Description
Apache Airflow Provider(s)
keycloak
Versions of Apache Airflow Providers
apache-airflow-providers-keycloak==0.1.0
Apache Airflow version
3.1.0
Operating System
Ubuntu 24.04.1 LTS
Deployment
Virtualenv installation
Deployment details
Running Airflow in a plain Python virtual environment.
What happened
I recently upgraded my Airflow instance from 2.9 -> 3 and unfortunately Airflow 3 breaks existing custom integrations with Keycloak (#51362), so I decided to try out the new official Keycloak provider per the documentation here: https://airflow.apache.org/docs/apache-airflow-providers-keycloak/stable/auth-manager/setup/config.html .
I installed the provider and updated my airflow.cfg like so as directed by the documentation:
[core]
...
auth_manager = airflow.providers.keycloak.auth_manager.keycloak_auth_manager.KeycloakAuthManager
...
[keycloak_auth_manager]
client_id = MY_KEYCLOAK_AIRFLOW_CLIENT_ID
client_secret = MY_KEYCLOAK_AIRFLOW_CLIENT_SECRET
realm = MY_CLIENT_REALM
server_url = https://my.keycloak.instance.com
Additionally, my Keycloak user has the "Admin" role assigned to it from the MY_KEYCLOAK_AIRFLOW_CLIENT_ID.
I then logged out of Keycloak to start fresh and restarted my Airflow api-server and accessed my Airflow UI.
Upon accessing my Airflow UI, it redirects to the Keycloak login form and I logged into my user account. All good so far.
Next it redirects back to the Airflow instance. Immediately it starts infinitely redirecting in a loop with these logs (replaced UUIDs/other identifying info):
...
INFO: MY_IP - "GET / HTTP/1.1" 200 OK
INFO: MY_IP - "GET /ui/config HTTP/1.1" 401 Unauthorized
INFO: MY_IP - "GET /api/v2/auth/login?next=http%3A%2F%2Fmy.airflow.instance%3A9010%2F HTTP/1.1" 307 Temporary Redirect
INFO: MY_IP - "GET /auth/login?next=http://my.airflow.instance:9010/ HTTP/1.1" 307 Temporary Redirect
INFO: MY_IP - "GET /auth/login_callback?state=&session_state=UUID&iss=https%3A%2F%2Fmy.keycloak.instance.com%2Frealms%2FMY_CLIENT_REALM&code=UUID_2.UUID.UUID_3 HTTP/1.1" 303 See Other
INFO: MY_IP - "GET / HTTP/1.1" 200 OK
INFO: MY_IP - "GET /ui/config HTTP/1.1" 401 Unauthorized
INFO: MY_IP - "GET /api/v2/auth/login?next=http%3A%2F%2Fmy.airflow.instance%3A9010%2F HTTP/1.1" 307 Temporary Redirect
INFO: MY_IP - "GET /auth/login?next=http://my.airflow.instance:9010/ HTTP/1.1" 307 Temporary Redirect
INFO: MY_IP - "GET /auth/login_callback?state=&session_state=UUID&iss=https%3A%2F%2Fmy.keycloak.instance.com%2Frealms%2FMY_CLIENT_REALM&code=UUID_4.UUID.UUID_3 HTTP/1.1" 303 See Other
...
In the meantime I am going back to using my custom FAB <-> Keycloak auth implementation but it only works for the UI. My custom API auth integration is still broken by Airflow 3 unfortunately, so when I use the API I have to use basic auth with a synthetic Airflow user created via the CLI.
What you think should happen instead
After logging into my Keycloak account with the proper "Admin" role, Airflow should take me to my instance's home page instead of redirecting infinitely.
How to reproduce
- Run Airflow 3.1.0 inside a virtual environment (with Python 3.10)
- Install the apache-airflow-providers-keycloak==0.1.0 package
- Set up your airflow.cfg to point to your Keycloak instance and the proper client id/secret
- Run Airflow, access the web UI of the instance, get redirected to Keycloak, log into your user, get redirected back to Airflow, and expect infinite redirects to start taking place.
Anything else
No response
Are you willing to submit PR?
- Yes I am willing to submit a PR!
Code of Conduct
- I agree to follow this project's Code of Conduct
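The redirect loop in the log above can be picked out of an api-server access log mechanically. The following is an added example, not part of the original issue or of the Airflow code base: it counts successful `/auth/login_callback` redirects that are followed by a 401 for the same client. The function name `find_login_loops`, the `threshold` parameter and the sample lines are assumptions constructed from the log shape shown in the report.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

LINE_RE = re.compile(r'^INFO:\s+(\S+) - "[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')
CALLBACK_PATH = "/auth/login_callback"  # path as it appears in the issue's log

# Constructed sample: one loop iteration in the shape of the issue's log lines.
CYCLE = [
    'INFO: MY_IP - "GET / HTTP/1.1" 200 OK',
    'INFO: MY_IP - "GET /ui/config HTTP/1.1" 401 Unauthorized',
    'INFO: MY_IP - "GET /api/v2/auth/login?next=http%3A%2F%2Fmy.airflow.instance%3A9010%2F HTTP/1.1" 307 Temporary Redirect',
    'INFO: MY_IP - "GET /auth/login?next=http://my.airflow.instance:9010/ HTTP/1.1" 307 Temporary Redirect',
    'INFO: MY_IP - "GET /auth/login_callback?state=&session_state=UUID&code=UUID HTTP/1.1" 303 See Other',
]
SAMPLE_LOG = CYCLE * 2 + CYCLE[:2]

def find_login_loops(lines, threshold=2):
    """Return clients whose successful callbacks were each followed by a 401."""
    awaiting = defaultdict(bool)  # client -> callback seen, outcome not yet known
    stats = defaultdict(lambda: {"rejected_after_login": 0, "empty_state_callbacks": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        url = urlsplit(target)
        if url.path == CALLBACK_PATH and 300 <= status < 400:
            awaiting[client] = True
            # Record an empty OAuth "state" value; reported as a fact, not a diagnosis.
            if parse_qs(url.query, keep_blank_values=True).get("state") == [""]:
                stats[client]["empty_state_callbacks"] += 1
        elif awaiting[client] and status == 401:
            # IdP login completed, yet the next API call is still unauthenticated.
            stats[client]["rejected_after_login"] += 1
            awaiting[client] = False
        elif awaiting[client] and 200 <= status < 300 and url.path.startswith(("/ui/", "/api/")):
            # Authenticated call succeeded: the session stuck, so reset the counters.
            awaiting[client] = False
            stats.pop(client, None)
    return {c: s for c, s in stats.items() if s["rejected_after_login"] >= threshold}

if __name__ == "__main__":
    print(find_login_loops(SAMPLE_LOG))
```

`GET /` is deliberately ignored as a success signal because, in the log above, it returns 200 even before login.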