chsanjeev opened a new issue, #61567:
URL: https://github.com/apache/airflow/issues/61567

   ### Apache Airflow Provider(s)
   
   fab
   
   ### Versions of Apache Airflow Providers
   
   apache-airflow-providers-fab == 3.2.0
   
   ### Apache Airflow version
   
   Airflow 3.1.7
   
   ### Operating System
   
   Linux
   
   ### Deployment
   
   Virtualenv installation
   
   ### Deployment details
   
   _No response_
   
   ### What happened
   
   Azure SSO configurations are set up differently depending on the auth model. In the current fab provider, specifically when the ID provider is Azure, it looks for the "roles" key in the access_token. However, this is not true in all cases, especially if the auth model is managed through AD groups, in which case roles will be empty but groups will be returned with all the groups the user is part of.
   
   **_Current Setup:_**
   **File Name:** airflow.providers.fab.auth_manager.security_manager.override

   Issue code block, under the function `get_oauth_user_info`:

   If `provider == "azure"`, the return value has `"role_keys": me.get("roles", [])`

   ### What you think should happen instead
   
   Send the key name as an input so that, when the ID provider is Azure, users can pick either roles or groups to retrieve the access model, depending on the org setup.
   
   
   The following is just a suggestion to address the issue. There might be a better way.

   **_Recommended Setup:_**
   **File Name:** airflow.providers.fab.auth_manager.security_manager.override

   Make `get_oauth_user_info` accept an optional lookup key:

   ```python
   def get_oauth_user_info(self, provider: str, resp: dict[str, Any], role_lookup_key=None):
       ...
       if provider == "azure":
           ...
           # keep the current behaviour ("roles" claim) unless a key was supplied
           auth_role_key = "roles" if role_lookup_key is None else role_lookup_key
           return {
               # ... (other keys unchanged)
               "role_keys": me.get(auth_role_key, []),
           }
   ```

   Now it becomes configurable, rather than always looking for values in the "roles" key of the access token.

   Then in webserver_config.py we can set up a custom security manager that calls
   `super().get_oauth_user_info(provider, response, role_lookup_key)`.

   ### How to reproduce
   
   Enable Azure Entra SSO with AD Group support rather than role setup.
   
   ### Anything else
   
   _No response_
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [x] I agree to follow this project's [Code of 
Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
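
The following is an added example, not code from the issue or from the Airflow FAB provider, showing what the proposed `role_lookup_key` knob has to handle for Entra tokens: the `roles` claim (current behaviour), the `groups` claim (group object IDs, which must be mapped to Airflow roles through an explicit allowlist in the shape of `AUTH_ROLES_MAPPING`), and the groups overage case, where Entra omits `groups` and emits `_claim_names`/`_claim_sources` instead and the lookup must fail closed rather than quietly yield an empty list. The claim dicts, `GROUP_ROLES_MAPPING`, `azure_role_keys`, `has_overage`, `map_to_airflow_roles`, `resolve_roles` and `GroupsOverageError` are all constructed for this example.

```python
from typing import Any


class GroupsOverageError(RuntimeError):
    """Raised when Entra omitted the requested claim because the user is in too many groups."""


# Constructed sample claims (not real tokens). The Entra "roles" claim carries app
# role values; the "groups" claim carries group object IDs (GUIDs) by default.
CLAIMS_WITH_ROLES: dict[str, Any] = {
    "oid": "00000000-0000-0000-0000-000000000001",
    "roles": ["airflow-admin"],
}
CLAIMS_WITH_GROUPS: dict[str, Any] = {
    "oid": "00000000-0000-0000-0000-000000000002",
    "roles": [],  # no app roles assigned: reading "roles" yields nothing for this user
    "groups": [
        "11111111-1111-1111-1111-111111111111",
        "22222222-2222-2222-2222-222222222222",
        "33333333-3333-3333-3333-333333333333",  # not in the allowlist below
    ],
}
# Groups overage: Entra drops "groups" and points at Microsoft Graph instead.
CLAIMS_OVERAGE: dict[str, Any] = {
    "oid": "00000000-0000-0000-0000-000000000003",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {
        "src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/.../getMemberObjects"}
    },
}

# Explicit allowlist of group object IDs -> Airflow roles, in the shape of the FAB
# AUTH_ROLES_MAPPING setting. Groups that are not listed grant nothing.
GROUP_ROLES_MAPPING: dict[str, list[str]] = {
    "11111111-1111-1111-1111-111111111111": ["Admin"],
    "22222222-2222-2222-2222-222222222222": ["Viewer"],
}

ALLOWED_LOOKUP_KEYS = ("roles", "groups")


def has_overage(claims: dict[str, Any], role_lookup_key: str) -> bool:
    """True if Entra replaced the claim with a _claim_names pointer (too many groups)."""
    claim_names = claims.get("_claim_names") or {}
    return role_lookup_key in claim_names


def azure_role_keys(claims: dict[str, Any], role_lookup_key: str = "roles") -> list[str]:
    """Return raw role keys from decoded Entra token claims.

    role_lookup_key is the hypothetical knob from the issue: "roles" keeps the
    provider's current behaviour, "groups" reads group membership instead.
    """
    if role_lookup_key not in ALLOWED_LOOKUP_KEYS:
        raise ValueError(f"unsupported role lookup key: {role_lookup_key!r}")

    # The claim is missing by design here, not because the user has no membership.
    # Fail closed instead of returning [] and letting the registration default role apply.
    if has_overage(claims, role_lookup_key):
        raise GroupsOverageError(
            f"{role_lookup_key!r} claim omitted (overage); resolve membership via Microsoft Graph"
        )

    value = claims.get(role_lookup_key, [])
    if isinstance(value, str):  # tolerate a single value serialised as a bare string
        value = [value]
    return [str(v) for v in value]


def map_to_airflow_roles(role_keys: list[str], roles_mapping: dict[str, list[str]]) -> set[str]:
    """Map raw keys to Airflow roles through the allowlist; unknown keys grant nothing."""
    roles: set[str] = set()
    for key in role_keys:
        roles.update(roles_mapping.get(key, []))
    return roles


def resolve_roles(
    claims: dict[str, Any], role_lookup_key: str, roles_mapping: dict[str, list[str]]
) -> set[str]:
    """End-to-end: token claims -> raw keys (configured claim) -> Airflow roles."""
    return map_to_airflow_roles(azure_role_keys(claims, role_lookup_key), roles_mapping)


if __name__ == "__main__":
    print("roles  :", resolve_roles(CLAIMS_WITH_ROLES, "roles", {"airflow-admin": ["Admin"]}))
    print("groups :", resolve_roles(CLAIMS_WITH_GROUPS, "groups", GROUP_ROLES_MAPPING))
    try:
        resolve_roles(CLAIMS_OVERAGE, "groups", GROUP_ROLES_MAPPING)
    except GroupsOverageError as exc:
        print("overage:", exc)
```

In webserver_config.py this logic would sit in a subclass of the provider's security manager (assigned via `SECURITY_MANAGER_CLASS`), with `claims` being the id_token payload the Azure branch already decodes and the `role_keys` entry replaced by `azure_role_keys(claims, "groups")`. Keep the allowlist in `AUTH_ROLES_MAPPING` keyed by group object IDs rather than display names, since names are not unique and can be changed by group owners, and set `AUTH_ROLES_SYNC_AT_LOGIN = True` so that losing a group membership revokes the Airflow role at the next login.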
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
