mogilevskiikonstantin-commits opened a new issue, #67027:
URL: https://github.com/apache/airflow/issues/67027

   ### Under which category would you file this issue?
   
   Providers
   
   ### Apache Airflow version
   
   3.3.0
   
   ### What happened and how to reproduce it?
   
   ### Description
   
   While testing the new Airflow 3.0 dev-snapshot (Breeze environment) with `KeycloakAuthManager` enabled, the FastAPI backend throws persistent `403 Forbidden` errors on legacy API data endpoints (such as `/api/v1/dags`, `/api/v1/plugins`, `/api/v1/importErrors`).
   
   Crucially, the new web UI configuration endpoints (`/ui/config` and `/ui/me`) return `200 OK` and successfully decode the user profile. However, the data endpoints fail to evaluate the global `SuperAdmin` permissions, locking the UI dashboard behind a red 403 error alert.
   
   ### To Reproduce
   
   I followed the official setup instructions provided in the provider docs, adjusted for the Airflow 3.0 architecture.
   
   1. Spin up Airflow and Keycloak by running this command from the root of the cloned airflow repo:
   ```bash
   breeze start-airflow --backend postgres --integration keycloak --load-example-dags --load-default-connections
   ```
   
   2. Under files/airflow-breeze-config/init.sh specify the following configuration (including correct claim path mappings for Keycloak's standard token structure):
   
   ```bash
   export AIRFLOW__API__BASE_URL='http://localhost:28080'
   export AIRFLOW__CORE__AUTH_MANAGER='airflow.providers.keycloak.auth_manager.keycloak_auth_manager.KeycloakAuthManager'
   export AIRFLOW__KEYCLOAK_AUTH_MANAGER__CLIENT_ID='airflow'
   export AIRFLOW__KEYCLOAK_AUTH_MANAGER__CLIENT_SECRET='keycloak-secret-for-client-id'
   export AIRFLOW__KEYCLOAK_AUTH_MANAGER__REALM='airflow'

   # Explicitly map the token structure and role names
   export AIRFLOW__KEYCLOAK_AUTH_MANAGER__IS_ADMIN_ROLE_NAME='SuperAdmin'
   export AIRFLOW__KEYCLOAK_AUTH_MANAGER__SUPERADMIN_ROLE_NAME='SuperAdmin'
   export AIRFLOW__KEYCLOAK_AUTH_MANAGER__ROLES_CLAIM_NAME='resource_access.airflow.roles'
   export AIRFLOW__CORE__MULTI_TEAM='false'
   ```
   
   3. Access Keycloak via http://localhost:48080 and configure the client:

   - Create the airflow realm.

   - Create an airflow client with Root URL http://localhost:28080/, Home URL /, Valid Redirect URL http://localhost:28080/*, Web Origins and Admin URL as http://localhost:28080/.

   - Under the Roles section of the airflow client, create two roles: Admin and SuperAdmin.

   - Create a user in the airflow realm called superadmin and assign the client roles specified above.

   - Ensure Client Scope mappers for User Client Role are configured to pass client roles into both Access and ID tokens.
   
   4. Using the shell in the breeze TUI, run the CLI command to provision resources, scopes, and permissions into Keycloak:
   
   ```bash
   airflow keycloak-auth-manager create-all --username admin --password admin
   ```
   
   5. Access Airflow via http://localhost:28080. It redirects to the Keycloak sign-in page. Inputting the superadmin credentials redirects back to Airflow, where the UI loads but throws multiple 403 errors on the network tab for data endpoints.
   
   Token Inspection Details
   Evaluating the Access Token returned from Keycloak shows that the claims match the Airflow config perfectly (roles are present under resource_access.airflow.roles):
   
   ```json
   {
     "exp": 1778914911,
     "iat": 1778914611,
     "jti": "74544747-ee9b-4c3f-839b-504f815e58a6",
     "iss": "http://localhost:48080/realms/airflow",
     "aud": "account",
     "sub": "ea4fe63d-6546-4b3e-9f8b-5ca9aac8dbba",
     "typ": "Bearer",
     "azp": "airflow",
     "session_state": "ed73b208-07aa-45de-81af-238fc4a850bd",
     "acr": "1",
     "allowed-origins": [
       "http://localhost:28080/"
     ],
     "realm_access": {
       "roles": [
         "default-roles-airflow",
         "offline_access",
         "uma_authorization"
       ]
     },
     "resource_access": {
       "airflow": {
         "roles": [
           "Admin",
           "SuperAdmin"
         ]
       },
       "account": {
         "roles": [
           "manage-account",
           "manage-account-links",
           "view-profile"
         ]
       }
     },
     "scope": "openid profile email",
     "sid": "ed73b208-07aa-45de-81af-238fc4a850bd",
     "email_verified": true,
     "preferred_username": "superadmin"
   }
   ```
   
   ID token structure
   
   ```json
   {
     "exp": 1778914911,
     "iat": 1778914611,
     "auth_time": 0,
     "jti": "a5d505ab-130b-4f68-9dce-875186138587",
     "iss": "http://localhost:48080/realms/airflow",
     "aud": "airflow",
     "sub": "ea4fe63d-6546-4b3e-9f8b-5ca9aac8dbba",
     "typ": "ID",
     "azp": "airflow",
     "session_state": "fecdf990-abd2-4f9c-841a-489c0fd9f8dd",
     "acr": "1",
     "sid": "fecdf990-abd2-4f9c-841a-489c0fd9f8dd",
     "email_verified": true,
     "preferred_username": "superadmin"
   }
   ```
   
   ### What you think should happen instead?
   
   The KeycloakAuthManager should recognize the SuperAdmin role from the token claim path and evaluate the is_authorized_dag hooks as True for legacy API data wrappers, matching the successful 200 responses of the /ui/config endpoints.
   
   ### Operating System
   
   macOS
   
   ### Deployment
   
   Other
   
   ### Apache Airflow Provider(s)
   
   keycloak
   
   ### Versions of Apache Airflow Providers
   
   apache-airflow-providers-keycloak 0.7.1
   apache-airflow 3.3.0
   
   ### Official Helm Chart version
   
   Not Applicable
   
   ### Kubernetes Version
   
   _No response_
   
   ### Helm Chart configuration
   
   _No response_
   
   ### Docker Image customizations
   
   _No response_
   
   ### Anything else?
   
   _No response_
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [x] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
   
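As an added diagnostic (not code from the issue author or from the Keycloak provider), the Python below resolves the configured `ROLES_CLAIM_NAME` path against decoded token payloads modelled on the two tokens quoted in the report. It makes no assumption about which token the provider actually reads the claim from; the constant names, the `resolve_claim_path` / `diagnose_roles_claim` helpers and the constructed sample payloads are mine. Run as written, it shows that `resource_access.airflow.roles` resolves in the access token and reports `resource_access` as the first missing segment in the ID token, which is a useful thing to pin down when a role that is visibly in one token is not being honoured.

```python
"""Resolve a dotted roles-claim path against decoded OIDC token payloads."""
from __future__ import annotations

import base64
import json
from typing import Any

# Constructed sample payloads, trimmed to the claims relevant to role lookup
# and modelled on the access and ID tokens quoted in the issue.
ACCESS_TOKEN_CLAIMS: dict[str, Any] = {
    "iss": "http://localhost:48080/realms/airflow",
    "aud": "account",
    "azp": "airflow",
    "typ": "Bearer",
    "realm_access": {"roles": ["default-roles-airflow", "offline_access", "uma_authorization"]},
    "resource_access": {
        "airflow": {"roles": ["Admin", "SuperAdmin"]},
        "account": {"roles": ["manage-account", "manage-account-links", "view-profile"]},
    },
    "preferred_username": "superadmin",
}

ID_TOKEN_CLAIMS: dict[str, Any] = {
    "iss": "http://localhost:48080/realms/airflow",
    "aud": "airflow",
    "azp": "airflow",
    "typ": "ID",
    "preferred_username": "superadmin",
}

# Values taken from the configuration in the issue (hypothetical constant names).
ROLES_CLAIM_PATH = "resource_access.airflow.roles"
SUPERADMIN_ROLE = "SuperAdmin"


def decode_jwt_payload(token: str) -> dict[str, Any]:
    """Decode the payload segment of a compact JWT for inspection.

    The signature is not checked here; this only shows which claims are present.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def make_constructed_token(claims: dict[str, Any]) -> str:
    """Build a constructed compact token (empty signature) so the decoder can be exercised offline."""
    def segment(obj: dict[str, Any]) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{segment({'typ': 'JWT'})}.{segment(claims)}."


def resolve_claim_path(claims: dict[str, Any], path: str) -> tuple[Any, str | None]:
    """Walk a dotted path through nested claim objects.

    Returns (value, None) on success, or (None, missing_key) naming the first
    segment that could not be found, so a mismatch is easy to pinpoint.
    """
    node: Any = claims
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None, key
        node = node[key]
    return node, None


def diagnose_roles_claim(claims: dict[str, Any], path: str, required_role: str) -> dict[str, Any]:
    """Report whether the path resolves to a role list containing required_role."""
    value, missing = resolve_claim_path(claims, path)
    roles = value if isinstance(value, list) else []  # a scalar at the path is treated as no roles
    return {
        "token_type": claims.get("typ"),
        "path": path,
        "resolved": missing is None,
        "missing_segment": missing,
        "roles": roles,
        "has_required_role": required_role in roles,
    }


if __name__ == "__main__":
    for sample in (ACCESS_TOKEN_CLAIMS, ID_TOKEN_CLAIMS):
        decoded = decode_jwt_payload(make_constructed_token(sample))
        print(diagnose_roles_claim(decoded, ROLES_CLAIM_PATH, SUPERADMIN_ROLE))
```

To use it on a real token captured from the browser, pass the raw compact string to `decode_jwt_payload` and feed the result to `diagnose_roles_claim` with the same `ROLES_CLAIM_NAME` value as the Airflow configuration; comparing the report for the access token and the ID token side by side tells you immediately whether the claim path, the token choice or something further down the permission evaluation is the mismatch.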

