Flask-AppBuilder: ERROR - Error returning OAuth user info

We are trying to use Okta OAuth for Airflow authentication, but we are unable to log in to the Airflow application.

Environment

  • Flask-Appbuilder version: 3.2.2
  • Authlib: 0.15.5
  • Airflow Version: apache/airflow:2.1.0-python3.8

Describe the expected results

Okta OAuth should be able to authenticate and redirect to the Airflow home page

Describe the actual results:

Error log: “views.py: ERROR - Error returning OAuth user info: Expecting value: line 1 column 1 (char 0)”

On the Airflow login page: Invalid login. Please try again.

Steps to reproduce

We have the below code for authentication in webserver_config.py

import os
import logging
logger = logging.getLogger(__name__)
logger.setLevel(logging.DEBUG)

from airflow import configuration as conf
from flask_appbuilder.security.manager import AUTH_OAUTH

basedir = os.path.abspath(os.path.dirname(__file__))

# Flask-WTF flag for CSRF
WTF_CSRF_ENABLED = True
AUTH_ROLE_ADMIN = 'Admin'
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Admin" 
AUTH_TYPE = AUTH_OAUTH

OAUTH_PROVIDERS = [
{'name': 'okta', 'icon': 'fa-circle-o',
    'token_key': 'access_token',
    'remote_app': {
        'client_id': '--X--X--',
        'client_secret': '--X--X--',
        'server_metadata_url': 'https://<okta-url>/.well-known/openid-configuration',
        'api_base_url': 'https://<okta-url>/oauth2/v1',
        'client_kwargs': {
            'scope': 'openid profile email groups'
        },
        'access_token_url': 'https://<okta-url>/oauth2/v1/token',
        "userinfo_url": "https://<okta-url>/oauth2/default/userinfo",
        'authorize_url': 'https://<okta-url>/oauth2/v1/authorize',
        "redirect_uris": [
            "http://<URL>/",
            "http://<URL>/oidc/callback"
            ]
    }
}]

AUTH_ROLES_SYNC_AT_LOGIN = True
PERMANENT_SESSION_LIFETIME = 1800

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 3
  • Comments: 15 (1 by maintainers)

Most upvoted comments

I have found and fixed my issues using a custom security class.

Try and use self.log.debug() to log debug information.

from airflow.utils.log.logging_mixin import LoggingMixin
from airflow.www.security import AirflowSecurityManager


class AzureCustomSecurity(AirflowSecurityManager, LoggingMixin):
    def get_oauth_user_info(self, provider, response=None):
        # Build the user record from the claims in the Azure id_token.
        if provider == "azure":
            self.log.debug("Azure response received : {0}".format(response))
            id_token = response["id_token"]
            # Debug aid only: this writes the raw id_token to the log.
            self.log.debug(str(id_token))
            me = self._azure_jwt_token_parse(id_token)
            self.log.debug("Parse JWT token : {0}".format(me))
            parsed_token = {
                "name": me["name"],
                "email": me["email"],
                "first_name": me["given_name"],
                "last_name": me["family_name"],
                "id": me["oid"],
                "username": me["preferred_username"],
                "upn": me["oid"],
                "role_keys": me["roles"],
            }
            return parsed_token
        else:
            return {}


# Assigned after the class definition so the name exists when the
# config file is loaded.
SECURITY_MANAGER_CLASS = AzureCustomSecurity

@abhirhel7 @tinder-javiertrejo

To solve the error, put a “/” at the end of ‘api_base_url’ : 'api_base_url': 'https://<okta-url>/oauth2/v1/'

Because the code concatenates api_base_url with “userinfo” to make its call.
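The trailing-slash behaviour described in the comment above, as an added example that is not part of the original thread or of the Flask-AppBuilder or Authlib code. It assumes the relative path "userinfo" is resolved against api_base_url by RFC 3986 rules, as Python's urllib.parse.urljoin does; the host okta.example and the helper names are hypothetical.

```python
import json
from urllib.parse import urljoin

# Constructed entries in the shape of the issue's OAUTH_PROVIDERS;
# okta.example is a placeholder host standing in for <okta-url>.
PROVIDERS = [
    {"name": "okta-no-slash",
     "remote_app": {"api_base_url": "https://okta.example/oauth2/v1"}},
    {"name": "okta-slash",
     "remote_app": {"api_base_url": "https://okta.example/oauth2/v1/"}},
]


def resolve_userinfo(api_base_url, path="userinfo"):
    """Resolve the relative path against api_base_url (assumed RFC 3986 join)."""
    return urljoin(api_base_url, path)


def check_providers(providers, path="userinfo"):
    """Return (name, resolved_url, ok); ok is False when the last path
    segment of api_base_url is dropped during resolution."""
    results = []
    for provider in providers:
        base = provider["remote_app"]["api_base_url"]
        resolved = resolve_userinfo(base, path)
        intended = base.rstrip("/") + "/" + path
        results.append((provider["name"], resolved, resolved == intended))
    return results


def userinfo_parse_error(body):
    """Return the JSON decode error for a response body, or None if it parses."""
    try:
        json.loads(body)
    except json.JSONDecodeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for name, url, ok in check_providers(PROVIDERS):
        print(f"{name}: userinfo -> {url} [{'ok' if ok else 'wrong endpoint'}]")
    # Constructed body: an HTML error page such as a 404 from the wrong URL
    print(userinfo_parse_error("<html>404 Not Found</html>"))
```

Running `check_providers` over the real OAUTH_PROVIDERS list before starting the webserver flags any provider whose userinfo call would land on the wrong endpoint.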

@halink0803 For google auth to work: api_base_url should be https://www.googleapis.com/oauth2/v2/. Notice the www. Otherwise it will return 404 causing the flow to break after token generation.

I have a similar issue except with Google OAuth on Airflow 2.2.1. Except my error message is missing_token. I’ll try to open an issue for it today.