GitHub user dosubot[bot] added a comment to the discussion: ### Bug: SSO Logout Not Working with Keycloak + Iframe Embedded Superset
Hi @maazwaheed123! I'm [Dosu](https://go.dosu.dev/dosubot) and I'm helping the superset team.

The behavior you're seeing—where logging out of your main Keycloak-authenticated app does not log the user out of Superset embedded in an iframe—is a common challenge with Single Logout (SLO) in OIDC setups, especially when applications manage their own sessions and are embedded in iframes. Superset's logout process, when using a custom OIDC/Keycloak security manager, typically only triggers when the user explicitly hits the Superset logout endpoint. This endpoint is responsible for both clearing the Superset session and redirecting to the Keycloak logout endpoint, which ends the SSO session and can redirect back to a specified URL. If the Superset logout endpoint is not called, the Superset session cookie remains valid, so the user stays logged in even after the Keycloak session ends.

This is by design in most OIDC integrations, including the documented approach for Superset with Keycloak and Flask-OIDC, where the logout method explicitly calls the Keycloak logout endpoint and then clears the local session ([reference](https://github.com/apache/superset/blob/20519158d2ab6325f7564b16615a99fe0ebe7a38/docs/docs/configuration/configuring-superset.mdx)). When embedding Superset in an iframe, browser cookie policies (such as `SameSite=Lax` or `SameSite=Strict`) can further complicate session management, as cross-origin requests may not always clear cookies as expected ([reference](https://github.com/apache/superset/blob/20519158d2ab6325f7564b16615a99fe0ebe7a38/superset/config.py)). This means that even if the Keycloak session is ended, the Superset session cookie may persist until the user logs out of Superset directly or the cookie expires. To achieve true SLO, you need to ensure that when the main application logs out, it also triggers the Superset logout endpoint for the user session in the iframe.

This can be done by programmatically calling the Superset logout URL from the parent application (for example, by sending a message to the iframe to navigate to `/superset/logout/`), or by orchestrating logout flows so that all relevant applications' logout endpoints are called as part of the main app's logout process. The documented custom OIDC security manager for Superset expects this explicit logout call to properly clear both the Superset and Keycloak sessions ([reference](https://github.com/apache/superset/blob/20519158d2ab6325f7564b16615a99fe0ebe7a38/docs/docs/configuration/configuring-superset.mdx)). There are no built-in mechanisms in Superset to automatically detect an external Keycloak logout and clear the Superset session. This is a limitation of most web applications using OIDC/OAuth2, as session state is managed independently unless coordinated explicitly.

In summary: to achieve SLO, ensure your main application triggers the Superset logout endpoint (e.g., `/superset/logout/`) in the iframe as part of its logout flow. Review your iframe and cookie settings to ensure cross-origin session clearing works as expected. If you need to customize the logout behavior further, you may need to extend your custom `OIDCSecurityManager` to better coordinate with your application's logout logic ([reference](https://github.com/apache/superset/blob/20519158d2ab6325f7564b16615a99fe0ebe7a38/docs/docs/configuration/configuring-superset.mdx)).
GitHub link: https://github.com/apache/superset/discussions/33685#discussioncomment-13364013
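The parent-application logout orchestration the comment describes, written out as an added JavaScript example (this is not code from Superset, Keycloak, or the discussion). It assumes the `/superset/logout/` path named in the thread, a Keycloak issuer URL of the form `https://host/realms/<realm>`, and that the parent app holds the user's `id_token` for `id_token_hint`; the function names, timeout, and sample origins are illustrative. The browser-only part loads each application's logout URL in a hidden iframe, and only after those requests have been sent does it navigate the top-level window to Keycloak's RP-initiated logout endpoint, since doing the Keycloak logout first would unload the page before the per-app logouts ran. The loader and navigator are injectable so the flow can be exercised outside a browser.

```javascript
// Added example: parent-app single logout for an iframe-embedded Superset.
// Not Superset's or Keycloak's code. Paths, origins and the timeout are assumptions.

const SUPERSET_LOGOUT_PATH = "/superset/logout/"; // path used in the discussion (assumed to exist on your deployment)

// Absolute Superset logout URL for the origin the embedded iframe is served from.
function supersetLogoutUrl(supersetOrigin, path = SUPERSET_LOGOUT_PATH) {
  return new URL(path, supersetOrigin).href;
}

// Keycloak RP-initiated logout endpoint for a realm, with the OIDC parameters
// Keycloak accepts: id_token_hint, post_logout_redirect_uri, client_id.
function keycloakLogoutUrl(issuer, { idTokenHint, postLogoutRedirectUri, clientId } = {}) {
  const base = issuer.endsWith("/") ? issuer : issuer + "/"; // keep the /realms/<realm> segment
  const url = new URL("protocol/openid-connect/logout", base);
  if (idTokenHint) url.searchParams.set("id_token_hint", idTokenHint);
  if (postLogoutRedirectUri) url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  if (clientId) url.searchParams.set("client_id", clientId);
  return url.href;
}

// Browser-only: load a logout URL in a hidden iframe. Resolves "loaded" when the
// iframe fires its load event, or "timeout" if nothing happens in time. For a
// cross-origin URL the parent cannot read the response, so "loaded" only means the
// request was sent. If Superset's session cookie is SameSite=Lax/Strict and Superset
// is cross-site from this page, the cookie is not attached to the framed GET and the
// logout does nothing there (see the usage note).
function loadInHiddenIframe(url, timeoutMs) {
  return new Promise((resolve) => {
    const frame = document.createElement("iframe");
    frame.style.display = "none";
    let timer;
    const finish = (status) => {
      clearTimeout(timer);
      frame.remove();
      resolve({ url, status });
    };
    timer = setTimeout(() => finish("timeout"), timeoutMs);
    frame.addEventListener("load", () => finish("loaded"), { once: true });
    frame.src = url;
    document.body.appendChild(frame);
  });
}

// Build the plan: every application logout first, Keycloak last.
function planSingleLogout({ supersetOrigin, keycloakIssuer, idToken, clientId, returnTo }) {
  return {
    appLogouts: [supersetLogoutUrl(supersetOrigin)],
    keycloakLogout: keycloakLogoutUrl(keycloakIssuer, {
      idTokenHint: idToken,
      postLogoutRedirectUri: returnTo,
      clientId,
    }),
  };
}

// Execute the plan. `load` and `navigate` default to the hidden-iframe loader and a
// top-level navigation; both are injectable for testing outside a browser.
async function singleLogout(plan, {
  load = loadInHiddenIframe,
  navigate = (u) => { window.location.assign(u); },
  timeoutMs = 3000,
} = {}) {
  const targets = [...new Set(plan.appLogouts)]; // no duplicate requests
  const results = await Promise.all(targets.map((u) => load(u, timeoutMs)));
  navigate(plan.keycloakLogout); // ends the SSO session and redirects to returnTo
  return results;
}

// Stand-alone demo outside a browser, with a constructed fake loader and navigator.
if (typeof document === "undefined") {
  const plan = planSingleLogout({
    supersetOrigin: "https://bi.example.com",
    keycloakIssuer: "https://sso.example.com/realms/demo",
    idToken: "example-id-token",
    clientId: "parent-app",
    returnTo: "https://app.example.com/",
  });
  singleLogout(plan, {
    load: async (url) => ({ url, status: "loaded" }),
    navigate: (u) => console.log("top-level navigation ->", u),
  }).then((results) => console.log(results));
}
```

When Superset and the parent are on different sites, the framed `GET` will not carry a `SameSite=Lax` or `Strict` session cookie, so the per-app step above is a no-op there. In that case use top-level navigations instead: send the browser to Superset's logout URL first (a top-level GET does carry a Lax cookie), let the custom security manager's logout redirect on to Keycloak's logout endpoint as the comment describes, and have Keycloak's `post_logout_redirect_uri` bring the user back to the parent app.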
