fediabdelhedi opened a new pull request, #56624:
URL: https://github.com/apache/airflow/pull/56624
## What
Implements automatic token refresh when Keycloak access token expires.
## Why
Fixes #56614 - Users receive 500 Internal Server Error after token lifetime
(5 minutes) expires. The Keycloak provider was not implementing OAuth2 refresh
token flow.
## How
1. **Added `_refresh_access_token()` method** that:
- Retrieves refresh token from the user object
- Calls Keycloak token endpoint with `grant_type=refresh_token`
- Updates user's access token and refresh token
- Includes comprehensive error handling and logging
2. **Modified `_is_authorized()` to**:
- Catch 401 Unauthorized responses (token expired)
- Attempt token refresh using `_refresh_access_token()`
- Retry the authorization check with the new token
- Provide clear error messages if refresh fails
3. **Modified `_is_batch_authorized()` to**:
- Apply the same token refresh logic for batch authorization checks
- Ensure consistency across authorization methods
## Testing
- [x] Code follows Airflow coding standards
- [x] Logic verified against OAuth2 refresh token specification
- [ ] Manual testing with Keycloak (requires dedicated test environment)
**Note:** I don't currently have a Keycloak test environment set up. The
implementation follows the OAuth2 standard refresh token flow and matches the
pattern used in similar auth providers. Happy to add tests or make adjustments
based on reviewer feedback!
## Impact
- Users will remain logged in after token expiration
- No more 500 errors after 5 minutes of inactivity
- Seamless user experience with automatic token renewal
Closes: #56614
---
**^ Add meaningful description above**
Read the **[Pull Request
Guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#pull-request-guidelines)**
for more information.
In case of fundamental code changes, an Airflow Improvement Proposal
([AIP](https://cwiki.apache.org/confluence/display/AIRFLOW/Airflow+Improvement+Proposals))
is needed.
In case of a new dependency, check compliance with the [ASF 3rd Party
License Policy](https://www.apache.org/legal/resolved.html#category-x).
In case of backwards incompatible changes please leave a note in a
newsfragment file, named `{pr_number}.significant.rst` or
`{issue_number}.significant.rst`, in
[airflow-core/newsfragments](https://github.com/apache/airflow/tree/main/airflow-core/newsfragments).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
