
Airflow + Okta integration problem OAuth2.0

I'm trying to authenticate to Airflow using Okta (our IdP) and OAuth2.0/OpenID. For this I used these as references:

  • https://tech.scribd.com/blog/2021/integrating-airflow-and-okta.html

  • https://flask-appbuilder.readthedocs.io/en/latest/security.html

The problem is that after finishing all the configuration, when I try to log in using Okta I get the message "Invalid login. Please try again."

The only logs I see, coming from Flask I suppose, are like:

172.17.0.1 - - [06/Aug/2021:14:05:01 +0000] "GET /static/pin_32.png HTTP/1.1" 304 0 "http://localhost:8080/login/?next=http%3A%2F%2Flocalhost%3A8080%2Fhome" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36"

172.17.0.1 - - [06/Aug/2021:14:05:26 +0000] "GET /login/okta?next=http://localhost:8080/home HTTP/1.1" 302 985 "http://localhost:8080/login/?next=http%3A%2F%2Flocalhost%3A8080%2Fhome" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36"

172.17.0.1 - - [06/Aug/2021:14:05:41 +0000] "GET /oauth-authorized/okta?code=V3YfnQL9IQOIwJLWt1KdALrtRRYM1xtZBDxNP9exlp4&state=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuZXh0IjpbImh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9ob21lIl19.GbawEXaz1lpX1nOYuGyHHSstM9b-X36sghlhBoLuot0 HTTP/1.1" 302 221 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36"

172.17.0.1 - - [06/Aug/2021:14:05:41 +0000] "GET /login/ HTTP/1.1" 200 17174 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36"

I see nothing wrong there..

Configuration steps:

1. Configuring Okta:

[Screenshot: Okta configuration]

Also the "Authorization server is the default one"

2. Complete the webserver_config.py

import os
from flask_appbuilder.security.manager import AUTH_OAUTH

AUTH_TYPE = AUTH_OAUTH
OAUTH_PROVIDERS = [
    {
        'name': 'okta',
        'icon': 'fa-circle-o',
        'token_key': 'access_token',
        'remote_app': {
            'client_id': '0oa1ceaw9cxc1rXhi5d7',
            'client_secret': 'MY CLIENT SECRET',
            'api_base_url': 'https://MY OKTA DOMAIN/oauth2/default/v1/',
            'client_kwargs': {
                'scope': 'openid profile email groups'
            },
            'access_token_url': 'https://MY OKTA DOMAIN/oauth2/default/v1/token',
            'authorize_url': 'https://MY OKTA DOMAIN/oauth2/default/v1/authorize',
        }
    }
]

3. Create a Dockerfile:

 FROM apache/airflow
 RUN pip install authlib \
  && pip install flask-appbuilder==3.2.2 \
  && pip install sqlalchemy==1.3.18
 COPY ./webserver_config.py /opt/airflow/webserver_config.py

4. Build the image and run the airflow container:

#docker build -t airflowcustom .
#docker run -d -p 8080:8080 --name airflow airflowcustom webserver

I'm stuck here ... did anyone do this or experience a similar problem? Do you know what logs I can see and where? I don't see anything inside the airflow container.

Andres Sebatian Ruiz asked Nov 22 '25 20:11



1 Answer

Try adding these to your webserver_config.py

AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = 'User' # Or any role that you want as default
yoyosir answered Nov 25 '25 11:11

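An added example, not part of the question, the answer, or Flask-AppBuilder (FAB): a pre-deployment check that flags the condition the answer addresses (OAuth enabled while self-registration is off, so FAB rejects IdP users who have no Airflow account yet) and also flags an over-privileged default role. The names `audit_oauth_config`, `QUESTION_CONFIG`, `ANSWER_CONFIG`, the finding codes, and the `okta.example` host are assumptions made for illustration.

```python
# Added example, not code from the post or from Flask-AppBuilder (FAB).
AUTH_OAUTH = 4  # same value as flask_appbuilder.security.manager.AUTH_OAUTH
PRIVILEGED_ROLES = {"Admin", "Op"}  # Airflow roles too broad as a default

def audit_oauth_config(cfg):
    """Return finding codes for an OAuth-enabled webserver_config (as a dict)."""
    if cfg.get("AUTH_TYPE") != AUTH_OAUTH:
        return ["not-oauth"]
    findings = []
    # FAB rejects an OAuth login for a user missing from its database unless
    # self-registration is on; the UI then shows "Invalid login".
    if not cfg.get("AUTH_USER_REGISTRATION", False):
        findings.append("registration-disabled")
    # FAB falls back to the Public role when no registration role is set.
    elif cfg.get("AUTH_USER_REGISTRATION_ROLE", "Public") in PRIVILEGED_ROLES:
        findings.append("privileged-default-role")
    for provider in cfg.get("OAUTH_PROVIDERS", []):
        app = provider.get("remote_app", {})
        scopes = app.get("client_kwargs", {}).get("scope", "").split()
        if "openid" not in scopes:
            findings.append("missing-openid-scope")
        for key in ("access_token_url", "authorize_url"):
            if not app.get(key, "").startswith("https://"):
                findings.append("insecure-" + key)
    return findings

# Constructed sample mirroring the question's settings; okta.example stands in
# for the "MY OKTA DOMAIN" placeholder.
QUESTION_CONFIG = {
    "AUTH_TYPE": AUTH_OAUTH,
    "OAUTH_PROVIDERS": [{
        "name": "okta",
        "token_key": "access_token",
        "remote_app": {
            "client_kwargs": {"scope": "openid profile email groups"},
            "access_token_url": "https://okta.example/oauth2/default/v1/token",
            "authorize_url": "https://okta.example/oauth2/default/v1/authorize",
        },
    }],
}
# The same settings with the two lines from the answer applied.
ANSWER_CONFIG = dict(QUESTION_CONFIG, AUTH_USER_REGISTRATION=True,
                     AUTH_USER_REGISTRATION_ROLE="User")

if __name__ == "__main__":
    print(audit_oauth_config(QUESTION_CONFIG))
    print(audit_oauth_config(ANSWER_CONFIG))
```

With registration enabled, every account the IdP lets through is created with the default role, so the check treats `Admin` or `Op` as a finding.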


