Fix DAG-level RBAC by using claim_token per UMA spec (#61137)#61283
Merged
bugraoz93 merged 5 commits intoapache:mainfrom Feb 5, 2026
Merged
Fix DAG-level RBAC by using claim_token per UMA spec (#61137)#61283bugraoz93 merged 5 commits intoapache:mainfrom
bugraoz93 merged 5 commits intoapache:mainfrom
Conversation
n-badtke-cg
reviewed
Feb 2, 2026
There was a problem hiding this comment.
lgtm
EDIT: Is a bump of the version number already needed with this PR? https://github.com/apache/airflow/blob/main/providers/keycloak/src/airflow/providers/keycloak/__init__.py#L32
n-badtke-cg
approved these changes
Feb 2, 2026
providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py
Outdated
Show resolved
Hide resolved
|
I tested the changes locally and can confirm that it works as expected - thanks a lot for the quick implementation. Small nit on your example in the PR, the id of the requested dag is in key |
vincbeck
reviewed
Feb 2, 2026
Contributor
vincbeck
left a comment
vincbeck
left a comment
There was a problem hiding this comment.
Thanks for fixing that issue. I added some comments, also, can you update/create test to cover that?
providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py
Outdated
Show resolved
Hide resolved
Ensure consistent JSON key ordering by using sort_keys=True in json.dumps() when generating claim_token for UMA ticket requests. This fixes test failures caused by non-deterministic dictionary ordering in Python. The claim_token is base64-encoded JSON, so consistent key ordering is required for test assertions and predictable behavior.
- Fix documentation URL anchor from #_service_authorization_pushing_claims to #_service_pushing_claims - Remove changelog entry as requested by release manager - Add comprehensive parametrized tests for _get_payload method covering claim_token functionality
y-sudharshan
force-pushed
the
fix-keycloak-dag-rbac-61137
branch
from
3ce9b7c to
522ef10
Compare
bugraoz93
reviewed
Feb 2, 2026
Contributor
bugraoz93
left a comment
bugraoz93
left a comment
There was a problem hiding this comment.
Still a quite bit of CI failing. Could you please check?
y-sudharshan
force-pushed
the
fix-keycloak-dag-rbac-61137
branch
from
8c7cb34 to
d71e45e
Compare
ddroessler-ext
approved these changes
Feb 3, 2026
vincbeck
approved these changes
Feb 5, 2026
bugraoz93
approved these changes
Feb 5, 2026
|
🥳 |
jhgoebbert
pushed a commit
to jhgoebbert/airflow_Owen-CH-Leung
that referenced
this pull request
Feb 8, 2026
* Fix DAG-level RBAC by using claim_token per UMA spec (apache#61137) * Fix claim_token ordering in Keycloak auth manager Ensure consistent JSON key ordering by using sort_keys=True in json.dumps() when generating claim_token for UMA ticket requests. This fixes test failures caused by non-deterministic dictionary ordering in Python. The claim_token is base64-encoded JSON, so consistent key ordering is required for test assertions and predictable behavior. * Address review comments: fix doc URL, remove changelog, add tests - Fix documentation URL anchor from #_service_authorization_pushing_claims to #_service_pushing_claims - Remove changelog entry as requested by release manager - Add comprehensive parametrized tests for _get_payload method covering claim_token functionality
Contributor
Author
Thanks! |
81 tasks
Ratasa143
pushed a commit
to Ratasa143/airflow
that referenced
this pull request
Feb 15, 2026
* Fix DAG-level RBAC by using claim_token per UMA spec (apache#61137) * Fix claim_token ordering in Keycloak auth manager Ensure consistent JSON key ordering by using sort_keys=True in json.dumps() when generating claim_token for UMA ticket requests. This fixes test failures caused by non-deterministic dictionary ordering in Python. The claim_token is base64-encoded JSON, so consistent key ordering is required for test assertions and predictable behavior. * Address review comments: fix doc URL, remove changelog, add tests - Fix documentation URL anchor from #_service_authorization_pushing_claims to #_service_pushing_claims - Remove changelog entry as requested by release manager - Add comprehensive parametrized tests for _get_payload method covering claim_token functionality
choo121600
pushed a commit
to choo121600/airflow
that referenced
this pull request
Feb 22, 2026
* Fix DAG-level RBAC by using claim_token per UMA spec (apache#61137) * Fix claim_token ordering in Keycloak auth manager Ensure consistent JSON key ordering by using sort_keys=True in json.dumps() when generating claim_token for UMA ticket requests. This fixes test failures caused by non-deterministic dictionary ordering in Python. The claim_token is base64-encoded JSON, so consistent key ordering is required for test assertions and predictable behavior. * Address review comments: fix doc URL, remove changelog, add tests - Fix documentation URL anchor from #_service_authorization_pushing_claims to #_service_pushing_claims - Remove changelog entry as requested by release manager - Add comprehensive parametrized tests for _get_payload method covering claim_token functionality
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix DAG-level RBAC by using claim_token per UMA specification
closes: #61137
Description
This PR fixes a bug in the Keycloak Auth Manager where context attributes (such as
dag_id) were not being properly transmitted to Keycloak during authorization requests, preventing DAG-level RBAC policies from functioning.Problem
When attempting to configure DAG-level authorization policies in Keycloak, the
dag_idand other context attributes were not available to JavaScript-based policies. Network traces showed that instead of sending the actual attribute values, the literal stringcontext=attributeswas being transmitted in the authorization request.Root Cause:
The original implementation used a non-standard
contextparameter with a nested dictionary:This approach failed because:
requestslibrarycontextparameter for authorization requestsSolution
Implemented the correct UMA specification for pushing claims to Keycloak by using the
claim_tokenparameter:Key changes:
claim_tokenparameter instead ofcontext(per UMA spec)claim_token_formatparameterReference: Keycloak Authorization Services - Pushing Claims
Impact
After this fix:
dag_idand other context attributes are accessible in Keycloak policiesExample Keycloak policy that now works:
Testing
ruff formatandruff checkvalidationChanges Made
Modified files:
providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py- Added
import base64- Updated
_get_payload()method to useclaim_tokenparameterproviders/keycloak/docs/changelog.rst- Added bug fix entry for version 0.5.2
Was generative AI tooling used to co-author this PR?
Generated-by: GitHub Copilot