equal in request and response

I am searching for solutions, most of the github issues from other projects, didn't seem to help. Any help would be much appreciated. Thank you.

helm vhart : 0.10.9
Superset Version: 3.0.0

Screenshots/recordings

No response

Superset version

master / latest-dev

Python version

I don't know

Node version

I don't know

Browser

Chrome

Additional context

No response

Checklist

• I have searched Superset docs and Slack and didn't find a solution to my problem.
• I have searched the GitHub issue tracker and didn't find a similar bug report.
• I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

[dosubot[bot]]

Hey there, @Piyush-Fury! I'm here to assist you with any bugs, questions, or contributions. Let's work together to resolve the issue.

I found a similar discussion regarding a "Recursive login loop" issue, which might be related to your problem. This issue was addressed by a fix included in Superset version 3.1.0. However, users of versions 3.0.0 to 3.0.2 might still encounter this problem. The discussion suggests adding "session_cookie_secure": False to your Talisman CSP if you do not have HTTPS configured. You can find more details in the discussion here ^[1].

Additionally, ensure that your ENABLE_PROXY_FIX setting is correctly configured, as it helps compute the redirect_uri properly, especially when SSL offloading is involved. This setting is crucial for environments using a proxy or load balancer ^[2][3][4].

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Other}

[dosubot[bot]]

I found a similar issue regarding the "mismatching_state: CSRF Warning! State not equal in request and response" error when setting up OAuth login with Authentik in Apache Superset. This issue was addressed in Superset version 3.1.0. For versions 3.0.0 to 3.0.2, it is suggested to add "session_cookie_secure": False to your Talisman CSP if you do not have HTTPS configured. Additionally, ensure that your ENABLE_PROXY_FIX setting is correctly configured, as it helps compute the redirect_uri properly, especially when SSL offloading is involved ^[1].

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Other}

[Piyush-Fury]

@dosu the configurations you suggested me to add or change i have already done that and the issue is same.
ENABLE_PROXY_FIX = True
SESSION_COOKIE_SECURE: "False"

[dosubot[bot]]

Upgrading to Superset version 3.1.0 is recommended, as it addresses the CSRF state mismatch issue. If you're still encountering the problem after applying the suggested configurations, ensure that all related settings are correctly implemented. Double-check your redirect_uri and other OAuth settings to ensure they match the expected values. If the issue persists, consider reviewing any proxy or load balancer configurations that might affect the request and response flow ^[1][2].

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Other}