Re: [I] Airflow not using custom API authentication/auth_backends [airflow]

Fri, 06 Jun 2025 10:02:10 -0700 


alpeshv commented on issue #51362:
URL: https://github.com/apache/airflow/issues/51362#issuecomment-2949889113

   @vincbeck thank you for picking this up. I am having the same issue so can 
provide some more insight. 
   
   We have been using custom auth implementation with keycloak for Airflow api 
v1 to make airflow api calls from other apps, mainly to trigger a specific dag. 
   
   It was working fine until we upgraded Airflow to 3.0.1 and now trying to the 
use same setup for Airflow api v2. My keycloak tokens use RS256, where as 
airflow, by default, recognises tokens with alg HS512, when jwt_secret is set 
as per [this](AIRFLOW__API_AUTH__JWT_ALGORITHM) and thats what causing this 
issue. 
   
   I have tried changing this alg to RS256 and removed jwt_secret but that was 
causing api-server pod to crash with error `The value api_auth/jwt_secret must 
be set` in api-server pod.
   
   My problem is that I am also using `FabAirflowSecurityManagerOverride` in my 
api-server config to enable keycloak oauth for Airflow UI which works fine but 
I am not able to make the same thing work for api auth.
   
   ```
     - name: AIRFLOW__API__AUTH_BACKENDS
       value: 
'airflow.providers.fab.auth_manager.api.auth.backend.custom_jwt_auth_backend'
     - name: AIRFLOW__FAB__AUTH_BACKENDS
       value: 
'airflow.providers.fab.auth_manager.api.auth.backend.custom_jwt_auth_backend'
     - name: AIRFLOW__CORE__AUTH_MANAGER
       value: 
'airflow.providers.fab.auth_manager.fab_auth_manager.FabAuthManager'
   ```
   
   Its really confusing to me that how UI auth works with keycloak but api auth 
doesn't. I guess fab manager somehow exchanges keycloak token for a simpler jwt 
token which airflow can understand. Also not sure how these backends and auth 
manager work together for api authentication. I have gone through all the 
documentation available but could not find anything helpful.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to