Logout the user when the token expires #60781

Merged
vincbeck merged 1 commit into apache:main from aws-mwaa:vincbeck/keycloak_refresh
Jan 20, 2026
Contributor

vincbeck commented Jan 19, 2026 (edited)

Resolves #59359

There are 2 scenarios:

  • If the Airflow JWT token is expired, then we should log out the user
  • With Keycloak auth manager, if the refresh token is expired, then we should also log out the user.

In both cases, the user has an invalid token and should no longer be considered as logged-in.


Was generative AI tooling used to co-author this PR?
  • Yes (please specify the tool below)

  • Read the Pull Request Guidelines for more information. Note: commit author/co-author name and email in commits become permanently public when merged.
  • For fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
  • When adding dependency, check compliance with the ASF 3rd Party License Policy.
  • For significant user-facing changes create newsfragment: {pr_number}.significant.rst or {issue_number}.significant.rst, in airflow-core/newsfragments.
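
The two scenarios in the description, together with the changed-signing-key case raised in review, as an added example that is not code from this PR or from Airflow. It is a simplified model: the HS256 check, `LOGIN_URL`, `COOKIE`, `RefreshRejected` and the `refresh` callable standing in for the identity provider are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

LOGIN_URL = "/auth/login"  # hypothetical login route
COOKIE = "_token"          # hypothetical session cookie name

class RefreshRejected(Exception):
    """Hypothetical: the identity provider says the refresh token is not active."""

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(head, body, key):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign(claims, key):
    """Build a compact HS256 JWT; used here only to construct sample tokens."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_mac(head, body, key))}"

def token_state(token, key, now):
    """Return 'valid', 'expired' or 'invalid'; never raise on malformed input."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64(head)).get("alg") != "HS256":
            return "invalid"  # pin the algorithm instead of trusting the header
        if not hmac.compare_digest(_mac(head, body, key), _unb64(sig)):
            return "invalid"  # tampered, or signed with a key that has since changed
        exp = json.loads(_unb64(body))["exp"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return "invalid"
    return "valid" if isinstance(exp, (int, float)) and now < exp else "expired"

def handle(access, key, now, refresh=None):
    """Decide the response for one request; `refresh` is None without an IdP."""
    state = token_state(access, key, now)
    if state == "valid":
        return {"status": 200}
    if state == "expired" and refresh is not None:
        try:
            return {"status": 200, "set_cookie": refresh()}
        except RefreshRejected:
            pass  # refresh token expired too: fall through to logout
    return {"status": 307, "location": LOGIN_URL, "delete_cookie": COOKIE}
```

Every failure path ends in the same logout response, so an expired or unverifiable token produces a clean redirect rather than an error surfaced to the user.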

vincbeck requested a review from bugraoz93 as a code owner January 19, 2026 14:51
boring-cyborg bot added area:API Airflow's REST/HTTP API area:providers provider:keycloak labels Jan 19, 2026
pierrejeambrun approved these changes Jan 19, 2026
Member

ashb commented Jan 19, 2026

I think this also covers the "the encryption/signing key has changed" for local development installs, right?

ashb reviewed Jan 19, 2026
vincbeck force-pushed the vincbeck/keycloak_refresh branch from f60fe20 to d00ba97 Compare January 19, 2026 16:39
ashb reviewed Jan 19, 2026
Contributor Author

vincbeck commented Jan 19, 2026

> I think this also covers the "the encryption/signing key has changed" for local development installs, right?

Yep

vincbeck force-pushed the vincbeck/keycloak_refresh branch 2 times, most recently from 48a3a80 to ec29c5c Compare January 19, 2026 17:00
vincbeck requested a review from ashb January 19, 2026 17:00
vincbeck force-pushed the vincbeck/keycloak_refresh branch 2 times, most recently from 4cbbcc7 to ef1bb98 Compare January 19, 2026 18:10
Member

dheerajturaga commented Jan 19, 2026

@vincbeck, what's the lifespan of a JWT token today? One concern here is having users log in very frequently.

Contributor

bugraoz93 commented Jan 19, 2026 (edited)

> @vincbeck, what's the lifespan of a JWT token today? One concern here is having users log in very frequently.

It defaults to the configuration; the execution and public APIs have different values, so admins should be able to change it according to their security concerns and user behavior.
For the public API, it is 86400s.


For execution api,

Contributor Author

vincbeck commented Jan 19, 2026

> @vincbeck, what's the lifespan of a JWT token today? One concern here is having users log in very frequently.

By default it is one day, but it is a config so you can change it. Note that this PR does not change that. Today, after one day your token is no longer valid. The only difference is today you get alerts all over the UI because you no longer have valid credentials. This PR changes that and logs you out.

bugraoz93 approved these changes Jan 19, 2026
Contributor

bugraoz93 left a comment

Thanks Vincent!

Member

dheerajturaga commented Jan 19, 2026

> > @vincbeck, what's the lifespan of a JWT token today? One concern here is having users log in very frequently.
>
> By default it is one day, but it is a config so you can change it. Note that this PR does not change that. Today, after one day your token is no longer valid. The only difference is today you get alerts all over the UI because you no longer have valid credentials. This PR changes that and logs you out.

Ah! that's great! This makes sense

dheerajturaga approved these changes Jan 19, 2026
vincbeck force-pushed the vincbeck/keycloak_refresh branch from ef1bb98 to e58ab2f Compare January 19, 2026 19:10
dheerajturaga self-requested a review January 19, 2026 19:12
dheerajturaga approved these changes Jan 19, 2026
vincbeck merged commit 9f0099f into apache:main Jan 20, 2026
128 checks passed
vincbeck deleted the vincbeck/keycloak_refresh branch January 20, 2026 15:22
Reviewers

bugraoz93 bugraoz93 approved these changes

pierrejeambrun pierrejeambrun approved these changes

dheerajturaga dheerajturaga approved these changes

ashb Awaiting requested review from ashb

Development

Successfully merging this pull request may close these issues.

Internal Server Error in Airflow API server with Keycloak provider when token is not active

5 participants