Skip to content

Add Keycloak Refresh Token Middleware #51657

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 14 commits into
base: main
Choose a base branch
from
Open

Add Keycloak Refresh Token Middleware #51657

wants to merge 14 commits into from
+283 −2

Conversation

bugraoz93
Copy link
Contributor

^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named {pr_number}.significant.rst or {issue_number}.significant.rst, in airflow-core/newsfragments.

vincbeck
vincbeck requested changes Jun 13, 2025
View reviewed changes
Copy link
Contributor

@vincbeck vincbeck left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this PR should be separated in multiple PRs, you are trying to implement multiple different features. I started to work on the create token API (https://github.com/orgs/apache/projects/500/views/1?pane=issue&itemId=112609811) but it seems you want to work on it as well?

@bugraoz93
Copy link
Contributor Author

bugraoz93 commented Jun 13, 2025
edited
Loading

I think this PR should be separated in multiple PRs, you are trying to implement multiple different features. I started to work on the create token API (Keycloak auth manager (view)) but it seems you want to work on it as well?

I should have communicated this with you better. My bad, Vincent! Although I saw the issue, I first started adding these features because I thought we would have these endpoints to manage login, similar to FAB and SAM but then realised that we should manage the login and refresh part separately. Those things just stayed. I can also help on those parts if there isn't too much duplicate work already on your side 😅 Please let me know which one can stay and I can separate the PR and implement unit test on it

@vincbeck
Copy link
Contributor

vincbeck commented Jun 13, 2025
edited
Loading

No worries at all Bugra, and thanks a lot for your hard work, I understand Keycloak can be confusing and auth in general is not easy to grasp at first sight. Let's do it step by step, could you update this PR to focus only on the refresh token logic? We'll see other points later. I think that will simplify the review.

@bugraoz93
Copy link
Contributor Author

Thanks Vincent! It has been a great time spent to learn and connecting all the pieces for both Keycloak and our internal authentication. I only worked on the backend API part in other authentication managers, so I missed completely what and how the entire authentication system works.
Sure, Vincent, I will update the PR to include only the refresh_token logic. I will update the PR today or tomorrow. Today, I have a full day plan, so I will try the night or tomorrow morning to update the PR :)

@bugraoz93 bugraoz93 force-pushed the feat/keycloak/api branch from 0e3aeb3 to 891394a Compare June 15, 2025 19:39
@bugraoz93 bugraoz93 changed the title Add Keycloak endpoints, middleware, service and logout Add Keycloak Refresh Token Middleware Jun 15, 2025
vincbeck
vincbeck reviewed Jun 20, 2025
View reviewed changes
@bugraoz93 bugraoz93 force-pushed the feat/keycloak/api branch from 891394a to ce1fa1c Compare June 21, 2025 15:10
@bugraoz93 bugraoz93 force-pushed the feat/keycloak/api branch 2 times, most recently from a59ce34 to 0e94d22 Compare June 22, 2025 21:12
vincbeck
vincbeck reviewed Jun 23, 2025
View reviewed changes
Copy link
Contributor

@vincbeck vincbeck left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall it is much better :) I like the direction and I think we are close. Thanks for being receptive to my comments :)

On top of my comments, one other thing: I think we should call refresh_token only when the token expired. A bit like your previous implementation. Basically:

  • Detecting when Keycloak token expired by catching the exception. When that happens, raising another generic exception (e.g. using an exception from jwt package)
  • In the middleware, catching this exception, and calling refresh_token when that happens

That allows to call refresh_token only when the token expires, otherwise we call refresh_token at every call, which can lead to severe latency increase.

vincbeck
vincbeck reviewed Jun 23, 2025
View reviewed changes
@bugraoz93 bugraoz93 force-pushed the feat/keycloak/api branch from bdf69d3 to 3a8a002 Compare June 23, 2025 19:58
@bugraoz93
Copy link
Contributor Author

Overall it is much better :) I like the direction and I think we are close. Thanks for being receptive to my comments :)

On top of my comments, one other thing: I think we should call refresh_token only when the token expired. A bit like your previous implementation. Basically:

  • Detecting when Keycloak token expired by catching the exception. When that happens, raising another generic exception (e.g. using an exception from jwt package)
  • In the middleware, catching this exception, and calling refresh_token when that happens

That allows to call refresh_token only when the token expires, otherwise we call refresh_token at every call, which can lead to severe latency increase.

