From a582efcda265968d94e4095e80161423471f8185 Mon Sep 17 00:00:00 2001
From: vincbeck
Date: Thu, 6 Nov 2025 10:53:15 -0500
Subject: [PATCH] Add `LIST` permission to admin role in Keycloak auth manager

---
 .../providers/keycloak/auth_manager/cli/commands.py | 3 ++-
 .../keycloak/auth_manager/keycloak_auth_manager.py | 1 +
 .../unit/keycloak/auth_manager/cli/test_commands.py | 10 ++++++++--
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/providers/keycloak/src/airflow/providers/keycloak/auth_manager/cli/commands.py b/providers/keycloak/src/airflow/providers/keycloak/auth_manager/cli/commands.py
index d19693b81cc42..9ab2c9d879204 100644
--- a/providers/keycloak/src/airflow/providers/keycloak/auth_manager/cli/commands.py
+++ b/providers/keycloak/src/airflow/providers/keycloak/auth_manager/cli/commands.py
@@ -179,7 +179,8 @@ def _create_read_only_permission(client: KeycloakAdmin, client_uuid: str):
 
 def _create_admin_permission(client: KeycloakAdmin, client_uuid: str):
     all_scopes = client.get_client_authz_scopes(client_uuid)
-    scopes = [scope["id"] for scope in all_scopes if scope["name"] in get_args(ExtendedResourceMethod)]
+    scope_names = get_args(ExtendedResourceMethod) + ("LIST",)
+    scopes = [scope["id"] for scope in all_scopes if scope["name"] in scope_names]
     payload = {
         "name": "Admin",
         "type": "scope",
diff --git a/providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py b/providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py
index 5d42c8bb160b5..e5a5eb35a72cf 100644
--- a/providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py
+++ b/providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py
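Review bot: `_create_admin_permission` still derives `scopes` by filtering whatever `get_client_authz_scopes` returns, so a client whose scope set predates `LIST` (or lacks any other name in `scope_names`) silently gets an Admin permission with that scope missing, and nothing in the hunk detects it. Since `scope_names` is now an explicit statement of what Admin must cover, it is cheap to check it against what Keycloak actually holds: `missing = set(scope_names) - {scope["name"] for scope in all_scopes}` followed by `if missing: raise ValueError(f"Client {client_uuid} lacks authz scopes {sorted(missing)}; create the scopes before the permissions")` (or a logged warning, if a partial permission is the intended best-effort behaviour). A short comment on the `scope_names` line saying why `LIST` is appended separately, e.g. `# LIST is its own authz scope and is not part of ExtendedResourceMethod`, would also help, though I am inferring that distinction from the tuple concatenation rather than from the type's definition. The body of `_create_admin_permission` continues past the end of the hunk.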
@@ -112,6 +112,7 @@ def get_url_login(self, **kwargs) -> str:
 
     def refresh_user(self, *, user: KeycloakAuthManagerUser) -> KeycloakAuthManagerUser | None:
         if self._token_expired(user.access_token):
+            log.debug("Refreshing the token")
             client = self.get_keycloak_client()
             tokens = client.refresh_token(user.refresh_token)
             user.refresh_token = tokens["refresh_token"]
diff --git a/providers/keycloak/tests/unit/keycloak/auth_manager/cli/test_commands.py b/providers/keycloak/tests/unit/keycloak/auth_manager/cli/test_commands.py
index 4ead9a3ef6878..f8767164f53ba 100644
--- a/providers/keycloak/tests/unit/keycloak/auth_manager/cli/test_commands.py
+++ b/providers/keycloak/tests/unit/keycloak/auth_manager/cli/test_commands.py
@@ -277,7 +277,13 @@ def test_create_permissions_read_only(self):
 
     def test_create_permissions_admin(self):
         client = Mock()
-        scopes = [{"id": "1", "name": "GET"}, {"id": "2", "name": "MENU"}, {"id": "3", "name": "PUT"}]
+        scopes = [
+            {"id": "1", "name": "GET"},
+            {"id": "2", "name": "MENU"},
+            {"id": "3", "name": "PUT"},
+            {"id": "4", "name": "LIST"},
+            {"id": "5", "name": "DUMMY"},
+        ]
         client.get_client_authz_scopes.return_value = scopes
@@ -291,7 +297,7 @@ def test_create_permissions_admin(self):
                 "type": "scope",
                 "logic": "POSITIVE",
                 "decisionStrategy": "UNANIMOUS",
-                "scopes": ["1", "2", "3"],
+                "scopes": ["1", "2", "3", "4"],
             },
         )
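Review bot: The new `log.debug("Refreshing the token")` in `refresh_user` carries no context, so in the log stream of a multi-user deployment it cannot be tied to which user was refreshed or why; something like `log.debug("Access token expired, refreshing tokens for user %s", user.get_id())` would be more useful, assuming the user object exposes an identifier such as `get_id()` (confirm against `KeycloakAuthManagerUser`), and using %-formatting so the argument is only rendered when DEBUG is enabled. Whatever identifier is chosen, keep token values out of the message: `user.access_token` and `user.refresh_token` are bearer credentials and must never reach logs. `refresh_user` continues past the end of the hunk.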
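Review bot: The fixture in `test_create_permissions_admin` hard-codes three `ExtendedResourceMethod` names (`GET`, `MENU`, `PUT`) plus `LIST` and `DUMMY`, so a method added to `ExtendedResourceMethod` later but absent from a client's scopes would still pass this test, because the comprehension under test simply drops names it cannot find. Building the fixture from the type itself, e.g. `names = get_args(ExtendedResourceMethod) + ("LIST", "DUMMY")` and `scopes = [{"id": str(i), "name": name} for i, name in enumerate(names, 1)]`, with the expected `"scopes"` list derived the same way minus the `DUMMY` entry, would pin that every admin method resolves to a scope id; this needs `get_args` and `ExtendedResourceMethod` imported in the test module, which I cannot see from the hunk. The method continues past the end of the hunk.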