ahipp13 opened a new issue, #27973:
URL: https://github.com/apache/airflow/issues/27973

   ### Apache Airflow version
   
   2.4.3
   
   ### What happened
   
   We have enabled Microsoft Azure OAuth for our Airflow implementation. When we try to log in, we get a CSRF error:
   
   [2022-11-28 22:04:58,744] {views.py:659} ERROR - Error authorizing OAuth access token: mismatching_state: CSRF Warning! State not equal in request and response.
   airflow-web [2022-11-28 22:04:58,744] {views.py:659} ERROR - Error authorizing OAuth access token: mismatching_state: CSRF Warning! State not equal in request and response.
   
   We have taken a look at both the sending and receiving URLs in the browser and the state is the exact same. Down below are pictures of the state for the request and response:
   
![2022-11-28_16-22-46](https://user-images.githubusercontent.com/118911990/204394405-2e7a0029-9b18-4090-89e6-52a5a41dc25d.png)
   
![2022-11-28_16-26-24](https://user-images.githubusercontent.com/118911990/204394418-d2603bbf-6668-4fda-ad75-58fce46c3d44.png)
   
   
   ### What you think should happen instead
   
   We should be able to log into our Airflow application. We had the exact same setup using Airflow 2.2.5 and everything worked just fine.
   
   ### How to reproduce
   
   Down below is a copy of our webserver_config.py. We are currently running Airflow 2.4.3 on Kubernetes with the Airflow Community helm chart version 8.6.1 (located here: https://github.com/airflow-helm/charts). We are also using a postgres external database as our metadata db.
   
   
   ```python
   from flask_appbuilder.security.manager import AUTH_OAUTH
   from airflow.www.security import AirflowSecurityManager
   import logging
   from typing import Dict, Any, List, Union
   import os
   import sys
   
   # Add this as a module to python's path
   sys.path.append('/opt/airflow')
   
   log = logging.getLogger(__name__)
   log.setLevel(os.getenv("AIRFLOW__LOGGING__FAB_LOGGING_LEVEL", "DEBUG"))
   
   class AzureCustomSecurity(AirflowSecurityManager):
       # In this example, the oauth provider == 'azure'.
       # If you ever want to support other providers, see how it is done here:
       # https://github.com/dpgaspar/Flask-AppBuilder/blob/master/flask_appbuilder/security/manager.py#L550
       def get_oauth_user_info(self, provider, resp):
           # Creates the user info payload from Azure.
           # The user previously allowed your app to act on their behalf,
           #   so now we can query the user and teams endpoints for their data.
           # Username and team membership are added to the payload and returned to FAB.
           if provider == "azure":
               # Note: resp and id_token are bearer credentials; at DEBUG level the
               # two log calls below write them verbatim into the webserver log.
               log.debug("Azure response received : {0}".format(resp))
               id_token = resp["id_token"]
               log.debug(str(id_token))
               me = self._azure_jwt_token_parse(id_token)
               log.debug("Parse JWT token : {0}".format(me))
               return {
                   "name": me.get("name", ""),
                   "email": me["upn"],
                   "first_name": me.get("given_name", ""),
                   "last_name": me.get("family_name", ""),
                   "id": me["oid"],
                   "username": me["oid"],
                   "role_keys": me.get("roles", []),
               }
   
   # Adding this in because if not the redirect url will start with http and we want https
   os.environ["AIRFLOW__WEBSERVER__ENABLE_PROXY_FIX"] = "True"
   # These two settings control Flask-WTF form CSRF tokens; they do not affect
   # the OAuth library's state check that produces the mismatching_state error.
   WTF_CSRF_ENABLED = False
   CSRF_ENABLED = False
   AUTH_TYPE = AUTH_OAUTH
   AUTH_ROLES_SYNC_AT_LOGIN = True  # Checks roles on every login
   # Make sure to replace this with the path to your security manager class
   FAB_SECURITY_MANAGER_CLASS = "webserver_config.AzureCustomSecurity"
   # a mapping from the values of `userinfo["role_keys"]` to a list of FAB roles
   AUTH_ROLES_MAPPING = {
       "airflow_dev_admin": ["Admin"],
       "airflow_dev_op": ["Op"],
       "airflow_dev_user": ["User"],
       "airflow_dev_viewer": ["Viewer"]
       }
   # force users to re-auth after 30min of inactivity (to keep roles in sync)
   PERMANENT_SESSION_LIFETIME = 1800
   # If you wish, you can add multiple OAuth providers.
   OAUTH_PROVIDERS = [
       {
           "name": "azure",
           "icon": "fa-windows",
           "token_key": "access_token",
           "remote_app": {
               "client_id": "CLIENT_ID",
               "client_secret": 'AZURE_DEV_CLIENT_SECRET',
               "api_base_url": "https://login.microsoftonline.com/TENANT_ID",
               "request_token_url": None,
               'request_token_params': {
                   'scope': 'openid email profile'
               },
               "access_token_url": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token",
               "access_token_params": {
                   'scope': 'openid email profile'
               },
               "authorize_url": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize",
               "authorize_params": {
                   'scope': 'openid email profile',
               },
               'jwks_uri': 'https://login.microsoftonline.com/common/discovery/v2.0/keys',
           },
       },
   ]
   ```
   
   ### Operating System
   
   Debian GNU/Linux 11 (bullseye)
   
   ### Versions of Apache Airflow Providers
   
   apache-airflow-providers-amazon==6.0.0
   apache-airflow-providers-celery==3.0.0
   apache-airflow-providers-cncf-kubernetes==4.4.0
   apache-airflow-providers-common-sql==1.2.0
   apache-airflow-providers-docker==3.2.0
   apache-airflow-providers-elasticsearch==4.2.1
   apache-airflow-providers-ftp==3.1.0
   apache-airflow-providers-google==8.4.0
   apache-airflow-providers-grpc==3.0.0
   apache-airflow-providers-hashicorp==3.1.0
   apache-airflow-providers-http==4.0.0
   apache-airflow-providers-imap==3.0.0
   apache-airflow-providers-microsoft-azure==4.3.0
   apache-airflow-providers-mysql==3.2.1
   apache-airflow-providers-odbc==3.1.2
   apache-airflow-providers-postgres==5.2.2
   apache-airflow-providers-redis==3.0.0
   apache-airflow-providers-sendgrid==3.0.0
   apache-airflow-providers-sftp==4.1.0
   apache-airflow-providers-slack==6.0.0
   apache-airflow-providers-sqlite==3.2.1
   apache-airflow-providers-ssh==3.2.0
   
   ### Deployment
   
   Other 3rd-party Helm chart
   
   ### Deployment details
   
   We are currently running Airflow 2.4.3 on Kubernetes with the Airflow Community helm chart version 8.6.1 (located here: https://github.com/airflow-helm/charts). We are also using a postgres external database as our metadata db.
   
   ### Anything else
   
   This problem occurs every time we try to log into the Airflow Webserver using Azure OAuth.
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
   
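The `mismatching_state` check named in the log line is the OAuth 2.0 `state` comparison: the client mints a random state when it redirects the browser to the provider, stores it in the user's server-side session, and on the callback compares the returned `state` against that session copy, not against the value visible in the outgoing URL. The following is an added illustration written for this page; it is not code from the issue, from Airflow or from the OAuth library, and every endpoint, cookie name and function name in it is a constructed placeholder. It models both sides of the exchange and shows that the check fails in two distinct ways: when the state was tampered with (the case the check exists to reject), and when the session that held the expected state does not survive the round trip, in which case both URLs carry the identical state and the check still fails.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder endpoints (hypothetical; not the tenant URLs from the issue).
AUTHORIZE_URL = "https://login.example.test/oauth2/v2.0/authorize"
REDIRECT_URI = "https://airflow.example.test/oauth-authorized/azure"

CSRF_MESSAGE = "CSRF Warning! State not equal in request and response."


class MismatchingStateError(Exception):
    """Raised when the callback's state does not match the state kept in the session."""


@dataclass
class Session:
    """Stand-in for the server-side session the OAuth client writes its state into."""
    data: dict = field(default_factory=dict)


def build_authorize_redirect(session: Session, client_id: str) -> str:
    """Client side, step 1: mint a random state, remember it in the session,
    and send the browser to the provider with that same state in the URL."""
    state = secrets.token_urlsafe(32)
    session.data["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email profile",
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def provider_callback(authorize_url: str, code: str = "constructed-auth-code") -> str:
    """Provider side: after login it redirects back to the client with an
    authorization code and echoes the state it was given, unchanged."""
    query = parse_qs(urlparse(authorize_url).query)
    return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': query['state'][0]})}"


def verify_callback(session: Session, callback_url: str) -> str:
    """Client side, step 2: the returned state must equal the session copy.
    The comparison is against the session, never against the earlier URL."""
    query = parse_qs(urlparse(callback_url).query)
    returned = query.get("state", [None])[0]
    expected = session.data.pop("oauth_state", None)  # one-time use
    if expected is None or returned is None or not hmac.compare_digest(expected, returned):
        raise MismatchingStateError(CSRF_MESSAGE)
    return query["code"][0]


def simulate(session_survives: bool, tampered_state: bool = False) -> str:
    """Run one login round trip and report the outcome as a string."""
    session = Session()
    authorize_url = build_authorize_redirect(session, "CLIENT_ID")
    callback_url = provider_callback(authorize_url)
    if tampered_state:
        # A callback carrying a state this session never issued: the case the check exists to reject.
        foreign = {"code": "constructed-auth-code", "state": secrets.token_urlsafe(32)}
        callback_url = f"{REDIRECT_URI}?{urlencode(foreign)}"
    # If the session cookie is not presented on the callback request, the client
    # sees an empty session even though both URLs carry exactly the same state.
    callback_session = session if session_survives else Session()
    try:
        code = verify_callback(callback_session, callback_url)
    except MismatchingStateError as exc:
        return f"rejected: {exc}"
    return f"accepted: code={code}"


if __name__ == "__main__":
    print(simulate(session_survives=True))
    print(simulate(session_survives=False))
    print(simulate(session_survives=True, tampered_state=True))
```

The practical consequence for anyone debugging this error: identical `state` values in the outgoing and returning URLs only prove that the provider echoed the parameter correctly; the check can still fail if the session that stored the expected state is not the one the callback request arrives with (for example because the session cookie was not sent back, or the callback landed on a server or backend that cannot read it). The Flask-WTF settings in the config above govern form CSRF tokens and have no bearing on this comparison.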

