Enucatl commented on issue #49495:
URL: https://github.com/apache/airflow/issues/49495#issuecomment-3025011326

   > After tons of debugging, and comparing the working with the non working 
version, I found that the guilty part was the HttpOnly cookies. You see, my 
reverse proxy was set up in such a way to rewrite all Set-Cookie headers and make 
all cookies http-only. This was a good practice for the rest of the apps that 
the reverse proxy serves. But airflow frontend seems to need access to the cookie 
(I checked the localStorage in my browser and I found the token lands there, so 
I assume JS needs it). In any case, as soon as I removed the HttpOnly Cookie 
enhancement, it all worked fine.
   
   Thanks to the excellent work of @alkismavridis I landed here after a whole 
day of trying to upgrade from airflow 2 to 3.
   
   I believe that this is very problematic in an enterprise environment. For 
instance, I have authelia set up with traefik managing authentication for all 
internal services. It turns out, authelia [also sets 
HttpOnly](https://www.authelia.com/overview/security/measures/) and this 
behavior cannot be disabled. Nor would it be advisable or possible by policy, 
even if there was a flag in that specific software.
   
   Moreover, this was not the case in airflow 2, leaving a huge incompatibility 
in authentication setups.
   
   The only option I can try now is removing airflow from the global 
authentication, but this is not going to be feasible for everyone.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
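
A diagnostic for the proxy behavior described in the comment above, as an added example that is not part of the original comment or of Airflow's code: it compares `Set-Cookie` headers captured directly from the application with those captured through the reverse proxy and lists the cookies that gained `HttpOnly` in transit. The cookie names and header values are constructed placeholders, not Airflow's real ones.

```javascript
// Added example. All header values below are constructed sample data.

// Parse one Set-Cookie header value into its name, value and attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || '';
  const eq = first.indexOf('=');
  const name = eq < 0 ? first : first.slice(0, eq).trim();
  const value = eq < 0 ? '' : first.slice(eq + 1).trim();
  const attrs = new Map();
  for (const p of parts) {
    const i = p.indexOf('=');
    // Attribute names are case-insensitive; flags such as HttpOnly have no value.
    const key = (i < 0 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i < 0 ? true : p.slice(i + 1).trim());
  }
  return { name, value, httpOnly: attrs.has('httponly'), attrs };
}

// Names of cookies the application sent without HttpOnly but that carry it
// after passing through the proxy.
function findProxyAddedHttpOnly(upstreamHeaders, proxiedHeaders) {
  const upstream = new Map(
    upstreamHeaders.map(parseSetCookie).map((c) => [c.name, c])
  );
  return proxiedHeaders
    .map(parseSetCookie)
    .filter((c) => upstream.has(c.name) && !upstream.get(c.name).httpOnly && c.httpOnly)
    .map((c) => c.name);
}

// What page scripts could read via document.cookie: HttpOnly cookies are hidden.
function scriptVisible(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed capture: "ui_token" stands in for a cookie the frontend reads.
const upstream = [
  'ui_token=abc.def=; Path=/; SameSite=Lax',
  'session=xyz; Path=/; HttpOnly; Secure',
];
const proxied = upstream.map((h) => (/;\s*httponly/i.test(h) ? h : h + '; HttpOnly'));

console.log('HttpOnly added by proxy:', findProxyAddedHttpOnly(upstream, proxied));
console.log('Script-visible (direct):', scriptVisible(upstream));
console.log('Script-visible (proxied):', scriptVisible(proxied));
```

Cookies the application deliberately leaves readable by scripts are the ones to exempt from a blanket rewrite rule; cookies that already carry `HttpOnly` upstream are unaffected either way.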
