Fix OAuth session race condition causing false 401 errors during login by Jgprog117 · Pull Request #61287 · apache/airflow

Jgprog117 · 2026-01-31T12:43:05Z

When users authenticate via Azure OAuth SSO (and other OAuth providers), the UI briefly displays an authentication error message during the OAuth redirect flow. The error appears for approximately 1 second before disappearing once authentication successfully completes.

Root Cause:
The issue stems from a race condition during the OAuth authentication flow. After the OAuth callback completes and the user is authenticated, the Flask session containing OAuth tokens and user data may not be fully committed to the session backend (cookie or database) before the redirect response is sent to the client. When the UI loads and immediately makes API requests (like /ui/config), these requests arrive before the session is available, causing temporary 401 Unauthorized errors.

Solution:
This commit introduces a CustomAuthOAuthView that extends Flask-AppBuilder's AuthOAuthView to explicitly ensure the session is committed before redirecting. The fix:

Created providers/fab/src/airflow/providers/fab/auth_manager/views/auth_oauth.py with CustomAuthOAuthView class
Override oauth_authorized() method to mark session.modified = True after parent's OAuth callback handling completes
Updated security_manager/override.py to use CustomAuthOAuthView instead of the default AuthOAuthView

This ensures Flask's session interface saves the session via the after_request handler before the HTTP redirect response is sent to the client, eliminating the race condition.

The fix addresses the root cause as suggested by maintainer feedback on PR #58037, rather than masking the error in the UI.

Testing:

Syntax validated with py_compile
Works with both session backends (database and securecookie)
Maintains backward compatibility with existing OAuth flows

Related Issues:

Airflow UI initial XHR returns 401 before session cookie is set, and logout requires multiple attempts #55612 - Airflow UI initial XHR returns 401 before session cookie is set
Airflow 3.1.1 oauth login failure #57534 - Airflow 3.1.1 oauth login failure
Airflow 3.1.1 oauth login broken #57485 - Airflow 3.1.1 oauth login broken
PR Spinner instad or error message when authentication flow waits #58037 - Previous UI-based workaround attempt (closed)

Was generative AI tooling used to co-author this PR?

[ X] Yes (please specify the tool below)
Claude code was to fetch additional information regarding the issue and to document the solution.

Read the Pull Request Guidelines for more information. Note: commit author/co-author name and email in commits become permanently public when merged.
For fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
When adding dependency, check compliance with the ASF 3rd Party License Policy.
For significant user-facing changes create newsfragment: {pr_number}.significant.rst or {issue_number}.significant.rst, in airflow-core/newsfragments.

Fixes apache#57981 When users authenticate via Azure OAuth SSO (and other OAuth providers), the UI briefly displays an authentication error message during the OAuth redirect flow. The error appears for approximately 1 second before disappearing once authentication successfully completes. Root Cause: The issue stems from a race condition during the OAuth authentication flow. After the OAuth callback completes and the user is authenticated, the Flask session containing OAuth tokens and user data may not be fully committed to the session backend (cookie or database) before the redirect response is sent to the client. When the UI loads and immediately makes API requests (like /ui/config), these requests arrive before the session is available, causing temporary 401 Unauthorized errors. Solution: This commit introduces a CustomAuthOAuthView that extends Flask-AppBuilder's AuthOAuthView to explicitly ensure the session is committed before redirecting. The fix: 1. Created providers/fab/src/airflow/providers/fab/auth_manager/views/auth_oauth.py with CustomAuthOAuthView class 2. Override oauth_authorized() method to mark session.modified = True after parent's OAuth callback handling completes 3. Updated security_manager/override.py to use CustomAuthOAuthView instead of the default AuthOAuthView This ensures Flask's session interface saves the session via the after_request handler before the HTTP redirect response is sent to the client, eliminating the race condition. The fix addresses the root cause as suggested by maintainer feedback on PR apache#58037, rather than masking the error in the UI. Testing: - Syntax validated with py_compile - Works with both session backends (database and securecookie) - Maintains backward compatibility with existing OAuth flows Related Issues: - apache#55612 - Airflow UI initial XHR returns 401 before session cookie is set - apache#57534 - Airflow 3.1.1 oauth login failure - apache#57485 - Airflow 3.1.1 oauth login broken - PR apache#58037 - Previous UI-based workaround attempt (closed) Signed-off-by: Jgprog117 <gustafsonjosef@gmail.com>

Remove unused imports, fix import ordering, and apply ruff formatting: - Remove unused pytest import from test_auth_oauth.py - Remove unused AuthOAuthView import from override.py - Fix import ordering to comply with ruff formatting rules - Apply ruff format to test file

