You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by ka...@apache.org on 2020/11/04 10:38:17 UTC

[airflow] branch v1-10-stable updated: Fix Logout Google Auth issue in Non-RBAC UI (#11890)

This is an automated email from the ASF dual-hosted git repository.

kamilbregula pushed a commit to branch v1-10-stable
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/v1-10-stable by this push:
     new 6dbed4b  Fix Logout Google Auth issue in Non-RBAC UI (#11890)
6dbed4b is described below

commit 6dbed4b38a85bd9e14fa54d8136f2f78bfde6859
Author: Victor Gea <vi...@gmail.com>
AuthorDate: Wed Nov 4 11:36:03 2020 +0100

    Fix Logout Google Auth issue in Non-RBAC UI (#11890)
---
 airflow/contrib/auth/backends/google_auth.py | 4 ++++
 docs/security.rst                            | 9 ++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/airflow/contrib/auth/backends/google_auth.py b/airflow/contrib/auth/backends/google_auth.py
index cf14677..5554e46 100644
--- a/airflow/contrib/auth/backends/google_auth.py
+++ b/airflow/contrib/auth/backends/google_auth.py
@@ -96,6 +96,10 @@ class GoogleAuthBackend(object):
             consumer_secret=get_config_param('client_secret'),
             request_token_params={'scope': [
                 'https://www.googleapis.com/auth/userinfo.profile',
+                'https://www.googleapis.com/auth/userinfo.email'],
+                'prompt': get_config_param('prompt')
+            } if get_config_param('prompt') else {'scope': [
+                'https://www.googleapis.com/auth/userinfo.profile',
                 'https://www.googleapis.com/auth/userinfo.email']},
             base_url='https://www.google.com/accounts/',
             request_token_url=None,
diff --git a/docs/security.rst b/docs/security.rst
index 3817c7f..b22dfc0 100644
--- a/docs/security.rst
+++ b/docs/security.rst
@@ -387,7 +387,13 @@ Google Authentication
 
 The Google authentication backend can be used to authenticate users
 against Google using OAuth2. You must specify the domains to restrict
-login, separated with a comma, to only members of those domains.
+login, separated with a comma, to only members of those domains. You
+also need to select an option for `user consent prompt behaviour <https://developers.google.com/identity/protocols/oauth2/web-server#userconsentprompt>`_, one of:
+
+consent: Prompt the user for consent.
+select_account: Prompt the user to select an account.
+none: Do not display any authentication or consent screens.
+'': the user will be prompted only the first time your project requests access
 
 .. code-block:: ini
 
@@ -400,6 +406,7 @@ login, separated with a comma, to only members of those domains.
     client_secret = google_client_secret
     oauth_callback_route = /oauth2callback
     domain = example1.com,example2.com
+    prompt = <One of : consent, select_account, none or ''>
 
 To use Google authentication, you must install Airflow with the ``google_auth`` extras group: