Re: [PR] feat(doc): Add Refresh Token logic to auth manager docs [airflow]

Fri, 08 Aug 2025 06:15:02 -0700 


vincbeck commented on code in PR #54196:
URL: https://github.com/apache/airflow/pull/54196#discussion_r2262946655


##########
airflow-core/docs/core-concepts/auth-manager/index.rst:
##########
@@ -172,6 +172,40 @@ cookie named ``_token`` before redirecting to the Airflow 
UI. The Airflow UI wil
 .. note::
     Do not set the cookie parameter ``httponly`` to ``True``. Airflow UI needs 
to access the JWT token from the cookie.
 
+Refreshing JWT Token
+''''''''''''''''''''
+The refresh token ``<METHOD> <PATH>`` is ``POST /auth/token/refresh``. It 
returns a new JWT token in the cookie where updated token is stored.
+It requires the user to be authenticated, and it is usually called by the 
Airflow UI/API when the JWT token is about to expire.
+This endpoint is used to refresh the JWT token when it is about to expire.
+The auth manager should implement this endpoint to allow the Airflow UI/API to 
refresh the JWT token.

Review Comment:
   We should also mention why an auth manager should override this method. If 
the auth manager does not use any underlying token underneath, there is no 
value implementing this method. An auth manager should override this method if 
it uses a token which expires and need to be refreshed (like Keycloak)



##########
airflow-core/docs/core-concepts/auth-manager/index.rst:
##########
@@ -172,6 +172,40 @@ cookie named ``_token`` before redirecting to the Airflow 
UI. The Airflow UI wil
 .. note::
     Do not set the cookie parameter ``httponly`` to ``True``. Airflow UI needs 
to access the JWT token from the cookie.
 
+Refreshing JWT Token
+''''''''''''''''''''
+The refresh token ``<METHOD> <PATH>`` is ``POST /auth/token/refresh``. It 
returns a new JWT token in the cookie where updated token is stored.

Review Comment:
   I do not think it is needed to mention the path, each auth manager can come 
up with their own path. It does not really matter because Airflow can get this 
path with `get_url_refresh`. By the way, it would be great to mention this 
method in the doc, saying that if the auth manager provide an endpoint to 
refresh the token, it should be returned with `get_url_refresh`



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to