GitHub user jlandercy created a discussion: How can I fix this broken OIDC flow?

I would like to deploy Airflow in my company in order to rationalize and manage 
processes and dataflows. I have the requirement to use OIDC for all applications 
we deploy.

As a baseline, the GitLab OIDC flow is sufficient for my needs. I know that if I am 
able to complete this flow, I will be able to use the OIDC of my company. So 
this is what it is about: connecting Airflow with an OIDC flow using GitLab as 
an authentication provider.

I have read the following documentation:
 - https://airflow.apache.org/docs/apache-airflow-providers-fab/stable/auth-manager/webserver-authentication.html

And I have adapted it for the GitLab context. Mainly, the `webserver_config.py` 
looks like:

```python
from airflow.providers.fab.auth_manager.security_manager.override import FabAirflowSecurityManagerOverride
from flask_appbuilder.security.manager import AUTH_OAUTH
import os

AUTH_TYPE = AUTH_OAUTH
AUTH_USER_REGISTRATION = False
AUTH_ROLES_SYNC_AT_LOGIN = False
AUTH_USER_REGISTRATION_ROLE = "Viewer"

OAUTH_PROVIDERS = [
    {
        "name": "GitLab",
        "icon": "fa-key",
        "token_key": "access_token",
        "remote_app": {
            "client_id": os.getenv("OIDC_CLIENT_ID"),
            "client_secret": os.getenv("OIDC_CLIENT_SECRET"),
            "server_metadata_url": "https://gitlab.com/.well-known/openid-configuration",
            "api_base_url": "https://gitlab.com",
            "client_kwargs": {"scope": "email profile"},
            "access_token_url": "https://gitlab.com/oauth/token",
            "authorize_url": "https://gitlab.com/oauth/authorize",
        }
    }
]

class CustomSecurityManager(FabAirflowSecurityManagerOverride):
    pass

SECURITY_MANAGER_CLASS = CustomSecurityManager
```

When I put it at the root of my `airflow` folder the login page is modified and 
it initiates the flow through GitLab, but **it does not send the client id**. I 
receive this error: `Client authentication failed due to unknown client, no 
client authentication included, or unsupported authentication method.`

Checking the reason, it simply seems that the `client_id` is not sent during 
the call (it is actually set to `None`) to GitLab:

```
https://gitlab.com/oauth/authorize?response_type=code&client_id=None&redirect_uri=...
```

Replaying the request by providing the `client_id` almost completes the flow. I 
am redirected to Airflow, but then Airflow complains: `The request to sign in 
was denied.` and I have no valuable logs to show in my containers.

I am redirected to:

```
http://localhost:8080/auth/oauth-authorized/GitLab
```

So here are my questions:
  - Is my configuration correct, or should I adapt it to make it work?
  - Is it a software problem (bug or feature), and how can I help to make it 
work and provide a GitLab provider to the community as well?

Thank you in advance for your constructive answers.

Cheers,

Jean

GitHub link: https://github.com/apache/airflow/discussions/56260
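Added example (not code from the original post or from the Airflow project): two helpers that plug into the `webserver_config.py` above. The first fails fast when `OIDC_CLIENT_ID` / `OIDC_CLIENT_SECRET` are unset, so `client_id=None` never reaches the authorize URL; the second maps a GitLab `/oauth/userinfo` response onto the dict shape Flask-AppBuilder expects from a `get_oauth_user_info` override on `CustomSecurityManager`. The function names, the `allowed_groups` filter and the sample claims are assumptions of this example; the claim names follow GitLab's OIDC userinfo response.

```python
import os

REQUIRED_ENV = ("OIDC_CLIENT_ID", "OIDC_CLIENT_SECRET")


def gitlab_provider(env=os.environ, base_url="https://gitlab.com"):
    """Build the OAUTH_PROVIDERS entry, refusing to start on missing secrets."""
    missing = [k for k in REQUIRED_ENV if not env.get(k)]
    if missing:
        # Raising here surfaces the misconfiguration at webserver start-up
        # instead of as an opaque "unknown client" error from GitLab.
        raise RuntimeError(f"OIDC settings missing from environment: {', '.join(missing)}")
    return {
        "name": "GitLab",
        "icon": "fa-key",
        "token_key": "access_token",
        "remote_app": {
            "client_id": env["OIDC_CLIENT_ID"],
            "client_secret": env["OIDC_CLIENT_SECRET"],
            "server_metadata_url": f"{base_url}/.well-known/openid-configuration",
            "api_base_url": base_url,
            # GitLab only serves /oauth/userinfo to tokens carrying the openid scope.
            "client_kwargs": {"scope": "openid email profile"},
            "access_token_url": f"{base_url}/oauth/token",
            "authorize_url": f"{base_url}/oauth/authorize",
        },
    }


def gitlab_userinfo_to_fab(claims, allowed_groups=None):
    """Translate GitLab userinfo claims into FAB's user-info dict.

    Returns {} for an unusable identity (no verified email, or none of the
    caller-supplied allowed_groups); FAB treats a dict without username or
    email as a failed login, so the user is refused rather than auto-created.
    """
    email = claims.get("email")
    if not email or not claims.get("email_verified", False):
        return {}
    groups = list(claims.get("groups", []))
    if allowed_groups is not None and not set(groups) & set(allowed_groups):
        return {}
    first, _, last = (claims.get("name") or "").partition(" ")
    return {
        "username": claims.get("preferred_username") or claims["sub"],
        "email": email,
        "first_name": first,
        "last_name": last,
        "role_keys": groups,  # consumed by AUTH_ROLES_MAPPING if it is enabled
    }


# Constructed sample of what GitLab's userinfo endpoint returns (not real data).
SAMPLE_CLAIMS = {"sub": "42", "preferred_username": "jean", "email": "jean@example.com",
                 "email_verified": True, "name": "Jean Dupont", "groups": ["data-platform"]}
```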