SameerMesiah97

The overall approach is solid. But it just needs a few refinements.

providers/fab/src/airflow/providers/fab/auth_manager/views/auth_oauth.py

providers/fab/tests/unit/fab/auth_manager/views/test_auth_oauth.py

- Remove redundant if/else branching that did the same thing in both paths - Fix misleading "completed successfully" log message to neutral wording - Replace brittle __class__.__bases__[0] mocking with explicit AuthOAuthView - Consolidate duplicate backend tests into a single parametrized test

Jgprog117 · 2026-02-02T09:02:37Z

@SameerMesiah97

Good comments, amended PR with your improvements. Thanks :)

Use mock.patch with new= as context manager instead of decorator to prevent mock from inspecting the Flask session LocalProxy, which requires an active request context.

SameerMesiah97 · 2026-02-02T22:30:24Z

@vincbeck

Looks good to me.

boring-cyborg · 2026-02-02T23:12:56Z

Awesome work, congrats on your first merged pull request! You are invited to check our Issue Tracker for additional contributions.

apache#61287) * Fix OAuth session race condition causing false 401 errors during login Fixes apache#57981 When users authenticate via Azure OAuth SSO (and other OAuth providers), the UI briefly displays an authentication error message during the OAuth redirect flow. The error appears for approximately 1 second before disappearing once authentication successfully completes. Root Cause: The issue stems from a race condition during the OAuth authentication flow. After the OAuth callback completes and the user is authenticated, the Flask session containing OAuth tokens and user data may not be fully committed to the session backend (cookie or database) before the redirect response is sent to the client. When the UI loads and immediately makes API requests (like /ui/config), these requests arrive before the session is available, causing temporary 401 Unauthorized errors. Solution: This commit introduces a CustomAuthOAuthView that extends Flask-AppBuilder's AuthOAuthView to explicitly ensure the session is committed before redirecting. The fix: 1. Created providers/fab/src/airflow/providers/fab/auth_manager/views/auth_oauth.py with CustomAuthOAuthView class 2. Override oauth_authorized() method to mark session.modified = True after parent's OAuth callback handling completes 3. Updated security_manager/override.py to use CustomAuthOAuthView instead of the default AuthOAuthView This ensures Flask's session interface saves the session via the after_request handler before the HTTP redirect response is sent to the client, eliminating the race condition. The fix addresses the root cause as suggested by maintainer feedback on PR apache#58037, rather than masking the error in the UI. Testing: - Syntax validated with py_compile - Works with both session backends (database and securecookie) - Maintains backward compatibility with existing OAuth flows Related Issues: - apache#55612 - Airflow UI initial XHR returns 401 before session cookie is set - apache#57534 - Airflow 3.1.1 oauth login failure - apache#57485 - Airflow 3.1.1 oauth login broken - PR apache#58037 - Previous UI-based workaround attempt (closed) Signed-off-by: Jgprog117 <gustafsonjosef@gmail.com> * Fix logging to use %-formatting instead of f-strings * Add tests for CustomAuthOAuthView * Fix linting and formatting issues in OAuth session race condition fix Remove unused imports, fix import ordering, and apply ruff formatting: - Remove unused pytest import from test_auth_oauth.py - Remove unused AuthOAuthView import from override.py - Fix import ordering to comply with ruff formatting rules - Apply ruff format to test file * Address PR review feedback from SameerMesiah97 - Remove redundant if/else branching that did the same thing in both paths - Fix misleading "completed successfully" log message to neutral wording - Replace brittle __class__.__bases__[0] mocking with explicit AuthOAuthView - Consolidate duplicate backend tests into a single parametrized test * Fix test RuntimeError by avoiding Flask session LocalProxy access Use mock.patch with new= as context manager instead of decorator to prevent mock from inspecting the Flask session LocalProxy, which requires an active request context. --------- Signed-off-by: Jgprog117 <gustafsonjosef@gmail.com>

vincbeck · 2026-02-16T16:39:36Z

This PR might have introduced a bug, can you please take a look at #62028?

