Keycloak auth manager¶
Warning
The Keycloak auth manager is alpha/experimental at the moment and may be subject to change without warning.
The Keycloak auth manager is an authentication and authorization manager that uses Keycloak as the identity provider. It enables you to manage users, roles, groups, and permissions entirely within Keycloak.
Getting started
Manage the environment
Generate a JWT token to use Airflow public API
Setup client Access/Login Settings
Note on Multi Team Clients When using the Keycloak auth manager with a multi-team deployment, you will need to keep the keycloak client up to date by creating the required policies and resources for each new team that is added.
If a team has dags added to Airflow but they are not setup in the keycloak client, keycloak will return a 400 error on the /dags screen:
{"error":"invalid_resource", "error_description": "Resource with id [Dag:team-a] does not exist."}
The keycloak auth manager will handle this error by registering it as a ‘deny’ response to preserve access to the /dags screen for other teams.