ahipp13 opened a new issue, #27973: URL: https://github.com/apache/airflow/issues/27973
### Apache Airflow version

2.4.3

### What happened

We have enabled Microsoft Azure OAuth for our Airflow implementation. When we try to log in, we get a CSRF error:

```
[2022-11-28 22:04:58,744] {views.py:659} ERROR - Error authorizing OAuth access token: mismatching_state: CSRF Warning! State not equal in request and response.
```

We have taken a look at both the sending and receiving URLs in the browser and the state is the exact same. Down below are pictures of the state for the request and response:

![2022-11-28_16-22-46](https://user-images.githubusercontent.com/118911990/204394405-2e7a0029-9b18-4090-89e6-52a5a41dc25d.png)
![2022-11-28_16-26-24](https://user-images.githubusercontent.com/118911990/204394418-d2603bbf-6668-4fda-ad75-58fce46c3d44.png)

### What you think should happen instead

We should be able to log into our Airflow application. We had the exact same setup using Airflow 2.2.5 and everything worked just fine.

### How to reproduce

Down below is a copy of our webserver_config.py. We are currently running Airflow 2.4.3 on Kubernetes with the Airflow Community helm chart version 8.6.1 (located here: https://github.com/airflow-helm/charts). We are also using a postgres external database as our metadata db.

```python
from flask_appbuilder.security.manager import AUTH_OAUTH
from airflow.www.security import AirflowSecurityManager
import logging
from typing import Dict, Any, List, Union
import os
import sys

# Add this as a module to Python's path
sys.path.append('/opt/airflow')

log = logging.getLogger(__name__)
log.setLevel(os.getenv("AIRFLOW__LOGGING__FAB_LOGGING_LEVEL", "DEBUG"))


class AzureCustomSecurity(AirflowSecurityManager):
    # In this example, the oauth provider == 'azure'.
    # If you ever want to support other providers, see how it is done here:
    # https://github.com/dpgaspar/Flask-AppBuilder/blob/master/flask_appbuilder/security/manager.py#L550
    def get_oauth_user_info(self, provider, resp):
        # Creates the user info payload from Azure.
        # The user previously allowed your app to act on their behalf,
        # so now we can query the user and teams endpoints for their data.
        # Username and team membership are added to the payload and returned to FAB.
        if provider == "azure":
            log.debug("Azure response received : {0}".format(resp))
            id_token = resp["id_token"]
            log.debug(str(id_token))
            # Decode the claims of the ID token issued by Azure AD
            me = self._azure_jwt_token_parse(id_token)
            log.debug("Parse JWT token : {0}".format(me))
            return {
                "name": me.get("name", ""),
                "email": me["upn"],
                "first_name": me.get("given_name", ""),
                "last_name": me.get("family_name", ""),
                "id": me["oid"],
                "username": me["oid"],
                "role_keys": me.get("roles", []),
            }


# Adding this in because if not the redirect url will start with http and we want https
os.environ["AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX"] = "True"

# Disables Flask-WTF CSRF protection for the webserver's own forms
# (the OAuth state check that reports mismatching_state is done separately by the OAuth client library)
WTF_CSRF_ENABLED = False
CSRF_ENABLED = False

AUTH_TYPE = AUTH_OAUTH
AUTH_ROLES_SYNC_AT_LOGIN = True  # Checks roles on every login

# Make sure to replace this with the path to your security manager class
FAB_SECURITY_MANAGER_CLASS = "webserver_config.AzureCustomSecurity"

# a mapping from the values of `userinfo["role_keys"]` to a list of FAB roles
AUTH_ROLES_MAPPING = {
    "airflow_dev_admin": ["Admin"],
    "airflow_dev_op": ["Op"],
    "airflow_dev_user": ["User"],
    "airflow_dev_viewer": ["Viewer"],
}

# force users to re-auth after 30min of inactivity (to keep roles in sync)
PERMANENT_SESSION_LIFETIME = 1800

# If you wish, you can add multiple OAuth providers.
OAUTH_PROVIDERS = [
    {
        "name": "azure",
        "icon": "fa-windows",
        "token_key": "access_token",
        "remote_app": {
            "client_id": "CLIENT_ID",
            "client_secret": 'AZURE_DEV_CLIENT_SECRET',
            "api_base_url": "https://login.microsoftonline.com/TENANT_ID",
            "request_token_url": None,
            'request_token_params': {
                'scope': 'openid email profile'
            },
            "access_token_url": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token",
            "access_token_params": {
                'scope': 'openid email profile'
            },
            "authorize_url": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize",
            "authorize_params": {
                'scope': 'openid email profile',
            },
            'jwks_uri': 'https://login.microsoftonline.com/common/discovery/v2.0/keys',
        },
    },
]
```

### Operating System

Debian GNU/Linux 11 (bullseye)

### Versions of Apache Airflow Providers

```
apache-airflow-providers-amazon==6.0.0
apache-airflow-providers-celery==3.0.0
apache-airflow-providers-cncf-kubernetes==4.4.0
apache-airflow-providers-common-sql==1.2.0
apache-airflow-providers-docker==3.2.0
apache-airflow-providers-elasticsearch==4.2.1
apache-airflow-providers-ftp==3.1.0
apache-airflow-providers-google==8.4.0
apache-airflow-providers-grpc==3.0.0
apache-airflow-providers-hashicorp==3.1.0
apache-airflow-providers-http==4.0.0
apache-airflow-providers-imap==3.0.0
apache-airflow-providers-microsoft-azure==4.3.0
apache-airflow-providers-mysql==3.2.1
apache-airflow-providers-odbc==3.1.2
apache-airflow-providers-postgres==5.2.2
apache-airflow-providers-redis==3.0.0
apache-airflow-providers-sendgrid==3.0.0
apache-airflow-providers-sftp==4.1.0
apache-airflow-providers-slack==6.0.0
apache-airflow-providers-sqlite==3.2.1
apache-airflow-providers-ssh==3.2.0
```

### Deployment

Other 3rd-party Helm chart

### Deployment details

We are currently running Airflow 2.4.3 on Kubernetes with the Airflow Community helm chart version 8.6.1 (located here: https://github.com/airflow-helm/charts). We are also using a postgres external database as our metadata db.
### Anything else

This problem occurs every time we try to log into the Airflow Webserver using Azure OAuth.

### Are you willing to submit PR?

- [ ] Yes I am willing to submit a PR!

### Code of Conduct

- [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
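Added example, not code from the issue, Airflow or Flask-AppBuilder: a stand-alone sketch of what the OAuth `state` check behind this error actually compares. The state the provider echoes back is looked up in the server-side session that the signed cookie unlocks, not compared against the outgoing URL, so identical `state` values in both browser URLs do not by themselves satisfy the check; the cookie scheme, the session key naming (loosely modelled on authlib's per-provider keys) and the two-secret scenario are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

MISMATCH = "mismatching_state: CSRF Warning! State not equal in request and response."

def sign_session(secret: bytes, session: dict) -> str:
    # Minimal signed-cookie stand-in (constructed for this example): base64 body + HMAC tag.
    body = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def load_session(secret: bytes, cookie: str) -> Optional[dict]:
    # A cookie signed with a different secret fails verification: the session is treated as empty.
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

def start_login(secret: bytes, provider: str = "azure") -> Tuple[str, str]:
    # Outbound leg: a random state is stored in the session AND sent in the authorize URL.
    # Session key naming loosely follows authlib's per-provider scheme (assumption).
    state = secrets.token_urlsafe(16)
    session = {f"_state_{provider}_{state}": {"redirect_uri": "/oauth-authorized/azure"}}
    authorize_url = (
        "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize"
        f"?response_type=code&state={state}"
    )
    return authorize_url, sign_session(secret, session)

def handle_callback(secret: bytes, cookie: str, callback_state: str,
                    provider: str = "azure") -> Optional[str]:
    # Return leg: the state echoed back by the provider is looked up in the session the
    # cookie unlocks. The outgoing URL is never consulted, so identical state values in
    # both URLs do not by themselves make this check pass. Returns None on success.
    session = load_session(secret, cookie)
    if not session or f"_state_{provider}_{callback_state}" not in session:
        return MISMATCH
    return None

def state_from_url(url: str) -> str:
    # Pull the state query parameter back out of the authorize URL built above.
    return url.rsplit("state=", 1)[1]
```

When the callback is handled by an instance whose secret cannot verify the cookie (here, the second key), the URL states still match but the lookup fails with the same message as in the log above.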