apache / airflow

Apache Airflow - A platform to programmatically author, schedule, and monitor workflows
https://airflow.apache.org/
Apache License 2.0

Azure Oauth Authentication will not work when no email is set #38870

Closed gschuurman closed 5 months ago

gschuurman commented 5 months ago

Apache Airflow version

2.9.0

If "Other Airflow 2 version" selected, which one?

No response

What happened?

After the update to Airflow 2.9.0 the OAuth authentication with Azure stopped working. The logs show: `Error returning OAuth user info: 'email'`. The login fails.

After debugging the tokens, it seems that my account does not have a registered email.

The offending code is the following: https://github.com/apache/airflow/blob/04c2ab5be669550e4c4d1d004ed1fd1461e58f7e/airflow/providers/fab/auth_manager/security_manager/override.py#L2215

```python
return {
    # The default argument me["email"] is evaluated before the lookup,
    # so a token without an 'email' claim raises KeyError('email').
    "email": me.get("upn", me["email"]),
    "first_name": me.get("given_name", ""),
    "last_name": me.get("family_name", ""),
    "username": me["oid"],
    "role_keys": me.get("roles", []),
}
```

What you think should happen instead?

The account should log in with the UPN registered as the email.

How to reproduce

Get an Azure account without a registered email address, and set the webserver config to:

```python
import os
from flask_appbuilder.security.manager import AUTH_OAUTH

AZURE_TENANT_ID = os.getenv('AZURE_TENANT_ID')
AZURE_APPLICATION_ID = os.getenv('AZURE_APPLICATION_ID')
AZURE_APPLICATION_SECRET = os.getenv('AZURE_APPLICATION_SECRET')

AUTH_TYPE = AUTH_OAUTH
AUTH_ROLES_SYNC_AT_LOGIN = True
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Viewer"

AUTH_ROLES_MAPPING = {
    "Viewer": ["Viewer"],
    "User": ["User"],
    "Op": ["Op"],
    "Admin": ["Admin"],
}

OAUTH_PROVIDERS = [
    {
        "name": "azure",
        "icon": "fa-windows",
        "token_key": "access_token",
        "remote_app": {
            "client_id": AZURE_APPLICATION_ID,
            "client_secret": AZURE_APPLICATION_SECRET,
            "api_base_url": f"https://login.microsoftonline.com/{AZURE_TENANT_ID}/oauth2",
            "client_kwargs": {
                "scope": "User.read name preferred_username email profile upn openid",
                "resource": AZURE_APPLICATION_ID,
                "verify_signature": True,
            },
            "request_token_url": None,
            "access_token_url": f"https://login.microsoftonline.com/{AZURE_TENANT_ID}/oauth2/token",
            "authorize_url": f"https://login.microsoftonline.com/{AZURE_TENANT_ID}/oauth2/authorize",
            "jwks_uri": f"https://login.microsoftonline.com/{AZURE_TENANT_ID}/discovery/keys?appid={AZURE_APPLICATION_ID}",
        },
    },
]
```

Operating System

Kubernetes Helm deployment

Versions of Apache Airflow Providers

```text
apache-airflow-providers-amazon==8.19.0
apache-airflow-providers-apache-druid==3.9.0
apache-airflow-providers-apache-hive==7.0.1
apache-airflow-providers-apache-pig==4.3.0
apache-airflow-providers-apache-spark==4.7.1
apache-airflow-providers-celery==3.6.1
apache-airflow-providers-cncf-kubernetes==8.0.1
apache-airflow-providers-common-io==1.3.0
apache-airflow-providers-common-sql==1.11.1
apache-airflow-providers-databricks==6.2.0
apache-airflow-providers-docker==3.9.2
apache-airflow-providers-elasticsearch==5.3.3
apache-airflow-providers-fab==1.0.2
apache-airflow-providers-ftp==3.7.0
apache-airflow-providers-google==10.16.0
apache-airflow-providers-grpc==3.4.1
apache-airflow-providers-hashicorp==3.6.4
apache-airflow-providers-http==4.10.0
apache-airflow-providers-imap==3.5.0
apache-airflow-providers-jdbc==4.2.2
apache-airflow-providers-microsoft-azure==9.0.1
apache-airflow-providers-microsoft-mssql==3.6.1
apache-airflow-providers-mysql==5.5.4
apache-airflow-providers-odbc==4.4.1
apache-airflow-providers-openlineage==1.6.0
apache-airflow-providers-oracle==3.9.2
apache-airflow-providers-postgres==5.10.2
apache-airflow-providers-redis==3.3.1
apache-airflow-providers-samba==4.5.0
apache-airflow-providers-sendgrid==3.4.0
apache-airflow-providers-sftp==4.9.0
apache-airflow-providers-slack==8.6.1
apache-airflow-providers-smtp==1.6.1
apache-airflow-providers-snowflake==5.3.1
apache-airflow-providers-sqlite==3.7.1
apache-airflow-providers-ssh==3.10.1
```

Deployment

Official Apache Airflow Helm Chart

Deployment details

No response

Anything else?

No response

Are you willing to submit PR?

Code of Conduct
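The failure reported above comes down to how `dict.get(key, default)` works in Python: the `default` expression is evaluated before the lookup, so `me.get("upn", me["email"])` dereferences `me["email"]` even when a `upn` claim is present and raises `KeyError('email')`, which is exactly the `'email'` text in the logged error. The following is an added example, not code from Airflow or from the issue author; `user_info_eager_default` reproduces the reported pattern on constructed claim dictionaries, and `user_info_lazy_fallback` is an illustrative alternative (the `preferred_username` fallback and the `ValueError` are this example's choices, not the project's eventual fix). The `CLAIMS_*` values and object ids are constructed placeholders, not real tokens.

```python
"""Added example (not Airflow's code): why the reported line fails when the
Azure token carries no 'email' claim, and one defensive way to resolve the
address. The claim dictionaries are constructed sample data, not real tokens."""
from typing import Any, Optional

# Constructed sample claims: an account with an email, and one with only a UPN.
CLAIMS_WITH_EMAIL = {
    "oid": "00000000-0000-0000-0000-000000000001",  # placeholder object id
    "email": "alice@example.com",
    "upn": "alice@example.com",
    "given_name": "Alice",
    "family_name": "Example",
    "roles": ["Viewer"],
}
CLAIMS_WITHOUT_EMAIL = {
    "oid": "00000000-0000-0000-0000-000000000002",  # placeholder object id
    "upn": "bob@example.com",
    "given_name": "Bob",
    "family_name": "Example",
    "roles": ["Admin"],
}


def user_info_eager_default(me: dict[str, Any]) -> dict[str, Any]:
    """Mirrors the pattern reported in the issue.

    dict.get(key, default) evaluates `default` before the lookup, so
    me["email"] raises KeyError whenever the claim is absent, even though the
    line reads as if 'upn' were preferred and 'email' only a fallback."""
    return {
        "email": me.get("upn", me["email"]),
        "first_name": me.get("given_name", ""),
        "last_name": me.get("family_name", ""),
        "username": me["oid"],
        "role_keys": me.get("roles", []),
    }


def user_info_lazy_fallback(me: dict[str, Any]) -> dict[str, Any]:
    """Illustrative alternative (an assumption, not Airflow's actual fix).

    Each candidate claim is read only if the previous one is missing, and the
    stable 'oid' claim stays the account identifier regardless of which
    address was found."""
    email = me.get("upn") or me.get("email") or me.get("preferred_username")
    if not email:
        # Refuse to register a user whose account cannot be tied to an address.
        raise ValueError("token carries neither 'upn', 'email' nor 'preferred_username'")
    return {
        "email": email,
        "first_name": me.get("given_name", ""),
        "last_name": me.get("family_name", ""),
        "username": me["oid"],
        "role_keys": me.get("roles", []),
    }


def eager_default_error(me: dict[str, Any]) -> Optional[str]:
    """Return the KeyError text the eager version raises, or None if it succeeds.

    For a token without 'email' this is "'email'", the same text that appears
    after "Error returning OAuth user info:" in the reported log line."""
    try:
        user_info_eager_default(me)
    except KeyError as exc:
        return str(exc)
    return None


def lazy_fallback_rejects(me: dict[str, Any]) -> bool:
    """True if the lazy version refuses the claims for lack of any address."""
    try:
        user_info_lazy_fallback(me)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("eager, with email:   ", user_info_eager_default(CLAIMS_WITH_EMAIL)["email"])
    print("eager, without email:", eager_default_error(CLAIMS_WITHOUT_EMAIL))
    print("lazy, without email: ", user_info_lazy_fallback(CLAIMS_WITHOUT_EMAIL)["email"])
```

Both versions keep `oid` as the username because it is the stable account identifier in the token; the resolved address only labels the account, so a change in which claim supplied it does not change who the user is.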

boring-cyborg[bot] commented 5 months ago

Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise a PR to address this issue, please do so; no need to wait for approval.