[PR] Fix Internal Server Error in API server due to KeycloakPostError when refreshing user in Keycloak provider [airflow]

Fri, 12 Dec 2025 04:38:51 -0800 


dabla opened a new pull request, #59361:
URL: https://github.com/apache/airflow/pull/59361

   <!--
    Licensed to the Apache Software Foundation (ASF) under one
    or more contributor license agreements.  See the NOTICE file
    distributed with this work for additional information
    regarding copyright ownership.  The ASF licenses this file
    to you under the Apache License, Version 2.0 (the
    "License"); you may not use this file except in compliance
    with the License.  You may obtain a copy of the License at
   
      http://www.apache.org/licenses/LICENSE-2.0
   
    Unless required by applicable law or agreed to in writing,
    software distributed under the License is distributed on an
    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    KIND, either express or implied.  See the License for the
    specific language governing permissions and limitations
    under the License.
    -->
   
   <!--
   Thank you for contributing! Please make sure that your code changes
   are covered with tests. And in case of new features or big changes
   remember to adjust the documentation.
   
   Feel free to ping committers for the review!
   
   In case of an existing issue, reference it using one of the following:
   
   closes: [#59359](https://github.com/apache/airflow/issues/59359)
   related: [#59359](https://github.com/apache/airflow/issues/59359)
   
   How to write a good git commit message:
   http://chris.beams.io/posts/git-commit/
   -->
   
   This PR fixes issue [#59359](https://github.com/apache/airflow/issues/59359) 
which fixes an Internal Server Error in the Airflow API server due to a 
KeycloakPostError when refreshing user in Keycloak provider.
   
   This is because the Airflow API server has a cookie with an expired _token.  
That token never expires due to an expiration set to Session, thus the cookie 
is never invalided which at a certain time leads to an invalid token send to 
Keycloak.
   
   This leads to following exception in API server which makes the API server 
respond with a HTTP 500 Internal Server Error:
   
