You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2022/04/05 19:05:39 UTC
[GitHub] [airflow] joshzana opened a new issue, #22761: Google OAuth regression in Airflow 2.2.5 with "Error returning OAuth user info: missing_token"
joshzana opened a new issue, #22761:
URL: https://github.com/apache/airflow/issues/22761
### Apache Airflow version
2.2.5 (latest released)
### What happened
We use the stock airflow-webserver docker image, configuring FAB to use Google OAuth. This works fine up to an including Airflow 2.2.4. When updating our DOCKERFILE to: `apache/airflow:2.2.5-python3.8`, and then attempting to log in to the web server, we get 'Invalid login. Please try again.`. The logs show the following error:
```
{views.py:671} ERROR - Error returning OAuth user info: missing_token:
```
Airflow 2.2.5 included a FAB version bump: https://github.com/apache/airflow/commit/d4846e4137b84e86ff107da6e495579c143fe7bd
Which brought in a major version bump of Authlib:
```
docker run apache/airflow:2.2.4-python3.8 bash -c "pip freeze" | grep Authlib
Authlib==0.15.5
```
```
docker run apache/airflow:2.2.5-python3.8 bash -c "pip freeze" | grep Authlib
Authlib==1.0.0
```
There is a relevant bug in FAB https://github.com/dpgaspar/Flask-AppBuilder/issues/1821 which points at this same error string, root caused to the Authlib version bump.
### What you think should happen instead
OAuth login should continue to work as before in 2.2.4.
### How to reproduce
Have webserver_config point at OAuth:
```
AUTH_TYPE = AUTH_OAUTH
OAUTH_PROVIDERS = [
{
"name": "google",
"token_key": "access_token",
"icon": "fa-google",
"remote_app": {
"api_base_url": "https://www.googleapis.com/oauth2/v2/",
"client_kwargs": {"scope": "email profile"},
"access_token_url": "https://accounts.google.com/o/oauth2/token",
"authorize_url": "https://accounts.google.com/o/oauth2/auth",
"request_token_url": None,
"client_id": <snip>,
"client_secret": <snip>
},
}
]
```
Attempt to log in to the websever
### Operating System
ubuntu
### Versions of Apache Airflow Providers
_No response_
### Deployment
Docker-Compose
### Deployment details
_No response_
### Anything else
_No response_
### Are you willing to submit PR?
- [ ] Yes I am willing to submit a PR!
### Code of Conduct
- [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] repl-mike-roest commented on issue #22761: Google OAuth regression in Airflow 2.2.5 with "Error returning OAuth user info: missing_token"
Posted by GitBox <gi...@apache.org>.
repl-mike-roest commented on issue #22761:
URL: https://github.com/apache/airflow/issues/22761#issuecomment-1090779286
@joshzana you probably need to pull the updated image. If you already had that tag cached it would just run on the existing image
```
docker pull apache/airflow:2.2.5-python3.8
❯ docker run apache/airflow:2.2.5-python3.8 bash -c "pip freeze" | grep Authlib
WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
Authlib==1.0.1
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] potiuk commented on issue #22761: Google OAuth regression in Airflow 2.2.5 with "Error returning OAuth user info: missing_token"
Posted by GitBox <gi...@apache.org>.
potiuk commented on issue #22761:
URL: https://github.com/apache/airflow/issues/22761#issuecomment-1090728797
The problem is not a lack of constraints, but the bug in 1.0.0 of Authlib that has been fixed today in 1.0.1
We've already updated the constraints for 2.2.5 to use authlib 1.0.1 earlier today and pushed the docker images to contain the fixed version.
Constraints of 2.2.5 airflow already contain the authlib 1.0.1 https://github.com/apache/airflow/tree/constraints-2.2.5
Closing the issue as resolved.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] joshzana commented on issue #22761: Google OAuth regression in Airflow 2.2.5 with "Error returning OAuth user info: missing_token"
Posted by GitBox <gi...@apache.org>.
joshzana commented on issue #22761:
URL: https://github.com/apache/airflow/issues/22761#issuecomment-1090800856
@repl-mike-roest got it! Confirmed that I was looking at a stale image version. I was not aware that airflow was republishing docker images against the same tag as opposed to doing version bumps. That feels like it breaks repeatable builds and deployments.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] potiuk commented on issue #22761: Google OAuth regression in Airflow 2.2.5 with "Error returning OAuth user info: missing_token"
Posted by GitBox <gi...@apache.org>.
potiuk commented on issue #22761:
URL: https://github.com/apache/airflow/issues/22761#issuecomment-1090840684
@joshzana - I believe you have wrong expectations about the image.
