Keycloak provider gives 500 on expired access token

[Ilardi]

Apache Airflow version

Other Airflow 2/3 version (please specify below)

If "Other Airflow 2/3 version" selected, which one?

3.1.4

What happened?

I have the same issue described in #56614.
When i make a request to the Airflow API using a valid Airflow token that contains an expired access token from Keycloak i receive a 500 internal server error instead of 401/403 or such. I thought the issue would be fixed in 3.1.4 but apparently it is not.

What you think should happen instead?

The application should not raise an exception but it should handle it with an appropriate http response code.

How to reproduce

1. Create a token at /auth/token
2. Wait 5 minutes (or whatever the access token expiration date is) and make a request to the Airflow API using that token

Operating System

Ubuntu 24.04.1 LTS

Versions of Apache Airflow Providers

No response

Deployment

Docker-Compose

Deployment details

I use this Dockerfile to build a custom image:
FROM apache/airflow:3.1.4
USER airflow
COPY requirements.txt /
RUN pip install --no-cache-dir "apache-airflow==${AIRFLOW_VERSION}" -r /requirements.txt


The package installed from requirements is apache-airflow-providers-keycloak
I am using keycloak:26.4.0

Anything else?

No response

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[boring-cyborg]

Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.

[vincbeck]

The issue is slightly different here. #56614 is about UI and the issue you are describing now is related to the API. But regardless, both should work :) I'll look into it

[vincbeck]

#59281

[vincbeck]

Another question, what should be the desired behavior? Returning 403 or refreshing the token?

[Ilardi]

I am not sure about this, but i think that since airflow has its own /auth/token endpoint, a request made with a valid Airflow token should be treated as valid regardless of the access_token expiration. Basically my idea was that an API (or UI) user should not care about what authentication manager is used.

[bugraoz93]

I am not sure about this, but i think that since airflow has its own /auth/token endpoint, a request made with a valid Airflow token should be treated as valid regardless of the access_token expiration. Basically my idea was that an API (or UI) user should not care about what authentication manager is used.

I think this could be a problem and possibly blocking a security mitigation. Normally, a token or a session should be able to invalidated/blocked which in this case admins should be able to invaltidate a session or a token when it is leaked. If you have a token working for Airflow which is leaked, you can never invalidate unless it is expired from Keycloak. Even if we have the auth flow, if you are using an 3rd party tooling, I think we should leave the management to the tool. Otherwise it could be unmanagable and can open backdoors