   ```
   INFO:     172.31.52.95:0 - "GET /favicon.ico HTTP/1.1" 500 Internal Server 
Error
   ERROR:    Exception in ASGI application
     + Exception Group Traceback (most recent call last):
     |   File "/usr/local/lib/python3.13/site-packages/starlette/_utils.py", 
line 79, in collapse_excgroups
     |     yield
     |   File 
"/usr/local/lib/python3.13/site-packages/starlette/middleware/base.py", line 
183, in __call__
     |     async with anyio.create_task_group() as task_group:
     |                ~~~~~~~~~~~~~~~~~~~~~~~^^
     |   File 
"/usr/local/lib/python3.13/site-packages/anyio/_backends/_asyncio.py", line 
783, in __aexit__
     |     raise BaseExceptionGroup(
     |         "unhandled errors in a TaskGroup", self._exceptions
     |     ) from None
     | ExceptionGroup: unhandled errors in a TaskGroup (1 sub-exception)
     +-+---------------- 1 ----------------
       | Traceback (most recent call last):
       |   File 
"/usr/local/lib/python3.13/site-packages/uvicorn/protocols/http/httptools_impl.py",
 line 409, in run_asgi
       |     result = await app(  # type: ignore[func-returns-value]
       |              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       |         self.scope, self.receive, self.send
       |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       |     )
       |     ^
       |   File 
"/usr/local/lib/python3.13/site-packages/uvicorn/middleware/proxy_headers.py", 
line 60, in __call__
       |     return await self.app(scope, receive, send)
       |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       |   File 
"/usr/local/lib/python3.13/site-packages/fastapi/applications.py", line 1082, 
in __call__
       |     await super().__call__(scope, receive, send)
       |   File 
"/usr/local/lib/python3.13/site-packages/starlette/applications.py", line 113, 
in __call__
       |     await self.middleware_stack(scope, receive, send)
       |   File 
"/usr/local/lib/python3.13/site-packages/starlette/middleware/errors.py", line 
186, in __call__
       |     raise exc
       |   File 
"/usr/local/lib/python3.13/site-packages/starlette/middleware/errors.py", line 
164, in __call__
       |     await self.app(scope, receive, _send)
       |   File 
"/usr/local/lib/python3.13/site-packages/starlette/middleware/gzip.py", line 
29, in __call__
       |     await responder(scope, receive, send)
       |   File 
"/usr/local/lib/python3.13/site-packages/starlette/middleware/gzip.py", line 
130, in __call__
       |     await super().__call__(scope, receive, send)
       |   File 
"/usr/local/lib/python3.13/site-packages/starlette/middleware/gzip.py", line 
46, in __call__
       |     await self.app(scope, receive, self.send_with_compression)
       |   File 
"/usr/local/lib/python3.13/site-packages/starlette/middleware/cors.py", line 
85, in __call__
       |     await self.app(scope, receive, send)
       |   File 
"/usr/local/lib/python3.13/site-packages/starlette/middleware/base.py", line 
182, in __call__
       |     with recv_stream, send_stream, collapse_excgroups():
       |                                    ~~~~~~~~~~~~~~~~~~^^
       |   File "/usr/lib64/python3.13/contextlib.py", line 162, in __exit__
       |     self.gen.throw(value)
       |     ~~~~~~~~~~~~~~^^^^^^^
       |   File "/usr/local/lib/python3.13/site-packages/starlette/_utils.py", 
line 85, in collapse_excgroups
       |     raise exc
       |   File 
"/usr/local/lib/python3.13/site-packages/starlette/middleware/base.py", line 
184, in __call__
       |     response = await self.dispatch_func(request, call_next)
       |                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       |   File 
"/usr/local/lib/python3.13/site-packages/airflow/api_fastapi/auth/middlewares/refresh_token.py",
 line 45, in dispatch
       |     new_user = await self._refresh_user(current_token)
       |                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       |   File 
"/usr/local/lib/python3.13/site-packages/airflow/api_fastapi/auth/middlewares/refresh_token.py",
 line 68, in _refresh_user
       |     return get_auth_manager().refresh_user(user=user)
       |            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^
       |   File 
"/usr/local/lib/python3.13/site-packages/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py",
 line 121, in refresh_user
       |     tokens = client.refresh_token(user.refresh_token)
       |   File 
"/usr/local/lib/python3.13/site-packages/keycloak/keycloak_openid.py", line 
410, in refresh_token
       |     return raise_error_from_response(data_raw, KeycloakPostError)
       |   File 
"/usr/local/lib/python3.13/site-packages/keycloak/exceptions.py", line 195, in 
raise_error_from_response
       |     raise error(
       |     ...<3 lines>...
       |     )
       | keycloak.exceptions.KeycloakPostError: 400: 
b'{"error":"invalid_grant","error_description":"Token is not active"}'
       +------------------------------------
   
   During handling of the above exception, another exception occurred:
   
   Traceback (most recent call last):
     File 
"/usr/local/lib/python3.13/site-packages/uvicorn/protocols/http/httptools_impl.py",
 line 409, in run_asgi
       result = await app(  # type: ignore[func-returns-value]
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
           self.scope, self.receive, self.send
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       )
       ^
     File 
"/usr/local/lib/python3.13/site-packages/uvicorn/middleware/proxy_headers.py", 
line 60, in __call__
       return await self.app(scope, receive, send)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     File "/usr/local/lib/python3.13/site-packages/fastapi/applications.py", 
line 1082, in __call__
       await super().__call__(scope, receive, send)
     File "/usr/local/lib/python3.13/site-packages/starlette/applications.py", 
line 113, in __call__
       await self.middleware_stack(scope, receive, send)
     File 
"/usr/local/lib/python3.13/site-packages/starlette/middleware/errors.py", line 
186, in __call__
       raise exc
     File 
"/usr/local/lib/python3.13/site-packages/starlette/middleware/errors.py", line 
164, in __call__
       await self.app(scope, receive, _send)
     File 
"/usr/local/lib/python3.13/site-packages/starlette/middleware/gzip.py", line 
29, in __call__
       await responder(scope, receive, send)
     File 
"/usr/local/lib/python3.13/site-packages/starlette/middleware/gzip.py", line 
130, in __call__
       await super().__call__(scope, receive, send)
     File 
"/usr/local/lib/python3.13/site-packages/starlette/middleware/gzip.py", line 
46, in __call__
       await self.app(scope, receive, self.send_with_compression)
     File 
"/usr/local/lib/python3.13/site-packages/starlette/middleware/cors.py", line 
85, in __call__
       await self.app(scope, receive, send)
     File 
"/usr/local/lib/python3.13/site-packages/starlette/middleware/base.py", line 
182, in __call__
       with recv_stream, send_stream, collapse_excgroups():
                                      ~~~~~~~~~~~~~~~~~~^^
     File "/usr/lib64/python3.13/contextlib.py", line 162, in __exit__
       self.gen.throw(value)
       ~~~~~~~~~~~~~~^^^^^^^
     File "/usr/local/lib/python3.13/site-packages/starlette/_utils.py", line 
85, in collapse_excgroups
       raise exc
     File 
"/usr/local/lib/python3.13/site-packages/starlette/middleware/base.py", line 
184, in __call__
       response = await self.dispatch_func(request, call_next)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     File 
"/usr/local/lib/python3.13/site-packages/airflow/api_fastapi/auth/middlewares/refresh_token.py",
 line 45, in dispatch
       new_user = await self._refresh_user(current_token)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     File 
"/usr/local/lib/python3.13/site-packages/airflow/api_fastapi/auth/middlewares/refresh_token.py",
 line 68, in _refresh_user
       return get_auth_manager().refresh_user(user=user)
              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^
     File 
"/usr/local/lib/python3.13/site-packages/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py",
 line 121, in refresh_user
       tokens = client.refresh_token(user.refresh_token)
     File 
"/usr/local/lib/python3.13/site-packages/keycloak/keycloak_openid.py", line 
410, in refresh_token
       return raise_error_from_response(data_raw, KeycloakPostError)
     File "/usr/local/lib/python3.13/site-packages/keycloak/exceptions.py", 
line 195, in raise_error_from_response
       raise error(
       ...<3 lines>...
       )
   keycloak.exceptions.KeycloakPostError: 400: 
b'{"error":"invalid_grant","error_description":"Token is not active"}'
   ```
   
   <img width="577" height="250" alt="image" 
src="https://github.com/user-attachments/assets/20470058-749a-49fd-a404-fa4c404754ee";
 />
   
   <!-- Please keep an empty line above the dashes. -->
   ---
   **^ Add meaningful description above**
   Read the **[Pull Request 
Guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#pull-request-guidelines)**
 for more information.
   In case of fundamental code changes, an Airflow Improvement Proposal 
([AIP](https://cwiki.apache.org/confluence/display/AIRFLOW/Airflow+Improvement+Proposals))
 is needed.
   In case of a new dependency, check compliance with the [ASF 3rd Party 
License Policy](https://www.apache.org/legal/resolved.html#category-x).
   In case of backwards incompatible changes please leave a note in a 
newsfragment file, named `{pr_number}.significant.rst` or 
`{issue_number}.significant.rst`, in 
[airflow-core/newsfragments](https://github.com/apache/airflow/tree/main/airflow-core/newsfragments).
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to