Hi Vincent,

This looks promising!

We're using Keycloak, integrated with Airflow using the FAB auth manager (OpenID). As of now, it has worked properly for us to log in to the webpage, but I never managed to get the API working for Keycloak users (I had to create users using FAB directly). We have versions 2.10 and 3 installed, so let me know if you'd like me to test the auth manager you've prepared.

On Tue, May 20, 2025 at 10:04 PM Alexander Shorin <kxe...@apache.org> wrote:

> Oh, this could be cool! But quite specific, since not everyone has Keycloak
> for auth things and Airflow still has to have one of its own.
> Maybe not full delegation, but some sort of synchronization could be a
> great middle ground. Airflow works like it always has, while the source of
> auth info becomes Keycloak or some other service via API.
>
> --
> ,,,^..^,,,
>
>
> On Tue, May 20, 2025 at 7:48 PM Vincent Beck <vincb...@apache.org> wrote:
>
> > Good point.
> >
> > You're right — it's already possible to use Keycloak for user
> > authentication with the FAB (Flask AppBuilder) auth manager. You can
> > configure FAB to use Keycloak as an identity provider, allowing users to
> > authenticate via Keycloak. Authorization, however, remains handled within
> > FAB, meaning user permissions and access control are still enforced by
> > Flask AppBuilder.
> >
> > With this new provider, I'm proposing to introduce a brand-new auth
> > manager that relies entirely on Keycloak, independent of Flask AppBuilder.
> > This new manager would delegate both authentication and authorization to
> > Keycloak — meaning all user permissions and access controls would be
> > defined in Keycloak, not in Airflow.
> >
> > On 2025/05/20 16:35:07 Alexander Shorin wrote:
> > > Hi!
> > >
> > > Sounds great, but Airflow already works perfectly to auth users via
> > > Keycloak LDAP protocol. What will this provider change and why will it
> > > be better than now?
> > >
> > > --
> > > ,,,^..^,,,
> > >
> > > On Tue, May 20, 2025 at 7:32 PM Beck, Vincent
> > > <vincb...@amazon.com.invalid> wrote:
> > >
> > > > Hi all,
> > > >
> > > > I'd like to propose adding a new provider, Keycloak [1], to the
> > > > collection of Apache Airflow providers.
> > > >
> > > > Keycloak is an open-source software product to allow single sign-on
> > > > with identity and access management aimed at modern applications and
> > > > services.
> > > >
> > > > The intent of this new provider would be to provide a Keycloak auth
> > > > manager, an auth manager [2] leveraging Keycloak to perform
> > > > authentication and authorization of user actions in Airflow.
> > > >
> > > > I started the implementation and have a POC working.
> > > >
> > > > Happy to hear any feedback or questions from you all :)
> > > >
> > > > [1] https://www.keycloak.org/
> > > > [2] https://airflow.apache.org/docs/apache-airflow/stable/core-concepts/auth-manager/index.html