vincbeck commented on code in PR #54196:
URL: https://github.com/apache/airflow/pull/54196#discussion_r2611858757


##########
airflow-core/docs/core-concepts/auth-manager/index.rst:
##########
@@ -170,8 +170,76 @@ cookie named ``_token`` before redirecting to the Airflow 
UI. The Airflow UI wil
     return response
 
 .. note::
-    Do not set the cookie parameter ``httponly`` to ``True``. Airflow UI needs 
to access the JWT token from the cookie.
+  Ensure that the cookie parameter ``httponly`` is set to ``True``. UI no 
longer manages the token.
 
+Refreshing JWT Token
+''''''''''''''''''''
+Refreshing token is optional feature and its availability depends on the 
specific implementation of the auth manager.
+The auth manager is responsible for refreshing the JWT token when it expires.
+The Airflow API uses middleware that intercepts every request and checks the 
validity of the JWT token.
+Token communication is handled through ``httponly`` cookies to improve 
security.
+When the token expires, the middleware calls the auth manager's 
``refresh_token`` method to obtain a new token.
+
+To support token refresh operations, the auth manager must implement the 
``refresh_token`` method.
+This method receives an expired token and must return a new valid token.
+User information is extracted from the expired token and used to generate a 
fresh token.
+
+An example implementation of ``refresh_user`` could be:
+
+.. code-block:: python
+
+    def refresh_user(self, *, user: KeycloakAuthManagerUser) -> 
KeycloakAuthManagerUser | None:
+        if self._token_expired(user.access_token):
+            log.debug("Refreshing the token")
+            client = self.get_keycloak_client()
+            tokens = client.refresh_token(user.refresh_token)
+            user.refresh_token = tokens["refresh_token"]
+            user.access_token = tokens["access_token"]
+            return user
+
+        return None
+
+User information is derived from the ``BaseUser`` instance. It is important 
that the user object contains all the fields required to refresh the token. An 
example user class that includes all necessary fields is shown below:
+
+.. code-block:: python
+
+    class KeycloakAuthManagerUser(BaseUser):
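Review bot: the prose and the example in this hunk disagree about which method the auth manager must implement. The text says "the auth manager must implement the ``refresh_token`` method" and that it "receives an expired token and must return a new valid token", but the example that follows is ``refresh_user(self, *, user: KeycloakAuthManagerUser)``, which takes a user object and returns a user, and its ``None`` return is never explained (it is returned when the access token is *not* expired, so it cannot mean "refresh failed"). Suggest naming the method the middleware actually calls, matching the signature in the prose to it, and spelling out the return contract, for instance "return the updated user when a refresh happened, ``None`` when no refresh was needed".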

Review Comment:
   Same here



##########
airflow-core/docs/core-concepts/auth-manager/index.rst:
##########
@@ -170,8 +170,76 @@ cookie named ``_token`` before redirecting to the Airflow 
UI. The Airflow UI wil
     return response
 
 .. note::
-    Do not set the cookie parameter ``httponly`` to ``True``. Airflow UI needs 
to access the JWT token from the cookie.
+  Ensure that the cookie parameter ``httponly`` is set to ``True``. UI no 
longer manages the token.
 
+Refreshing JWT Token
+''''''''''''''''''''
+Refreshing token is optional feature and its availability depends on the 
specific implementation of the auth manager.
+The auth manager is responsible for refreshing the JWT token when it expires.
+The Airflow API uses middleware that intercepts every request and checks the 
validity of the JWT token.
+Token communication is handled through ``httponly`` cookies to improve 
security.
+When the token expires, the middleware calls the auth manager's 
``refresh_token`` method to obtain a new token.
+
+To support token refresh operations, the auth manager must implement the 
``refresh_token`` method.
+This method receives an expired token and must return a new valid token.
+User information is extracted from the expired token and used to generate a 
fresh token.
+
+An example implementation of ``refresh_user`` could be:
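Review bot: the ``.. note::`` only tells implementers to set ``httponly``, yet the section below makes this cookie the sole carrier of the session token ("Token communication is handled through ``httponly`` cookies"), so the note should also say which other attributes the ``_token`` cookie needs, at least ``secure`` and an explicit ``samesite`` value: ``httponly`` stops script access but does nothing against transmission over plain HTTP or cross-site sending. Two wording points in the same hunk: "Refreshing token is optional feature" should read "Refreshing the token is an optional feature", and "The auth manager is responsible for refreshing the JWT token when it expires" followed by "the middleware calls the auth manager's ``refresh_token`` method" reads as two owners of the same job; say once that the middleware detects expiry and delegates the refresh to the auth manager.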

Review Comment:
   To avoid having out-of-date code, maybe link to the Keycloak auth manager 
implementation of `refresh_user`?



##########
airflow-core/docs/core-concepts/auth-manager/index.rst:
##########
@@ -170,8 +170,76 @@ cookie named ``_token`` before redirecting to the Airflow 
UI. The Airflow UI wil
     return response
 
 .. note::
-    Do not set the cookie parameter ``httponly`` to ``True``. Airflow UI needs 
to access the JWT token from the cookie.
+  Ensure that the cookie parameter ``httponly`` is set to ``True``. UI no 
longer manages the token.
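Review bot: the replaced ``.. note::`` body drops from four spaces of indentation to two (``+  Ensure that ...`` versus ``-    Do not set ...``); the code block just above indents its body by four (``    return response``), so keep four here for consistency with the rest of the file. The sentence could also say why the flag matters rather than only that it must be set, e.g. "Set ``httponly`` to ``True``: the token is read and refreshed by the API middleware, not by browser-side code, and the flag keeps scripts from reading it."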

Review Comment:
   I am not sure we should have "no longer" in the doc. We always try to avoid 
comparing versions in docs; just mention how the state is.



##########
airflow-core/docs/core-concepts/auth-manager/index.rst:
##########
@@ -170,8 +170,76 @@ cookie named ``_token`` before redirecting to the Airflow 
UI. The Airflow UI wil
     return response
 
 .. note::
-    Do not set the cookie parameter ``httponly`` to ``True``. Airflow UI needs 
to access the JWT token from the cookie.
+  Ensure that the cookie parameter ``httponly`` is set to ``True``. UI no 
longer manages the token.
 
+Refreshing JWT Token
+''''''''''''''''''''
+Refreshing token is optional feature and its availability depends on the 
specific implementation of the auth manager.
+The auth manager is responsible for refreshing the JWT token when it expires.
+The Airflow API uses middleware that intercepts every request and checks the 
validity of the JWT token.
+Token communication is handled through ``httponly`` cookies to improve 
security.
+When the token expires, the middleware calls the auth manager's 
``refresh_token`` method to obtain a new token.
+
+To support token refresh operations, the auth manager must implement the 
``refresh_token`` method.
+This method receives an expired token and must return a new valid token.
+User information is extracted from the expired token and used to generate a 
fresh token.
+
+An example implementation of ``refresh_user`` could be:
+
+.. code-block:: python
+
+    def refresh_user(self, *, user: KeycloakAuthManagerUser) -> 
KeycloakAuthManagerUser | None:
+        if self._token_expired(user.access_token):
+            log.debug("Refreshing the token")
+            client = self.get_keycloak_client()
+            tokens = client.refresh_token(user.refresh_token)
+            user.refresh_token = tokens["refresh_token"]
+            user.access_token = tokens["access_token"]
+            return user
+
+        return None
+
+User information is derived from the ``BaseUser`` instance. It is important 
that the user object contains all the fields required to refresh the token. An 
example user class that includes all necessary fields is shown below:
+
+.. code-block:: python
+
+    class KeycloakAuthManagerUser(BaseUser):
+        """User model for users managed by the Keycloak auth manager."""
+
+        def __init__(self, *, user_id: str, name: str, access_token: str, 
refresh_token: str) -> None:
+            self.user_id = user_id
+            self.name = name
+            self.access_token = access_token
+            self.refresh_token = refresh_token
+
+        def get_id(self) -> str:
+            return self.user_id
+
+        def get_name(self) -> str:
+            return self.name
+
+The refresh token endpoint must implement the refresh logic required by the 
auth manager. An example ``refresh_token`` implementation is shown below:
+
+.. code-block:: python
+
+    def refresh_token(self, expired_token: str) -> str:
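Review bot: the ``refresh_user`` example stores the IdP ``refresh_token`` and ``access_token`` on the user object, and the prose says the user is "extracted from the expired token", so the IdP refresh token is being carried inside the Airflow JWT cookie; the doc should state this plainly, since anyone who can read the ``_token`` cookie then holds a credential that outlives the access token, which is a second reason the cookie must be ``httponly`` and ``secure``. The example also has no failure path: ``client.refresh_token(user.refresh_token)`` will fail when the refresh token itself has expired or been revoked, and the snippet neither catches that nor says what the middleware does then (reject the request and require a new login, presumably); add that branch, or at least a sentence describing it. Finally, ``def refresh_token(self, expired_token: str) -> str`` at the end of the hunk is introduced as "The refresh token endpoint" but is a method, and it shares its name with the Keycloak client call used inside ``refresh_user``; rename one of them or say explicitly which is which.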

Review Comment:
   Same here. If you really want to have code snippets in the doc, maybe we can 
use tags, the same way we do it in system tests.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
