jakubgs opened a new issue #14829:
URL: https://github.com/apache/airflow/issues/14829
**Apache Airflow version**:
`2.0.1` but with a hack to make GitHub role based oauth work by installing
`flask-appbuilder==3.2.0` to get better OAuth.
**Environment**:
- **Cloud provider or hardware configuration**:
- **OS**: Ubuntu 20.04.2
- **Kernel**: `5.4.0-66-generic x86_64`
- **Install tools**:
- **Others**:
**What happened**:
After removing via web UI a user created by my OAuth integration implemented
by inheriting from `AirflowSecurityManager` I was greeted by a redirect loop:
```
This page isn’t working
airflow.example.org redirected you too many times.
Try clearing your cookies.
ERR_TOO_MANY_REDIRECTS
```
Which can be seen in the logs:
```
"GET /home HTTP/1.0" 302 321 "-" "Mozilla/5.0 (X11; Linux x86_64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.72 Safari/537.36"
DEBUG - Provider: None
DEBUG - Already authenticated TestUser
"GET /login/?next=https%3A%2F%2Fairflow.example.org%2Fhome HTTP/1.0" 302 209
"-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/89.0.4389.72 Safari/537.36"
"GET / HTTP/1.0" 302 217 "-" "Mozilla/5.0 (X11; Linux x86_64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.72 Safari/537.36"
"GET /home HTTP/1.0" 302 321 "-" "Mozilla/5.0 (X11; Linux x86_64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.72 Safari/537.36"
DEBUG - Provider: None
DEBUG - Already authenticated TestUser
"GET /login/?next=https%3A%2F%2Fairflow.example.org%2Fhome HTTP/1.0" 302 209
"-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/89.0.4389.72 Safari/537.36"
"GET / HTTP/1.0" 302 217 "-" "Mozilla/5.0 (X11; Linux x86_64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.72 Safari/537.36"
"GET /home HTTP/1.0" 302 321 "-" "Mozilla/5.0 (X11; Linux x86_64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.72 Safari/537.36"
DEBUG - Provider: None
DEBUG - Already authenticated TestUser
...
```
As far as I can tell the issue is the `Provider: None` part, since when I try
to log in as another user which was not removed I can see the provider is
correctly detected:
```
DEBUG - Provider: github
DEBUG - Going to call authorize for: github
```
**What you expected to happen**:
Login to work as before.
**How to reproduce it**:
I have implemented OAuth GitHub mapping of user teams to Airflow roles like
so:
```python
from airflow.www.security import AirflowSecurityManager

# Map GitHub team slugs to Airflow roles
AUTH_ROLES_MAPPING = {
    "devs": ["Viewer"],
    "analists": ["User"],
    "devops": ["Admin"],
}


class GitHubAirflowSecurityManager(AirflowSecurityManager):
    def oauth_user_info(self, provider, resp):
        assert provider == 'github'
        api = self.appbuilder.sm.oauth_remotes[provider]
        user = api.get('user').json()
        teams = api.get('user/teams').json()
        # email field can't be empty
        fake_email = "%[email protected]" % user.get("login")
        data = {
            "username": user.get("login"),
            "email": user.get("email") or fake_email,
            "first_name": user.get("name", ""),
            "last_name": user.get("family_name", ""),
            # team slugs are matched against AUTH_ROLES_MAPPING
            "role_keys": [t.get("slug") for t in teams],
        }
        return data


SECURITY_MANAGER_CLASS = GitHubAirflowSecurityManager
```
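A small detector for the pattern visible in the logs above, added here as an example and not part of the original issue or of Airflow: it looks for an unbroken run of 302 responses whose paths repeat, and reports the session user named in the `Already authenticated` lines. The sample log is constructed from the quoted lines with the user-agent shortened, and the code assumes the log has already been filtered to a single client.

```python
import re

# Constructed sample based on the log lines quoted in the issue.
SAMPLE_LOG = '''\
"GET /home HTTP/1.0" 302 321 "-" "Mozilla/5.0"
DEBUG - Provider: None
DEBUG - Already authenticated TestUser
"GET /login/?next=https%3A%2F%2Fairflow.example.org%2Fhome HTTP/1.0" 302 209 "-" "Mozilla/5.0"
"GET / HTTP/1.0" 302 217 "-" "Mozilla/5.0"
''' * 2 + '"GET /home HTTP/1.0" 302 321 "-" "Mozilla/5.0"\n'

REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})\b')
AUTH = re.compile(r"Already authenticated (\S+)")


def redirect_runs(log_text):
    """Yield the request paths of each unbroken run of 302 responses."""
    run = []
    for path, status in REQUEST.findall(log_text):
        if status == "302":
            run.append(path.split("?", 1)[0])  # ignore ?next=... when comparing
        else:
            if run:
                yield run
            run = []
    if run:
        yield run


def find_loop(run, min_repeats=2):
    """Return the shortest cycle that repeats across the whole run, or None."""
    for period in range(1, len(run) // min_repeats + 1):
        if all(run[i] == run[i + period] for i in range(len(run) - period)):
            return run[:period]
    return None


def report(log_text):
    """Summarise the first redirect loop found in the log, or return None."""
    for run in redirect_runs(log_text):
        cycle = find_loop(run)
        if cycle:
            users = sorted(set(AUTH.findall(log_text)))
            return {"cycle": cycle, "repeats": len(run) // len(cycle), "users": users}
    return None


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

A normal unauthenticated visit (`/home` answered with 302, then `/login/` answered with 200) produces no report, because the run of redirects ends before any path repeats.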