zeqk · March 5, 2025 17:09 · Nov 7, 2023 · May 11, 2023 · May 11, 2023 · May 11, 2023
diff --git a/apache_airflow_sso_howto.md b/apache_airflow_sso_howto.md
@@ -67,7 +67,9 @@ class AzureCustomSecurity(AirflowSecurityManager, LoggingMixin):
             "role_keys": me["roles"]
         }
 
+# the first of these two appears to work with older Airflow versions, the latter newer.
 FAB_SECURITY_MANAGER_CLASS = 'webserver_config.AzureCustomSecurity'
+SECURITY_MANAGER_CLASS = AzureCustomSecurity
 ```
 
 The above assumes environment variables are configured for the OAuth client secret, etc - and has been tested thoroughly and confirmed working.

diff --git a/README.md → apache_airflow_sso_howto.md b/README.md → apache_airflow_sso_howto.md
diff --git a/README.md b/README.md
@@ -0,0 +1,75 @@
+The following instructions for enabling Azure SSO for Apache Airflow nearly take you all the way - but fall short a couple of details around the configuration of airflow itself:
+
+https://objectpartners.com/2021/12/24/enterprise-auth-for-airflow-azure-ad
+
+All the "Azure" instructions there can be safely followed - the resulting `webserver_config.py` (which can be injected into a dockerised Airflow in `/opt/airflow/webserver_config.py`) can be built from the following:
+
+```
+from __future__ import annotations
+
+import os
+
+from airflow.www.fab_security.manager import AUTH_OAUTH
+from airflow.www.security import AirflowSecurityManager
+from airflow.utils.log.logging_mixin import LoggingMixin
+
+basedir = os.path.abspath(os.path.dirname(__file__))
+
+# Flask-WTF flag for CSRF
+WTF_CSRF_ENABLED = True
+WTF_CSRF_TIME_LIMIT = None
+
+AUTH_TYPE = AUTH_OAUTH
+
+OAUTH_PROVIDERS = [{
+    'name':'Microsoft Azure AD',
+    'token_key':'access_token',
+    'icon':'fa-windows',
+    'remote_app': {
+        'api_base_url': "https://login.microsoftonline.com/{}".format(os.getenv("AAD_TENANT_ID")),
+        'request_token_url': None,
+        'request_token_params': {
+            'scope': 'openid email profile'
+        },
+        'access_token_url': "https://login.microsoftonline.com/{}/oauth2/v2.0/token".format(os.getenv("AAD_TENANT_ID")),
+        "access_token_params": {
+            'scope': 'openid email profile'
+        },
+        'authorize_url': "https://login.microsoftonline.com/{}/oauth2/v2.0/authorize".format(os.getenv("AAD_TENANT_ID")),
+        "authorize_params": {
+            'scope': 'openid email profile'
+        },
+        'client_id': os.getenv("AAD_CLIENT_ID"),
+        'client_secret': os.getenv("AAD_CLIENT_SECRET"),
+        'jwks_uri': 'https://login.microsoftonline.com/common/discovery/v2.0/keys'
+    }
+}]
+
+AUTH_USER_REGISTRATION_ROLE = "Public"
+AUTH_USER_REGISTRATION = True
+AUTH_ROLES_SYNC_AT_LOGIN = True
+AUTH_ROLES_MAPPING = {
+    "airflow_prod_admin": ["Admin"],
+    "airflow_prod_user": ["Op"],
+    "airflow_prod_viewer": ["Viewer"]
+}
+
+class AzureCustomSecurity(AirflowSecurityManager, LoggingMixin):
+    def get_oauth_user_info(self, provider, response=None):
+        me = self._azure_jwt_token_parse(response["id_token"])
+        return {
+            "name": me["name"],
+            "email": me["email"],
+            "first_name": me["given_name"],
+            "last_name": me["family_name"],
+            "id": me["oid"],
+            "username": me["preferred_username"],
+            "role_keys": me["roles"]
+        }
+
+FAB_SECURITY_MANAGER_CLASS = 'webserver_config.AzureCustomSecurity'
+```
+
+The above assumes environment variables are configured for the OAuth client secret, etc - and has been tested thoroughly and confirmed working.
+
+Note the roles need to match what you configured in Azure (the example above is using `airflow_prod_user` etc, in deviation to the linked article above).
No results found