
a34lj (a34lj) asked a question.
I am trying to set up an Airflow cluster to use Okta as the authentication server.
my client_secrets.json file:
{
  "web": {
    "client_id": "{{ CLIENT_ID }}",
    "client_secret": "{{ CLIENT_SECRET }}",
    "auth_uri": "https://{{ ORG_NAME }}.okta.com/oauth2/default/v1/authorize",
    "token_uri": "https://{{ ORG_NAME }}.okta.com/oauth2/default/v1/token",
    "issuer": "https://{{ ORG_NAME }}.okta.com/oauth2/default",
    "userinfo_uri": "https://{{ ORG_NAME }}.okta.com/oauth2/default/userinfo",
    "redirect_uris": [
      "http://localhost:8080/oidc/callback"
    ]
  }
}
my airflow webserver_config.py file:
# AirflowOIDCSecurityManager must be defined (or imported) earlier in this file.
SECURITY_MANAGER_CLASS = AirflowOIDCSecurityManager
OIDC_CLIENT_SECRETS = './airflow/client_secrets.json'
OIDC_COOKIE_SECURE = False
OIDC_USER_INFO_ENABLED = True
OIDC_CALLBACK_ROUTE = "/oidc/callback"
OIDC_SCOPES = ["openid", "profile", "email"]
OIDC_ID_TOKEN_COOKIE_NAME = "oidc_token"
# The original used ":" here; a bare annotation assigns nothing, so these need "=".
OIDC_CLOCK_SKEW = 560
OIDC_RESOURCE_CHECK_AUD = True
OIDC_INTROSPECTION_AUTH_METHOD = 'client_secret_post'
Setting the OIDC environment variables to retrieve the custom fields from Okta:
$ export USERNAME_OIDC_FIELD="preferred_username"
$ export FIRST_NAME_OIDC_FIELD="given_name"
$ export LAST_NAME_OIDC_FIELD="name"
Start the Airflow webserver:
$ airflow webserver -p 8080
However, after logging in via Okta, it redirects to the Airflow URL and returns an error.
Airflow webserver log:
ERROR - Error adding new user to database. (sqlite3.IntegrityError) NOT NULL constraint failed: ab_user.first_name
[SQL: INSERT INTO ab_user (first_name, last_name, username, password, active, email, last_login, login_count, fail_login_count, created_on, changed_on, created_by_fk, changed_by_fk) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)]
[parameters: (None, 'Calvin P', 'calvin@orgx.com', 'pbkdf2:sha256:150000$WJD65iwu$aa4b0deea85e841467441cc18ab8d007a22621af4bee1c2e8f0653467af434f0', 1, 'calvin@orgx.com', None, None, None, '2020-07-27 23:16:50.722603', '2020-07-27 23:16:50.722867', None, None)]
(Background on this error at: http://sqlalche.me/e/gkpj)
If I understand it correctly, export LAST_NAME_OIDC_FIELD="name" worked correctly, but FIRST_NAME_OIDC_FIELD="given_name" returns None.
May I know how I can fix this issue?
Expected result:
- able to retrieve the family_name and given_name from Okta so that the users can be created properly in Airflow.

Can you try to add custom claims in the token? Use user.firstname & user.givenName, user.familyName. That should work. I have tested this and I am able to get it in the token.
Anyway, I tried to add custom claims, but I am still unable to get them in the token (not sure I did it correctly).
I added the custom claims as in the screenshot.
Then set the environment variable:
export FIRST_NAME_OIDC_FIELD="givenName"
The first_name field still returns None after logging in, according to the Airflow log.
Thanks @sandeepk.84743 (Wipro Technologies) for the quick reply.
I think Okta returns firstname and givenName when we request with the profile scope.
However, these fields are set to alwaysIncludeInToken: false.
Only name and preferred_username are enabled by default.
Can we set alwaysIncludeInToken: true for given_name and family_name? Or do we have to add custom claims for them?
Hi Calvin,
Try changing the custom claim to appuser.givenName, appuser.familyName. Sorry for the confusion earlier.
Secondly, to answer your question, we have to add the custom claim for this. It is not included by default.
When I tried to add given_name or family_name as custom claims, I got the following:
How can we make it so the defined given_name and family_name are included in the Profile scope as they are supposed to be based on the OpenID standard?
Sorry, getting the screen capture uploaded correctly.
I believe given_name is defined, and you cannot create a custom claim with the same name.
You should use another.
FYI, I am unable to retrieve the custom claims following Sandeep's instructions. So I gave up and escalated it to another team who manages the Okta integration.
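The failure in this thread is an ID token that carries name and preferred_username but not given_name or family_name, so a security manager that reads first_name straight from the token inserts NULL into ab_user. The helper below is an added example, not code from the thread, from Airflow or from Okta: it reads the same three *_OIDC_FIELD environment variables, looks the field up in the ID token claims first and the userinfo response second (the profile scope claims are available there), and finally derives the names from the always-present name claim rather than returning None. The claim dictionaries are constructed sample data modelled on the log output above.

```python
import os

# Constructed sample ID token claims: "name" and "preferred_username" are
# present, the standard given_name/family_name claims are not (as in the thread).
ID_TOKEN_CLAIMS = {
    "sub": "00u-example",
    "name": "Calvin P",
    "preferred_username": "calvin@orgx.com",
    "email": "calvin@orgx.com",
}

# Constructed sample /userinfo response for the same user with the "profile" scope.
USERINFO_CLAIMS = {
    "sub": "00u-example",
    "name": "Calvin P",
    "given_name": "Calvin",
    "family_name": "P",
    "preferred_username": "calvin@orgx.com",
    "email": "calvin@orgx.com",
}


def resolve_user_fields(id_claims, userinfo=None, env=None):
    """Return (username, first_name, last_name) with non-None names.

    Field names come from the same environment variables the thread uses.
    Lookup order: ID token claims, then userinfo claims, then a fallback
    split of the "name" claim so the ab_user NOT NULL columns are satisfied.
    """
    env = os.environ if env is None else env
    username_field = env.get("USERNAME_OIDC_FIELD", "preferred_username")
    first_field = env.get("FIRST_NAME_OIDC_FIELD", "given_name")
    last_field = env.get("LAST_NAME_OIDC_FIELD", "family_name")

    merged = dict(userinfo or {})
    merged.update(id_claims)  # values from the signed ID token take precedence

    username = merged.get(username_field) or merged.get("sub")
    first = merged.get(first_field)
    last = merged.get(last_field)
    if not (first and last):
        # Fallback: derive the missing part from "name" instead of storing NULL.
        parts = (merged.get("name") or "").split(None, 1)
        first = first or (parts[0] if parts else username)
        last = last or (parts[1] if len(parts) > 1 else "")
    return username, first, last
```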