Keycloak: token via client_credentials flow

[ecodina]

Description

It may be useful to add a Keycloak auth manager endpoint where you could obtain a token using the client_credentials flow. The endpoint could be POST /token/client_credentials, where the user would specify the client_id and client_secret. The client should be available in the server_url configured in airflow.cfg.

The service account for the client used would have to be configured appropriately so the authorization server can perform the authorization.

I can prepare a PR adding this functionality, but before I do anything, I'd appreciate @bugraoz93 and @vincbeck feedback!

Use case/motivation

Airflow's API is very powerful. Right now it is designed to be used by an end user, but in some cases there is not an actual person running the requests. Instead, it is done by an automated service.

That's something I've seen we need in our organization when deploying Airflow 3.

For example:

• A monitoring service that queries runs
• A service that needs triggering Dags on-demand (maybe the backend of a web app has to run a Dag when a user inputs something)
• A Github Action that uploads a new Dag and then wants to unpause it and run it once
• ...

OAuth2 has the client_credentials flow designed for exactly these use cases. We could create a "fake user" and use the current endpoints, but it may make more sense to use this flow.

Related issues

No response

Are you willing to submit a PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[vincbeck]

I am totally up for it 👍

[bugraoz93]

Same here!
I would suggest to try airflowctl too to leverage API through automation and would be great to see what is needed more while we solidify the foundations :)