apache / airflow

Apache Airflow - A platform to programmatically author, schedule, and monitor workflows
https://airflow.apache.org/
Apache License 2.0

When configuring OIDC, I get this error: 022-11-01 05:35:48,236] {views.py:671} ERROR - Error returning OAuth user info: 'name' [2022-11-01 05:35:48,236] {views.py:671} #27430

Closed 601579263 closed 1 year ago

601579263 commented 1 year ago

Apache Airflow version

2.4.2

What happened

When configuring OIDC, I get this error: 022-11-01 05:35:48,236] {views.py:671} ERROR - Error returning OAuth user info: 'name' [2022-11-01 05:35:48,236] {views.py:671}

[01/Nov/2022:05:35:48 +0000] "GET /oauth-authorized/hangyeyun?code=lqxDMB&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuZXh0IjpbIiJdfQ.hNun3xh75k3JiI-dsKwebFH_yxD1Hkvy7nwlotqKffI HTTP/1.1" 302 201 "http://crust-dev.956eed.grapps.cn/api/auth/oidc/login?response_type=code&client_id=testairflow&redirect_uri=http%3A%2F%2F10.10.181.62%3A8080%2Foauth-authorized%2Fhangyeyun&scope=%2A&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuZXh0IjpbIiJdfQ.hNun3xh75k3JiI-dsKwebFH_yxD1Hkvy7nwlotqKffI" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36"

What you think should happen instead

The login page shows "Invalid login. Please try again."

How to reproduce

No response

Operating System

centos7

Versions of Apache Airflow Providers

2.4.2

Deployment

Docker-Compose

Deployment details

```yaml
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
#

# Basic Airflow cluster configuration for CeleryExecutor with Redis and PostgreSQL.
#
# WARNING: This configuration is for local development. Do not use it in a production deployment.
#
# This configuration supports basic configuration using environment variables or an .env file
# The following variables are supported:
#
# AIRFLOW_IMAGE_NAME           - Docker image name used to run Airflow.
#                                Default: apache/airflow:2.4.2
# AIRFLOW_UID                  - User ID in Airflow containers
#                                Default: 50000
# Those configurations are useful mostly in case of standalone testing/running Airflow in test/try-out mode
#
# _AIRFLOW_WWW_USER_USERNAME   - Username for the administrator account (if requested).
#                                Default: airflow
# _AIRFLOW_WWW_USER_PASSWORD   - Password for the administrator account (if requested).
#                                Default: airflow
# _PIP_ADDITIONAL_REQUIREMENTS - Additional PIP requirements to add when starting all containers.
#                                Default: ''
#
# Feel free to modify this file to suit your needs.
---
version: '3'
x-airflow-common:
  &airflow-common
  # In order to add custom dependencies or upgrade provider packages you can use your extended image.
  # Comment the image line, place your Dockerfile in the directory where you placed the docker-compose.yaml
  # and uncomment the "build" line below, Then run `docker-compose build` to build the images.
  image: apache/airflow:2.4.2
  # build: .
  environment:
    &airflow-common-env
    AIRFLOW__CORE__EXECUTOR: CeleryExecutor
    AIRFLOW__DATABASE__SQL_ALCHEMY_CONN: postgresql+psycopg2://airflow:airflow@postgres/airflow
    # For backward compatibility, with Airflow <2.3
    AIRFLOW__CORE__SQL_ALCHEMY_CONN: postgresql+psycopg2://airflow:airflow@postgres/airflow
    AIRFLOW__CELERY__RESULT_BACKEND: db+postgresql://airflow:airflow@postgres/airflow
    AIRFLOW__CELERY__BROKER_URL: redis://:@redis:6379/0
    AIRFLOW__CORE__FERNET_KEY: ''
    AIRFLOW__CORE__DAGS_ARE_PAUSED_AT_CREATION: 'true'
    AIRFLOW__CORE__LOAD_EXAMPLES: 'true'
    AIRFLOW__API__AUTH_BACKENDS: 'airflow.api.auth.backend.basic_auth'
    #_PIP_ADDITIONAL_REQUIREMENTS: ${_PIP_ADDITIONAL_REQUIREMENTS:-}
    # pip requirement specifiers pin a version with '==' ('Authlib:1.1.0' is not a valid specifier)
    _PIP_ADDITIONAL_REQUIREMENTS: 'Authlib==1.1.0'
  volumes:
    # (volume list truncated in the original post)

services:
  postgres:
    image: postgres:13
    environment:
      POSTGRES_USER: airflow
      POSTGRES_PASSWORD: airflow
      POSTGRES_DB: airflow
    volumes:
      # (volume list truncated in the original post)
  # (remaining services truncated in the original post)

volumes:
  postgres-db-volume:
```

Anything else

I created a new custom_sso_security_manager.py with the following content:

```python
import logging

from airflow.www.security import AirflowSecurityManager


class CustomSsoSecurityManager(AirflowSecurityManager):

    def oauth_user_info(self, provider, response=None):
        logging.debug("Oauth2 provider------------------------------------------: {0}.".format(provider))
        if provider == 'hangyeyun':
            # Call the user-info endpoint (relative path; Authlib resolves it against api_base_url)
            me = self.appbuilder.sm.oauth_remotes[provider].get('oidc/me').json()
            logging.debug("user_data=========================================================: {0}".format(me))
            return {
                # full name
                'name': me['name'],
                # e-mail (note: email must not be empty)
                'email': me['email'],
                # username (note: username must not be empty)
                'username': me['username'],
                # first (given) name
                'first_name': me['given_name'],
                # last (family) name
                'last_name': me['family_name'],
                # roles; currently has no effect, see https://github.com/apache/airflow/issues/15601
                'role_keys': me['roles']
            }
```

I also configured webserver_config.py with the following content:

```python
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
"""Default configuration for the Airflow webserver"""
import os
import sys

sys.path.append(os.getcwd())

from airflow.www.fab_security.manager import AUTH_DB
from airflow.www.fab_security.manager import AUTH_LDAP
from airflow.www.fab_security.manager import AUTH_OAUTH
from airflow.www.fab_security.manager import AUTH_OID
from airflow.www.fab_security.manager import AUTH_REMOTE_USER

basedir = os.path.abspath(os.path.dirname(__file__))

# Flask-WTF flag for CSRF
WTF_CSRF_ENABLED = True

# ----------------------------------------------------
# AUTHENTICATION CONFIG
# ----------------------------------------------------
# For details on how to set up each of the following authentication, see
# http://flask-appbuilder.readthedocs.io/en/latest/security.html#authentication-methods
# for details.

# The authentication type
# AUTH_OID : Is for OpenID
# AUTH_DB : Is for database
# AUTH_LDAP : Is for LDAP
# AUTH_REMOTE_USER : Is for using REMOTE_USER from web server
# AUTH_OAUTH : Is for OAuth
AUTH_TYPE = AUTH_OAUTH

# Import the custom SecurityManager package
FAB_SECURITY_MANAGER_CLASS = 'custom_sso_security_manager.CustomSsoSecurityManager'

# Uncomment to setup Full admin role name
# AUTH_ROLE_ADMIN = 'Admin'

# Uncomment to setup Public role name, no authentication needed
# AUTH_ROLE_PUBLIC = 'Public'

# Will allow user self registration
# AUTH_USER_REGISTRATION = True

# The recaptcha it's automatically enabled for user self registration is active and the keys are necessary
# RECAPTCHA_PRIVATE_KEY = PRIVATE_KEY
# RECAPTCHA_PUBLIC_KEY = PUBLIC_KEY

# Config for Flask-Mail necessary for user self registration
# MAIL_SERVER = 'smtp.gmail.com'
# MAIL_USE_TLS = True
# MAIL_USERNAME = 'yourappemail@gmail.com'
# MAIL_PASSWORD = 'passwordformail'
# MAIL_DEFAULT_SENDER = 'sender@gmail.com'

# The default user self registration role
# AUTH_USER_REGISTRATION_ROLE = "Public"

# When using OAuth Auth, uncomment to setup provider(s) info
# Google OAuth example:
# OAUTH_PROVIDERS = [{
#   'name':'google',
#     'token_key':'access_token',
#     'icon':'fa-google',
#     'remote_app': {
#         'api_base_url':'https://www.googleapis.com/oauth2/v2/',
#         'client_kwargs':{
#           'scope': 'email profile'
#         },
#         'access_token_url':'https://accounts.google.com/o/oauth2/token',
#         'authorize_url':'https://accounts.google.com/o/oauth2/auth',
#         'request_token_url': None,
#         'client_id': GOOGLE_KEY,
#         'client_secret': GOOGLE_SECRET_KEY,
#     }
# }]
OAUTH_PROVIDERS = [{
    'name': 'hangyeyun',
    'token_key': 'access_token',
    # icons can be taken from https://fontawesome.com/
    'icon': 'fa-google',
    'remote_app': {
        # Client Id, copied from the Authing application details
        'client_id': 'testairflow',
        # Client Secret, copied from the Authing application details
        'client_secret': '123456',
        # Api Base URL, copied from the Authing application details
        'api_base_url': 'http://我的域名/api/auth/oidc/userinfo',
        # Access Token URL, copied from the Authing application details
        'access_token_url': 'http://我的域名/api/auth/oidc/token',
        # Authorize URL, copied from the Authing application details
        'authorize_url': 'http://我的域名/api/auth/oidc/login',
        'request_token_url': None,
        'client_kwargs': {
            'scope': '*'
        }
    }
}]

# When using LDAP Auth, setup the ldap server
# AUTH_LDAP_SERVER = "ldap://ldapserver.new"

# When using OpenID Auth, uncomment to setup OpenID providers.
# example for OpenID authentication
# OPENID_PROVIDERS = [
#    { 'name': 'Yahoo', 'url': 'https://me.yahoo.com' },
#    { 'name': 'AOL', 'url': 'http://openid.aol.com/' },
#    { 'name': 'Flickr', 'url': 'http://www.flickr.com/' },
#    { 'name': 'MyOpenID', 'url': 'https://www.myopenid.com' }]

# ----------------------------------------------------
# Theme CONFIG
# ----------------------------------------------------
# Flask App Builder comes up with a number of predefined themes
# that you can use for Apache Airflow.
# http://flask-appbuilder.readthedocs.io/en/latest/customizing.html#changing-themes
# Please make sure to remove "navbar_color" configuration from airflow.cfg
# in order to fully utilize the theme. (or use that property in conjunction with theme)
# APP_THEME = "bootstrap-theme.css"  # default bootstrap
# APP_THEME = "amelia.css"
# APP_THEME = "cerulean.css"
# APP_THEME = "cosmo.css"
# APP_THEME = "cyborg.css"
# APP_THEME = "darkly.css"
# APP_THEME = "flatly.css"
# APP_THEME = "journal.css"
# APP_THEME = "lumen.css"
# APP_THEME = "paper.css"
# APP_THEME = "readable.css"
# APP_THEME = "sandstone.css"
# APP_THEME = "simplex.css"
# APP_THEME = "slate.css"
# APP_THEME = "solar.css"
# APP_THEME = "spacelab.css"
# APP_THEME = "superhero.css"
# APP_THEME = "united.css"
# APP_THEME = "yeti.css"
```

Are you willing to submit PR?

Code of Conduct
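A defensive version of the claim mapping done in `oauth_user_info` above, added here as an example rather than code from the issue or from Airflow: `map_oidc_userinfo` takes the decoded userinfo response and returns the dict Flask-AppBuilder's `auth_user_oauth` reads, falling back to standard OIDC claims (`preferred_username`, `given_name` plus `family_name`) when a key such as `name` is missing, and returning an empty dict when no username or email claim exists so the login is rejected instead of the manager raising `KeyError`. The claim fallbacks are an assumption about what the IdP sends, and the function is kept free of Airflow imports so it can be tested stand-alone.

```python
import logging
from typing import Any, Dict, Iterable

log = logging.getLogger(__name__)

# Claims tried, in order, for each field Flask-AppBuilder's auth_user_oauth reads.
# 'username', 'name' and 'roles' are the non-standard keys used by the IdP in the
# issue; the rest are standard OIDC userinfo claims (assumption: the IdP may send
# either set).
CLAIM_CANDIDATES = {
    "username": ("username", "preferred_username", "email", "sub"),
    "email": ("email",),
    "first_name": ("given_name",),
    "last_name": ("family_name",),
    "role_keys": ("roles", "groups"),
}


def _first_present(me: Dict[str, Any], keys: Iterable[str]) -> Any:
    """Return the first non-empty value among keys, or None."""
    for key in keys:
        value = me.get(key)
        if value not in (None, ""):
            return value
    return None


def map_oidc_userinfo(me: Any) -> Dict[str, Any]:
    """Map a raw userinfo JSON object to the dict FAB expects from oauth_user_info.

    Optional claims that are absent become "", 'name' is rebuilt from the name
    parts or the username when the IdP does not send it (the KeyError from the
    issue), and {} is returned when no username or email is available, so FAB
    rejects the login instead of the security manager raising.
    """
    if not isinstance(me, dict):
        log.error("userinfo response is not a JSON object: %s", type(me).__name__)
        return {}
    info = {field: _first_present(me, keys) for field, keys in CLAIM_CANDIDATES.items()}
    if not info["username"] and not info["email"]:
        log.error("userinfo has no username/email claim; keys=%s", sorted(me))
        return {}
    parts = " ".join(p for p in (info["first_name"], info["last_name"]) if p)
    info["name"] = me.get("name") or parts or info["username"]
    # role_keys must be a list; a single string from the IdP becomes a one-item list.
    roles = info["role_keys"]
    info["role_keys"] = [roles] if isinstance(roles, str) else list(roles or [])
    return {field: ("" if value is None else value) for field, value in info.items()}
```

Inside `oauth_user_info`, `return map_oidc_userinfo(me)` replaces the literal dict; with an empty result FAB logs the missing identifier and shows "Invalid login" rather than an "Error returning OAuth user info" stack trace.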

iRecursion commented 1 year ago

GitHub comments support Markdown to format them nicely:

```language
```

for example

```json
```

```shell
```

```Dockerfile
```

```yaml
```

…

```python
"""default configuration for the Airflow webserver"""
import os
import sys

sys.path.append(os.getcwd())

from airflow.www.fab_security.manager import AUTH_DB
```
potiuk commented 1 year ago

Closing. Can you please write your problem in English? This is an official communication language we have here, I am afraid.