Mixing Jmix Superset add-on embedded dashboards (guest token) with full Superset UI iframe (SSO) causes redirect to login

[dotdot1z23]

Hi everyone 👋

I’m working on an integration between Apache Superset and a Jmix application using the official Jmix Superset add-on. My goal is to provide two different navigation options inside the Jmix UI:

• Nav A: Embedded dashboard (guest token)

  • Implemented using the Jmix Superset add-on (<superset:dashboard embeddedId="..."/>).
  • This works fine: Jmix backend requests a guest token, passes it to the component, and the dashboard is displayed correctly.

• Nav B: Full Superset UI (Keycloak SSO)

  • Implemented as an iframe that loads the full Superset UI (/superset/...).
  • Superset is configured with Keycloak OAuth as the authentication provider.
  • When I log in inside this iframe, the full UI works fine (home page, dashboards list, etc.).

The problem

• If I first log in to the full UI iframe (Nav B) → everything works.
• Then I switch to an embedded dashboard (Nav A) → it loads correctly with guest token.
• But when I switch back to the full UI iframe (Nav B), Superset has lost the SSO session and redirects me to /login again.

So it looks like navigating through the guest token flow somehow breaks or clears the Keycloak SSO session for the iframe.

What I’ve tried

• Followed Jmix documentation:

  • FEATURE_FLAGS = {"EMBEDDED_SUPERSET": True}
  • GUEST_ROLE_NAME = 'Gamma'
  • Configured TALISMAN_CONFIG with frame-ancestors to allow embedding from Jmix.

• Configured cookies:

  • SESSION_COOKIE_SAMESITE = "None"
  • SESSION_COOKIE_SECURE = True (in HTTPS).

• Verified:

  • Embedded dashboards load fine via guest token.
  • Full Superset UI works fine with Keycloak when accessed directly.

• But switching Nav A → Nav B consistently causes the full UI iframe to lose its session.

My understanding

• The Jmix Superset add-on uses guest token flow which creates an anonymous Superset session (Gamma role).
• The full UI iframe uses Keycloak SSO session cookies.
• These two authentication flows are independent, and switching between them seems to reset the Superset session state.

My questions 🙏

1. Is it expected that guest token embedding and Keycloak SSO sessions cannot coexist in the same browser session?
2. Has anyone managed to combine both flows (embedded dashboards via guest token and full Superset UI via OAuth SSO) without breaking the SSO session?
3. Would the recommended approach be to choose one flow (guest tokens or OAuth) instead of mixing both?
4. Are there any workarounds, e.g. reverse proxy with shared domain, cookie isolation, or preventing the guest token flow from overriding the SSO session?

Environment

• Superset version: 4.0.1
• Jmix version: 2.6.1
• Keycloak version: 26.3.2

Thanks a lot for your help! 🙏

[dosubot[bot]]

Hi @dotdot1z23! I'm Dosu and I’m helping the superset team.

Mixing guest token embedding and Keycloak SSO sessions in the same browser session is known to cause session conflicts in Superset. When you switch between an embedded dashboard (guest token) and the full Superset UI (OAuth SSO), the session state can be lost, resulting in a redirect to the login page. This happens because Superset treats these authentication flows as independent: guest token authentication is stateless and does not maintain or restore the OAuth session cookie, while OAuth SSO relies on persistent session cookies. There is no backend logic that explicitly clears or overwrites session cookies during guest token usage, but browser policies, SameSite cookie settings, and iframe isolation can lead to session inconsistencies source.

Many users have reported that embedding dashboards with guest tokens while logged in with a higher-privilege session in the same browser can cause session conflicts, sometimes requiring logging out or using a different browser/incognito mode to isolate sessions source. There is currently no official solution to seamlessly combine both flows without breaking the SSO session. The recommended approach is to choose one authentication flow per browser context: use guest tokens for embedding dashboards, or use OAuth SSO for the full UI, but avoid mixing both in the same session source.

Workarounds include: using separate browsers or incognito windows for each flow, configuring cookie isolation via domain/subdomain separation, or advanced reverse proxy setups. If you must support both flows, consider isolating them at the browser or network level to prevent session conflicts. For embedding dashboards with OAuth enabled, use the Embedded SDK with guest tokens, and ensure proper CORS, allowed_domains, and SameSite=None cookie settings source.

Let me know if you need more details on any workaround or configuration!

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}    

[dosubot[bot]]

There isn’t a built-in way in Superset or Flask to isolate session cookies by path or to support multiple parallel session cookies for different authentication flows under the same domain. Superset’s session cookie settings (like SESSION_COOKIE_SAMESITE, SESSION_COOKIE_SECURE) apply globally, and only one session context is enabled per domain. The guest token flow is stateless and doesn’t use browser session cookies, but switching between guest token embedding and SSO (Keycloak) in the same browser session can still cause session conflicts, as reported by multiple users. This is due to browser cookie policies and the way Flask handles sessions, not explicit logic in Superset itself (source, source).

Reverse proxy rules or path-based isolation (e.g., /superset/embed/* vs /superset/ui/*) won’t help, since Flask/Superset does not support setting different session cookies by path. True isolation would require running separate Superset instances or using different subdomains, which allows browsers to keep cookies separate (source).

If you must keep everything under one domain, the only partial mitigations are: use incognito windows or separate browsers for each flow, or coordinate session state carefully (e.g., clear cookies between flows). For most setups, the recommended approach is to use guest tokens for embedding and SSO for the full UI, but not both in the same browser session (source, source).

Let me know if you want more details on advanced workarounds or custom setups.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}    

[dotdot1z23]

Hi @dosu, thanks again for the explanation 🙏

Since mixing guest tokens and SSO sessions under the same domain is not really possible, I’d like to ask:

👉 Is there any alternative way to embed dashboards (besides using the guest token flow) when Superset is configured with OAuth/Keycloak SSO?

For example:

• Can dashboards be embedded directly while keeping the SSO session active?
• Or is the guest token flow via the Embedded SDK the only officially supported way to embed dashboards securely?

I’d appreciate any guidance or confirmation about the recommended embedding approaches when using SSO. Thanks! 🙏

[dosubot[bot]]

The only officially supported and secure way to embed Superset dashboards when using OAuth/Keycloak SSO is via the guest token flow (using the Embedded SDK). There is no alternative documented or supported method for embedding dashboards that bypasses the guest token mechanism when SSO is enabled. Direct embedding with SSO session cookies is not recommended or supported, as it can lead to session conflicts and unpredictable behavior, especially in iframe contexts. All configuration and troubleshooting discussions focus on the guest token approach for embedding with SSO enabled (source).

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}    

[Tuy1111]

why embedded Id also with iframe , it will be delete session to reload embedded id
@dosu

[Tuy1111]

@dosu why embedded id , it load when i click on it

[Tuy1111]

I am also facing a similar issue, can someone help me?

[tinzisreal]

help me too?