Airflow Keycloak provider redirect to HTTP instead of HTTPS

[atalakey4work]

Apache Airflow Provider(s)

keycloak

Versions of Apache Airflow Providers

apache-airflow-providers-keycloak 0.5.0

Apache Airflow version

3.0.2

Operating System

Official container image "apache/airflow:3.0.2"

Deployment

Official Apache Airflow Helm Chart

Deployment details

Below is my current values.yaml:

ingress:
  apiServer:
    enabled: true
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
    - name: airflow.REDACTED
      tls:
        enabled: true
        secretName: airflow.REDACTED
    ingressClassName: nginx

env:
  - name: _PIP_ADDITIONAL_REQUIREMENTS
    value: apache-airflow-providers-keycloak==0.5.0

config:
  core:
    auth_manager: airflow.providers.keycloak.auth_manager.keycloak_auth_manager.KeycloakAuthManager
  api:
    base_url: https://airflow.REDACTED
  keycloak_auth_manager:
    server_url: https://REDACTED/auth/ # (note: auth/ needed for backward compatibility)
    realm: REDACTED
    client_id: airflow
    client_secret: REDACTED

What happened

Airflow redirects to Keycloak with an HTTP redirect_url despite me seeting base_url: https://airflow.REDACTED:

https://REDACTED/auth/realms/REDACTED/protocol/openid-connect/auth?client_id=airflow&response_type=code&redirect_uri=http://airflow.REDACTED/auth/login_callback&scope=openid&state=&nonce=

What you think should happen instead

Airflow shoud set redirect_uri to https://airflow.REDACTED/auth/login_callback

How to reproduce

Deploy Airflow using Helm with the values shared

Anything else

No response

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[boring-cyborg]

Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.

[ecodina]

This happened to me as well when I first set up the Keycloak provider. The reason was not configuring Airflow properly to run behind a reverse proxy. You can find more info here: https://airflow.apache.org/docs/apache-airflow/stable/howto/run-behind-proxy.html

Hope it helps!

[arjav1528]

I can see that there is a redirect issue, may be we can handle this by configuring reverse proxy headers which will ensure that it passes the X-Forwarded-Proto, further we can set the FORWARDED_ALLOW_IPS if the proxy isn't on the same host
please do correct me if I am wrong

I'd like to work on this and submit a PR

[atalakey4work]

@ecodina I am running Airflow using the helm chart provided. I am exposing the API via ingress nginx and have setup the below annotations but still the redirect is set to http instead of https:

ingress:
  apiServer:
    enabled: true
    annotations:
      nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
      nginx.ingress.kubernetes.io/proxy-redirect-off: "true"
      nginx.ingress.kubernetes.io/configuration-snippet: |
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        more_set_headers "Content-Security-Policy: frame-ancestors 'self';";

apiServer:
  args: ["bash", "-c", "exec airflow api-server --proxy-headers"]

[vincbeck]

I can see that there is a redirect issue, may be we can handle this by configuring reverse proxy headers which will ensure that it passes the X-Forwarded-Proto, further we can set the FORWARDED_ALLOW_IPS if the proxy isn't on the same host please do correct me if I am wrong

I'd like to work on this and submit a PR

Assigned to you @arjav1528