[
https://issues.apache.org/jira/browse/AIRFLOW-2321?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16747315#comment-16747315
]
Andrew Stahlman edited comment on AIRFLOW-2321 at 1/20/19 1:55 AM:
-------------------------------------------------------------------
[~joygao] thanks for posting that workaround - it saved me after an hour of
banging my head against the wall. Do you know of a good place to document this?
Maybe
[here|https://github.com/apache/airflow/blob/master/UPDATING.md#creating-an-admin-account]?
Here's the behavior I was seeing, in case anyone else runs into the same issue:
* {{ab_user}} table has a single admin user which was created via {{airflow users --create}}
* {{AUTH_TYPE = AUTH_OAUTH}} in {{webserver_config.py}} using Google as the provider
* Visit /home, which redirects to /login
* Sign in with Google, which produces the following redirect loop:
** /login/google
** https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=<CLIENT-ID>&redirect_uri=<LOCAL-ENDPOINT>%2Foauth-authorized%2Fgoogle&scope=email+profile
** /oauth-authorized/google?code=<TOKEN>&scope=email+profile+https://www.googleapis.com/auth/userinfo.email+https://www.googleapis.com/auth/userinfo.profile
** login
** login/
I *think* this is because my user-id that Google posted to
{{/oauth-authorized/google}} doesn't exist in the {{ab_users}} table, so I get
redirected right back to {{/login}}. Hence the workaround of allowing users to
self-register, which puts that user-id in the {{ab_users}} table. Sound right?
was (Author: tronbabylove):
[~joygao] thanks for posting that workaround - it saved me after an hour of
banging my head against the wall. Do you know of a good place to document this?
Maybe
[here|https://github.com/apache/airflow/blob/master/UPDATING.md#creating-an-admin-account]?
Here's the behavior I was seeing, in case anyone else runs into the same issue:
* {{ab_user}} table has a single admin user which was created via {{airflow users --create}}
* {{AUTH_TYPE = AUTH_OAUTH}} in {{webserver_config.py}} using Google as the provider
* Visit /home, which redirects to /login
* Sign in with Google, which produces the following redirect loop:
** /login/google
** https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=<CLIENT-ID>&redirect_uri=<LOCAL-ENDPOINT>%2Foauth-authorized%2Fgoogle&scope=email+profile
** /oauth-authorized/google?code=<TOKEN>&scope=email+profile+https://www.googleapis.com/auth/userinfo.email+https://www.googleapis.com/auth/userinfo.profile
** login
** login/
I *think* this is because my user-id that Google posted to
{{/oauth-authorized/google}} doesn't exist in the {{ab_users}} table. Hence the
workaround of allowing users to self-register, which puts that user-id in the
{{ab_users}} table. Sound right?
> RBAC support from new UI's failing on OAuth authentication method
> -----------------------------------------------------------------
>
> Key: AIRFLOW-2321
> URL: https://issues.apache.org/jira/browse/AIRFLOW-2321
> Project: Apache Airflow
> Issue Type: Bug
> Components: authentication
> Reporter: Guillermo Rodríguez Cano
> Priority: Major
>
> I tried configuring the RBAC support for the new webserver UI as provided
> thanks to this [PR|https://github.com/apache/incubator-airflow/pull/3015]
> (solving AIRFLOW-1433 and AIRFLOW-85 issues) but I have encountered issues
> with OAuth as authentication method with Google as provider.
> I have no issues configuring the authentication details as pointed out in the
> UPDATING document, but when I test a fresh installation I manage to get to
> the Google authentication webpage and on returning to Airflow's site I get
> the message: 'Invalid login. Please try again.' which I have traced down
> to coming from
> [here|https://github.com/dpgaspar/Flask-AppBuilder/blob/master/flask_appbuilder/security/views.py#L549].
> And as pointed out, it seems the user variable is None.
> I have tried to log in using the standard DB authentication method without any
> problems. The same issue happens even when I tried registering a new user, or
> with that user registered via the DB authentication and then switching to
> OAUTH authentication method.
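
The self-registration workaround discussed in the comment above lets any account the OAuth provider authenticates create itself in {{ab_user}}, so the role handed to new users matters. The following is an added example, not code from the issue or from Airflow: a static check of a {{webserver_config.py}} for that setting. It assumes the Flask-AppBuilder settings {{AUTH_USER_REGISTRATION}} and {{AUTH_USER_REGISTRATION_ROLE}}; the sample config, the function names and the list of low-privilege roles are constructed for illustration.

```python
import ast

# Constructed sample of a webserver_config.py applying the self-registration
# workaround; values are illustrative, not taken from the issue.
SAMPLE_CONFIG = '''
from flask_appbuilder.security.manager import AUTH_OAUTH
AUTH_TYPE = AUTH_OAUTH
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Admin"
'''

LOW_PRIVILEGE_ROLES = {"Public", "Viewer"}  # assumption: roles accepted as defaults


def read_settings(source):
    """Collect top-level NAME = <value> assignments without executing the file."""
    settings = {}
    for node in ast.parse(source).body:
        if not isinstance(node, ast.Assign) or len(node.targets) != 1:
            continue
        target, value = node.targets[0], node.value
        if not isinstance(target, ast.Name):
            continue
        if isinstance(value, ast.Constant):
            settings[target.id] = value.value
        elif isinstance(value, ast.Name):
            settings[target.id] = value.id  # symbolic value such as AUTH_OAUTH
    return settings


def audit(source):
    """Return findings for an OAuth config with respect to self-registration."""
    s = read_settings(source)
    if s.get("AUTH_TYPE") != "AUTH_OAUTH":
        return []
    if not s.get("AUTH_USER_REGISTRATION", False):
        # Behaviour as reported in this thread, not verified here.
        return ["self-registration off: OAuth users absent from ab_user "
                "are sent back to /login"]
    role = s.get("AUTH_USER_REGISTRATION_ROLE", "Public")
    if role not in LOW_PRIVILEGE_ROLES:
        return [f"self-registered OAuth users receive role {role!r}"]
    return []


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```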