[PR] Fix Keycloak double-slash URL bug (#61121) [airflow]

Sat, 31 Jan 2026 23:20:49 -0800 


y-sudharshan opened a new pull request, #61305:
URL: https://github.com/apache/airflow/pull/61305

   Fixes #61121 - Fix KeycloakAuthManager double-slash URL construction when 
server_url has trailing slash
   
   ## Description
   
   - Normalize server_url in _get_token_url to prevent double-slashes
   - Add .rstrip('/') to handle trailing slashes in server_url configuration
   - Add comprehensive tests for URL normalization scenarios
   - Resolves compatibility issue with Keycloak 26.4+ strict path validation
   
   When server_url has a trailing slash (e.g., 'https://host/auth/'), the 
previous implementation would create invalid URLs with double-slashes (e.g., 
'https://host/auth//realms/...'), which Keycloak 26.4+ rejects with HTTP 400 
'missingNormalization' error.
   
   This fix allows users to configure server_url with or without trailing 
slashes while ensuring properly normalized URLs are always generated.
   
   ## Changes
   
   - **keycloak_auth_manager.py**: Added URL normalization with `.rstrip('/')` 
in `_get_token_url()` method
   - **test_keycloak_auth_manager.py**: Added 4 new test methods covering URL 
normalization scenarios:
     - `test_get_token_url_without_trailing_slash` - Baseline behavior
     - `test_get_token_url_with_trailing_slash` - Main bug scenario
     - `test_get_token_url_with_multiple_trailing_slashes` - Edge case handling
     - `test_get_token_url_with_root_path` - Root URL scenario
   
   ## Testing
   
   - ✅ All ruff linting checks passed
   - ✅ Code properly formatted per project standards
   - ✅ All new tests pass
   - ✅ Backward compatible with existing configurations
   
   ## Impact
   
   - **Backward Compatible**: Yes - works with or without trailing slash in 
configuration
   - **Breaking Changes**: None
   - **Affected Components**: Keycloak auth manager token URL generation
   
   Fixes #61121
   
   ---
   
   ##### Was generative AI tooling used to co-author this PR?
   
   - [X] Yes (please specify the tool below)
   
   Generated-by: GitHub Copilot
   ---
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to