Re: [D] How to assign Admin/User roles based on email with Google OAuth2? [airflow]

[via GitHub]

GitHub user bun-paul-kwon added a comment to the discussion: How to assign 
Admin/User roles based on email with Google OAuth2?

I managed to resolve this issue. The key was to implement a 
`CustomOidcSecurityManager` to override the `oauth_user_info` method.
```yaml
# values.yaml
apiServer:
    apiServerConfig: |
        from flask_appbuilder.security.manager import AUTH_OAUTH
        from airflow.providers.fab.auth_manager.security_manager.override 
import FabAirflowSecurityManagerOverride
        import logging

        log = logging.getLogger(__name__)

        ADMIN_EMAIL_LIST = {
            'adm...@mycompany.com',
            'adm...@mycompany.com'
        }

        class CustomOidcSecurityManager(FabAirflowSecurityManagerOverride):
            def oauth_user_info(self, provider, response):
                
                if provider != 'google':
                    return {}

                userinfo = response.get('userinfo')
                email = userinfo.get('email')
                hd = userinfo.get('hd')

                if hd is None or hd != "mycompany.com":
                    return {}
                
                if email is None:
                    return {}

                if email in ADMIN_EMAIL_LIST:
                    userinfo['role_keys'] = ['Admin']
                else:
                    userinfo['role_keys'] = ['User']

                return userinfo

        AUTH_TYPE = AUTH_OAUTH
        CSRF_ENABLED = True
        AUTH_USER_REGISTRATION = True
        # AUTH_USER_REGISTRATION_ROLE = "Viewer"
        AUTH_ROLES_SYNC_AT_LOGIN = True
        PERMANENT_SESSION_LIFETIME = 86400
        AUTH_ROLES_MAPPING = {
          "Admin": ["Admin"],
          "User": ["User"],
        }
        SECURITY_MANAGER_CLASS = CustomOidcSecurityManager
        OAUTH_PROVIDERS = [
            {
                'name': 'google',
                'token_key': 'access_token',
                'icon': 'fa-google',
                'remote_app': {
                    'api_base_url': 'https://www.googleapis.com/oauth2/v2/',
                    'client_kwargs': {'scope': 'openid profile email'},
                    'access_token_url': 
'https://accounts.google.com/o/oauth2/token',
                    'authorize_url': 
'https://accounts.google.com/o/oauth2/auth',
                    'request_token_url': None,
                    'client_id': '<CLIENT_ID>',
                    'client_secret': '<CLIENT_SECRET>',
                    'userinfo_endpoint': 
'https://openidconnect.googleapis.com/v1/userinfo',
                    'jwks_uri': 'https://www.googleapis.com/oauth2/v3/certs',
                    'authorize_params': {'hd': 'mycompany.com'}
                }
            }
        ]
```

GitHub link: 
https://github.com/apache/airflow/discussions/57527#discussioncomment-14878492

----
This is an automatically sent email for commits@airflow.apache.org.
To unsubscribe, please send an email to: commits-unsubscr...@airflow.apache.org