Fix OAuth session race condition causing false 401 errors during login

providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py

@@ -51,7 +51,6 @@
 from flask_appbuilder.security.views import (
     AuthDBView,
     AuthLDAPView,
-    AuthOAuthView,
     AuthRemoteUserView,
     AuthView,
     RegisterUserModelView,
@@ -81,6 +80,7 @@
 )
 from airflow.providers.fab.auth_manager.models.anonymous_user import AnonymousUser
 from airflow.providers.fab.auth_manager.security_manager.constants import EXISTING_ROLES
+from airflow.providers.fab.auth_manager.views.auth_oauth import CustomAuthOAuthView
 from airflow.providers.fab.auth_manager.views.permissions import (
     ActionModelView,
     PermissionPairModelView,
@@ -187,8 +187,8 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
     """ Override if you want your own Authentication DB view """
     authldapview = AuthLDAPView
     """ Override if you want your own Authentication LDAP view """
-    authoauthview = AuthOAuthView
-    """ Override if you want your own Authentication OAuth view """
+    authoauthview = CustomAuthOAuthView
+    """ Custom Authentication OAuth view with session commit fix for #57981 """
     authremoteuserview = AuthRemoteUserView
     """ Override if you want your own Authentication REMOTE_USER view """
     registeruserdbview = RegisterUserDBView

providers/fab/src/airflow/providers/fab/auth_manager/views/auth_oauth.py

@@ -0,0 +1,72 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+"""Custom OAuth authentication view to fix session timing race condition."""
+
+from __future__ import annotations
+
+import logging
+
+from flask import session
+from flask_appbuilder.security.views import AuthOAuthView
+
+from airflow.configuration import conf
+
+log = logging.getLogger(__name__)
+
+
+class CustomAuthOAuthView(AuthOAuthView):
+    """
+    Custom OAuth authentication view that ensures session is committed before redirect.
+
+    Fixes issue #57981 where UI requests fail with 401 during OAuth flow because
+    the Flask session is not yet committed when the redirect response is sent.
+    """
+
+    def oauth_authorized(self, provider):
+        """
+        OAuth callback handler that explicitly commits session before redirect.
+
+        This method overrides the parent's oauth_authorized to ensure that the
+        Flask session (containing OAuth tokens and user authentication) is fully
+        committed to the session backend (cookie or database) before redirecting
+        the user to the UI.
+
+        This prevents the race condition where the UI makes API requests before
+        the session is available, causing temporary 401 errors during login.
+
+        Args:
+            provider: OAuth provider name (e.g., 'azure', 'google', 'github')
+
+        Returns:
+            Flask response object (redirect to original URL or home page)
+        """
+        log.debug("OAuth callback received for provider: %s", provider)
+
+        # Call parent's OAuth callback handling
+        # This processes the OAuth response, authenticates the user, and sets session data
+        response = super().oauth_authorized(provider)
+
+        # Explicitly mark the Flask session as modified to ensure it's persisted
+        # before the redirect response is sent to the client
+        session.modified = True
+        session_backend = conf.get("fab", "SESSION_BACKEND", fallback="securecookie")
+        log.debug("Marked session as modified for %s backend", session_backend)
+
+        log.debug("OAuth callback handling completed for provider: %s", provider)
+
+        return response

providers/fab/tests/unit/fab/auth_manager/views/test_auth_oauth.py

@@ -0,0 +1,61 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+from __future__ import annotations
+
+from unittest import mock
+
+import pytest
+from flask_appbuilder.security.views import AuthOAuthView
+
+from airflow.providers.fab.auth_manager.views.auth_oauth import CustomAuthOAuthView
+
+
+class TestCustomAuthOAuthView:
+    """Test CustomAuthOAuthView."""
+
+    @pytest.mark.parametrize("backend", ["database", "securecookie"])
+    @mock.patch("airflow.providers.fab.auth_manager.views.auth_oauth.conf")
+    def test_oauth_authorized_marks_session_modified(self, mock_conf, backend):
+        """Test that oauth_authorized marks session as modified regardless of backend."""
+        mock_conf.get.return_value = backend
+        mock_session = mock.MagicMock()
+        view = CustomAuthOAuthView()
+
+        with (
+            mock.patch("airflow.providers.fab.auth_manager.views.auth_oauth.session", new=mock_session),
+            mock.patch.object(AuthOAuthView, "oauth_authorized", return_value=mock.Mock()) as mock_parent,
+        ):
+            view.oauth_authorized("test_provider")
+
+            mock_parent.assert_called_once_with("test_provider")
+            assert mock_session.modified is True
+            mock_conf.get.assert_called_once_with("fab", "SESSION_BACKEND", fallback="securecookie")
+
+    @mock.patch("airflow.providers.fab.auth_manager.views.auth_oauth.conf")
+    def test_oauth_authorized_returns_parent_response(self, mock_conf):
+        """Test that oauth_authorized returns the response from parent method."""
+        mock_conf.get.return_value = "database"
+        view = CustomAuthOAuthView()
+        mock_response = mock.Mock()
+
+        with (
+            mock.patch("airflow.providers.fab.auth_manager.views.auth_oauth.session", new=mock.MagicMock()),
+            mock.patch.object(AuthOAuthView, "oauth_authorized", return_value=mock_response),
+        ):
+            result = view.oauth_authorized("google")
+            assert result == mock_response