Skip to content

Unable to configure DAG-level RBAC with Keycloak Auth Manager: Missing dag_id in context #61137

Closed
#61283
Closed
Unable to configure DAG-level RBAC with Keycloak Auth Manager: Missing dag_id in context#61137
#61283
Labels
area:autharea:providerskind:bugThis is a clearly a bugprovider:keycloak
@ddroessler-ext

Description

@ddroessler-ext
ddroessler-ext
opened on Jan 27, 2026

Apache Airflow Provider(s)

keycloak

Versions of Apache Airflow Providers

apache-airflow-providers-keycloak==0.5.0
python-keycloak==7.0.1

Apache Airflow version

3.1.6

Operating System

openSUSE Tumbleweed

Deployment

Virtualenv installation

Deployment details

  • Keycloak
    • Start Keycloak 23.0.6 via breeze keycloak integration
    • Create permissions, scopes & resources via airflow keycloak-auth-manager create-all
    • Configure user, admin role and role assignment in Keycloak admin UI
  • Airflow

    • Airflow 3.1.6 + keycloak auth manager 0.5.0 are installed in separate venv via pip:

      pip install "apache-airflow[celery,keycloak]==3.1.6" --constraint  "https://raw.githubusercontent.com/apache/airflow/constraints-3.1.6/constraints-3.12.txt"
pip install apache-airflow-providers-keycloak==0.5.0

    • Only changes to default airflow.cfg are those required for keycloak_auth_manager:

      [core]
auth_manager = airflow.providers.keycloak.auth_manager.keycloak_auth_manager.KeycloakAuthManager
[keycloak_auth_manager]
client_id = airflow
client_secret = [REDACTED]
realm = airflow
server_url = http://localhost:48080

What happened

Following request is sent to Keycloak by the Keycloak auth manager (captured via Wireshark):
POST /realms/airflow/protocol/openid-connect/token HTTP/1.1 (application/x-www-form-urlencoded)
Form data:

grant_type=urn:ietf:params:oauth:grant-type:uma-ticket
audience=airflow
permission=Dag#GET
context=attributes

Note the literal context=attributes in the form data.

When checking on Keycloak side, only the default context attributes are available to JavaScript-based policies:

ctx.attr[kc.realm.name] = [airflow]
ctx.attr[kc.client.user_agent] = [python-requests/2.32.5]
ctx.attr[kc.client.network.ip_address] = [172.18.0.1]
ctx.attr[kc.client.network.host] = [172.18.0.1]
ctx.attr[kc.client.id] = [airflow]
ctx.attr[kc.time.date_time] = [2026-01-27 14:46:36]

What you think should happen instead

Context attributes like dag_id should be sent to Keycloak instead "context=attributes"

How to reproduce

  1. Start configured Airflow & Keycloak (e.g., via breeze)
  2. Ensure official example dags are loaded (load_examples = True in airflow.cfg [core] section)
  3. Start network capture (e.g., Wireshark)
  4. Login to Airflow through Keycloak
  5. Open /dags/asset_produces_1 to produce a GET /api/v2/dags/asset_produces_1 request
  6. Observe POST /realms/airflow/protocol/openid-connect/token with form data: 
    grant_type=urn:ietf:params:oauth:grant-type:uma-ticket
audience=airflow
permission=Dag#GET
context=attributes

Anything else

Maybe related to #51486?

Are you willing to submit PR?

  • Yes I am willing to submit a PR!

Code of Conduct

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:autharea:providerskind:bugThis is a clearly a bugprovider:keycloak

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions