Good point. You're right — it's already possible to use Keycloak for user authentication with the FAB (Flask AppBuilder) auth manager. You can configure FAB to use Keycloak as an identity provider, allowing users to authenticate via Keycloak. Authorization, however, remains handled within FAB, meaning user permissions and access control are still enforced by Flask AppBuilder.
With this new provider, I'm proposing to introduce a brand-new auth manager that relies entirely on Keycloak, independent of Flask AppBuilder. This new manager would delegate both authentication and authorization to Keycloak — meaning all user permissions and access controls would be defined in Keycloak, not in Airflow. On 2025/05/20 16:35:07 Alexander Shorin wrote: > Hi! > > Sounds great, but Airflow already works perfectly to auth users via > Keycloak LDAP protocol. What this provider will change and why it will be > better than now? > > -- > ,,,^..^,,, > > On Tue, May 20, 2025 at 7:32 PM Beck, Vincent <vincb...@amazon.com.invalid> > wrote: > > > Hi all, > > > > I'd like to propose adding a new provider, Keycloak [1], to the collection > > of Apache Airflow providers. > > > > Keycloak is an open-source software product to allow single sign-on with > > identity and access management aimed at modern applications and services. > > > > The intent of this new provider would be to provide Keycloak auth manager, > > an auth manager [2] leveraging Keycloak to perform authentication and > > authorization of user actions in Airflow. > > > > I started the implementation and have a POC working. > > > > Happy to hear from you all any feedback or questions :) > > > > [1] https://www.keycloak.org/ > > [2] > > https://airflow.apache.org/docs/apache-airflow/stable/core-concepts/auth-manager/index.html > > > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@airflow.apache.org For additional commands, e-mail: dev-h...@airflow.apache.org
