Re: [D] More convenient oauth2 database flow [superset]

Thu, 05 Mar 2026 09:49:03 -0800 


GitHub user aurokk edited a discussion: More convenient oauth2 database flow

Hi!
Currently it is possible to configure oauth2 to login to superset and it is 
possible configure oauth to login to database.
It looks like this:
<details><summary>Superset oauth config </summary>
```
OAUTH_PROVIDERS = [
        {
            "name": ...,
            "icon": "fa-google",
            "token_key":  ...,
            "remote_app": {
                "client_id": ...,
                "client_secret": ...,
                "client_kwargs": {"scope": ...,},
                "api_base_url": ...,
                "server_metadata_url": ...,
            },
        }
]
```
</details>
<details><summary>Database oauth config</summary>
```
DATABASE_OAUTH2_REDIRECT_URI = ...,
DATABASE_OAUTH2_CLIENTS = {
      "Trino": {
        "id": ...,
        "secret": ...,
        "scope": ...,
        "redirect_uri": ...,
        "authorization_request_uri": ...,
        "token_request_uri": ...,
      }
}
```
</details>

In my case I have many databases connected to "Trino" and available in superset 
and currently users have to login to each database despite the fact it is the 
same "Trino" instance.

SO the problem — users have to login to superset, then have to login to each of 
the databases connected to superset, it is really annoying.

What i want to have instead:
1. I'm able to ask for multiple scopes — (OAUTH_PROVIDERS. 
remote_app.client_kwargs.scope) — so I'll ask for scopes "superset" and "trino" 
(and any other databases scopes needed)
2. (this is what i want to change) I want to send upstream oauth access token 
to trino, because it already has scope "trino" (or other scopes needed by 
database) — this way users don't need to login multiple times, for users it is 
enough to login to "superset" using oauth with scopes needed for databases to 
start working

I thing about adding some settings to OAUTH_PROVIDERS, to save upstream tokens 
(or save them unconditionally) and setting list of databases to send upstream 
token to.

What do you think about this? I'm ready to contribute.





GitHub link: https://github.com/apache/superset/discussions/38450

----
This is an automatically sent email for [email protected].
To unsubscribe, please send an email to: 
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to