Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Google OAuth regression in Airflow 2.2.5 with "Error returning OAuth user info: missing_token"
See original GitHub issueApache Airflow version
2.2.5 (latest released)
What happened
We use the stock airflow-webserver docker image, configuring FAB to use Google OAuth. This works fine up to an including Airflow 2.2.4. When updating our DOCKERFILE to: apache/airflow:2.2.5-python3.8, and then attempting to log in to the web server, we get 'Invalid login. Please try again.`. The logs show the following error:
{views.py:671} ERROR - Error returning OAuth user info: missing_token:
Airflow 2.2.5 included a FAB version bump: https://github.com/apache/airflow/commit/d4846e4137b84e86ff107da6e495579c143fe7bd
Which brought in a major version bump of Authlib:
docker run apache/airflow:2.2.4-python3.8 bash -c "pip freeze" | grep Authlib
Authlib==0.15.5
docker run apache/airflow:2.2.5-python3.8 bash -c "pip freeze" | grep Authlib
Authlib==1.0.0
There is a relevant bug in FAB https://github.com/dpgaspar/Flask-AppBuilder/issues/1821 which points at this same error string, root caused to the Authlib version bump.
Adding the following to my Dockerfile works around the problem:
RUN pip install "Authlib==0.15.5"
What you think should happen instead
OAuth login should continue to work as before in 2.2.4.
How to reproduce
Have webserver_config point at OAuth:
AUTH_TYPE = AUTH_OAUTH
OAUTH_PROVIDERS = [
{
"name": "google",
"token_key": "access_token",
"icon": "fa-google",
"remote_app": {
"api_base_url": "https://www.googleapis.com/oauth2/v2/",
"client_kwargs": {"scope": "email profile"},
"access_token_url": "https://accounts.google.com/o/oauth2/token",
"authorize_url": "https://accounts.google.com/o/oauth2/auth",
"request_token_url": None,
"client_id": <snip>,
"client_secret": <snip>
},
}
]
Attempt to log in to the websever
Operating System
ubuntu
Versions of Apache Airflow Providers
No response
Deployment
Docker-Compose
Deployment details
No response
Anything else
No response
Are you willing to submit PR?
- Yes I am willing to submit a PR!
Code of Conduct
- I agree to follow this project’s Code of Conduct
Issue Analytics
- State:
- Created a year ago
- Reactions:3
- Comments:8 (5 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
The problem is not a lack of constraints, but the bug in 1.0.0 of Authlib that has been fixed today in 1.0.1
We’ve already updated the constraints for 2.2.5 to use authlib 1.0.1 earlier today and pushed the docker images to contain the fixed version.
Constraints of 2.2.5 airflow already contain the authlib 1.0.1 https://github.com/apache/airflow/tree/constraints-2.2.5
Closing the issue as resolved.
@potiuk - this was purely based on my own assumptions, not something that I found stated anywhere on the airflow side. I think that changelog entry is exactly the piece I was missing and I welcome the addition.
Thanks for taking the time to help me understand!