
OAUTH : Gitlab - The redirect URI included is not valid

Open vparmeland opened this issue 3 years ago • 1 comments

Environment

Flask-Appbuilder version:

Flask                             1.1.2
Flask-AppBuilder                  3.4.4
Flask-Babel                       2.0.0
Flask-Caching                     1.10.1
Flask-JWT-Extended                3.25.1
Flask-Login                       0.4.1
Flask-OpenID                      1.3.0
Flask-Session                     0.4.0
Flask-SQLAlchemy                  2.5.1
Flask-WTF                         0.14.3

pip freeze output:

alembic==1.7.6
amqp==5.0.9
anyio==3.5.0
apache-airflow==2.2.4
apache-airflow-providers-celery==2.1.0
apache-airflow-providers-ftp==2.0.1
apache-airflow-providers-http==2.0.3
apache-airflow-providers-imap==2.2.0
apache-airflow-providers-postgres==3.0.0
apache-airflow-providers-sqlite==2.1.0
apispec==3.3.2
argcomplete==1.12.3
attrs==20.3.0
Authlib==0.15.5
aws-cfn-bootstrap==2.0
Babel==2.9.1
billiard==3.6.4.0
blinker==1.4
boto3==1.21.7
botocore==1.24.7
cached-property==1.5.2
cachelib==0.6.0
cattrs==1.10.0
celery==5.2.3
certifi==2020.12.5
cffi==1.15.0
charset-normalizer==2.0.12
click==8.0.3
click-didyoumean==0.3.0
click-plugins==1.1.1
click-repl==0.2.0
clickclick==20.10.2
cloudpickle==1.4.1
colorama==0.4.4
colorlog==4.8.0
commonmark==0.9.1
connexion==2.11.1
croniter==1.3.4
cryptography==3.4.8
dask==2021.6.0
defusedxml==0.7.1
Deprecated==1.2.13
dill==0.3.1.1
distributed==2.19.0
dnspython==2.2.0
docutils==0.16
email-validator==1.1.3
eventlet==0.33.0
Flask==1.1.2
Flask-AppBuilder==3.4.4
Flask-Babel==2.0.0
Flask-Caching==1.10.1
Flask-JWT-Extended==3.25.1
Flask-Login==0.4.1
Flask-OpenID==1.3.0
Flask-Session==0.4.0
Flask-SQLAlchemy==2.5.1
Flask-WTF==0.14.3
flower==1.0.0
fsspec==2022.1.0
gevent==21.12.0
graphviz==0.19.1
greenlet==1.1.2
gunicorn==20.1.0
h11==0.12.0
HeapDict==1.0.1
httpcore==0.14.7
httpx==0.22.0
humanize==4.0.0
idna==3.3
importlib-metadata==4.11.1
importlib-resources==5.4.0
inflection==0.5.1
iso8601==1.0.2
isodate==0.6.1
itsdangerous==1.1.0
Jinja2==3.0.3
jmespath==0.10.0
jsonschema==3.2.0
kombu==5.2.3
lazy-object-proxy==1.4.3
locket==0.2.1
lockfile==0.12.2
Mako==1.1.6
Markdown==3.3.6
MarkupSafe==2.0.1
marshmallow==3.14.1
marshmallow-enum==1.5.1
marshmallow-oneofschema==3.0.1
marshmallow-sqlalchemy==0.26.1
msgpack==1.0.3
numpy==1.20.3
openapi-schema-validator==0.1.6
openapi-spec-validator==0.3.3
packaging==21.3
pandas==1.3.5
partd==1.2.0
pendulum==2.1.2
prison==0.2.1
prometheus-client==0.13.1
prompt-toolkit==3.0.28
psutil==5.9.0
psycopg2-binary==2.9.3
pycparser==2.21
Pygments==2.11.2
PyJWT==1.7.1
pyparsing==2.4.7
pyrsistent==0.16.1
pystache==0.5.4
python-daemon==2.3.0
python-dateutil==2.8.2
python-nvd3==0.15.0
python-slugify==4.0.1
python3-openid==3.2.0
pytz==2021.3
pytzdata==2020.1
PyYAML==5.4.1
requests==2.27.1
rfc3986==1.5.0
rich==11.2.0
s3transfer==0.5.2
sentry-sdk==1.5.5
setproctitle==1.2.2
simplejson==3.2.0
six==1.16.0
sniffio==1.2.0
sortedcontainers==2.4.0
SQLAlchemy==1.3.24
SQLAlchemy-JSONField==1.0.0
SQLAlchemy-Utils==0.38.2
statsd==3.3.0
swagger-ui-bundle==0.0.9
tabulate==0.8.9
tblib==1.7.0
tenacity==8.0.1
termcolor==1.1.0
text-unidecode==1.3
toolz==0.11.2
tornado==6.1
typing-extensions==3.10.0.2
unicodecsv==0.14.1
urllib3==1.26.8
vine==5.0.0
wcwidth==0.2.5
Werkzeug==1.0.1
wrapt==1.13.3
WTForms==2.3.3
zict==2.0.0
zipp==3.7.0
zope.event==4.5.0
zope.interface==5.4.0

Describe the expected results

Apache Airflow uses FAB for UI & authentication; in my use case I'm trying to use OAUTH with my Gitlab instance (Gitlab CE). https://airflow.apache.org/docs/apache-airflow/2.2.4/security/webserver.html

My Airflow instance is behind an AWS ALB; the ALB configuration forwards requests to my Airflow instance: no issue with this point.

My Gitlab instance should be the authentication reference.

Describe the actual results

When I try to connect with the OAUTH button, an error occurs: "Sign up with" -> An error has occurred: "The redirect URI included is not valid." GitlabOauth

[DEBUG] webserver log :

x.x.x.x - - [28/Feb/2022:17:16:05 +0000] "GET /health HTTP/1.1" 200 159 "-" "ELB-HealthChecker/2.0"
x.x.x.x - - [28/Feb/2022:17:16:05 +0000] "GET /health HTTP/1.1" 200 159 "-" "ELB-HealthChecker/2.0"
[2022-02-28 17:16:16,146] {views.py:615} DEBUG - Provider: None
[2022-02-28 17:16:16,146] {views.py:615} DEBUG - Provider: None
x.x.x.x - - [28/Feb/2022:17:16:16 +0000] "GET /login/ HTTP/1.1" 200 16179 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36"
[2022-02-28 17:16:20,830] {views.py:615} DEBUG - Provider: gitlab
[2022-02-28 17:16:20,830] {views.py:615} DEBUG - Provider: gitlab
[2022-02-28 17:16:20,831] {views.py:628} DEBUG - Going to call authorize for: gitlab
[2022-02-28 17:16:20,831] {views.py:628} DEBUG - Going to call authorize for: gitlab
x.x.x.x - - [28/Feb/2022:17:16:20 +0000] "GET /login/gitlab?next= HTTP/1.1" 302 915 "https://airflow.mydomain/login/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36"
x.x.x.x - - [28/Feb/2022:17:16:30 +0000] "GET /health HTTP/1.1" 200 159 "-" "ELB-HealthChecker/2.0"

I checked the redirect URL, the URI used is : https://gitlab.mydomain.abc/oauth/authorize?response_type=code&client_id=1cxxxxxxx0fa9a2&redirect_uri=https://airflow.mydomain.abc/oauth-authorized/gitlab&scope=read_user&state=eyxxxxxx.eyzzzzzzzzzz

When I compare the URI with one of my services (Superset) currently using OAUTH with Gitlab, I see that the URL is different https://gitlab.mydomain.abc/oauth/authorize?response_type=code&client_id=xxxxxxxxxxx&redirect_uri=https://superset.mydomain.abc/oauth-authorized/gitlab&scope=read_user&state=eyXXXXXXXXX.eyXXXXXXXX.XXXXX-XXXXX-XXXXX_XXXXX-Y

Steps to reproduce


airflow.cfg :

proxy_fix_x_for = 1
proxy_fix_x_host = 3
...
rbac = True

webserver_config.py :

rbac = True

from airflow.www.fab_security.manager import AUTH_OAUTH
AUTH_TYPE = AUTH_OAUTH
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = 'Admin'

OAUTH_PROVIDERS = [{
    'name': 'gitlab',
    'icon': 'fa-gitlab',
    'whitelist': ['@xxxxxxxx.com'],
    'token_key': 'access_token',
    'remote_app': {
        'api_base_url': 'https://gitlab.mydomain.abc/api/v4/',
        'client_kwargs': {
            'scope': 'read_user'
        },
        'access_token_url': 'https://gitlab.mydomain.abc/oauth/token',
        'authorize_url': 'https://gitlab.mydomain.abs/oauth/authorize',
        'request_token_url': None,
        'client_id': 'xxxxxxxxx',
        'client_secret': 'xxxxxxxxxxxxx',
    }
}]

Related : https://github.com/apache/airflow/discussions/21850

vparmeland avatar Feb 28 '22 17:02 vparmeland
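The report above turns on which redirect_uri the app actually builds when it sits behind a load balancer. Airflow's proxy_fix_x_for / proxy_fix_x_proto / proxy_fix_x_host settings configure Werkzeug's ProxyFix middleware, which trusts the right-most N values of each X-Forwarded-* header and rewrites the WSGI environ before Flask's url_for() produces the absolute redirect_uri sent to GitLab. The following is an added example, not code from the issue, from Airflow or from Flask-AppBuilder: a stdlib-only, simplified model of that selection rule so the redirect_uri the app will emit can be reproduced offline and compared, character for character, with the URI registered at the identity provider. The request environ, hostnames and header values are constructed for the demonstration; the X-Forwarded-Port and X-Forwarded-Prefix handling of the real middleware is omitted.

```python
"""Added example (not part of the issue or of Airflow/Flask-AppBuilder):
reproduce the redirect_uri an app behind a reverse proxy would send to GitLab
from its X-Forwarded-* trust settings, and check it against the registered one.
"""


def pick_trusted(header_value, trusted):
    """Return the value `trusted` hops from the right of a comma-separated
    X-Forwarded-* header, or None if the header is untrusted or too short.

    trusted=1 takes the last value (written by the proxy nearest the app);
    trusted=0 ignores the header entirely.  Fewer values than `trusted` means
    the expected proxy chain is not in front of us, so nothing is used.
    """
    if trusted <= 0 or not header_value:
        return None
    values = [v.strip() for v in header_value.split(",") if v.strip()]
    if len(values) < trusted:
        return None
    return values[-trusted]


def apply_proxy_fix(environ, x_for=1, x_proto=1, x_host=0):
    """Return a copy of the WSGI environ with REMOTE_ADDR, wsgi.url_scheme and
    HTTP_HOST replaced from the trusted forwarded headers (simplified model of
    ProxyFix; X-Forwarded-Port/-Prefix handling is omitted)."""
    env = dict(environ)
    remote = pick_trusted(environ.get("HTTP_X_FORWARDED_FOR"), x_for)
    if remote:
        env["REMOTE_ADDR"] = remote
    proto = pick_trusted(environ.get("HTTP_X_FORWARDED_PROTO"), x_proto)
    if proto:
        env["wsgi.url_scheme"] = proto
    host = pick_trusted(environ.get("HTTP_X_FORWARDED_HOST"), x_host)
    if host:
        env["HTTP_HOST"] = host
    return env


def external_url(environ, path):
    """Build the absolute URL url_for(..., _external=True) would produce,
    dropping the default port for the scheme."""
    scheme = environ["wsgi.url_scheme"]
    host = environ["HTTP_HOST"]
    hostname, _, port = host.partition(":")
    if (scheme, port) in (("https", "443"), ("http", "80")):
        host = hostname
    return f"{scheme}://{host}{path}"


def redirect_uri_for(environ, path="/oauth-authorized/gitlab", **hops):
    """The redirect_uri the app would send to GitLab for this request."""
    return external_url(apply_proxy_fix(environ, **hops), path)


def redirect_uri_matches(computed, registered):
    """GitLab accepts only an exact match with a registered redirect URI, so
    compare strictly rather than by prefix."""
    return computed == registered


# Constructed request as gunicorn behind a TLS-terminating load balancer sees
# it: the hop to the app is plain HTTP, the original scheme travels in
# X-Forwarded-Proto, and the Host header is passed through unchanged.
ALB_REQUEST = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "airflow.mydomain.abc",
    "REMOTE_ADDR": "10.0.1.5",             # load-balancer node (constructed)
    "HTTP_X_FORWARDED_FOR": "203.0.113.7",  # client address (constructed)
    "HTTP_X_FORWARDED_PROTO": "https",
}
REGISTERED = "https://airflow.mydomain.abc/oauth-authorized/gitlab"


def main():
    # Without trusting X-Forwarded-Proto the app emits an http:// redirect_uri,
    # which the provider rejects as not matching the https:// registration.
    for hops in ({"x_proto": 0}, {"x_proto": 1}):
        uri = redirect_uri_for(ALB_REQUEST, **hops)
        verdict = "OK" if redirect_uri_matches(uri, REGISTERED) else "MISMATCH"
        print(hops, uri, verdict)


if __name__ == "__main__":
    main()
```

Run it against the environ your own proxy produces (the headers gunicorn logs, or a dump of `request.environ`) and compare the result with the redirect URI registered in the GitLab application. Because the provider's comparison is exact, any difference in scheme, host, port or path fails. Each trust count should equal the number of proxies that actually set that header: a count of 0 for a header the proxy does not set is the safe value, because a proxy that forwards a client's own X-Forwarded-Host unchanged would otherwise let the client choose the host that ends up in redirect_uri.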

Up ;-)

vparmeland avatar Mar 11 '22 09:03 vparmeland