BevisDev opened a new issue, #68208:
URL: https://github.com/apache/airflow/issues/68208

   ### Under which category would you file this issue?
   
   Providers
   
   ### Apache Airflow version
   
   3.2.2
   
   ### What happened and how to reproduce it?
   
   ## **What happened**
   On Airflow 3.2.2 with FabAuthManager and Azure Entra ID OAuth, the login 
page shows only the database login form (Username / Password), not the OAuth 
page with a "Sign in with azure" button.
   In the api-server pod we confirmed:
   - apache-airflow-providers-fab is installed (v3.6.4)
   - /opt/airflow/webserver_config.py is mounted with AUTH_TYPE = AUTH_OAUTH and Azure OAUTH_PROVIDERS
   - AZ_TENANT_ID, AZ_CLIENT_ID, AZ_CLIENT_SECRET env vars are set (non-empty)
   - Manual config load succeeds:
   ```python
   app.config.from_pyfile('/opt/airflow/webserver_config.py', silent=False)
   # AUTH_TYPE=4, OAUTH_PROVIDERS=1
   ```
   - The running airflow api-server UI still shows Username/Password only, 
suggesting OAuth config is not applied at process startup.
   
   ## **Environment**
   | Item | Value |
   |------|-------|
   | **Airflow version** | 3.2.2 |
   | **Helm chart version** | `1.22.0` |
   | **Executor** | `KubernetesExecutor` |
   | **Auth manager** | `FabAuthManager` (`apache-airflow-providers-fab` 3.6.4) |
   | **UI component** | `api-server` (webserver disabled) |
   | **Ingress class** | `nginx` |
   
   ## **Steps to reproduce**
   
   1. Deploy Airflow 3.2.x with FabAuthManager, api-server enabled, webserver 
disabled.
   2. Mount webserver_config.py with AUTH_TYPE = AUTH_OAUTH and Azure provider 
to /opt/airflow/webserver_config.py on api-server
   3. Set AZ_TENANT_ID, AZ_CLIENT_ID, AZ_CLIENT_SECRET on the api-server pod
   4. Set config.api.base_url and config.fab.enable_proxy_fix = True
   5. Open: https://domain.com/auth/login/?next=https://domain.com/
   
   **Actual**: Username/Password form only.
   **Expected**: "Sign in with azure" button.
   
   ### What you think should happen instead?
   
   - /auth/login/ should render the OAuth login page (login_oauth.html), not 
the database form (login_db.html), when webserver_config.py sets AUTH_TYPE = 
AUTH_OAUTH
   - The page should show "Sign in with azure", consistent with Airflow 2 + FAB 
+ Azure OAuth.
   - Clicking the button should redirect to Microsoft Entra ID, then callback 
to https://domain/auth/oauth-authorized/azure
   - After successful auth, the user should be logged into the Airflow 3 UI.
   - On api-server startup, webserver_config.py should be loaded successfully 
(not silently skipped), so the running process uses AUTH_TYPE = AUTH_OAUTH (4), 
matching manual from_pyfile() in the same pod.
   
   ### Operating System
   
   24.04.3 LTS
   
   ### Deployment
   
   Official Apache Airflow Helm Chart
   
   ### Apache Airflow Provider(s)
   
   fab
   
   ### Versions of Apache Airflow Providers
   
   apache-airflow-providers-fab==3.6.4
   
   ### Official Helm Chart version
   
   1.22.0 (latest released)
   
   ### Kubernetes Version
   
   1.30.14
   
   ### Helm Chart configuration
   
   ```yaml
   config:
     api:
       base_url: "https://domain.company.com"
     core:
       auth_manager: "airflow.providers.fab.auth_manager.fab_auth_manager.FabAuthManager"
     fab:
       config_file: "/opt/airflow/webserver_config.py"
       enable_proxy_fix: "True"
   
   apiServer:
     enabled: true
     replicas: 1
   
     args: ["bash", "-c", "exec airflow api-server"]
   
     env:
       - name: AZ_TENANT_ID
         valueFrom:
           secretKeyRef:
             name: airflow-azure-oidc
             key: tenant-id
       - name: AZ_CLIENT_ID
         valueFrom:
           secretKeyRef:
             name: airflow-azure-oidc
             key: client-id
       - name: AZ_CLIENT_SECRET
         valueFrom:
           secretKeyRef:
             name: airflow-azure-oidc
             key: client-secret
       - name: AIRFLOW__FAB__ENABLE_PROXY_FIX
         value: "True"
       - name: AIRFLOW__APISERVER__PREFERRED_URL_SCHEME
         value: https
       - name: FORWARDED_ALLOW_IPS
         value: "*"
       - name: AIRFLOW__LOGGING__FAB_LOGGING_LEVEL
         value: "DEBUG"
   
     apiServerConfig: ~
     apiServerConfigConfigMapName: airflow-api-server-config
   
   ```
   
   ### Docker Image customizations
   
   _No response_
   
   ### Anything else?
   
   - Azure credentials stored in K8s secret airflow-azure-oidc (values 
redacted).
   - webserver_config.py mounted from ConfigMap airflow-api-server-config at 
/opt/airflow/webserver_config.py.
   - Login URL: 
https://domain.company.com/auth/login/?next=https://domain.company.com/
   - In pod: AZ_* env vars present (len 36/36/41), manual webserver_config.py 
load returns AUTH_TYPE=4, but UI shows only Username/Password form.
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [x] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
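
The manual load described in the report, extended into a repeatable check (an added example, not part of the original issue and not Airflow or FAB project code). The function name `audit_fab_config` is hypothetical, the sample config is constructed, and the `remote_app` / `client_id` / `client_secret` keys are assumed to follow Flask-AppBuilder's `OAUTH_PROVIDERS` layout.

```python
import os
import runpy
import tempfile

AUTH_OAUTH = 4  # flask_appbuilder.const.AUTH_OAUTH; the report shows AUTH_TYPE=4

# Constructed sample standing in for the mounted webserver_config.py.
SAMPLE_CONFIG = '''
import os
AUTH_TYPE = 4  # AUTH_OAUTH
OAUTH_PROVIDERS = [{
    "name": "azure",
    "remote_app": {
        "client_id": os.environ.get("AZ_CLIENT_ID", ""),
        "client_secret": os.environ.get("AZ_CLIENT_SECRET", ""),
    },
}]
'''

def audit_fab_config(path):
    """Return findings for a FAB config file; an empty list means OAuth settings are complete."""
    if not os.path.isfile(path):
        return [f"{path}: file not found"]
    settings = runpy.run_path(path)  # executes the file and returns its globals
    findings = []
    auth_type = settings.get("AUTH_TYPE")
    if auth_type != AUTH_OAUTH:
        findings.append(f"AUTH_TYPE={auth_type!r}, expected {AUTH_OAUTH} (AUTH_OAUTH)")
    providers = settings.get("OAUTH_PROVIDERS") or []
    if not providers:
        findings.append("OAUTH_PROVIDERS is empty or missing")
    for provider in providers:
        name = provider.get("name", "<unnamed>")
        remote_app = provider.get("remote_app", {})
        # An env var that is unset in the pod shows up here as an empty credential.
        for key in ("client_id", "client_secret"):
            if not remote_app.get(key):
                findings.append(f"provider {name}: remote_app.{key} is empty")
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "webserver_config.py")
        with open(cfg, "w") as fh:
            fh.write(SAMPLE_CONFIG)
        for finding in audit_fab_config(cfg) or ["no findings"]:
            print(finding)
```

An empty result only says the file and environment are complete; it does not show which configuration the running api-server process loaded.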
