How to change the default jwt token algorithm of superset from HS256 to RS256?

[Charan-Kumar-Netala]

Hi Everyone,

continuing on the discussion, #29785

I too have successfully integrated Superset with AWS Cognito and I'm able to sign in the users that were created in Cognito.

I use the access token generated by Cognito for that user and pass it in the header of the request to generate a guest token. However, I was encountering an missing specific algo not allowed error since Cognito tokens are encrypted using RS256 tokens and Superset only accepts HS256.

To resolve this, I added the following line in the superset_config.py script:

JWT_DECODE_ALGORITHM=["RS256"]

For the requests made using postman, I too have got this error, 500 Internal Status Error?
How to configure PEM file in superset? Which PEM file to use?

{
    "errors": [
        {
            "message": "Unable to load PEM file. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details. MalformedFraming",
            "error_type": "GENERIC_BACKEND_ERROR",
            "level": "error",
            "extra": {
                "issue_codes": [
                    {
                        "code": 1011,
                        "message": "Issue 1011 - Superset encountered an unexpected error."
                    }
                ]
            }
        }
    ]
}

[dosubot[bot]]

Hey there, @Charan-Kumar-Netala! I'm a bot here to help you with any bugs, questions, or contributions you have regarding Apache Superset. Let's see if I can assist you with the JWT token algorithm and PEM file configuration.

To change the default JWT token algorithm in Superset from HS256 to RS256, you need to modify the superset_config.py file. Here are the steps:

1. Set the JWT Decode Algorithm:
   Add the following line to your superset_config.py file:

   JWT_DECODE_ALGORITHM = ["RS256"]

2. Set the Database OAuth2 JWT Algorithm:
   Also, add this line to the same file:

   DATABASE_OAUTH2_JWT_ALGORITHM = "RS256"

Regarding the 500 Internal Server Error related to the PEM file, this error typically indicates that the PEM file is malformed or improperly configured. To configure the PEM file in Superset, follow these steps:

1. Obtain the PEM File:
   Ensure you have the correct PEM file from your identity provider (e.g., AWS Cognito). This file should contain the public key used to verify the RS256 tokens.

2. Load the PEM File:
   Place the PEM file in a directory accessible by your Superset instance. You can then load it in your superset_config.py file by specifying the path to the PEM file.

3. Configure the PEM File Path:
   Add the following configuration to your superset_config.py file:

   OAUTH2_JWT_PUBLIC_KEY = open("/path/to/your/public_key.pem").read()

Make sure the path to the PEM file is correct and that the file is properly formatted. If you continue to encounter issues, refer to the cryptography documentation for more details on PEM file formatting and troubleshooting.

For further context, you might find these similar discussions helpful:

• Can we change the default algorithm of superset from HS256 to RS256? ^[1]
• Integration of AWS Cognito with Superset for OAuth Provider with RS256 Token Verification ^[2]
• superset keycloak integration, embedded dashboard no alg specified error ^[3]

To continue talking to Dosu, mention @dosu.

[Charan-Kumar-Netala]

@dosu,

I tried with OAUTH2_JWT_PUBLIC_KEY = open("/path/to/your/public_key.pem").read().
and also JWT_PUBLIC_KEY = open("/path/to/your/public_key.pem").read()
in superset_config.py.

I tried with changing in docker/superset-websocket/config.json too directly. But, it couldn't resolve the issue.

No, it still gives the same error

{
    "errors": [
        {
            "message": "Unable to load PEM file. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details. MalformedFraming",
            "error_type": "GENERIC_BACKEND_ERROR",
            "level": "error",
            "extra": {
                "issue_codes": [
                    {
                        "code": 1011,
                        "message": "Issue 1011 - Superset encountered an unexpected error."
                    }
                ]
            }
        }
    ]
}

Anyone, please help??

Thanks.

[dosubot[bot]]

To address the issue with loading the PEM file, ensure the PEM file is correctly formatted and accessible. Here are some steps to troubleshoot and resolve the issue:

1. Verify PEM File Format:
   Ensure the PEM file is correctly formatted. It should look something like this:

   -----BEGIN PUBLIC KEY-----
   MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
   -----END PUBLIC KEY-----
   

2. Check File Path:
   Make sure the file path specified in superset_config.py is correct and the file is accessible by the Superset process.

3. Set Configuration Keys:
   Use the correct configuration key for specifying the public key for JWT verification. Based on your attempts, it seems you tried OAUTH2_JWT_PUBLIC_KEY and JWT_PUBLIC_KEY. Ensure you are using the correct key as per Superset's documentation or configuration requirements.

4. Example Configuration:
   Here is an example of how to set the public key in superset_config.py:

   with open("/path/to/your/public_key.pem", "r") as f:
       OAUTH2_JWT_PUBLIC_KEY = f.read()

5. Validate the PEM File:
   Use Superset's built-in utilities to validate the PEM file. You can use the parse_ssl_cert function to ensure the certificate is valid:

   from superset.utils.core import parse_ssl_cert
   
   try:
       with open("/path/to/your/public_key.pem", "r") as f:
           public_key = f.read()
       parse_ssl_cert(public_key)
   except Exception as e:
       print(f"Invalid PEM file: {e}")

If the PEM file is still not loading correctly, double-check the file's content and format. If the issue persists, it might be helpful to refer to the cryptography documentation for more details on PEM file formatting and troubleshooting.

To continue talking to Dosu, mention @dosu.

[Charan-Kumar-Netala]

@dosu,

I have provided the public_key.pem from the cognito but it gives invalid PEM file. I tried generating the public_key but still it gives invalid PEM file.

So, the same issue persists, which is Unable to load PEM file.

How to resolve this issue?

[dosubot[bot]]

To resolve the issue with the PEM file, follow these steps to ensure the file is correctly formatted and validated:

1. Verify PEM File Format:
   Ensure the PEM file is correctly formatted. It should look like this:

   -----BEGIN PUBLIC KEY-----
   MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
   -----END PUBLIC KEY-----
   

2. Check File Path and Permissions:
   Make sure the file path specified in superset_config.py is correct and the file is accessible by the Superset process. Ensure the file has the correct read permissions.

3. Set Configuration Keys:
   Use the correct configuration key for specifying the public key for JWT verification. Here is an example of how to set the public key in superset_config.py:

   with open("/path/to/your/public_key.pem", "r") as f:
       OAUTH2_JWT_PUBLIC_KEY = f.read()

4. Validate the PEM File:
   Use Superset's built-in utilities to validate the PEM file. You can use the parse_ssl_cert function to ensure the certificate is valid:

   from superset.utils.core import parse_ssl_cert
   
   try:
       with open("/path/to/your/public_key.pem", "r") as f:
           public_key = f.read()
       parse_ssl_cert(public_key)
   except Exception as e:
       print(f"Invalid PEM file: {e}")

5. Common Pitfalls:

   • Ensure there are no extra spaces or newlines in the PEM file.
   • Verify that the PEM file is not corrupted or incomplete.

If the PEM file is still not loading correctly, double-check the file's content and format. If the issue persists, refer to the cryptography documentation for more details on PEM file formatting and troubleshooting.

Superset uses the parse_ssl_cert function to validate the format and content of a PEM file, ensuring it is a valid certificate ^[1][2].

To continue talking to Dosu, mention @dosu.