
I have installed Airflow 2.1.1 on a CentOS 7 VM in our private network. The Airflow webserver is built on Flask. It uses Flask web authentication.

I have configured airflow.cfg and webserver_config.py to use Keycloak OAuth2.

I am getting the error below while logging in to the Airflow web UI with Keycloak for authentication:

OAuth code in webserver_config.py:

from airflow.www_rbac.security import AirflowSecurityManager
from flask_appbuilder.security.manager import AUTH_OAUTH
import os
import json
AUTH_TYPE = AUTH_OAUTH
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Admin"


# a mapping from the values of `userinfo["role_keys"]` to a list of FAB roles
AUTH_ROLES_MAPPING = {
    "FAB_USERS": ["admin"],
    "FAB_ADMINS": ["Admin"],
}

OAUTH_PROVIDERS = [
    {'name':'keycloak', 'icon':'fa-user-circle', 'token_key':'access_token',
        'remote_app': {
            'client_id':'xxxxxx',
            'client_secret':'xxxxxxxxxxxxxxxxxxx',
            'api_base_url':'https://keycloak-1.dastc.stee.com:8443/auth/realms/sep',
            'client_kwargs':{
              'scope': 'email profile'
            },
            'request_token_url':None,
            'access_token_url':'https://keycloak-1.dastc.stee.com:8443/auth/realms/sep/protocol/openid-connect/token',
            'authorize_url':'https://keycloak-1.dastc.stee.com:8443/auth/realms/sep/protocol/openid-connect/auth'}
    }
]

Error from the Airflow webserver:

172.16.0.1 - - [26/Aug/2021:07:28:25 +0000] "GET / HTTP/1.1" 302 217 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36"
172.16.0.1 - - [26/Aug/2021:07:28:25 +0000] "GET /home HTTP/1.1" 302 329 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36"
172.16.0.1 - - [26/Aug/2021:07:28:25 +0000] "GET /login/?next=https%3A%2F%2Fexp-3.dastc.stee.com%3A8090%2Fhome HTTP/1.1" 302 1001 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36"
172.16.0.1 - - [26/Aug/2021:07:28:25 +0000] "GET / HTTP/1.1" 302 217 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36"
172.16.0.1 - - [26/Aug/2021:07:28:25 +0000] "GET /home HTTP/1.1" 302 329 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36"
172.16.0.1 - - [26/Aug/2021:07:28:25 +0000] "GET /login/?next=https%3A%2F%2Fexp-3.dastc.stee.com%3A8090%2Fhome HTTP/1.1" 302 1001 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36"
[2021-08-26 07:28:43,501] {manager.py:1293} ERROR - OAUTH userinfo does not have username or email {}
172.16.0.1 - - [26/Aug/2021:07:28:43 +0000] "GET /oauth-authorized/keycloak?state=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuZXh0IjpbImh0dHBzOi8vZXhwLTMuZGFzdGMuc3RlZS5jb206ODA5MC9ob21lIl19.gPk8CRlCWQtxpWemGEK575Q-0t_r488fczc1lDbVjsQ&session_state=c50b49a9-2878-4af6-8ce4-62da7b3a82fd&code=5732a033-009f-4093-80d3-43321c5c646e.c50b49a9-2878-4af6-8ce4-62da7b3a82fd.5e50dd12-2de1-479c-906f-d5272f3ba911 HTTP/1.1" 302 221 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36"
172.16.0.1 - - [26/Aug/2021:07:28:43 +0000] "GET /login/ HTTP/1.1" 302 871 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36"
[2021-08-26 07:28:43,734] {manager.py:1293} ERROR - OAUTH userinfo does not have username or email {}
172.16.0.1 - - [26/Aug/2021:07:28:43 +0000] "GET /oauth-authorized/keycloak?state=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.e30.SqKPp4eMJlY0wyPJxubLV-L78CpXKgpfm2ilTlgecSg&session_state=c50b49a9-2878-4af6-8ce4-62da7b3a82fd&code=eec30213-f238-445a-b3f9-22db5091337d.c50b49a9-2878-4af6-8ce4-62da7b3a82fd.5e50dd12-2de1-479c-906f-d5272f3ba911 HTTP/1.1" 302 221 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36"
172.16.0.1 - - [26/Aug/2021:07:28:43 +0000] "GET /login/ HTTP/1.1" 302 871 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36"
[2021-08-26 07:28:43,972] {manager.py:1293} ERROR - OAUTH userinfo does not have username or email {}
172.16.0.1 - - [26/Aug/2021:07:28:43 +0000] "GET /oauth-authorized/keycloak?state=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.e30.SqKPp4eMJlY0wyPJxubLV-L78CpXKgpfm2ilTlgecSg&session_state=c50b49a9-2878-4af6-8ce4-62da7b3a82fd&code=384d3d06-dc9c-4478-bdea-917db0456d09.c50b49a9-2878-4af6-8ce4-62da7b3a82fd.5e50dd12-2de1-479c-906f-d5272f3ba911 HTTP/1.1" 302 221 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36"
172.16.0.1 - - [26/Aug/2021:07:28:44 +0000] "GET /login/ HTTP/1.1" 302 871 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36"
[2021-08-26 07:28:44,190] {manager.py:1293} ERROR - OAUTH userinfo does not have username or email {}
172.16.0.1 - - [26/Aug/2021:07:28:44 +0000] "GET /oauth-authorized/keycloak?state=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.e30.SqKPp4eMJlY0wyPJxubLV-L78CpXKgpfm2ilTlgecSg&session_state=c50b49a9-2878-4af6-8ce4-62da7b3a82fd&code=2561b99b-a098-4927-b8fe-5b4a4548b62f.c50b49a9-2878-4af6-8ce4-62da7b3a82fd.5e50dd12-2de1-479c-906f-d5272f3ba911 HTTP/1.1" 302 221 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36"
172.16.0.1 - - [26/Aug/2021:07:28:44 +0000] "GET /login/ HTTP/1.1" 302 871 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36"
[2021-08-26 07:28:44,431] {manager.py:1293} ERROR - OAUTH userinfo does not have username or email {}
172.16.0.1 - - [26/Aug/2021:07:28:44 +0000] "GET /oauth-authorized/keycloak?state=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.e30.SqKPp4eMJlY0wyPJxubLV-L78CpXKgpfm2ilTlgecSg&session_state=c50b49a9-2878-4af6-8ce4-62da7b3a82fd&code=a6486875-ce53-40d8-b9ed-461453a942e0.c50b49a9-2878-4af6-8ce4-62da7b3a82fd.5e50dd12-2de1-479c-906f-d5272f3ba911 HTTP/1.1" 302 221 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36"
172.16.0.1 - - [26/Aug/2021:07:28:44 +0000] "GET /login/ HTTP/1.1" 302 871 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36"
[2021-08-26 07:28:44,677] {manager.py:1293} ERROR - OAUTH userinfo does not have username or email {}
172.16.0.1 - - [26/Aug/2021:07:28:44 +0000] "GET /oauth-authorized/keycloak?state=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.e30.SqKPp4eMJlY0wyPJxubLV-L78CpXKgpfm2ilTlgecSg&session_state=c50b49a9-2878-4af6-8ce4-62da7b3a82fd&code=2710fb5a-f592-45d1-ade5-2dd7bbc3ca3e.c50b49a9-2878-4af6-8ce4-62da7b3a82fd.5e50dd12-2de1-479c-906f-d5272f3ba911 HTTP/1.1" 302 221 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36"
172.16.0.1 - - [26/Aug/2021:07:28:44 +0000] "GET /login/ HTTP/1.1" 302 871 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36"
[2021-08-26 07:28:44,920] {manager.py:1293} ERROR - OAUTH userinfo does not have username or email {}
172.16.0.1 - - [26/Aug/2021:07:28:44 +0000] "GET /oauth-authorized/keycloak?state=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.e30.SqKPp4eMJlY0wyPJxubLV-L78CpXKgpfm2ilTlgecSg&session_state=c50b49a9-2878-4af6-8ce4-62da7b3a82fd&code=1c7750d0-9517-4ba7-8c7c-6ff96fa4588a.c50b49a9-2878-4af6-8ce4-62da7b3a82fd.5e50dd12-2de1-479c-906f-d5272f3ba911 HTTP/1.1" 302 221 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36"
[2021-08-26 07:28:46,128] {app.py:1892} ERROR - Exception on /oauth-authorized/keycloak [GET]
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 2447, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1952, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1821, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python3.6/site-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1950, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1936, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/local/lib/python3.6/site-packages/flask_appbuilder/security/views.py", line 695, in oauth_authorized
    resp = self.appbuilder.sm.oauth_remotes[provider].authorize_access_token()
  File "/usr/local/lib/python3.6/site-packages/authlib/integrations/flask_client/remote_app.py", line 74, in authorize_access_token
    params = self.retrieve_access_token_params(flask_req, request_token)
  File "/usr/local/lib/python3.6/site-packages/authlib/integrations/base_client/base_app.py", line 145, in retrieve_access_token_params
    params = self._retrieve_oauth2_access_token_params(request, params)
  File "/usr/local/lib/python3.6/site-packages/authlib/integrations/base_client/base_app.py", line 126, in _retrieve_oauth2_access_token_params
    raise MismatchingStateError()
authlib.integrations.base_client.errors.MismatchingStateError: mismatching_state: CSRF Warning! State not equal in request and response.
172.16.0.1 - - [26/Aug/2021:07:28:46 +0000] "GET /oauth-authorized/keycloak?state=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.e30.SqKPp4eMJlY0wyPJxubLV-L78CpXKgpfm2ilTlgecSg&session_state=c50b49a9-2878-4af6-8ce4-62da7b3a82fd&code=1c7750d0-9517-4ba7-8c7c-6ff96fa4588a.c50b49a9-2878-4af6-8ce4-62da7b3a82fd.5e50dd12-2de1-479c-906f-d5272f3ba911 HTTP/1.1" 500 2447 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36"
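
The repeated "OAUTH userinfo does not have username or email {}" line in the log above means Flask-AppBuilder received an empty userinfo dict for the `keycloak` provider, so every callback was bounced back to /login/. The following is an added example, not part of the original post or of Airflow's code: a stand-alone sketch of the claim mapping that login step needs, where the sample claims, the `roles` claim name, the `User` and `Public` role values and both function names are assumptions.

```python
# Added example: pure Python, no Airflow or Flask-AppBuilder import required.
# Flask-AppBuilder's OAuth login needs "username" or "email" in the userinfo
# dict; an empty dict is what produces the error line seen in the log.

# Constructed sample of the standard OIDC claims a Keycloak userinfo endpoint
# returns. "roles" is an assumed custom claim added by a realm mapper.
SAMPLE_CLAIMS = {
    "sub": "00000000-0000-0000-0000-000000000000",
    "preferred_username": "jdoe",
    "email": "jdoe@example.com",
    "given_name": "Jane",
    "family_name": "Doe",
    "roles": ["FAB_ADMINS", "offline_access"],
}

# Same shape as AUTH_ROLES_MAPPING in webserver_config.py (constructed values).
ROLES_MAPPING = {"FAB_USERS": ["User"], "FAB_ADMINS": ["Admin"]}


def keycloak_claims_to_fab_userinfo(claims, roles_claim="roles"):
    """Map OIDC claims to the keys FAB reads; return {} when no identity exists."""
    if not isinstance(claims, dict):
        return {}
    username = claims.get("preferred_username") or claims.get("email")
    if not username:
        return {}  # caller must treat this as a failed login, not retry
    roles = claims.get(roles_claim) or []
    if isinstance(roles, str):
        roles = [roles]
    return {
        "username": username,
        "email": claims.get("email", ""),
        "first_name": claims.get("given_name", ""),
        "last_name": claims.get("family_name", ""),
        "role_keys": [r for r in roles if isinstance(r, str)],
    }


def resolve_fab_roles(role_keys, mapping, default_role="Public"):
    """Translate role_keys through the mapping; unmapped users get default_role."""
    resolved = sorted({fab for key in role_keys for fab in mapping.get(key, [])})
    return resolved or [default_role]
```

In a deployment this mapping would be called from an `oauth_user_info` override on a custom security manager class; falling back to a low-privilege role for unmapped users keeps a missing role claim from granting Admin.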