ecodina opened a new issue, #59286: URL: https://github.com/apache/airflow/issues/59286
### Description It may be useful to add a Keycloak auth manager endpoint where you could obtain a token using the client_credentials flow. The endpoint could be `POST /token/client_credentials`, where the user would specify the `client_id` and `client_secret`. The client should be available in the `server_url` configured in `airflow.cfg`. The service account for the client used would have to be configured appropriately so the authorization server can perform the authorization. I can prepare a PR adding this functionality, but before I do anything, I'd appreciate @bugraoz93 and @vincbeck feedback! ### Use case/motivation Airflow's API is very powerful. Right now it is designed to be used by an end user, but in some cases there is not an actual person running the requests. Instead, it is done by an automated service. That's something I've seen we need in our organization when deploying Airflow 3. For example: - A monitoring service that queries runs - A service that needs triggering Dags on-demand (maybe the backend of a web app has to run a Dag when a user inputs something) - A Github Action that uploads a new Dag and then wants to unpause it and run it once - ... OAuth2 has the client_credentials flow designed for exactly these use cases. We could create a "fake user" and use the current endpoints, but it may make more sense to use this flow. ### Related issues _No response_ ### Are you willing to submit a PR? - [x] Yes I am willing to submit a PR! ### Code of Conduct - [x] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
