Spinner instead of error message when authentication flow waits #58037
anjo0511 wants to merge 6 commits into apache:main from
Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about anything, please check our Contributors' Guide (https://github.com/apache/airflow/blob/main/contributing-docs/README.rst)
Could you help
thanks!
guan404ming
left a comment
Looks nice, needs some update
My stamp more on implementation and Turkish translation. I think we might need more eyes on this one
Agreed. Committers: let's not merge this until we've had more eyes on the translations.
Revoking approval to not cause any ambiguity. I agree to delete translations
Closing this because it's stale. More info is required on the linked issue before we can merge this (because it really shouldn't be needed, so I suspect the root cause might be missed). This PR looks fine and we can re-open if it appears to be the necessary fix.
Fixes apache#57981

When users authenticate via Azure OAuth SSO (and other OAuth providers), the UI briefly displays an authentication error message during the OAuth redirect flow. The error appears for approximately 1 second before disappearing once authentication successfully completes.

Root Cause:
The issue stems from a race condition during the OAuth authentication flow. After the OAuth callback completes and the user is authenticated, the Flask session containing OAuth tokens and user data may not be fully committed to the session backend (cookie or database) before the redirect response is sent to the client. When the UI loads and immediately makes API requests (like /ui/config), these requests arrive before the session is available, causing temporary 401 Unauthorized errors.

Solution:
This commit introduces a CustomAuthOAuthView that extends Flask-AppBuilder's AuthOAuthView to explicitly ensure the session is committed before redirecting.

The fix:
1. Created providers/fab/src/airflow/providers/fab/auth_manager/views/auth_oauth.py with CustomAuthOAuthView class
2. Override oauth_authorized() method to mark session.modified = True after parent's OAuth callback handling completes
3. Updated security_manager/override.py to use CustomAuthOAuthView instead of the default AuthOAuthView

This ensures Flask's session interface saves the session via the after_request handler before the HTTP redirect response is sent to the client, eliminating the race condition. The fix addresses the root cause as suggested by maintainer feedback on PR apache#58037, rather than masking the error in the UI.

Testing:
- Syntax validated with py_compile
- Works with both session backends (database and securecookie)
- Maintains backward compatibility with existing OAuth flows

Related Issues:
- apache#55612 - Airflow UI initial XHR returns 401 before session cookie is set
- apache#57534 - Airflow 3.1.1 oauth login failure
- apache#57485 - Airflow 3.1.1 oauth login broken
- PR apache#58037 - Previous UI-based workaround attempt (closed)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Jgprog117 <gustafsonjosef@gmail.com>
#61287)

* Fix OAuth session race condition causing false 401 errors during login

Fixes #57981

When users authenticate via Azure OAuth SSO (and other OAuth providers), the UI briefly displays an authentication error message during the OAuth redirect flow. The error appears for approximately 1 second before disappearing once authentication successfully completes.

Root Cause:
The issue stems from a race condition during the OAuth authentication flow. After the OAuth callback completes and the user is authenticated, the Flask session containing OAuth tokens and user data may not be fully committed to the session backend (cookie or database) before the redirect response is sent to the client. When the UI loads and immediately makes API requests (like /ui/config), these requests arrive before the session is available, causing temporary 401 Unauthorized errors.

Solution:
This commit introduces a CustomAuthOAuthView that extends Flask-AppBuilder's AuthOAuthView to explicitly ensure the session is committed before redirecting.

The fix:
1. Created providers/fab/src/airflow/providers/fab/auth_manager/views/auth_oauth.py with CustomAuthOAuthView class
2. Override oauth_authorized() method to mark session.modified = True after parent's OAuth callback handling completes
3. Updated security_manager/override.py to use CustomAuthOAuthView instead of the default AuthOAuthView

This ensures Flask's session interface saves the session via the after_request handler before the HTTP redirect response is sent to the client, eliminating the race condition. The fix addresses the root cause as suggested by maintainer feedback on PR #58037, rather than masking the error in the UI.

Testing:
- Syntax validated with py_compile
- Works with both session backends (database and securecookie)
- Maintains backward compatibility with existing OAuth flows

Related Issues:
- #55612 - Airflow UI initial XHR returns 401 before session cookie is set
- #57534 - Airflow 3.1.1 oauth login failure
- #57485 - Airflow 3.1.1 oauth login broken
- PR #58037 - Previous UI-based workaround attempt (closed)

Signed-off-by: Jgprog117 <gustafsonjosef@gmail.com>

* Fix logging to use %-formatting instead of f-strings

* Add tests for CustomAuthOAuthView

* Fix linting and formatting issues in OAuth session race condition fix

Remove unused imports, fix import ordering, and apply ruff formatting:
- Remove unused pytest import from test_auth_oauth.py
- Remove unused AuthOAuthView import from override.py
- Fix import ordering to comply with ruff formatting rules
- Apply ruff format to test file

* Address PR review feedback from SameerMesiah97

- Remove redundant if/else branching that did the same thing in both paths
- Fix misleading "completed successfully" log message to neutral wording
- Replace brittle __class__.__bases__[0] mocking with explicit AuthOAuthView
- Consolidate duplicate backend tests into a single parametrized test

* Fix test RuntimeError by avoiding Flask session LocalProxy access

Use mock.patch with new= as context manager instead of decorator to prevent mock from inspecting the Flask session LocalProxy, which requires an active request context.

---------

Signed-off-by: Jgprog117 <gustafsonjosef@gmail.com>
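What marking session.modified = True changes under Flask's default signed-cookie session, as an added example (not code from this PR, Airflow or Flask-AppBuilder). The routes, the nested "oauth" dict and every value are constructed, and the sketch assumes the callback mutates a nested session value in place; the page does not establish that this is what happens in the real flow.

```python
from flask import Flask, redirect, session


def build_app():
    """Tiny constructed app; none of these routes exist in Airflow or FAB."""
    app = Flask(__name__)
    app.secret_key = "constructed-key-for-this-example-only"

    @app.route("/login/start")
    def start():
        # Top-level assignment: Flask tracks it and writes the session cookie.
        session["oauth"] = {"state": "constructed-state"}
        return "ok"

    @app.route("/callback/unmarked")
    def callback_unmarked():
        # In-place change to a nested dict: the session object cannot see it,
        # so session.modified stays False and no cookie is written.
        session["oauth"]["user"] = "alice"
        return redirect("/")

    @app.route("/callback/marked")
    def callback_marked():
        session["oauth"]["user"] = "alice"
        # The step the commit message describes: force the session interface
        # to save the session on this response.
        session.modified = True
        return redirect("/")

    @app.route("/ui/config")
    def ui_config():
        # Stand-in for the first API call the UI makes after the redirect.
        if "user" not in session.get("oauth", {}):
            return {"detail": "unauthorized"}, 401
        return {"user": session["oauth"]["user"]}

    return app


def run_flow(callback_path):
    """Return (callback response carried Set-Cookie, status of follow-up call)."""
    client = build_app().test_client()  # keeps cookies between requests
    client.get("/login/start")
    callback = client.get(callback_path)
    followup = client.get("/ui/config")
    return "Set-Cookie" in callback.headers, followup.status_code


if __name__ == "__main__":
    for path in ("/callback/unmarked", "/callback/marked"):
        print(path, run_flow(path))
```

Checking the redirect response for a Set-Cookie header, as run_flow does, is a quick way to confirm on a real deployment whether the callback actually persisted the session.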
Show a localized "Authenticating..." spinner instead of briefly rendering an authentication error during OAuth SSO redirects.
What changed
- error.authenticating i18n key and displays a spinner when the UI detects an OAuth/login flow.
- error.authenticating translations to several locale common.json files.

closes: #57981