exolightor commented on PR #61773: URL: https://github.com/apache/airflow/pull/61773#issuecomment-3892124430
Hello @vincbeck, thanks for looking at the change. With my changes, the access token is not saved in the cookie even after the refresh token flow. After the refresh token flow in `KeycloakAuthManager.refresh_user()`, the access token is only stored as an attribute of the `KeycloakAuthManagerUser` class. After login is successful, the `KeycloakAuthManager.is_authorized()` method does not look into the cookie but only at the deserialized attribute `KeycloakAuthManagerUser.access_token`. So the access token is not stored at any time in the cookie.

Splitting the access token and refresh token across two cookies does not solve the problem in the long run, as the access token alone can easily exceed 4KB. With 15+ realm roles it already should be big enough. Other open source applications (e.g. Superset) solve this by storing the access token server-side instead of in the cookie. This is why I changed the code to only store the access token server-side, i.e., only in the `KeycloakAuthManagerUser` class, and to store only the refresh token in the cookie. The refresh token stays small since roles are not stored in it.

I have tested it locally and deployed it with Helm on OpenShift, and issue #61771 is only resolved with my change. Otherwise the login does not work. In our Keycloak realm, access tokens can include 15+ realm roles.
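As an added illustration of the storage split described in the comment (example code, not the PR's or Airflow's own), the following Python models a user object that keeps the access token server-side while the session cookie carries only the refresh token, and shows how the cookie size stops depending on the number of realm roles. The class and function names, claim values, role names and the 4096-byte cookie limit are constructed assumptions, not Airflow's actual implementation.

```python
import base64
import json
import secrets

COOKIE_LIMIT = 4096  # assumed per-cookie size limit enforced by browsers (bytes)


def _b64url(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def build_access_token(n_roles: int) -> str:
    """Constructed, unsigned JWT-shaped access token carrying n realm roles."""
    roles = [f"airflow-team-{i:02d}-operations-viewer" for i in range(n_roles)]
    claims = {
        "iss": "https://keycloak.example/realms/airflow",  # constructed sample issuer
        "sub": "11111111-2222-3333-4444-555555555555",       # constructed sample subject
        "preferred_username": "alice",
        "realm_access": {"roles": roles},
    }
    # An RS256 signature is 256 bytes; random bytes stand in for one here.
    sig = base64.urlsafe_b64encode(secrets.token_bytes(256)).rstrip(b"=").decode()
    return f"{_b64url({'alg': 'RS256', 'typ': 'JWT'})}.{_b64url(claims)}.{sig}"


class KeycloakUser:
    """Hypothetical stand-in for KeycloakAuthManagerUser: access token lives server-side."""

    def __init__(self, user_id: str, access_token: str, refresh_token: str):
        self.user_id = user_id
        self.access_token = access_token    # never serialized into the cookie
        self.refresh_token = refresh_token  # small and opaque, so it can go in the cookie

    def realm_roles(self) -> list[str]:
        payload = self.access_token.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
        return json.loads(base64.urlsafe_b64decode(payload))["realm_access"]["roles"]


def session_cookie(user: KeycloakUser, access_token_in_cookie: bool) -> bytes:
    """Cookie body under the old layout (both tokens) or the new one (refresh token only)."""
    body = {"user_id": user.user_id, "refresh_token": user.refresh_token}
    if access_token_in_cookie:
        body["access_token"] = user.access_token
    return json.dumps(body, separators=(",", ":")).encode()


def is_authorized(user: KeycloakUser, role: str) -> bool:
    # Authorization reads the server-side attribute, never the cookie.
    return role in user.realm_roles()
```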
