Airbnb: Superset with Google OAuth
Guide on how to set up Google Authentication in Superset because there is no good documentation and clear guideline on it.

We have been following Airbnb’s data exploration platform called Superset since they were called Caravel. It has a few simple but very powerful features. If you haven’t heard of them, please go check them out here. Superset is really powerful. Before you continue this post, I would recommend you to go through Superset official installation guide so that you will have the context.
While we were are setting up Superset for ShopBack, we needed 2 main customisation:
- PostgreSQL as backend database instead of built-in Sqlite.
- Google Authentication for our internal users.
1. PostgreSQL as backend database
This was supposed to be one line change job but we faced a few complications. For every customisation for Superset, we are supposed to create a file called superset_config.py and put it in PYTHONPATH. Please be aware that the file name has to be exactly ‘superset_config.py’!
To use PostgreSQL as backend database, you just need to change SQLALCHEMY_DATABASE_URI to your desired database. You can find necessary python packages and convention from Superset official guide. If you have done setting superset_config.py and PYTHONPATH properly, you should see following line when you run Superset:
Loaded your LOCAL configuration at [/PYTHONPATH/superset_config.py]It means your custom config file is read and your settings will be used for the Superset service.
2. Google Authentication
We believe that this is one of the most used and requested features. Surprisingly, there is no clear guideline or proper documentation on how to link Google Authentication on Superset. One of the comments made by a contributor is:
Because of his comment, I got a hint and I read the source codes from both Superset and flask_appbuilder repo. After reading source codes and experimenting for a few hours, I managed to set it up and followings are the steps. My superset_config.py is provided at the end of this post too.
- Change AUTH_TYPE to AUTH_OAUTH in superset_config.py. This is the entry point for the Security Manager to know what kind of authentication Superset will use.
- Another 2 important configurations are AUTH_USER_REGISTRATION and AUTH_USER_REGISTRATION_ROLE. The first config is whether to allow new users register themselves. Without this config set to TRUE, new users won’t be able to register then they cannot login .Second config is the default role for newly registered users. I set “True” for AUTH_USER_REGISTRATION and “Public” for AUTH_USER_REGISTRATION_ROLE.
- After we set up the AUTH_TYPE, we need to set the Providers.
OAUTH_PROVIDERS = [
{
‘name’: ‘google’,
‘whitelist’: [‘@company.com’],
‘icon’: ‘fa-google’,
’token_key’: ‘access_token’,
‘remote_app’: {
‘base_url’: ‘https://www.googleapis.com/oauth2/v2/',
‘request_token_params’: {
‘scope’: ‘email profile’
},
‘request_token_url’: None,
‘access_token_url’: ‘https://accounts.google.com/o/oauth2/token’,
‘authorize_url': ‘https://accounts.google.com/o/oauth2/auth',
‘consumer_key’: ‘GOOGLE_OAUTH_KEY’,
‘consumer_secret’: ‘GOOGLE_OAUTH_SECRET’
}
}
]There are a few things you will need to change in above section. Obviously, you need to replace GOOGLE_OAUTH_KEY and GOOGLE_OAUTH_SECRET with your own keys. Then, you also need to provide redirect_uri in Google Setting. (Just run the server and try to login. The error page from Google will show you how to correct it.)
Bonus: Whitelist
Another interesting thing I found out while reading source codes from flask_appbuilder is that we can provide whitelist . It is quite powerful because he used following line to check all the emails.
if re.search(e, userinfo['email']):
So, we can provide a list of whitelists in config to allow only emails with whitelisted domain or even only specific email addresses can login / register on Superset.
My full superset_config.py.
import os
from flask_appbuilder.security.manager import AUTH_OID, AUTH_REMOTE_USER, AUTH_DB, AUTH_LDAP, AUTH_OAUTH
basedir = os.path.abspath(os.path.dirname(__file__))ROW_LIMIT = 5000
SUPERSET_WORKERS = 4SECRET_KEY = 'a long and random secret key'SQLALCHEMY_DATABASE_URI = ‘postgresql://username:pass@host:port/dbname’CSRF_ENABLED = TrueAUTH_TYPE = AUTH_OAUTHAUTH_USER_REGISTRATION = TrueAUTH_USER_REGISTRATION_ROLE = "Public"OAUTH_PROVIDERS = [
{
'name': 'google',
'whitelist': ['@company.com'],
'icon': 'fa-google',
'token_key': 'access_token',
'remote_app': {
'base_url': 'https://www.googleapis.com/oauth2/v2/',
'request_token_params': {
'scope': 'email profile'
},
'request_token_url': None,
'access_token_url': 'https://accounts.google.com/o/oauth2/token',
'authorize_url': 'https://accounts.google.com/o/oauth2/auth',
'consumer_key': 'GOOGLE_AUTH_KEY',
'consumer_secret': 'GOOGLE_AUTH_SECRET'
}
}
]
Let me know if you have any questions or recommendations. If not, run your Superset and enjoy exploring the data!
