Airflow Summit 2026 is coming August 31 - September 2 in Austin, TX. Register now to secure your spot!

Keycloak auth manager

Warning

The Keycloak auth manager is alpha/experimental at the moment and may be subject to change without warning.

The Keycloak auth manager is an authentication and authorization manager that uses Keycloak as the identity provider. It enables you to manage users, roles, groups, and permissions entirely within Keycloak.

Getting started

Manage the environment

Generate a JWT token to use Airflow public API

Setup client Access/Login Settings

Note on Multi Team Clients When using the Keycloak auth manager with a multi-team deployment, you will need to keep the keycloak client up to date by creating the required policies and resources for each new team that is added.

If a team has dags added to Airflow but they are not setup in the keycloak client, keycloak will return a 400 error on the /dags screen: {"error":"invalid_resource", "error_description": "Resource with id [Dag:team-a] does not exist."} The keycloak auth manager will handle this error by registering it as a ‘deny’ response to preserve access to the /dags screen for other teams.

Was this entry helpful?