Skip to content

fix: oauth2 trino#31993

Merged
rusackas merged 1 commit intoapache:masterfrom
aurokk:kochnev/fix-oauth-trino
Feb 20, 2025
Merged

fix: oauth2 trino#31993
rusackas merged 1 commit intoapache:masterfrom
aurokk:kochnev/fix-oauth-trino

Conversation

@aurokk
Copy link
Contributor

@aurokk aurokk commented Jan 27, 2025
edited
Loading

fix(trino): compare only error code for oauth2 auth

SUMMARY

I guess this message "invalid credentials" is specific for google oauth2 server (or the one that was used to develop the feature), there is a (link) I found that makes me think so. With the change applied it started to work good with identity server 4, and I guess this comparison makes it impossible for people to use oauth2 right now, for example here.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

This is how it looks with the change applied.
Screenshot 2025-01-27 at 05 43 52

TESTING INSTRUCTIONS

There is an example of how I configured oauth2 for trino.
P.S.: I didn't copy other configuration except for the part need to make oauth work.

configOverrides:
  enable_oauth: |
    DATABASE_OAUTH2_REDIRECT_URI = "https://{hostname}/api/v1/database/oauth2/"
    DATABASE_OAUTH2_CLIENTS = {
      "Trino": {
        "id": "trino",
        "secret": os.getenv("SUPERSET_OAUTH_CLIENT_SECRET"),
        "scope": "openid email profile offline_access trino",
        "redirect_uri": "https://{hostname}/api/v1/database/oauth2/",
        "authorization_request_uri": "https://{hostname}/connect/authorize",
        "token_request_uri": "https://{hostname}/connect/token"
      }
    }

ADDITIONAL INFORMATION

@dosubot dosubot bot added authentication:sso Single Sign On data:connect:trino Related to Trino labels Jan 27, 2025
korbit-ai[bot]
korbit-ai bot reviewed Jan 27, 2025
View reviewed changes
Copy link

@korbit-ai korbit-ai bot left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review by Korbit AI

Korbit automatically attempts to detect when you fix issues in new commits.
Category Issue Fix Detected
Security Weak Authentication Error Detection ▹ view
Files scanned
File Path Reviewed
superset/db_engine_specs/trino.py

Explore our documentation to understand the languages and file types we support and the files we ignore.

Need a new review? Comment /korbit-review on this PR and I'll review your latest changes.

Korbit Guide: Usage and Customization

Interacting with Korbit

  • You can manually ask Korbit to review your PR using the /korbit-review command in a comment at the root of your PR.
  • You can ask Korbit to generate a new PR description using the /korbit-generate-pr-description command in any comment on your PR.
  • Too many Korbit comments? I can resolve all my comment threads if you use the /korbit-resolve command in any comment on your PR.
  • Chat with Korbit on issues we post by tagging @korbit-ai in your reply.
  • Help train Korbit to improve your reviews by giving a 👍 or 👎 on the comments Korbit posts.

Customizing Korbit

  • Check out our docs on how you can make Korbit work best for you and your team.
  • Customize Korbit for your organization through the Korbit Console.

Current Korbit Configuration

General Settings
Setting Value
Review Schedule Automatic excluding drafts
Max Issue Count 10
Automatic PR Descriptions
Issue Categories
Category Enabled
Naming
Database Operations
Documentation
Logging
Error Handling
Systems and Environment
Objects and Data Structures
Readability and Maintainability
Asynchronous Processing
Design Patterns
Third-Party Libraries
Performance
Security
Functionality

Feedback and Support

Note

Korbit Pro is free for open source projects 🎉

Looking to add Korbit to your team? Get started with a free 2 week trial here

superset/db_engine_specs/trino.py
return isinstance(
instance, HttpError
) and "error 401: b'Invalid credentials'" in str(instance)
return isinstance(instance, HttpError) and "error 401" in str(instance)
Copy link

@korbit-ai korbit-ai bot Jan 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Weak Authentication Error Detection category Security

Tell me more
What is the issue?

The authentication error check is overly permissive by only checking for 'error 401' in the error message.

Why this matters

This loose string matching could lead to false positives in authentication error detection, potentially causing security misclassifications that affect the authentication flow.