* Where do you get from that docker image is there for repeatable builds an deployment?
* Why do you think it is a requirement ?
* Is this stated anywhere?
* Where are your expectation coming from?
I'd really love to know that because if you make claims like that, they must come from some understanding that this is the case, and I believe we never, ever made claims that this is the case.
Airlfow images are purely convenience packages. They are "reference" images - see description here: https://airflow.apache.org/docs/docker-stack/index.html.
> The Apache Airflow image provided as convenience package is optimized for size, and it provides just a bare minimal set of the extras and dependencies installed and in most cases you want to either extend or customize the image. You can see all possible extras in [Reference for package extras](https://airflow.apache.org/docs/apache-airflow/stable/extra-packages-ref.html). The set of extras used in Airflow Production image are available in the [Dockerfile](https://github.com/apache/airflow/blob/2c6c7fdb2308de98e142618836bdf414df9768c8/Dockerfile#L37).
And if you want to have repeatable builds - you can easily do it. For example
https://airflow.apache.org/docs/docker-stack/build.html#build-images-in-security-restricted-environments explains how to do builds using downloaded dependencies and constraints if you want.
We even have an upcoming Changelog that explains it a bit better: https://github.com/apache/airflow/blob/main/docs/docker-stack/changelog.rst
> The Dockerfile does not strictly follow the [SemVer](https://semver.org/) approach of Apache Airflow when it comes to features and backwards compatibility. While Airflow code strictly follows it, the Dockerfile is really a way to give users a conveniently packaged Airflow using standard container approach, so occasionally there are some changes in the building process or in the entrypoint of the image that require slight adaptation of how it is used or built.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] joshzana commented on issue #22761: Google OAuth regression in Airflow 2.2.5 with "Error returning OAuth user info: missing_token"
Posted by GitBox <gi...@apache.org>.
joshzana commented on issue #22761:
URL: https://github.com/apache/airflow/issues/22761#issuecomment-1090771243
@potiuk thanks! Can you explain how this fix makes it into the official docker image for airflow web server?
If I run this:
```
docker run apache/airflow:2.2.5-python3.8 bash -c "pip freeze" | grep Authlib
Authlib==1.0.0
```
Doesn't that mean that the 2.2.5 image has the bad Authlib version baked in?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] repl-mike-roest commented on issue #22761: Google OAuth regression in Airflow 2.2.5 with "Error returning OAuth user info: missing_token"
Posted by GitBox <gi...@apache.org>.
repl-mike-roest commented on issue #22761:
URL: https://github.com/apache/airflow/issues/22761#issuecomment-1090380312
I've added a PR that pins the versions in setup.py to match the FAB constraints and the image builds and has 0.15.5 as expected.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] joshzana commented on issue #22761: Google OAuth regression in Airflow 2.2.5 with "Error returning OAuth user info: missing_token"
Posted by GitBox <gi...@apache.org>.
joshzana commented on issue #22761:
URL: https://github.com/apache/airflow/issues/22761#issuecomment-1090848352
@potiuk - this was purely based on my own assumptions, not something that I found stated anywhere on the airflow side. I think that changelog entry is exactly the piece I was missing and I welcome the addition.
Thanks for taking the time to help me understand!
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] potiuk closed issue #22761: Google OAuth regression in Airflow 2.2.5 with "Error returning OAuth user info: missing_token"
Posted by GitBox <gi...@apache.org>.
potiuk closed issue #22761: Google OAuth regression in Airflow 2.2.5 with "Error returning OAuth user info: missing_token"
URL: https://github.com/apache/airflow/issues/22761
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] repl-mike-roest commented on issue #22761: Google OAuth regression in Airflow 2.2.5 with "Error returning OAuth user info: missing_token"
Posted by GitBox <gi...@apache.org>.
repl-mike-roest commented on issue #22761:
URL: https://github.com/apache/airflow/issues/22761#issuecomment-1090346493
We also ran into this and bumping authlib upto 1.0.1 also fixed it for us.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org