arjav1528 opened a new pull request, #61095:
URL: https://github.com/apache/airflow/pull/61095
The Keycloak authentication provider generates HTTP redirect URLs even when
running behind an HTTPS reverse proxy. This occurs because the login route
uses `request.url_for()` to generate the callback URL, which doesn't respect
proxy headers like `X-Forwarded-Proto` by default.
This fix configures Airflow to respect proxy headers by adding support for:
1. Uvicorn's `--proxy-headers` flag with `FORWARDED_ALLOW_IPS` environment
variable
2. Alternative ProxyFix middleware configuration
Both approaches enable the Keycloak provider to correctly generate HTTPS
redirect URLs when deployed behind nginx ingress or other reverse proxies.
Testing:
- Verified redirect_uri uses HTTPS when proxy headers are configured
- Confirmed backward compatibility with existing deployments
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
