Full proxy control over flask app builder (and thus apache superset) authentication

fab_remote_user.py

from flask import Blueprint, redirect
from flask_login import current_user, logout_user

from flask_appbuilder.security.manager import AUTH_OAUTH, AUTH_REMOTE_USER

my_blueprint = Blueprint("My Blueprint", __name__)

@my_blueprint.before_app_request
def ensure_logout_correctness():
    """Ensure users are logged out when the proxy logs out
    """
    remote_user = request.environ["REMOTE_USER"]
    if (
        current_user
        and hasattr(current_user, "username")
        and current_user.username != remote_user
    ):
        logout_user()
        return redirect("/login")

class RemoteUserMiddleware(object):
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        remote_username = environ.pop("HTTP_X_USER_ID", None)
        environ["REMOTE_USER"] = remote_username
        return self.app(environ, start_response)


ADDITIONAL_MIDDLEWARE = [RemoteUserMiddleware]
AUTH_TYPE = AUTH_REMOTE_USER
BLUEPRINTS = [my_blueprint]

Now you just set your header in the proxying app, for example in node:

const proxy = require('http-proxy-middleware');
// ...
app.use(
  superset_routes,
  proxy({
    target: 'http://superset:8088',
    onProxyReq(proxyReq, req, res) {
      // we user superset's AUTH_REMOTE_USER to do seamless authentication,
      // and create users in superset on first signup so that user info is carried over
      proxyReq.setHeader('HTTP_X_USER_ID', req.user ? req.user.id : null);
    }
  })
);

If you only set HTTP_X_USER_ID / REMOTE_USER, all fields in superset registration will be filled with that value.