When requesting a Guest Token API, error code 422 is reported
Bug description
I started the Superset 4.0 service locally. A third-party application was also written to work with embedded dashboards by using @superset-ui/embedded-sdk.
However, upon requesting /api/v1/security/guest_token/, a 422 status code was received with the following error message:
{ "msg": "Invalid header string: Expecting value: line 1 column 1 (char 0)" }
By investigating the code, I discovered that commenting out the @protect() annotation on the guest_token method in security/api.py allows for successfully receiving the GuestToken from the API. However, this is not the desired solution. I am eagerly seeking someone who can provide an explanation for the cause of this issue and offer a proper resolution.
How to reproduce the bug
My config.py configuration is as follows:
from typing import Any, Callable

GUEST_ROLE_NAME = "Embedded_Role"
PUBLIC_ROLE_LIKE_GAMMA = True
GUEST_TOKEN_JWT_SECRET = "test-guest-secret-change-me"
GUEST_TOKEN_JWT_ALGO = "HS256"
GUEST_TOKEN_HEADER_NAME = "X-GuestToken"
GUEST_TOKEN_JWT_EXP_SECONDS = 300  # 5 minutes
# Guest token audience for the embedded superset, either string or callable
GUEST_TOKEN_JWT_AUDIENCE: Callable[[], str] | str | None = None
ENABLE_CORS = True
CORS_OPTIONS: dict[Any, Any] = {
    'supports_credentials': True,
    'allow_headers': ['*'],
    'resources': ['*'],
    # 'origins': ['*']
    'origins': ['http://localhost:8088', 'http://localhost:8000']
}
HTTP_HEADERS: dict[str, Any] = {"X-Frame-Options": "ALLOWALL"}
The Embedded_Role permissions are as follows:
I created an Embedded_Role by copying the Gamma role and added the "can grant guest token on SecurityRestApi" permission to it.
The code for the third-party application that I have written is as follows:
I would like someone who has shared experiences to join me in discussing this issue.
Screenshots/recordings
No response
Superset version
4.0.1
Python version
3.10
Node version
18 or greater
Browser
Chrome
Additional context
No response
Checklist
- [X] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [X] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [ ] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
The error code 422 with the message "Invalid header string: Expecting value: line 1 column 1 (char 0)" when requesting a Guest Token via /api/v1/security/guest_token/ in Superset 4.0.1 typically indicates a problem with the JSON payload or headers of your request. Here's how to address this issue:
- Ensure Correct Content-Type: Your request must include the header Content-Type: application/json to inform the server that you are sending a JSON payload.
- Validate JSON Payload: The body of your POST request needs to be a valid JSON string. According to the GuestTokenCreateSchema, it should include user, resources, and rls fields. Here's an example of a well-formed JSON payload:
{
"user": {
"username": "guest_user",
"first_name": "Guest",
"last_name": "User"
},
"resources": [
{
"type": "dashboard",
"id": "1"
}
],
"rls": [
{
"dataset": 123,
"clause": "region='US'"
}
]
}
- Match Schema Requirements: Double-check that your JSON payload strictly adheres to the required schema, including all necessary fields and structure.
If you've verified the headers and payload are correct but still face issues, it might be helpful to look into the server logs for more detailed error messages. This could provide further insights into whether there's a configuration issue or a problem with the @protect() mechanism itself.
Sources
- superset/security/api.py
- superset/security/guest_token.py
- tests/integration_tests/security/api_tests.py
- superset/security/manager.py
- superset-frontend/packages/superset-ui-core/test/connection/SupersetClientClass.test.ts
- superset/initialization/init.py
- tests/integration_tests/security_tests.py
- superset/exceptions.py
- superset-frontend/packages/superset-ui-core/src/connection/SupersetClientClass.ts
- superset-frontend/packages/superset-ui-core/test/connection/SupersetClient.test.ts
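The two checks the reply above asks for (a JSON body with the user, resources and rls fields, sent with Content-Type: application/json) can be made mechanical, and the "Invalid header string: Expecting value: line 1 column 1 (char 0)" wording in the report is what a JWT library produces when the first segment of the bearer token does not base64url-decode to a JSON object, which happens before any signature check. The following is an added example, not code from the issue, the Superset project or its SDK; build_guest_token_request, inspect_bearer_header and demo_token are hypothetical helper names, and the access token and CSRF token are assumed to have been obtained from the usual login and csrf_token endpoints beforehand.

```python
import base64
import json
from typing import Any, Optional

GUEST_TOKEN_ENDPOINT = "/api/v1/security/guest_token/"


def build_guest_token_request(access_token: str, csrf_token: str, dashboard_id: str,
                              username: str, rls: Optional[list[dict[str, Any]]] = None
                              ) -> tuple[dict[str, str], dict[str, Any]]:
    """Return (headers, payload) for a POST to the guest_token endpoint.

    The payload follows the field layout quoted in the thread (user, resources,
    rls). The headers carry the JSON content type, the bearer token that the
    protected endpoint verifies, and the CSRF token Superset expects on POSTs.
    Serialise the payload with json.dumps() when sending it.
    """
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"Bearer {access_token}",
        "X-CSRFToken": csrf_token,
    }
    payload = {
        "user": {"username": username, "first_name": "Guest", "last_name": "User"},
        "resources": [{"type": "dashboard", "id": dashboard_id}],
        "rls": rls or [],
    }
    return headers, payload


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_bearer_header(authorization: str) -> dict[str, Any]:
    """Diagnose an Authorization header the way a JWT library does before
    verifying the signature: expect 'Bearer <token>', split the token into
    header.payload.signature, base64url-decode the header segment and parse
    it as JSON. Returns {'ok', 'reason', 'header'}; 'reason' reuses the
    wording seen in the thread when the header segment is not JSON."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        return {"ok": False, "reason": "missing 'Bearer <token>'", "header": None}
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "reason": "Not enough segments", "header": None}
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return {"ok": False, "reason": f"Invalid header string: {exc}", "header": None}
    if not isinstance(header, dict) or "alg" not in header:
        return {"ok": False, "reason": "header is not a JWT header object", "header": header}
    return {"ok": True, "reason": "", "header": header}


def demo_token(alg: str = "HS256") -> str:
    """Constructed, UNSIGNED token with a well-formed header, only for
    exercising inspect_bearer_header offline; a real login token is signed."""
    def enc(obj: dict[str, Any]) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc({'sub': 'demo'})}.placeholder-signature"


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    headers, payload = build_guest_token_request("<access-token>", "<csrf-token>", "1", "guest_user")
    print("POST", GUEST_TOKEN_ENDPOINT, headers["Content-Type"])
    print(json.dumps(payload, indent=2))
    # A well-formed token passes; a non-JWT string reproduces the 422 wording.
    print(inspect_bearer_header("Bearer " + demo_token()))
    print(inspect_bearer_header("Bearer aGVsbG8.x.y"))  # header segment decodes to "hello"
```

Run it against the exact Authorization value your application sends (dump the header from the client before the request goes out) rather than against the token you think it sends; the "Expecting value" variant appears when the first segment decodes to text that is not JSON, while a missing or placeholder token produces the "Not enough segments" variant instead.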
With Keycloak as the OAuth provider, a 422 status is returned with the message:
{
"msg": "The specified alg value is not allowed"
}
Nothing in the logs about it. Is it a security manager issue or the /guest_token endpoint?
Response msg: Subject must be string
Response code: 422
How do I fix this?
{
"user": {
"username": "user",
"first_name": "user",
"last_name": "user"
},
"resources": [
{
"type": "dashboard",
"id": "my-id"
}
],
"rls": []
}
or
{
"user": {
"username": "user",
"first_name": "user",
"last_name": "user"
},
"resources": [
{
"type": "dashboard",
"id": "my-id"
}
],
"rls": [],
"subject": "Dashboard"
}
but it is not working.