@vincbeck
Contributor

@vincbeck vincbeck commented Jan 19, 2026

Resolves #59359

There are 2 scenarios:

  • If the Airflow JWT token is expired, then we should log out the user
  • With Keycloak auth manager, if the refresh token is expired, then we should also log out the user.

In both cases, the user has an invalid token and should no longer be considered logged in.



@ashb
Member

ashb commented Jan 19, 2026

I think this also covers the "the encryption/signing key has changed" for local development installs, right?

@vincbeck vincbeck force-pushed the vincbeck/keycloak_refresh branch from f60fe20 to d00ba97 Compare January 19, 2026 16:39
@vincbeck
Contributor Author

> I think this also covers the "the encryption/signing key has changed" for local development installs, right?

Yep
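
The two cases discussed above (an expired token, and a token signed with a key that has since changed) ending in the same logout, as an added example that is not Airflow's or the Keycloak provider's code. It is a stdlib-only HS256 check; `sign`, `check`, `handle`, the `/login` redirect and the sample keys are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key: bytes, head: str, body: str) -> bytes:
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign(claims: dict, key: bytes) -> str:
    """Mint a constructed HS256 token for the demo (hypothetical helper)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_mac(key, head, body))}"

def check(token: str, key: bytes, now: int) -> str:
    """Return 'ok' or the reason the token no longer authenticates."""
    try:
        head, body, sig = token.split(".")
        # Pin the algorithm server-side; never let the header choose it.
        if json.loads(_unb64(head)).get("alg") != "HS256":
            return "malformed"
        if not hmac.compare_digest(_mac(key, head, body), _unb64(sig)):
            return "bad_signature"  # e.g. the signing key was regenerated
        # RFC 7519: reject a token on or after its exp time.
        return "expired" if now >= int(json.loads(_unb64(body))["exp"]) else "ok"
    except (ValueError, KeyError, TypeError, AttributeError):
        return "malformed"

def handle(token: str, key: bytes, now: int) -> dict:
    """Hypothetical request guard: any verdict other than 'ok' ends the session."""
    verdict = check(token, key, now)
    if verdict == "ok":
        return {"status": 200, "clear_cookie": False}
    # Drop the stale cookie and send the browser to login, rather than
    # surfacing a 401 on every call or an unhandled 500.
    return {"status": 303, "location": "/login", "clear_cookie": True, "reason": verdict}

if __name__ == "__main__":
    # Constructed sample values; 86400 s matches the default lifetime quoted in this thread.
    NOW, OLD_KEY, NEW_KEY = 1_700_000_000, b"constructed-key-1", b"constructed-key-2"
    live = sign({"sub": "alice", "exp": NOW + 86400}, OLD_KEY)
    for label, args in [("valid", (live, OLD_KEY, NOW)),
                        ("expired", (live, OLD_KEY, NOW + 86400)),
                        ("key changed", (live, NEW_KEY, NOW))]:
        print(label, handle(*args))
```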

@vincbeck vincbeck force-pushed the vincbeck/keycloak_refresh branch 2 times, most recently from 48a3a80 to ec29c5c Compare January 19, 2026 17:00
@vincbeck vincbeck requested a review from ashb January 19, 2026 17:00
@vincbeck vincbeck force-pushed the vincbeck/keycloak_refresh branch 2 times, most recently from 4cbbcc7 to ef1bb98 Compare January 19, 2026 18:10
@dheerajturaga
Member

@vincbeck, what's the lifespan of a JWT token today? One concern here is having users log in very frequently

@bugraoz93
Contributor

bugraoz93 commented Jan 19, 2026

> @vincbeck, what's the lifespan of a JWT token today? One concern here is having users log in very frequently

It defaults to configuration; the execution and public API have different values. So admins should be able to change it according to their security concerns and user behavior.
For the public API, it is 86400s.


For execution api,

@vincbeck
Contributor Author

> @vincbeck, what's the lifespan of a JWT token today? One concern here is having users log in very frequently

By default it is one day, but it is a config so you can change it. Note that this PR does not change that. Today, after one day your token is no longer valid. The only difference is today you get alerts all over the UI because you no longer have valid credentials. This PR changes that and logs you out

Contributor

@bugraoz93 bugraoz93 left a comment

Thanks Vincent!

@dheerajturaga
Member

> > @vincbeck, what's the lifespan of a JWT token today? One concern here is having users log in very frequently
>
> By default it is one day, but it is a config so you can change it. Note that this PR does not change that. Today, after one day your token is no longer valid. The only difference is today you get alerts all over the UI because you no longer have valid credentials. This PR changes that and logs you out

Ah! that's great! This makes sense

@vincbeck vincbeck force-pushed the vincbeck/keycloak_refresh branch from ef1bb98 to e58ab2f Compare January 19, 2026 19:10
@dheerajturaga dheerajturaga self-requested a review January 19, 2026 19:12
@vincbeck vincbeck merged commit 9f0099f into apache:main Jan 20, 2026
128 checks passed
@vincbeck vincbeck deleted the vincbeck/keycloak_refresh branch January 20, 2026 15:22
Development

Successfully merging this pull request may close these issues.

Internal Server Error in Airflow API server with Keycloak provider when token is not active