Superset 6: Bypass Login page of superset No Longer Working (Worked in v5)

[user1500177]

Hi Superset team,

After upgrading from Superset 5 to Superset 6, we’ve encountered an issues that used to work previously (in version 5):

1. Bypass Login via Custom OAuth View

In Superset 5, we used a custom AuthOAuthView to bypass the login page if the user was already authenticated with our OAuth provider. Our code looked like this (Was inspired from dpgaspar/Flask-AppBuilder#2225 (comment)):

      class CustomSsoAuthOAuthView(AuthOAuthView):
          @expose("/login/")
          @expose("/login/<provider>")
          def login(self, provider: Optional[str] = None) -> WerkzeugResponse:
              if provider is None:
                  providers = [k for k in self.appbuilder.sm.oauth_remotes.keys()]
                  if len(providers) == 1:
                      provider = providers[0]
              return super().login(provider)

This allowed users to be logged in automatically (Without seeing the LOGIN page of the superset) if they were already authenticated with the OAuth provider (ie ; bypassing the login page of superset) , if thy were not authenticated with the Oauth provider then they would have seen or encoutered the OAuth providers sign in page - THIS APPROACH WAS 100% working in superset version 5]

After upgrading to Superset 6, this no longer works—users are always redirected to the login page, even if they are already authenticated.

Is this related to the upgrade to Flask-AppBuilder 5.0.0 or any other breaking change in Superset 6?

Is there a new recommended way to implement this bypass login behavior in version 6- so that only the OAUTH login page has to be seen by the user (if he or she is not signed in OAUTH provider).

Refer image for the page that i used to avoid

[dosubot[bot]]

This change is due to breaking changes in Superset 6 and the Flask-AppBuilder 5.0.0 upgrade, which altered how authentication views are registered and handled. Superset 6 now uses its own SupersetAuthView for login, and custom OAuth bypass logic must be integrated differently than in v5. There’s no config-only way to restore the old behavior—you need backend code changes¹².

The recommended approach is to create a custom authentication view (subclassing AuthOAuthView or SupersetAuthView) that checks if the user is already authenticated with your OAuth provider and, if so, logs them in and redirects to the index page. If not, it should proceed with the standard OAuth flow. You then register this view via a custom security manager using the CUSTOM_SECURITY_MANAGER config in superset_config.py³⁴.

Here’s a simplified example pattern:

from flask_appbuilder.security.views import AuthOAuthView, expose
from flask_login import login_user
from flask import redirect, request, g
from superset.security import SupersetSecurityManager

class CustomSsoAuthOAuthView(AuthOAuthView):
    @expose("/login/")
    @expose("/login/<provider>")
    def login(self, provider: str = None):
        if g.user is not None and g.user.is_authenticated:
            return redirect(self.appbuilder.get_url_for_index)
        # Insert your logic here to check for OAuth session/cookie/token
        # If already authenticated with OAuth provider, log in and redirect
        # Otherwise, proceed with normal OAuth login
        return super().login(provider)

class CustomSecurityManager(SupersetSecurityManager):
    authoauthview = CustomSsoAuthOAuthView

# In superset_config.py
CUSTOM_SECURITY_MANAGER = CustomSecurityManager

You can adapt the logic inside login() to check for your specific OAuth session or token and perform the login programmatically. This lets you bypass the Superset login page for already-authenticated users, while still showing the OAuth login button for others⁴⁵.

Be sure to validate any tokens/headers you use for bypass and ensure robust session management for security⁴.

References and more patterns:

• Superset v6 custom login/redirect logic
• Custom OAuth view and security manager example
• Superset 6 authentication view code

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

Footnotes

1. https://github.com/apache/superset/discussions/36925 ↩

2. https://github.com/apache/superset/issues/36549 ↩

3. https://github.com/apache/superset/discussions/32424 ↩

4. https://github.com/apache/superset/discussions/34532 ↩ ↩² ↩³

5. https://github.com/apache/superset/discussions/36203 ↩

[dosubot[bot]]

This can't be done with configuration alone in superset_config.py—Superset 6 does not provide a built-in option to always redirect users directly to your OAuth provider’s login screen and bypass the Superset login UI, even if you have only one OAuth provider configured. Achieving this requires backend code changes, such as subclassing the authentication view or customizing the security manager, then registering it via CUSTOM_SECURITY_MANAGER in superset_config.py. For reference, see this discussion.

The recommended approach is to create a custom authentication view that detects when only one OAuth provider is configured and automatically redirects users to its login flow, then set up a custom security manager to use this view. Here’s a minimal example pattern:

from flask_appbuilder.security.views import AuthOAuthView, expose
from superset.security import SupersetSecurityManager

class CustomSsoAuthOAuthView(AuthOAuthView):
    @expose("/login/")
    def login(self):
        # Automatically redirect to the OAuth provider if only one is configured
        providers = list(self.appbuilder.sm.oauth_remotes.keys())
        if len(providers) == 1:
            return super().login(providers[0])
        return super().login()

class CustomSecurityManager(SupersetSecurityManager):
    authoauthview = CustomSsoAuthOAuthView

# In superset_config.py
CUSTOM_SECURITY_MANAGER = CustomSecurityManager

This logic must be implemented in Python code, not just in superset_config.py. For more details and patterns, see the docs and related discussions.

