Airflow UI initial XHR returns 401 before session cookie is set, and logout requires multiple attempts

[Guansy6688]

Apache Airflow version

3.0.6

If "Other Airflow 2 version" selected, which one?

No response

What happened?

When logging into the Airflow web UI (with LDAP / session-based auth), the very first batch of UI XHR requests (such as /ui/config, /ui/menus, /ui/plugins) often returns HTTP 401 Unauthorized, even though the user has just successfully logged in.

Immediately afterwards, once the browser receives and attaches the session cookie, subsequent requests succeed (200).

This causes a visible “401 Unauthorized” flash.

Additionally, logout is inconsistent:
Sometimes the user has to click “Log out” twice before being redirected properly.
Other times, the first logout attempt shows a 401 Unauthorized screen before eventually going back to the login page.

Please check the log below:
[2025-09-13T05:21:09.093+0000] [override.py:1439] INFO - Updated user YXXXXX
INFO: 192.168.98.118:39424 "POST /auth/login?next=https://${AIRFLOW_BASE_URL}/ HTTP/1.1" 302 Found
INFO: 192.168.98.118:39428 "GET / HTTP/1.1" 200 OK
INFO: 192.168.98.118:39424 "GET /static/assets/index-ChSlVY9k.js HTTP/1.1" 200 OK
INFO: EXTERNAP_IP:40836 "GET /api/v2/version HTTP/1.1" 200 OK
INFO: EXTERNAP_IP:40834 "GET /api/v2/version HTTP/1.1" 200 OK
INFO: 192.168.98.118:39428 "GET /ui/config HTTP/1.1" 401 Unauthorized
INFO: 192.168.98.118:39428 "GET /auth/login?next=https%3A%2F%2F${AIRFLOW_BASE_URL}%2F HTTP/1.1" 307 Temporary Redirect
INFO: 192.168.98.118:39428 "GET /auth/login HTTP/1.1" 302 Found
INFO: 192.168.98.118:49298 "GET /ui/auth/menus HTTP/1.1" 401 Unauthorized
INFO: 192.168.98.118:49298 "GET /ui/plugins HTTP/1.1" 401 Unauthorized
INFO: 192.168.98.118:49298 "GET /ui/config HTTP/1.1" 401 Unauthorized
INFO: 192.168.98.118:49322 "GET /auth/login HTTP/1.1" 302 Found
INFO: 192.168.98.118:49322 "GET /api/v2/auth/login?next=https%3A%2F%2F${AIRFLOW_BASE_URL}%2F HTTP/1.1" 307 Temporary Redirect
INFO: 192.168.98.118:49322 "GET /auth/login?next=https%3A%2F%2F${AIRFLOW_BASE_URL}%2F HTTP/1.1" 307 Temporary Redirect
INFO: 192.168.98.118:49322 "GET /auth/login HTTP/1.1" 302 Found
INFO: 192.168.98.118:49318 "GET /ui/auth/menus HTTP/1.1" 401 Unauthorized
INFO: 192.168.98.118:49318 "GET /ui/plugins HTTP/1.1" 401 Unauthorized
INFO: 192.168.98.118:49318 "GET /ui/config HTTP/1.1" 401 Unauthorized
INFO: 192.168.98.118:49318 "GET /auth/login HTTP/1.1" 302 Found
INFO: 192.168.98.118:49318 "GET /auth/login?next=https%3A%2F%2F${AIRFLOW_BASE_URL}%2F HTTP/1.1" 307 Temporary Redirect
INFO: 192.168.98.118:49318 "GET /auth/login?next=https%3A%2F%2F${AIRFLOW_BASE_URL}%2F HTTP/1.1" 307 Temporary Redirect
INFO: 192.168.98.118:49318 "GET /auth/login HTTP/1.1" 302 Found
INFO: 192.168.98.118:49322 "GET / HTTP/1.1" 200 OK
INFO: 192.168.98.118:49322 "GET /static/assets/index-ChSlVY9k.js HTTP/1.1" 200 OK
INFO: 192.168.118.67:35456 "POST /api/v1/dags/get_resources_quota/dagRuns HTTP/1.1" 405 Method Not Allowed
INFO: 192.168.98.118:59184 "POST /api/v1/dags/get_resources_quota/dagRuns HTTP/1.1" 405 Method Not Allowed
INFO: EXTERNAP_IP:57220 "GET /api/v2/version HTTP/1.1" 200 OK
INFO: 192.168.98.118:49322 "GET /api/v2/version HTTP/1.1" 200 OK
INFO: 192.168.98.118:49322 "GET /ui/config HTTP/1.1" 200 OK
INFO: 192.168.98.118:49322 "GET /ui/auth/menus HTTP/1.1" 200 OK
INFO: 192.168.98.118:49322 "GET /ui/plugins HTTP/1.1" 200 OK
INFO: 192.168.98.118:60610 "GET /api/v2/monitor/health HTTP/1.1" 200 OK
INFO: 192.168.98.118:49322 "GET /api/v2/plugins HTTP/1.1" 200 OK

What you think should happen instead?

401 Unauthorized screen should not be shown as the Signin/Logout is successful.

How to reproduce

1. Deploy Airflow 3.x with API server and LDAP authentication.
2. Open the login page in a browser.
3. Enter valid username and password, click Sign in.
4. Observe network tab in DevTools: first /ui/config often returns 401 before the cookie is applied.
5. After successful login, click Log out.
6. Sometimes it works immediately. Sometimes it flashes a 401 or requires pressing Log out a second time.

Operating System

Ubuntu

Versions of Apache Airflow Providers

No response

Deployment

Official Apache Airflow Helm Chart

Deployment details

No response

Anything else?

Everytime when users login, the 401 unauthorized screen shows before the home page.

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[boring-cyborg]

Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.

[vincbeck]

The flash happening during authentication has been fixed in #57993. Also, a lot of fixes have been implemented in the latest versions which I am pretty confident fix the issues you encountered. Closing this issue. If you still experience the issue you are describing in this issue, feel free to reopen it.

[ywehrli]

I just upgraded to the latest Airflow version. I don't see the flashes anymore after the login.
BUT I stell have those unauthorized-views quickly flashing when Opening Airflow UI, before the actual sign in prompt actually appears.
Where is this coming from? I've been trying to find a solutions for a long time now. I'm using the helm chart to install airflow.

[vincbeck]

Could you please record this and post it here? Jut so that I can access whether it is normal or not

[vincbeck]

Because I do not experience these flashes

[ywehrli]

I still have to figure out how to get a propper recording. We're using Airflow 3.1.5.
After calling the URL for the login, we're seeing this page flashing for maybe one second:

After that there is the redirect to the login page where we can log in using our identity provider - everything works fine. Just that unauthorized page is very weird. I can also see the api server pod logging 401.

[ywehrli]

@vincbeck

Any idea?