JWT Token Generation Fails for LDAP Users in Airflow 3.0 with FAB Auth Manager #52103
Description
Apache Airflow Provider(s)
fab
Versions of Apache Airflow Providers
apache-airflow-providers-fab==2.2.0
Apache Airflow version
3.0.2
Operating System
OS: RHEL UBI9, python3.12, Auth Manager: FAB; Authentication Backend: LDAP
Deployment
Other Docker-based deployment
Deployment details
CloudFormation and AWS ECS
What happened
We were using Airflow 2.9.2 with LDAP authentication. Other services use LDAP credentials to authenticate and call Airflow API to trigger DAG.
Now we want to upgrade to Airflow 3.0.x with FAB auth manager and LDAP authentication, the JWT token generation endpoint /auth/token fails to authenticate LDAP users, even though these users can successfully log in through the web UI (token can be found in local storage).
Local Airflow users can generate JWT token successfully but we do not prefer using static credentials
What you think should happen instead
LDAP users should be able to generate JWT tokens via the /auth/token endpoint for programmatic access to Airflow APIs
How to reproduce
- Configure Airflow 3.0 with FAB auth manager and LDAP authentication
[Environment] AIRFLOW__CORE__AUTH_MANAGER=airflow.providers.fab.auth_manager.fab_auth_manager.FabAuthManager AIRFLOW__FAB__AUTH_BACKENDS=airflow.providers.fab.auth_manager.api.auth.backend.session, airflow.providers.fab.auth_manager.api.auth.backend.basic_auth AIRFLOW__DATABASE__EXTERNAL_DB_MANAGERS=airflow.providers.fab.auth_manager.models.db.FABDBManager - Create an LDAP user and verify webUI login works
- Attempt to generate JWT token via API
/auth/tokenas describe here - Error 401 Unauthorized
Anything else
If the bug is legit, will it be fixed soon? can you provide some estimation?
Are you willing to submit PR?
- Yes I am willing to submit a PR!
Code of Conduct
- I agree to follow this project's Code of Conduct