GitHub user dosubot[bot] added a comment to the discussion: ### Bug: SSO Logout Not Working with Keycloak + Iframe Embedded Superset
To ensure users are logged out of both your main application and Superset, you
need to trigger the Superset logout endpoint as part of your logout flow. Since
Superset is embedded in an iframe, you can do this by sending a message to the
iframe to navigate to the Superset logout URL before redirecting to the
Keycloak logout.
Here’s a practical approach:
1. In your main app, send a message to the Superset iframe to trigger logout.
2. In the Superset iframe, listen for that message and navigate to
`/superset/logout/`.
3. After a short delay (to allow the Superset session to clear), redirect the
main window to the Keycloak logout URL.
Example for your main app (assuming the iframe has `id="superset-iframe"`):
```ts
const logout = async (): Promise<void> => {
  // Send a logout message to the Superset iframe. The target origin is the
  // iframe's exact origin (never '*'), so the message cannot leak elsewhere.
  const supersetIframe = document.getElementById(
    'superset-iframe',
  ) as HTMLIFrameElement | null;
  supersetIframe?.contentWindow?.postMessage(
    { type: 'LOGOUT_SUPERSET' },
    'https://superset.dalweb',
  );
  // Wait a moment to let Superset process logout
  setTimeout(() => {
    window.location.href = `${process.env.NEXT_PUBLIC_KEYCLOAK_URL}realms/${process.env.NEXT_PUBLIC_KEYCLOAK_REALM}/protocol/openid-connect/logout`;
  }, 1000); // Adjust delay as needed
};
```
In your Superset iframe (for example, in a small script injected into your
Superset embedding page):
```js
window.addEventListener('message', (event) => {
  // Only honour logout requests that come from the main app's exact origin
  if (
    event.origin === 'https://dalweb' && // your main app's origin
    event.data &&
    event.data.type === 'LOGOUT_SUPERSET'
  ) {
    window.location.href = '/superset/logout/';
  }
});
```
**Important notes:**
- The Superset logout URL is `/superset/logout/` (adjust if your reverse proxy
path differs).
- No credentials or body are needed; the logout is handled via the session
cookie.
- By default, Superset sets `X-Frame-Options: SAMEORIGIN` via Flask-Talisman,
which may block the logout page from loading in an iframe if origins differ. If
you encounter issues, you may need to adjust Superset’s security headers, but
this can reduce security and is not generally recommended. See [Superset's use
of Talisman and
headers](https://github.com/apache/superset/blob/20519158d2ab6325f7564b16615a99fe0ebe7a38/superset/initialization/__init__.py).
- If you control both applications and they share the same origin, this
approach will work smoothly. For cross-origin, browser security policies may
require additional configuration.
This approach ensures both sessions are cleared for a true Single Logout
experience.
*To reply, just mention my name [@dosu](https://go.dosu.dev/dosubot).*
GitHub link:
https://github.com/apache/superset/discussions/33685#discussioncomment-13364954
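The comment above relies on a fixed one-second delay before the Keycloak redirect, which races against the iframe's logout request. The following is an added example (my own code, not the bot's, the thread's, or the Superset project's) of the same handshake with an acknowledgement round trip instead of a delay, strict origin checks on both sides, a timeout fallback so logout never hangs, and the Keycloak end-session URL built with the URL API so a base URL with or without a trailing slash (or with a path prefix) resolves correctly. The origins `https://app.example` and `https://superset.example`, the `LOGOUT_SUPERSET_DONE` ack type, the `env` abstraction and the `fetch` call used to clear the Superset session are all assumptions for illustration; the browser-binding helpers at the end show how to wire the pure functions to the real DOM.

```javascript
// Added example, not from the Superset discussion or the Superset project.
// Origins, the ack message type and the env abstraction are assumptions.
const SUPERSET_ORIGIN = 'https://superset.example'; // assumed iframe origin
const MAIN_APP_ORIGIN = 'https://app.example';      // assumed parent origin
const LOGOUT_REQUEST = 'LOGOUT_SUPERSET';           // type used in the thread
const LOGOUT_ACK = 'LOGOUT_SUPERSET_DONE';          // assumed reply type

// Accept only a structured message of the expected type from one exact origin.
// Never compare against '*': any page holding a window reference could
// otherwise trigger, or fake, a logout.
function isTrustedMessage(event, expectedOrigin, expectedType) {
  return (
    event !== null && typeof event === 'object' &&
    event.origin === expectedOrigin &&
    event.data !== null && typeof event.data === 'object' &&
    event.data.type === expectedType
  );
}

// Keycloak end-session URL. Resolving against a base that always ends in '/'
// keeps a path prefix such as /auth/ intact; plain string concatenation as in
// the thread's snippet silently breaks when the env var lacks the slash.
function buildKeycloakLogoutUrl(baseUrl, realm, postLogoutRedirectUri) {
  const base = baseUrl.endsWith('/') ? baseUrl : `${baseUrl}/`;
  const url = new URL(
    `realms/${encodeURIComponent(realm)}/protocol/openid-connect/logout`, base);
  if (postLogoutRedirectUri) {
    url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  }
  return url.toString();
}

// Parent side. `env` wraps the browser so the flow is unit-testable:
//   postToIframe(msg, targetOrigin), addListener(fn), removeListener(fn),
//   navigate(url), setTimer(fn, ms), clearTimer(id)
// Resolves true if Superset acknowledged, false if the timeout fired; in both
// cases the browser is then sent to Keycloak.
function logoutAll(env, { keycloakUrl, realm, postLogoutRedirectUri, timeoutMs = 3000 }) {
  return new Promise((resolve) => {
    let timer = null;
    const finish = (acked) => {
      if (timer !== null) env.clearTimer(timer);
      env.removeListener(onMessage);
      env.navigate(buildKeycloakLogoutUrl(keycloakUrl, realm, postLogoutRedirectUri));
      resolve(acked);
    };
    const onMessage = (event) => {
      if (isTrustedMessage(event, SUPERSET_ORIGIN, LOGOUT_ACK)) finish(true);
    };
    env.addListener(onMessage);
    timer = env.setTimer(() => finish(false), timeoutMs);
    env.postToIframe({ type: LOGOUT_REQUEST }, SUPERSET_ORIGIN);
  });
}

// Iframe side (a script served from the Superset origin). `env.logout()` is
// assumed to clear the Superset session (see browserIframeEnv below); the ack
// is sent only after it settles, so the parent's redirect cannot unload the
// iframe while the logout request is still in flight.
async function handleIframeMessage(event, env) {
  if (!isTrustedMessage(event, MAIN_APP_ORIGIN, LOGOUT_REQUEST)) return false;
  await env.logout();
  env.postToParent({ type: LOGOUT_ACK }, MAIN_APP_ORIGIN);
  return true;
}

// Real-browser bindings. Only evaluated when called, so the module also loads
// outside a browser.
function browserParentEnv(iframeId) {
  const frame = document.getElementById(iframeId);
  return {
    postToIframe: (msg, origin) => frame.contentWindow.postMessage(msg, origin),
    addListener: (fn) => window.addEventListener('message', fn),
    removeListener: (fn) => window.removeEventListener('message', fn),
    navigate: (url) => { window.location.href = url; },
    setTimer: (fn, ms) => window.setTimeout(fn, ms),
    clearTimer: (id) => window.clearTimeout(id),
  };
}

function browserIframeEnv() {
  return {
    // Assumption: a same-origin GET with the session cookie clears the session,
    // as the thread describes for /superset/logout/.
    logout: () => fetch('/superset/logout/', { credentials: 'same-origin' }),
    postToParent: (msg, origin) => window.parent.postMessage(msg, origin),
  };
}
```

In the parent page this is `logoutAll(browserParentEnv('superset-iframe'), { keycloakUrl: process.env.NEXT_PUBLIC_KEYCLOAK_URL, realm: process.env.NEXT_PUBLIC_KEYCLOAK_REALM })`, and in the iframe page `window.addEventListener('message', (e) => handleIframeMessage(e, browserIframeEnv()))`. The page served inside the iframe still has to be one the Superset origin allows to be framed, so the `X-Frame-Options` caveat from the comment applies unchanged.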
----
This is an automatically sent email for [email protected].
To unsubscribe, please send an email to:
[email protected]