chandakanant opened a new issue, #31461:
URL: https://github.com/apache/airflow/issues/31461

   ### Apache Airflow version
   
   Other Airflow 2 version (please specify below)
   
   ### What happened
   
   Hello everyone, I am trying to set up SSO using AWS Cognito in the Airflow Helm chart. I've made edits to the webserverConfig section, and I am getting a redirect mismatch error. It is taking HTTP instead of HTTPS. Also, it is working on localhost.
   
   ```
   webserverConfig: |
       import sys
       from tokenize import group
       from airflow import configuration as conf
       from airflow.www.security import AirflowSecurityManager
       from flask_appbuilder.security.manager import AUTH_OAUTH
       import logging
       import os
       import json
   
       logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
       logger = logging.getLogger()
   
       class CognitoSecurity(AirflowSecurityManager):
   
           def oauth_user_info(self, provider, response=None):
               if provider == "aws_cognito" and response:
                   
                   logger.info(response)
   
   
                   # The remote returns a requests.Response object
                   res = self.appbuilder.sm.oauth_remotes[provider].get('oauth2/userInfo')
                   if res.status_code != 200:
                       logger.error('Failed to obtain user info: %s', res.text)
                       return
                   me = res.json()
                   logger.info(" user_data: %s", me)
                   return {"username": me.get("username"), "email": me.get("email")}
               else:
                   return {}
   
       AUTH_TYPE = AUTH_OAUTH
       AUTH_ROLES_SYNC_AT_LOGIN = True  # Checks roles on every login
       AUTH_USER_REGISTRATION = True
       AUTH_USER_REGISTRATION_ROLE = "Admin"  # Role assigned to every self-registered user
       COGNITO_URL = "https://xxxxxxxx.amazoncognito.com/"
       CONSUMER_KEY = "xxxxxxxxxxxxxxxxx"
       SECRET_KEY = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
       REDIRECT_URI = "https://example.com/login/"
       JWKS_URI = "https://xxxxxxxxx.amazonaws.com/eu-west-1_lcPvXYowr/.well-known/jwks.json"
       OAUTH_PROVIDERS = [{
           'name':'aws_cognito',
           #'whitelist': ['@test.com'],  # optional
           'token_key':'access_token',
           'url': COGNITO_URL,
           'icon': 'fa-amazon',
           'remote_app': {
               'client_id': CONSUMER_KEY,
               'client_secret': SECRET_KEY,
               'base_url': os.path.join(COGNITO_URL, 'oauth2/idpresponse'),
               "api_base_url": COGNITO_URL,
               'redirect_uri' : REDIRECT_URI,
               'jwks_uri': JWKS_URI,
               'client_kwargs': {
                   'scope': 'openid'
               },
               'access_token_url': os.path.join(COGNITO_URL, 'oauth2/token'),
               'authorize_url': os.path.join(COGNITO_URL, 'oauth2/authorize')
           }
       }]
       SECURITY_MANAGER_CLASS = CognitoSecurity
   
   ```
   I have also tried adding headers in the reverse proxy (nginx), but that also 
did not solve the problem.
   
   ```
   ingress:
     web:
       enabled: true
       annotations:
         kubernetes.io/ingress.class: "nginx"
         nginx.ingress.kubernetes.io/rewrite-target: /
         nginx.ingress.kubernetes.io/use-regex: "true"
         nginx.ingress.kubernetes.io/configuration-snippet: |
           add_header X-Forwarded-Protocol ssl;
           add_header X-Forwarded-Proto https;
           add_header X-Forwarded-Port 443;
   ```
   
   ### What you think should happen instead
   
   _No response_
   
   ### How to reproduce
   
   Should redirect to the `aws cognito` sign-in page and also redirect_uri 
should take HTTP instead of HTTPS.
   
   ### Operating System
   
   Linux
   
   ### Versions of Apache Airflow Providers
   
   apache/airflow:2.5.2-python3.10
   
   
   
   ### Deployment
   
   Official Apache Airflow Helm Chart
   
   ### Deployment details
   
   _No response_
   
   ### Anything else
   
   _No response_
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
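
The mismatch reported above, modelled with the standard library only (an added example, not code from the issue or from Airflow): an app behind a TLS-terminating proxy sees plain HTTP and builds an `http://` redirect_uri unless a trusted `X-Forwarded-Proto` request header is applied to the WSGI scheme. `login_app`, `TrustOneProxy`, the callback path and the identity-provider URL are assumptions made for the illustration.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for illustration; not taken from the issue.
AUTHORIZE_URL = "https://idp.example.invalid/oauth2/authorize"
CALLBACK_PATH = "/oauth-authorized/aws_cognito"
REGISTERED_CALLBACK = "https://example.com" + CALLBACK_PATH


def login_app(environ, start_response):
    """Stand-in for the login view: redirect_uri is built from the WSGI scheme."""
    redirect_uri = f"{environ['wsgi.url_scheme']}://{environ['HTTP_HOST']}{CALLBACK_PATH}"
    query = urlencode({"response_type": "code", "redirect_uri": redirect_uri})
    start_response("302 Found", [("Location", f"{AUTHORIZE_URL}?{query}")])
    return [b""]


class TrustOneProxy:
    """Hypothetical middleware: accept X-Forwarded-Proto only from the nearest proxy."""

    def __init__(self, app, hops=1):
        self.app, self.hops = app, hops

    def __call__(self, environ, start_response):
        raw = environ.get("HTTP_X_FORWARDED_PROTO", "")
        values = [v.strip().lower() for v in raw.split(",") if v.strip()]
        # Assumes each proxy appends its own value, so count from the right;
        # anything further left came from the client and is not trusted.
        if 1 <= self.hops <= len(values) and values[-self.hops] in ("http", "https"):
            environ["wsgi.url_scheme"] = values[-self.hops]
        return self.app(environ, start_response)


def redirect_uri_sent(app, request_headers):
    """Call the app as the pod sees it: plain HTTP from the TLS-terminating proxy."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/login/aws_cognito",
               "wsgi.url_scheme": "http", "HTTP_HOST": "example.com"}
    environ.update(request_headers)
    sent = {}
    app(environ, lambda status, headers: sent.update(headers))
    return parse_qs(urlparse(sent["Location"]).query)["redirect_uri"][0]


if __name__ == "__main__":
    forwarded = {"HTTP_X_FORWARDED_PROTO": "https"}
    print(redirect_uri_sent(login_app, forwarded))                 # header ignored by the app
    print(redirect_uri_sent(TrustOneProxy(login_app), forwarded))  # header honoured
    spoofed = {"HTTP_X_FORWARDED_PROTO": "https, http"}
    print(redirect_uri_sent(TrustOneProxy(login_app), spoofed))    # client-supplied value dropped
```

In Airflow the corresponding switch is `enable_proxy_fix` in the `[webserver]` section, which wraps the web app in Werkzeug's `ProxyFix`. The nginx `add_header` directive sets response headers sent to the browser, whereas the application only reads request headers.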
   

