vincbeck commented on PR #56633: URL: https://github.com/apache/airflow/pull/56633#issuecomment-3433528986
> Invalid parameter: redirect_uri > > I’ve been working with Airflow and Keycloak, and ran into the same issue: Airflow sends an incorrect redirect_uri using http instead of https, which is insecure. I want it to use https. https://github.com/apache/airflow/blob/main/providers/keycloak/src/airflow/providers/keycloak/auth_manager/routes/login.py > > I’ve tried setting base_url in the config, but it has no effect — the redirect still uses http during the login flow. My Airflow web UI is behind NGINX, which is properly configured to forward all necessary headers and redirect to https. > > From what I understand, this seems to be a widespread issue, and I’d like to know when it will be fixed. Interesting. I think the issue comes from the fact the api server is behind a proxy. When Airflow does `request.url_for("login_callback")`, it assumes it uses `http` instead of `https`. https://github.com/Kludex/uvicorn/blob/main/uvicorn/middleware/proxy_headers.py looks the perfect candidate to fix that. Is that okay to add that middleware @pierrejeambrun or we are trying to limit the number of middlewares as much as we can? > Also, in the newer Airflow versions, I can no longer use the old OIDC config with Flask AppBuilder to temporarily bypass the issue — it's no longer compatible. OIDC authentication has been removed from `Flask-appbuilder 5`, so yes, this option is longer possible in Fab auth manager because it now uses `Flask-appbuilder 5`. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
