GitHub user sumanth567 edited a discussion: Issue while enabling okta on Airflow 2.10.4
Hi Airflow community, I was trying to enable Okta for the first time in our Airflow application but am facing challenges. Can someone please help us validate our configs and let us know if we are missing something on our end?

```
Airflow version: 2.10.4 running on python3.9
oauthlib 2.1.0
authlib-1.4.1
flask-oauthlib-0.9.6
flask-oidc-2.2.2
requests-oauthlib-1.1.0
Okta-2.9.0
```

Below is our Airflow webserver.cfg file:

```
#Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
"""Default configuration for the Airflow webserver"""
import os
from airflow.www.fab_security.manager import AUTH_OAUTH
#from flask_appbuilder.security.manager import AUTH_OAUTH
basedir = os.path.abspath(os.path.dirname(__file__))
# Flask-WTF flag for CSRF
WTF_CSRF_ENABLED = True
# ----------------------------------------------------
# AUTHENTICATION CONFIG
# ----------------------------------------------------
# For details on how to set up each of the following authentication, see
# http://flask-appbuilder.readthedocs.io/en/latest/security.html# authentication-methods
# for details.
# The authentication type
AUTH_TYPE = AUTH_OAUTH
# Uncomment to setup Full admin role name
AUTH_ROLE_ADMIN = 'Admin'
# When using OAuth Auth, uncomment to setup provider(s) info
# Okta provider (comment carried over from the template's Google OAuth example):
OAUTH_PROVIDERS = [{
    'name':'okta',
    'token_key':'access_token',
    'icon':'fa-circle-o',
    'remote_app': {
        'client_id': 'xxxxxxxxxxxxx',
        'client_secret': 'xxxxxxxxxxxxxxxxxxx',
        'api_base_url': 'https://xxxxxxx.com/oauth2/v1/',
        'client_kwargs':{'scope': 'openid profile email groups'},
        # 'redirect_uri': 'https://xxxxxxx.com/oauth-authorized/okta',
        'access_token_url': 'https://xxxxxxx.com/oauth2/v1/token',
        'authorize_url': 'https://xxxxxxx.com/oauth2/v1/authorize',
        'jwks_uri': 'https://xxxxxxx.com/oauth2/v1/keys'
        # 'server_metadata_url': 'https://xxxxxxx.com/.well-known/openid-configuration'
    }
}]
# Will allow user self registration
AUTH_USER_REGISTRATION = True
# The default user self registration role
# NOTE(review): with AUTH_USER_REGISTRATION = True this role is given to every
# account created on first OAuth login, so "Admin" here makes any user the
# identity provider authenticates an Airflow admin. A low-privilege default,
# with Admin granted only through AUTH_ROLES_MAPPING from an Okta group,
# keeps least privilege.
AUTH_USER_REGISTRATION_ROLE = "Admin"
AUTH_ROLES_MAPPING = { "Admin": ["Admin"] }
# if we should replace ALL the user's roles each login, or only on registration
AUTH_ROLES_SYNC_AT_LOGIN = True
# force users to re-auth after 12hr of inactivity (to keep roles in sync)
PERMANENT_SESSION_LIFETIME = 43200
```

The error I am getting in the webserver logs is below (Internal Server Error). The traceback shows the gunicorn worker timing out while the token request to the provider is still in the TLS handshake:

```
[2025-01-29 19:55:59 +0000] [21] [CRITICAL] WORKER TIMEOUT (pid:92)
[2025-01-29 19:55:59 +0000] [92] [ERROR] Error handling request /oauth-authorized/okta?code=xxxxxxxxxxxxxx&state=xxxxxxxxxxx
Traceback (most recent call last):
  File "/opt/app-root/lib64/python3.9/site-packages/gunicorn/workers/sync.py", line 134, in handle
    self.handle_request(listener, req, client, addr)
  File "/opt/app-root/lib64/python3.9/site-packages/gunicorn/workers/sync.py", line 177, in handle_request
    respiter = self.wsgi(environ, resp.start_response)
  File "/opt/app-root/lib64/python3.9/site-packages/flask/app.py", line 2552, in __call__
    return self.wsgi_app(environ, start_response)
  File "/opt/app-root/lib64/python3.9/site-packages/flask/app.py", line 2529, in wsgi_app
    response = self.full_dispatch_request()
  File "/opt/app-root/lib64/python3.9/site-packages/flask/app.py", line 1823, in full_dispatch_request
    rv = self.dispatch_request()
  File "/opt/app-root/lib64/python3.9/site-packages/flask/app.py", line 1799, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/opt/app-root/lib64/python3.9/site-packages/flask_appbuilder/security/views.py", line 679, in oauth_authorized
    resp = self.appbuilder.sm.oauth_remotes[provider].authorize_access_token()
  File "/opt/app-root/lib64/python3.9/site-packages/authlib/integrations/flask_client/apps.py", line 101, in authorize_access_token
    token = self.fetch_access_token(**params, **kwargs)
  File "/opt/app-root/lib64/python3.9/site-packages/authlib/integrations/base_client/sync_app.py", line 347, in fetch_access_token
    token = client.fetch_token(token_endpoint, **params)
  File "/opt/app-root/lib64/python3.9/site-packages/authlib/oauth2/client.py", line 217, in fetch_token
    return self._fetch_token(
  File "/opt/app-root/lib64/python3.9/site-packages/authlib/oauth2/client.py", line 366, in _fetch_token
    resp = self.session.post(
  File "/opt/app-root/lib64/python3.9/site-packages/requests/sessions.py", line 637, in post
    return self.request("POST", url, data=data, json=json, **kwargs)
  File "/opt/app-root/lib64/python3.9/site-packages/authlib/integrations/requests_client/oauth2_session.py", line 112, in request
    return super().request(
  File "/opt/app-root/lib64/python3.9/site-packages/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/app-root/lib64/python3.9/site-packages/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
  File "/opt/app-root/lib64/python3.9/site-packages/requests/adapters.py", line 667, in send
    resp = conn.urlopen(
  File "/opt/app-root/lib64/python3.9/site-packages/urllib3/connectionpool.py", line 715, in urlopen
    httplib_response = self._make_request(
  File "/opt/app-root/lib64/python3.9/site-packages/urllib3/connectionpool.py", line 404, in _make_request
    self._validate_conn(conn)
  File "/opt/app-root/lib64/python3.9/site-packages/urllib3/connectionpool.py", line 1060, in _validate_conn
    conn.connect()
  File "/opt/app-root/lib64/python3.9/site-packages/urllib3/connection.py", line 419, in connect
    self.sock = ssl_wrap_socket(
  File "/opt/app-root/lib64/python3.9/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "/opt/app-root/lib64/python3.9/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib64/python3.9/ssl.py", line 501, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib64/python3.9/ssl.py", line 1074, in _create
    self.do_handshake()
  File "/usr/lib64/python3.9/ssl.py", line 1343, in do_handshake
    self._sslobj.do_handshake()
  File "/opt/app-root/lib64/python3.9/site-packages/gunicorn/workers/base.py", line 204, in handle_abort
    sys.exit(1)
SystemExit: 1
```

GitHub link: https://github.com/apache/airflow/discussions/46260

----
This is an automatically sent email for [email protected].
To unsubscribe, please send an email to: [email protected]
