zach-overflow commented on issue #48787: URL: https://github.com/apache/airflow/issues/48787#issuecomment-3161429004
I'm working on improving our custom Auth Manager implementation (not FAB), and ran into some similar challenges as described in this thread. Namely, the [current default `logout` route logic](https://github.com/apache/airflow/blob/3.0.3/airflow-core/src/airflow/api_fastapi/core_api/routes/public/auth.py#L46-L57) as of Airflow 3.0.3 will still redirect the user to the login page if the auth manager implementation doesn't override the `get_url_logout` method. We've observed this issue as well where the redirect to the login page + our automated login flow negates the prior logout. We were able to fix that by overriding the `get_url_logout` method so that it redirected to a static HTML page rather than the login page.

However, we've been trying to figure out the best approach for deleting / invalidating the cookie when a user intentionally logs out. Is there an expected / recommended way to handle the token invalidation? I can't seem to find where or how the cookie ends up being stored. Per the current [Auth manager doc](https://airflow.apache.org/docs/apache-airflow/3.0.3/core-concepts/auth-manager/index.html#jwt-token-management-by-auth-managers):

> The auth manager needs to save the JWT token in a cookie named _token before redirecting to the Airflow UI. The Airflow UI will then read the cookie, save it and delete the cookie

but I'm not sure _where_ exactly the auth manager ultimately saves the cookie after initially reading it from `_token`, as that quote implies. Happy to update the doc to clarify this, but I'm not sure what the correct answer is.
