ERROR - Error returning OAuth user info #1814

Closed
iammsa opened this issue Mar 10, 2022 · 16 comments

Comments

@iammsa

iammsa commented Mar 10, 2022

We are trying to use Okta OAuth for Airflow authentication, but we are unable to log in to the Airflow application

Environment

Flask-Appbuilder version: 3.2.2
Authlib : 0.15.5
Airflow Version: apache/airflow:2.1.0-python3.8

Describe the expected results

Okta OAuth should be able to authenticate and redirect to the Airflow home page

Describe the actual results:

Error log: "views.py: ERROR - Error returning OAuth user info: Expecting value: line 1 column 1 (char 0)"
On Airflow login page : Invalid login. Please try again.

Steps to reproduce

We have the below code for authentication in webserver_config.py

import os
import logging
logger = logging.getLogger(__name__)
logger.setLevel(logging.DEBUG)

from airflow import configuration as conf
from flask_appbuilder.security.manager import AUTH_OAUTH

basedir = os.path.abspath(os.path.dirname(__file__))

# Flask-WTF flag for CSRF
WTF_CSRF_ENABLED = True
AUTH_ROLE_ADMIN = 'Admin'
# Self-registration is on and every newly registered OAuth user receives the Admin role.
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Admin"
AUTH_TYPE = AUTH_OAUTH

OAUTH_PROVIDERS = [
{'name': 'okta', 'icon': 'fa-circle-o',
    'token_key': 'access_token',
    'remote_app': {
        'client_id': '--X--X--',
        'client_secret': '--X--X--',
        'server_metadata_url': 'https://<okta-url>/.well-known/openid-configuration',
        'api_base_url': 'https://<okta-url>/oauth2/v1',
        'client_kwargs': {
            'scope': 'openid profile email groups'
        },
        'access_token_url': 'https://<okta-url>/oauth2/v1/token',
        "userinfo_url": "https://<okta-url>/oauth2/default/userinfo",
        'authorize_url': 'https://<okta-url>/oauth2/v1/authorize',
        "redirect_uris": [
            "http://<URL>/",
            "http://<URL>/oidc/callback"
            ]
    }
}]

AUTH_ROLES_SYNC_AT_LOGIN = True
PERMANENT_SESSION_LIFETIME = 1800

@jaimegm

jaimegm commented Mar 21, 2022

I have a similar issue except with Google OAuth on Airflow 2.2.1. Except my error message is missing_token. I'll try to open an issue for it today

@sergiofteixeira

rollback to authlib==0.15.5 and it fixes it for now

@iammsa
Author

iammsa commented Apr 4, 2022

rollback to authlib==0.15.5 and it fixes it for now

@sergiofteixeira : I am already using authlib==0.15.5 version, but it still doesn't work

@troyharvey

Downgrading to 0.15.5 worked for us. But I opened an issue in authlib lepture/authlib#448

@abhikk30

@troyharvey @sergiofteixeira I have a similar issue. Still getting the below error
Error log: "views.py: ERROR - Error returning OAuth user info: Expecting value: line 1 column 1 (char 0)"

Can you please help on this?

@troyharvey

@abhirhel7 We made two changes:

  1. Upgrade to authlib==1.0.1
  2. In Airflow webserver_config.py, we added remote_app.jwks_uri to OAUTH_PROVIDERS.
OAUTH_PROVIDERS = [
    {
        'name': 'okta',
        'icon': 'fa-circle-o',
        'token_key': 'access_token',
        'remote_app': {
            ...
            'jwks_uri': 'https://derp.okta.com/oauth2/v1/keys'
        }
    }
]

@abhikk30

Thanks @troyharvey , Have done the changes and re-deployed, Still the same issue.
authlib==1.0.1
flask-appbuilder==3.2.2
sqlalchemy==1.3.18

Airflow Version: apache/airflow:2.1.0-python3.8

Over UI Saying Invalid login. Please try again.
And Log says:
022-05-23 19:51:04,746] {views.py:693} ERROR - Error returning OAuth user info: Expecting value: line 1 column 1 (char 0)

@tinder-javiertrejo

@abhirhel7 Were you able to solve the issue? I'm facing the same problem in Airflow 2.5.0

@adrienyhuel

adrienyhuel commented Mar 16, 2023

@abhirhel7 @tinder-javiertrejo

To solve the error, put a "/" at the end of 'api_base_url' :
'api_base_url': 'https://<okta-url>/oauth2/v1/'

Because the code concatenates api_base_url with "userinfo" to make its call.
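
The trailing-slash behaviour described in the comment above, as an added example that is not part of the original thread or of the Flask-AppBuilder or Authlib code. It assumes the OAuth client resolves the relative path "userinfo" against api_base_url with standard RFC 3986 joining, as Python's urljoin does; the host is a constructed placeholder and the function names are hypothetical. It also shows that a non-JSON body, such as an HTML error page, yields the exact message from the issue title.

```python
import json
from urllib.parse import urljoin


def resolve_userinfo_url(api_base_url, path="userinfo"):
    """Resolve a relative API path against the base URL (RFC 3986 joining)."""
    return urljoin(api_base_url, path)


def check_provider(provider):
    """Return a list of findings for one OAUTH_PROVIDERS entry."""
    findings = []
    app = provider.get("remote_app", {})
    base = app.get("api_base_url")
    if not base:
        return ["api_base_url is not set"]
    if not base.endswith("/"):
        # Without the slash, the last path segment is replaced, not extended.
        findings.append(
            "api_base_url has no trailing '/': 'userinfo' resolves to "
            + resolve_userinfo_url(base)
        )
    return findings


def decode_userinfo(body):
    """Parse a userinfo response body; return (claims, error_message)."""
    try:
        return json.loads(body), None
    except json.JSONDecodeError as exc:
        return None, str(exc)


# Constructed sample entry (placeholder host, assumption for illustration).
SAMPLE = {
    "name": "okta",
    "remote_app": {"api_base_url": "https://idp.example.com/oauth2/v1"},
}

if __name__ == "__main__":
    for finding in check_provider(SAMPLE):
        print(finding)
    # An HTML error page is not JSON, so decoding fails at the first character.
    print(decode_userinfo("<html>404 Not Found</html>")[1])
```
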

@halink0803

halink0803 commented May 16, 2023

I still get this problem.
Airflow==v2.5.3
authlib==1.2.0
flask-appbuilder=4.1.4

and the webserver_config:

from flask_appbuilder.security.manager import AUTH_OAUTH
import os

AUTH_TYPE = AUTH_OAUTH
AUTH_ROLES_SYNC_AT_LOGIN = True  # Checks roles on every login
AUTH_USER_REGISTRATION = True  # allow users who are not already in the FAB DB to register
AUTH_ROLES_MAPPING = {
    "Viewer": ["Viewer"],
    "Admin": ["Admin"],
}
# If you wish, you can add multiple OAuth providers.
OAUTH_PROVIDERS = [
    {
        "name": "google",
        "icon": "fa-google",
        "token_key": "access_token",
        "remote_app": {
            "client_id": os.getenv("GOOGLE_KEY"),
            "client_secret": os.getenv("GOOGLE_SECRET"),
            "api_base_url": "https://googleapis.com/oauth2/v2/",
            "client_kwargs": {"scope": "email profile"},
            "access_token_url": "https://accounts.google.com/o/oauth2/token",
            "authorize_url": "https://accounts.google.com/o/oauth2/auth",
            "jwks_uri": "https://googleapis.com/oauth2/v3/certs",
            "request_token_url": None,
            "redirect_url": "/oauth-authorized/google",
        },
    },
]

@alpeshv

alpeshv commented Jun 16, 2023

It seems like this is a common issue and there is no way to even debug it. In my case I am not seeing any error in the web server log. I am using Azure auth and getting the same error.

@andrewzah

Same issue here using keycloak to auth.

@alpeshv

alpeshv commented Sep 1, 2023

I have found and fixed my issues using a custom security class.

Try and use self.log.debug() to log debug information.

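from airflow.utils.log.logging_mixin import LoggingMixin
from airflow.www.security import AirflowSecurityManager


class AzureCustomSecurity(AirflowSecurityManager, LoggingMixin):
    def get_oauth_user_info(self, provider, response=None):
        if provider == "azure":
            # Debug only: these calls write the raw token response and id_token to the log.
            self.log.debug("Azure response received : {0}".format(response))
            id_token = response["id_token"]
            self.log.debug(str(id_token))
            # Decode the id_token claims with the security manager's own helper.
            me = self._azure_jwt_token_parse(id_token)
            self.log.debug("Parse JWT token : {0}".format(me))
            # Map the Azure claims onto the fields Flask-AppBuilder expects.
            parsed_token = {
                "name": me["name"],
                "email": me["email"],
                "first_name": me["given_name"],
                "last_name": me["family_name"],
                "id": me["oid"],
                "username": me["preferred_username"],
                "upn": me["oid"],
                "role_keys": me["roles"],
            }
            return parsed_token
        else:
            return {}


# Assigned after the class definition so the name is already bound.
SECURITY_MANAGER_CLASS = AzureCustomSecurity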

@dpgaspar
Owner

fixed on #2121

@deepakpixel

@halink0803 For google auth to work:
api_base_url should be https://www.googleapis.com/oauth2/v2/. Notice the www. Otherwise it will return 404 causing the flow to break after token generation.

@AlexMidili

Hello all, when I tried to fix some problems like this, the working solution was to delete the string with "userinfo_url" and add a working URL for "api_base_url".
Example of a working webserverConfig:

import os

AUTH_ROLES_MAPPING = {
    "Airflow_Users": ["User"],
    "Airflow_Admin": ["Admin"],
}

# OAuth configuration
OAUTH_PROVIDERS = [
    {
        "name": "keycloak",
        "token_key": "access_token",
        "icon": "fa-keycloak",
        "remote_app": {
            "client_id": "airflow",
            "client_secret": os.getenv("MY_SECRET"),
            "api_base_url": "https://keycloak.URL.org/realms/infrastructure/protocol/",
            "client_kwargs": {"scope": "email profile"},
            "access_token_url": "https://keycloak.URL.org/realms/infrastructure/protocol/openid-connect/token",
            "authorize_url": "https://keycloak.URL.org/realms/infrastructure/protocol/openid-connect/auth",
            "request_token_url": None,
            "redirect_url": "airflow-ingress-controller.airflow.k8s.dev/oauth/callback"
        }
    }
]