apache#61287) * Fix OAuth session race condition causing false 401 errors during login Fixes apache#57981 When users authenticate via Azure OAuth SSO (and other OAuth providers), the UI briefly displays an authentication error message during the OAuth redirect flow. The error appears for approximately 1 second before disappearing once authentication successfully completes. Root Cause: The issue stems from a race condition during the OAuth authentication flow. After the OAuth callback completes and the user is authenticated, the Flask session containing OAuth tokens and user data may not be fully committed to the session backend (cookie or database) before the redirect response is sent to the client. When the UI loads and immediately makes API requests (like /ui/config), these requests arrive before the session is available, causing temporary 401 Unauthorized errors. Solution: This commit introduces a CustomAuthOAuthView that extends Flask-AppBuilder's AuthOAuthView to explicitly ensure the session is committed before redirecting. The fix: 1. Created providers/fab/src/airflow/providers/fab/auth_manager/views/auth_oauth.py with CustomAuthOAuthView class 2. Override oauth_authorized() method to mark session.modified = True after parent's OAuth callback handling completes 3. Updated security_manager/override.py to use CustomAuthOAuthView instead of the default AuthOAuthView This ensures Flask's session interface saves the session via the after_request handler before the HTTP redirect response is sent to the client, eliminating the race condition. The fix addresses the root cause as suggested by maintainer feedback on PR apache#58037, rather than masking the error in the UI. Testing: - Syntax validated with py_compile - Works with both session backends (database and securecookie) - Maintains backward compatibility with existing OAuth flows Related Issues: - apache#55612 - Airflow UI initial XHR returns 401 before session cookie is set - apache#57534 - Airflow 3.1.1 oauth login failure - apache#57485 - Airflow 3.1.1 oauth login broken - PR apache#58037 - Previous UI-based workaround attempt (closed) Signed-off-by: Jgprog117 <gustafsonjosef@gmail.com> * Fix logging to use %-formatting instead of f-strings * Add tests for CustomAuthOAuthView * Fix linting and formatting issues in OAuth session race condition fix Remove unused imports, fix import ordering, and apply ruff formatting: - Remove unused pytest import from test_auth_oauth.py - Remove unused AuthOAuthView import from override.py - Fix import ordering to comply with ruff formatting rules - Apply ruff format to test file * Address PR review feedback from SameerMesiah97 - Remove redundant if/else branching that did the same thing in both paths - Fix misleading "completed successfully" log message to neutral wording - Replace brittle __class__.__bases__[0] mocking with explicit AuthOAuthView - Consolidate duplicate backend tests into a single parametrized test * Fix test RuntimeError by avoiding Flask session LocalProxy access Use mock.patch with new= as context manager instead of decorator to prevent mock from inspecting the Flask session LocalProxy, which requires an active request context. --------- Signed-off-by: Jgprog117 <gustafsonjosef@gmail.com>

Jgprog117 requested a review from vincbeck as a code owner January 31, 2026 12:43

boring-cyborg bot added area:providers provider:fab labels Jan 31, 2026

Jgprog117 added 3 commits January 31, 2026 18:13

Fix logging to use %-formatting instead of f-strings

228a29d

Add tests for CustomAuthOAuthView

4480437

SameerMesiah97 reviewed Feb 1, 2026

View reviewed changes

vincbeck approved these changes Feb 2, 2026

View reviewed changes

Jgprog117 and others added 2 commits February 2, 2026 16:39

Fix test RuntimeError by avoiding Flask session LocalProxy access

f7a8fef

Use mock.patch with new= as context manager instead of decorator to prevent mock from inspecting the Flask session LocalProxy, which requires an active request context.

Merge branch 'main' into fix-oauth-session-race-condition-57981

65509fe

vincbeck requested a review from SameerMesiah97 February 2, 2026 16:44

SameerMesiah97 approved these changes Feb 2, 2026

View reviewed changes

vincbeck merged commit 2ebec16 into apache:main Feb 2, 2026
86 checks passed

shahar1 mentioned this pull request Feb 11, 2026

Status of testing Providers that were prepared on February 10, 2026 #61766

Closed

81 tasks

csp33 mentioned this pull request Feb 16, 2026

[FAB] Invalid OAuth login with airflow-providers-fab==3.3.0 #62028

Closed

2 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Comments

Fix OAuth session race condition causing false 401 errors during login#61287

Fix OAuth session race condition causing false 401 errors during login#61287
vincbeck merged 7 commits intoapache:mainfrom
Jgprog117:fix-oauth-session-race-condition-57981

Jgprog117 commented Jan 31, 2026

Uh oh!

SameerMesiah97 left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Jgprog117 commented Feb 2, 2026

Uh oh!

SameerMesiah97 commented Feb 2, 2026

Uh oh!

Uh oh!

boring-cyborg bot commented Feb 2, 2026

Uh oh!

vincbeck commented Feb 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Comments

Conversation

Jgprog117 commented Jan 31, 2026

Was generative AI tooling used to co-author this PR?

Uh oh!

SameerMesiah97 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Jgprog117 commented Feb 2, 2026

Uh oh!

SameerMesiah97 commented Feb 2, 2026

Uh oh!

Uh oh!

boring-cyborg bot commented Feb 2, 2026

Uh oh!

vincbeck commented Feb 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants