oauth create_token accessing session causes RuntimeError: Working outside of request context.

[Haapalaj]

Apache Airflow Provider(s)

fab

Versions of Apache Airflow Providers

Using:
airflow 3.1.5 (Image apache/airflow:3.1.5-python3.12
apache-airflow-providers-standard==1.10.1
apache-airflow-providers-snowflake==6.8.0
apache-airflow-providers-amazon==9.18.1
apache-airflow-providers-google==19.2.0
apache-airflow-providers-microsoft-azure==12.10.0
apache-airflow-providers-odbc==4.11.0
apache-airflow-providers-postgres==6.5.1
apache-airflow-providers-databricks==7.8.1
apache-airflow-task-sdk==1.1.5
apache-airflow-providers-fab==3.1.0

python3.12

Apache Airflow version

3.1.5

Operating System

Debian GNU/Linux 12 (bookworm)

Deployment

Docker-Compose

Deployment details

Docker version 28.5.1, build e180ab8

What happened

For getting the airflow api/v2 authentication token without user credentials (password and username), instead with user jwt token.
We need to implement the create_token somewhat like in this doc:

https://airflow.apache.org/docs/apache-airflow-providers-fab/stable/auth-manager/token.html

If trying out that example, these parts will fail:

user = self.security_manager.auth_user_oauth(userinfo)

login_user(user, remember=False)

Both fails with:

File "/home/airflow/.local/lib/python3.12/site-packages/werkzeug/local.py", line 513, in _get_current_object
   raise RuntimeError(unbound_message) from None
RuntimeError: Working outside of request context.

In details that seems to happen when trying to access or change the "session".
Session is: "from flask import session"

The self.security_manager.auth_user_oauth(userinfo)
will try to rotate the session id with the securitymanager:
_rotate_session_id()
Which fails in: session.sid = str(uuid.uuid4())

And the "login_user(user, remember=False)" tryes to change the session also, failing to same.

Instead of "self.security_manager.auth_user_oauth(userinfo)"
We tested using:

from flask import fcurrent_app
current_app.appbuilder.sm.auth_user_oauth(userinfo)

It will fail to same.

After trying out to get the user without accessing the session, so
skipping the _rotate_session_id and login_user, it actually returns the user with the api token that works against the airflow api v2.
But is that example https://airflow.apache.org/docs/apache-airflow-providers-fab/stable/auth-manager/token.html
then wrong?

The override is configured as:
export AIRFLOW__CORE__AUTH_MANAGER='airflow.contrib.auth.backends.fab_auth_manager_override.TheOverrideFabAuthManager'

What you think should happen instead

These
user = self.security_manager.auth_user_oauth(userinfo)

login_user(user, remember=False)
Should not fail, the user should be returned.

How to reproduce

Implement the Fab oauth create_token override by the doc:
https://airflow.apache.org/docs/apache-airflow-providers-fab/stable/auth-manager/token.html

Anything else

No response

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[KH-Coder865]

This happens because auth_user_oauth and login_user require an active Flask request context to access the session. Outside a request (e.g., CLI or background task), they fail with “Working outside of request context.” Wrapping the calls in app.app_context() and app.test_request_context() or skipping session-related calls when generating tokens programmatically resolves the issue. The docs example assumes a request context, which isn’t always present.

[KH-Coder865]

I'd like to contribute to it.

[Haapalaj]

For skipping the rotate_session_id, seems that it needs override the securitymanager. That's Ok,
but there it needs to override the private method, which isn't good:
FabAirflowSecurityManagerOverride._rotate_session_id(self)

Propably the self.security_manager.auth_user_oauth(userinfo)
should have some kind of rotate_session_id=False option also.

[KH-Coder865]

I agree that directly overriding a private method isn’t ideal. A better approach might be to add an optional parameter, like rotate_session_id=False, to auth_user_oauth(). That way, session rotation can be safely skipped when generating tokens outside a request context, without touching private methods. I’d be happy to contribute a PR to implement this.

[jroachgolf84]

@KH-Coder865, please feel free to create a PR for this issue!

[jscheffl]

I assume this is already fixed with #59355 - but not released yet?

[vincbeck]

It has now been released. Closing the issue.