Suggested change ∙ Feature Preview
return isinstance(instance, HttpError) and "error 401: b'Invalid credentials'" in str(instance)

💡 Does this comment miss the mark? Tell us why and Korbit will adapt to your team’s feedback.
💬 Chat with Korbit by mentioning @korbit-ai.

Copy link
Contributor Author

@aurokk aurokk Jan 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is overly specific & restrictive. Check for 401 is enough i guess.

github-actions[bot]
github-actions bot reviewed Jan 27, 2025
View reviewed changes
Copy link
Contributor

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Congrats on making your first PR and thank you for contributing to Superset! 🎉 ❤️

We hope to see you in our Slack community too! Not signed up? Use our Slack App to self-register.

@rusackas rusackas requested review from nytai and villebro January 27, 2025 23:55
@codecov
Copy link

codecov bot commented Jan 27, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 0% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 83.35%. Comparing base (76d897e) to head (62d9414).
⚠️ Report is 2203 commits behind head on master.

Files with missing lines Patch % Lines
superset/db_engine_specs/trino.py 0.00% 1 Missing ⚠️
Additional details and impacted files 
@@             Coverage Diff             @@
##           master   #31993       +/-   ##
===========================================
+ Coverage   60.48%   83.35%   +22.86%     
===========================================
  Files        1931      544     -1387     
  Lines       76236    38983    -37253     
  Branches     8568        0     -8568     
===========================================
- Hits        46114    32494    -13620     
+ Misses      28017     6489    -21528     
+ Partials     2105        0     -2105
Flag Coverage Δ
hive 48.26% <0.00%> (-0.89%) ⬇️
javascript ?
mysql 74.71% <0.00%> (?)
postgres 74.73% <0.00%> (?)
presto 51.87% <0.00%> (-1.94%) ⬇️
python 83.25% <0.00%> (+19.74%) ⬆️
sqlite 74.16% <0.00%> (?)
unit 60.76% <0.00%> (+3.13%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@rusackas rusackas changed the title fix oauth2 trino fix: oauth2 trino Jan 28, 2025
@aurokk
Copy link
Contributor Author

aurokk commented Feb 20, 2025

@betodealmeida @nytai, hello! what do you think about the change? i don't really think we need to check anything except for the status code to make it work correctly. i can do some changes if needed, lets discuss it.

betodealmeida
betodealmeida approved these changes Feb 20, 2025
View reviewed changes
Copy link
Member

@betodealmeida betodealmeida left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good, and it makes sense to be more lenient. Thanks for the PR!

@rusackas rusackas merged commit 7ce1a34 into apache:master Feb 20, 2025
53 of 61 checks passed
@michael-s-molina michael-s-molina added the v5.0 Label added by the release manager to track PRs to be included in the 5.0 branch label Feb 21, 2025
michael-s-molina pushed a commit that referenced this pull request Feb 21, 2025
@aurokk @michael-s-molina
fix: oauth2 trino (#31993)
e8246ea 
(cherry picked from commit 7ce1a34)
sadpandajoe pushed a commit to preset-io/superset that referenced this pull request Mar 21, 2025
@aurokk @sadpandajoe
fix: oauth2 trino (apache#31993)
3f2cc88 
(cherry picked from commit 7ce1a34)
@mistercrunch mistercrunch added 🍒 5.0.0 Cherry-picked to 5.0.0 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels labels Jul 29, 2025
@silveira-js silveira-js mentioned this pull request Jan 7, 2026
Merged
9 tasks
This was referenced Jan 15, 2026
Merged
Merged
@silveira-js silveira-js mentioned this pull request Jan 26, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@betodealmeida betodealmeida betodealmeida approved these changes

@villebro villebro Awaiting requested review from villebro

@nytai nytai Awaiting requested review from nytai

+1 more reviewer

@korbit-ai korbit-ai[bot] korbit-ai[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

authentication:sso Single Sign On 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels data:connect:trino Related to Trino size/XS v5.0 Label added by the release manager to track PRs to be included in the 5.0 branch 🍒 5.0.0 Cherry-picked to 5.0.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@aurokk @betodealmeida @mistercrunch @rusackas @michael-s-molina