Thanks a lot, Vincent! I would be a lot faster in different areas but in auth managers, I have learned a lot during the implementation. Still small unit test is needed for refresh_token. Functionality is also working as expected. I will try to do it and finalise this one in the coming hours.

vincbeck
vincbeck reviewed Jun 23, 2025
View reviewed changes
@bugraoz93 bugraoz93 force-pushed the feat/keycloak/api branch from ebe67d1 to 9c8fca7 Compare June 24, 2025 22:20
@bugraoz93 bugraoz93 marked this pull request as ready for review June 24, 2025 22:21
@bugraoz93 bugraoz93 requested a review from jason810496 as a code owner June 24, 2025 22:21
@bugraoz93 bugraoz93 force-pushed the feat/keycloak/api branch from c053c59 to 1793cc9 Compare June 24, 2025 22:24
vincbeck
vincbeck reviewed Jun 25, 2025
View reviewed changes
Copy link
Contributor

@vincbeck vincbeck left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Only this comment thread to resolve and we are good :)

bugraoz93 and others added 11 commits June 25, 2025 20:14
@bugraoz93
Add refresh_token to base_auth_manager.py and include KeycloakAuthMan…
bcdce76 
…ager integration
@bugraoz93
Add Refresh Token Middleware to core Airflow
a864600
@bugraoz93
Create refresh_token flow in UI in the request/response interceptors
ad3c8b9
@bugraoz93
Fix UI tests, remove unused method from Keycloak user and fix route t…
d5c3363 
…ests
@bugraoz93
Only refresh when needed, change user to typevar, minimize ui changes…
794e6dd 
… and change refresh_token
@bugraoz93
Only refresh when needed, change user to typevar, minimize ui changes…
a4d1299 
… and change refresh_token
@bugraoz93
Execute refresh_token only for UI request via checking cors, update docs
7bd3171
@bugraoz93
Execute refresh_token only for UI request via checking cors, update d…
252fae3 
…ocs and add tests
@bugraoz93 @vincbeck
Update airflow-core/src/airflow/api_fastapi/auth/managers/base_auth_m…
dba7788 
…anager.py

Co-authored-by: Vincent <[email protected]>
@bugraoz93
Remove print
839bbad
@bugraoz93
Rebase and remove duplicate get_keycloak_client
ad0eeba
@bugraoz93 bugraoz93 force-pushed the feat/keycloak/api branch from 1793cc9 to ad0eeba Compare June 25, 2025 18:32
@vincbeck
Copy link
Contributor

One last ask (promise, the last one), can you add a test for the middleware? Thanks again for the work!

@bugraoz93
Copy link
Contributor Author

One last ask (promise, the last one), can you add a test for the middleware? Thanks again for the work!

For sure, thanks for pointing out! I would say this is a good collaboration rather than an ask :)

@bugraoz93
Copy link
Contributor Author

Added the test, which I had missed while deleting it for the CORS. That was on me

@bugraoz93
Copy link
Contributor Author

This needs small care on the test. It worked in my local but seems not here. Will check this out

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vincbeck vincbeck vincbeck requested changes

@bbovenzi bbovenzi Awaiting requested review from bbovenzi bbovenzi is a code owner

@pierrejeambrun pierrejeambrun Awaiting requested review from pierrejeambrun pierrejeambrun is a code owner

@ryanahamilton ryanahamilton Awaiting requested review from ryanahamilton ryanahamilton is a code owner

@jscheffl jscheffl Awaiting requested review from jscheffl jscheffl is a code owner

@shubhamraj-git shubhamraj-git Awaiting requested review from shubhamraj-git shubhamraj-git is a code owner

@ephraimbuddy ephraimbuddy Awaiting requested review from ephraimbuddy ephraimbuddy is a code owner

@rawwar rawwar Awaiting requested review from rawwar rawwar is a code owner

@jason810496 jason810496 Awaiting requested review from jason810496 jason810496 is a code owner

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
area:dev-tools area:providers provider:keycloak
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@bugraoz93 @vincbeck