If you need to fully remove the Superset login UI and always redirect, you may need to further customize the authentication view or use Flask hooks, but this always involves backend code changes, not just configuration.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

[user1500177]

@dosu ,

Why i am not able to do this in version 6 , what changed WHY its not applicable from within the usperset_config.py

I found another method which is ppossible from the superset config.py that is by running an interceptor logic - Is it recommended to do so ?

        @app.before_request
        def auto_sso_redirect():
            """
            Auto-redirect to OAuth provider when:
            1. Path is /login or /login/
            2. Referer is from a specific portal (customize this check as needed)
            3. Exactly one OAuth provider is configured
            """
            try:
                path = request.path or ""
                # Only intercept bare /login requests (not /login/<provider>)
                if path in ("/login", "/login/"):
                    # Skip if already authenticated
                    if g.user and hasattr(g.user, 'is_authenticated') and g.user.is_authenticated:
                        return None
        
                    referer = request.headers.get("Referer", "")
                    # Replace this with your own logic to check the referer as a decider to check wheter we need to see the Supersets login page or not..., if i am from a particular site only i need this to happen 
                    is_from_portal = "your-domain-from which you are arriving to superset" in referer
        
                    if is_from_portal:
                        providers = list(appbuilder.sm.oauth_remotes.keys())
                        if len(providers) == 1:
                            provider = providers[0]
                            # Preserve 'next' parameter if present
                            next_url = request.args.get("next", "")
                            redirect_url = f"/login/{provider}"
                            if next_url:
                                redirect_url += f"?next={quote(next_url, safe='')}"
                            return redirect(redirect_url)
            except Exception as e:
                logging.warning(f"[auto_sso_redirect] Error: {e}", exc_info=True)
            return None

Is the above apprahc reccomended ?

OR is the below apprach better THAT used to work in superset version 5 AND not in version 6 (Which is why i had to try alternatives) inspired by dpgaspar/Flask-AppBuilder#2225 (comment) ,

class CustomSsoAuthOAuthView(AuthOAuthView):
@expose("/login/")
@expose("/login/")
def login(self, provider: Optional[str] = None) -> WerkzeugResponse:
if provider is None:
providers = [k for k in self.appbuilder.sm.oauth_remotes.keys()]
if len(providers) == 1:
provider = providers[0]
return super().login(provider)

After this i used to do 
class CustomSsoSecurityManager(SupersetSecurityManager):
    useroauthmodelview = MyUserOAuthModelView
    
 But its not working in version 6 , COULD you provide the detailed exaplanation for this 
 
 
 AND also if there are any alternative methods WHICH is scalable and acheivable WITHIN the superset_config.py please OR my proposed method is GOOD enough?- with the (@app.before_request)

[dosubot[bot]]

Superset 6 changed how authentication works: the login and user info pages are now React components, and the backend registers a new SupersetAuthView for login instead of the Flask-AppBuilder AuthOAuthView. This means subclassing AuthOAuthView and customizing the login flow (as in v5) no longer affects what users see or how login is handled—the React frontend and new backend view take over, and these are wired up internally in the Superset code, not via configuration or the security manager. So, you can't achieve the old bypass behavior just by customizing superset_config.py or swapping out views in the security manager anymore. This is a deliberate architectural change to decouple the UI from backend Python code and make the UI more modern and consistent, but it removed the previous extension points for login flow customization [source].

The @app.before_request interceptor you found is a possible workaround. It can sometimes be used to intercept /login requests and redirect to your OAuth provider, but it's not officially documented or recommended by Superset maintainers. It may work for simple cases, but it has risks: it can break if Superset changes its routing, may not play well with all authentication flows, and can be hard to maintain or debug in larger deployments. It's not a scalable or robust solution for production, especially as Superset continues to evolve [source].

There is currently no supported, scalable way to fully bypass the Superset login UI and always redirect to your OAuth provider purely within superset_config.py in Superset 6. The only robust way is to implement backend code changes—such as a custom authentication view or security manager, or by overriding how Superset registers its login view. If you need a maintainable and future-proof solution, backend customization is the way to go [source].

