pierrejeambrun commented on code in PR #47432:
URL: https://github.com/apache/airflow/pull/47432#discussion_r1995498804
##########
docs/apache-airflow/core-concepts/auth-manager/index.rst:
##########
@@ -92,13 +92,30 @@ Some reasons you may want to write a custom auth manager
include:
* You'd like to use an auth manager that leverages an identity provider from
your preferred cloud provider.
* You have a private user management tool that is only available to you or
your organization.
-
Authentication related BaseAuthManager methods
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* ``get_user``: Return the signed-in user.
* ``get_url_login``: Return the URL the user is redirected to for signing in.
+JWT token management by auth managers
+-------------------------------------
+The auth manager is responsible of creating the JWT token and pass it to
Airflow UI. The protocol to exchange the JWT
+token between the auth manager and Airflow UI is using cookies. The auth
manager needs to save the JWT token in a
+cookie named ``_token`` before redirecting to the Airflow UI. The Airflow UI
will then read the cookie, save it and
+delete the cookie.
+
+.. code-block:: python
+
+ from airflow.api_fastapi.auth.managers.base_auth_manager import
COOKIE_NAME_JWT_TOKEN
+
+ response = RedirectResponse(url="/")
+ response.set_cookie(COOKIE_NAME_JWT_TOKEN, "_token", secure=True)
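Review bot: the example sets only `secure=True`, while the surrounding prose says the Airflow UI reads the cookie from the browser and then deletes it; that protocol means the cookie cannot be `httponly` (the UI code would not be able to read it), so the documented example should at least bound its exposure with a short `max_age` and an explicit `samesite="lax"`, both accepted by Starlette's `Response.set_cookie`, and the text should say why `httponly` is intentionally not set. The snippet also uses `RedirectResponse` without showing where it comes from; add `from fastapi.responses import RedirectResponse` next to the `COOKIE_NAME_JWT_TOKEN` import so the block is copy-pasteable. Minor wording in the same hunk: "is responsible of creating the JWT token and pass it to" should read "is responsible for creating the JWT token and passing it to", and "is using cookies" reads better as "uses cookies".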
Review Comment:
```suggestion
response.set_cookie(COOKIE_NAME_JWT_TOKEN, token, secure=True)
```
This is confusing as `_token` is the name of the cookie; it looks like we are missing the token value in the cookie.
##########
providers/fab/src/airflow/providers/fab/www/views.py:
##########
@@ -70,7 +72,10 @@
def index(self):
if g.user is not None and g.user.is_authenticated:
token = get_auth_manager().get_jwt_token(g.user)
- return redirect(urljoin(conf.get("api", "base_url"),
f"?token={token}"), code=302)
+ response = make_response(redirect(f"{conf.get('api',
'base_url')}", code=302))
+ response.set_cookie(COOKIE_NAME_JWT_TOKEN, token, secure=True)
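Review bot: the cookie is set with `secure=True` only, so it is created as a browser-session cookie with the default SameSite handling even though the front-end consumes and deletes it right after the redirect; pass a short `max_age` and `samesite="Lax"` (Flask's `Response.set_cookie` accepts both) so a token left over from an interrupted redirect does not linger, and keep these attributes identical to the example in the auth-manager docs hunk of this PR so the two do not drift. Replacing the removed `f"?token={token}"` query string with a cookie is the right move, since a token in the URL ends up in server logs, browser history and Referer headers. Style nit on the same line: `f"{conf.get('api', 'base_url')}"` is an f-string wrapping a single value with nothing else interpolated; `redirect(conf.get("api", "base_url"), code=302)` is equivalent and clearer.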
Review Comment:
Unfortunately I don't think we can do much here, because we want our JS front-end code to manipulate this...
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]