willyyang opened a new issue, #51662: URL: https://github.com/apache/airflow/issues/51662
### Apache Airflow version

3.0.2

### If "Other Airflow 2 version" selected, which one?

Database users created via CLI cannot authenticate when OAuth is configured as AUTH_TYPE in FAB auth manager

### What happened?

When using FAB auth manager with OAuth authentication (specifically Azure EntraID) configured as the primary authentication method (`AUTH_TYPE = AUTH_OAUTH`), users created via the `airflow users create` CLI command cannot authenticate through the API, even when basic auth backend is properly configured.

The `/auth/token` endpoint returns "Invalid username" error, and basic authentication via curl also fails with "not authenticated" error, despite the user existing in the database and having the correct credentials.

The following guidelines were followed as a starting ground: https://airflow.apache.org/docs/apache-airflow-providers-fab/stable/auth-manager/api-authentication.html#basic-authentication

### What you think should happen instead?

Users created via `airflow users create` should be able to authenticate through the API using either:

1. The /auth/token endpoint to obtain JWT tokens
2. Basic authentication when `airflow.providers.fab.auth_manager.api.auth.backend.basic_auth` is configured

The authentication mechanism should check database users regardless of the primary AUTH_TYPE setting, especially when multiple auth backends are configured.

### How to reproduce

1. Configure Airflow 3.0.2 with FAB auth manager and OAuth (Azure EntraID in this case), the following is a loose example but there are other docs for how to set this up.

```
from flask_appbuilder.security.manager import AUTH_OAUTH
import os

# OAuth (Azure EntraID) is the primary authentication method
AUTH_TYPE = AUTH_OAUTH
OAUTH_PROVIDERS = [{
    'name': 'azure',
    'token_key': 'access_token',
    'icon': 'fa-windows',
    'remote_app': {
        'client_id': os.getenv('AZURE_CLIENT_ID'),
        'client_secret': os.getenv('AZURE_CLIENT_SECRET'),
        'api_base_url': f"https://login.microsoftonline.com/{os.getenv('AZURE_TENANT_ID')}/",
        'client_kwargs': {
            'scope': 'User.read openid email profile',
        },
        'access_token_url': f"https://login.microsoftonline.com/{os.getenv('AZURE_TENANT_ID')}/oauth2/v2.0/token",
        'authorize_url': f"https://login.microsoftonline.com/{os.getenv('AZURE_TENANT_ID')}/oauth2/v2.0/authorize",
    },
}]
# Register users on their first OAuth login and re-sync their roles at each login
AUTH_USER_REGISTRATION = True
AUTH_ROLES_SYNC_AT_LOGIN = True
```

2. Configure multiple auth backends in airflow.cfg or via environment variable:

```
export AIRFLOW__FAB__AUTH_BACKENDS='airflow.providers.fab.auth_manager.api.auth.backend.session,airflow.providers.fab.auth_manager.api.auth.backend.basic_auth'
```

3. Create a user via CLI:

```
airflow users create \
  --username api1 \
  --firstname API \
  --lastname User \
  --role Admin \
  --email a...@example.com \
  --password password
```

4. Verify the user exists:

```
airflow users list
```

5. Try to authenticate via API

```
# Using basic auth
curl -X GET --user "api1:password" http://localhost:8080/api/v2/dags
# Returns: {"detail":"Unauthenticated"}

# Using token endpoint
curl -X POST http://localhost:8080/auth/token \
  -H 'Content-Type: application/json' \
  -d '{"username": "api1", "password": "password"}'
# Returns: {"detail":"Invalid username"}
```

### Operating System

Debian GNU/Linux 12 (bookworm)

### Versions of Apache Airflow Providers

apache-airflow-providers-fab==2.2.0

### Deployment

Other

### Deployment details

Deployed in OCP4.

### Anything else?

_No response_

### Are you willing to submit PR?

- [ ] Yes I am willing to submit a PR!

### Code of Conduct

- [x] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)