If you use the @app.before_request workaround, do so with caution: test thoroughly, document the hack for your team, and be prepared to revisit it after future Superset upgrades. For long-term maintainability, consider tracking Superset's roadmap for any new plugin or extension points for authentication flows.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

[user1500177]

@dosu then what is the use of SSO features , if i am logged in via an oauthprovider already , there shouldnt be a Seprate login screen from FAB or Superset popping up to me right , as i am already having a session with the OAuth provider - i should be able to access it directly when i just have a single Oauthprovider configre atleast

Could you Provide me the code if it is doable while Configuring the Superset using the superset_config.py please (the is the confguration of the Oauth provider and wit hthe SSO and the SLO enabled)

[dosubot[bot]]

SSO in Superset 6 lets users authenticate with an external OAuth provider (like Okta, Azure AD, Keycloak, etc.) and access Superset without creating a separate password. If the user already has a session with the OAuth provider, Superset will not prompt for credentials again—when they click the "Sign in with {provider}" button, they're logged in automatically. However, Superset 6 always shows the login page with the OAuth button; it does not natively auto-redirect to the provider or fully hide the login UI with configuration alone. This is due to architectural changes: the login UI is now a React frontend, and the backend authentication flow is decoupled from Flask-AppBuilder's view registration, so you can't override this with just superset_config.py settings or a custom security manager—backend code changes are required for full bypass behavior¹²³.

You can configure SSO (and partial SLO) in superset_config.py like this:

from flask_appbuilder.security.manager import AUTH_OAUTH

AUTH_TYPE = AUTH_OAUTH
OAUTH_PROVIDERS = [
    {
        'name': 'myoauth',
        'token_key': 'access_token',
        'icon': 'fa-address-card',
        'remote_app': {
            'client_id': 'your-client-id',
            'client_secret': 'your-client-secret',
            'client_kwargs': {'scope': 'openid email profile'},
            'api_base_url': 'https://your-oauth-server/',
            'access_token_url': 'https://your-oauth-server/token',
            'authorize_url': 'https://your-oauth-server/authorize',
            'jwks_uri': 'https://your-oauth-server/.well-known/jwks.json',
            # 'server_metadata_url': 'https://your-oauth-server/.well-known/openid-configuration', # for OIDC
        }
    }
]
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Public"
ENABLE_PROXY_FIX = True  # If behind a proxy/load balancer

For advanced SSO (custom user info, group mapping, etc.), create a custom security manager:

from superset.security import SupersetSecurityManager

class CustomSsoSecurityManager(SupersetSecurityManager):
    def oauth_user_info(self, provider, response=None):
        if provider == 'myoauth':
            me = self.appbuilder.sm.oauth_remotes[provider].get('userinfo').json()
            return {
                'name': me['name'],
                'email': me['email'],
                'username': me['preferred_username'],
                'first_name': me.get('given_name', ''),
                'last_name': me.get('family_name', ''),
            }
        return super().oauth_user_info(provider, response)

CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager

For SLO (Single Logout), you need to implement a custom logout handler in a custom security manager or authentication view, which is not possible with configuration alone. You'd typically redirect to your IdP's logout endpoint and clear the session—see this example for Keycloak.

Bottom line: seamless SSO (no login screen at all) and robust SLO require backend code changes, not just superset_config.py. With only configuration, users will see the Superset login page with a single OAuth button, and if already authenticated with your provider, clicking it will log them in without a password prompt¹²³⁴.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

Footnotes

1. https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/docs/docs/configuration/configuring-superset.mdx#L257-L531 ↩ ↩²

2. https://github.com/apache/superset/discussions/32424#discussioncomment-12349960 ↩ ↩²

3. https://github.com/apache/superset/discussions/34532 ↩ ↩²

4. https://github.com/apache/superset/discussions/36203#discussioncomment-15024802 ↩

[rsaleev]

Hi Superset team,

After upgrading from Superset 5 to Superset 6, we’ve encountered an issues that used to work previously (in version 5):

1. Bypass Login via Custom OAuth View

In Superset 5, we used a custom AuthOAuthView to bypass the login page if the user was already authenticated with our OAuth provider. Our code looked like this (Was inspired from dpgaspar/Flask-AppBuilder#2225 (comment)):

      class CustomSsoAuthOAuthView(AuthOAuthView):
          @expose("/login/")
          @expose("/login/<provider>")
          def login(self, provider: Optional[str] = None) -> WerkzeugResponse:
              if provider is None:
                  providers = [k for k in self.appbuilder.sm.oauth_remotes.keys()]
                  if len(providers) == 1:
                      provider = providers[0]
              return super().login(provider)

This allowed users to be logged in automatically (Without seeing the LOGIN page of the superset) if they were already authenticated with the OAuth provider (ie ; bypassing the login page of superset) , if thy were not authenticated with the Oauth provider then they would have seen or encoutered the OAuth providers sign in page - THIS APPROACH WAS 100% working in superset version 5]

After upgrading to Superset 6, this no longer works—users are always redirected to the login page, even if they are already authenticated.

Is this related to the upgrade to Flask-AppBuilder 5.0.0 or any other breaking change in Superset 6?

Is there a new recommended way to implement this bypass login behavior in version 6- so that only the OAUTH login page has to be seen by the user (if he or she is not signed in OAUTH provider).

Refer image for the page that i used to avoid

#37394 try FLASK_APP_MUTATOR, but I didn't test it for production. Could you share your feedback in this discussion after?