Hi Airflow community, I am trying to enable Okta authentication for the first time in our Airflow application but am running into problems. Can someone please help us validate our configuration and let us know if we are missing something on our end?
#Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
"""Default configuration for the Airflow webserver"""
import os
from airflow.www.fab_security.manager import AUTH_OAUTH
#from flask_appbuilder.security.manager import AUTH_OAUTH
# Absolute path of the directory that contains this config file.
basedir = os.path.dirname(os.path.abspath(__file__))

# Flask-WTF CSRF protection for the web UI's forms; keep it enabled.
WTF_CSRF_ENABLED = True
# ----------------------------------------------------
# AUTHENTICATION CONFIG
# ----------------------------------------------------
# Setup details for each supported authentication method:
# http://flask-appbuilder.readthedocs.io/en/latest/security.html#authentication-methods

# Authentication type: delegate login to an external OAuth provider.
AUTH_TYPE = AUTH_OAUTH

# Name of the full-admin role.
AUTH_ROLE_ADMIN = "Admin"
# OAuth provider(s) offered at login. A single entry is configured: Okta.
# NOTE(review): the webserver itself POSTs to access_token_url while handling
# the /oauth-authorized/okta callback, so it needs outbound HTTPS to that host
# (including any proxy and CA bundle) -- confirm from the webserver's network.
OAUTH_PROVIDERS = [
    {
        "name": "okta",
        "token_key": "access_token",
        "icon": "fa-circle-o",
        "remote_app": {
            "client_id": "xxxxxxxxxxxxx",
            # Redacted here. Keep the real secret out of this file and out of
            # version control (load it from the environment or a secret store).
            "client_secret": "xxxxxxxxxxxxxxxxxxx",
            "api_base_url": "https://xxxxxxx.com/oauth2/v1/",
            # 'groups' is presumably requested so that group membership can
            # drive AUTH_ROLES_MAPPING -- confirm the Okta app returns it.
            "client_kwargs": {"scope": "openid profile email groups"},
            # "redirect_uri": "https://xxxxxxx.com/oauth-authorized/okta",
            "access_token_url": "https://xxxxxxx.com/oauth2/v1/token",
            "authorize_url": "https://xxxxxxx.com/oauth2/v1/authorize",
            "jwks_uri": "https://xxxxxxx.com/oauth2/v1/keys",
            # Alternative to listing the endpoints by hand (OIDC discovery):
            # "server_metadata_url": "https://xxxxxxx.com/.well-known/openid-configuration",
        },
    }
]
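# Allow user self-registration: an account is created for a user who signs in
# through the provider and does not have one yet.
AUTH_USER_REGISTRATION = True

# Default role for self-registered users. Least privilege: every identity that
# can authenticate through the provider receives this role, so it must not be
# "Admin". Elevated access comes only from AUTH_ROLES_MAPPING below.
# NOTE(review): Flask-AppBuilder appears to add this role on top of the mapped
# roles at every role sync -- verify against the installed version.
AUTH_USER_REGISTRATION_ROLE = "Viewer"

# Provider-side group name -> Airflow roles granted to its members.
# Only members of the provider's "Admin" group become Airflow Admins.
AUTH_ROLES_MAPPING = {
    "Admin": ["Admin"],
}

# Replace ALL of the user's roles at each login, not only at registration,
# so that removing someone from a group also removes the role.
AUTH_ROLES_SYNC_AT_LOGIN = True

# Force users to re-authenticate after 12 h (43200 s) of inactivity,
# which keeps their roles in sync.
PERMANENT_SESSION_LIFETIME = 43200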
The error I am getting in the webserver logs is shown below (Internal Server Error):
[2025-01-29 19:55:59 +0000] [21] [CRITICAL] WORKER TIMEOUT (pid:92)
[2025-01-29 19:55:59 +0000] [92] [ERROR] Error handling request /oauth-authorized/okta?code=xxxxxxxxxxxxxx&state=xxxxxxxxxxx
Traceback (most recent call last):
File "/opt/app-root/lib64/python3.9/site-packages/gunicorn/workers/sync.py", line 134, in handle
self.handle_request(listener, req, client, addr)
File "/opt/app-root/lib64/python3.9/site-packages/gunicorn/workers/sync.py", line 177, in handle_request
respiter = self.wsgi(environ, resp.start_response)
File "/opt/app-root/lib64/python3.9/site-packages/flask/app.py", line 2552, in __call__
return self.wsgi_app(environ, start_response)
File "/opt/app-root/lib64/python3.9/site-packages/flask/app.py", line 2529, in wsgi_app
response = self.full_dispatch_request()
File "/opt/app-root/lib64/python3.9/site-packages/flask/app.py", line 1823, in full_dispatch_request
rv = self.dispatch_request()
File "/opt/app-root/lib64/python3.9/site-packages/flask/app.py", line 1799, in dispatch_request
return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
File "/opt/app-root/lib64/python3.9/site-packages/flask_appbuilder/security/views.py", line 679, in oauth_authorized
resp = self.appbuilder.sm.oauth_remotes[provider].authorize_access_token()
File "/opt/app-root/lib64/python3.9/site-packages/authlib/integrations/flask_client/apps.py", line 101, in authorize_access_token
token = self.fetch_access_token(**params, **kwargs)
File "/opt/app-root/lib64/python3.9/site-packages/authlib/integrations/base_client/sync_app.py", line 347, in fetch_access_token
token = client.fetch_token(token_endpoint, **params)
File "/opt/app-root/lib64/python3.9/site-packages/authlib/oauth2/client.py", line 217, in fetch_token
return self._fetch_token(
File "/opt/app-root/lib64/python3.9/site-packages/authlib/oauth2/client.py", line 366, in _fetch_token
resp = self.session.post(
File "/opt/app-root/lib64/python3.9/site-packages/requests/sessions.py", line 637, in post
return self.request("POST", url, data=data, json=json, **kwargs)
File "/opt/app-root/lib64/python3.9/site-packages/authlib/integrations/requests_client/oauth2_session.py", line 112, in request
return super().request(
File "/opt/app-root/lib64/python3.9/site-packages/requests/sessions.py", line 589, in request
resp = self.send(prep, **send_kwargs)
File "/opt/app-root/lib64/python3.9/site-packages/requests/sessions.py", line 703, in send
r = adapter.send(request, **kwargs)
File "/opt/app-root/lib64/python3.9/site-packages/requests/adapters.py", line 667, in send
resp = conn.urlopen(
File "/opt/app-root/lib64/python3.9/site-packages/urllib3/connectionpool.py", line 715, in urlopen
httplib_response = self._make_request(
File "/opt/app-root/lib64/python3.9/site-packages/urllib3/connectionpool.py", line 404, in _make_request
self._validate_conn(conn)
File "/opt/app-root/lib64/python3.9/site-packages/urllib3/connectionpool.py", line 1060, in _validate_conn
conn.connect()
File "/opt/app-root/lib64/python3.9/site-packages/urllib3/connection.py", line 419, in connect
self.sock = ssl_wrap_socket(
File "/opt/app-root/lib64/python3.9/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
ssl_sock = _ssl_wrap_socket_impl(
File "/opt/app-root/lib64/python3.9/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib64/python3.9/ssl.py", line 501, in wrap_socket
return self.sslsocket_class._create(
File "/usr/lib64/python3.9/ssl.py", line 1074, in _create
self.do_handshake()
File "/usr/lib64/python3.9/ssl.py", line 1343, in do_handshake
self._sslobj.do_handshake()
File "/opt/app-root/lib64/python3.9/site-packages/gunicorn/workers/base.py", line 204, in handle_abort
sys.exit(1)
SystemExit: 1
Hi Airflow community, I am trying to enable Okta authentication for the first time in our Airflow application but am running into problems. Can someone please help us validate our configuration and let us know if we are missing something on our end?
Below is our Airflow webserver.cfg file
The error I am getting in the webserver logs is shown below (Internal Server Error):