From 2145c2d88e28582241f5a8261f934bd66339b4a6 Mon Sep 17 00:00:00 2001 From: vincbeck Date: Tue, 3 Mar 2026 10:57:29 -0500 Subject: [PATCH] Do not get `logout_callback_url` from request in keycloak auth manager --- .../providers/keycloak/auth_manager/routes/login.py | 7 ++++--- .../tests/unit/keycloak/auth_manager/routes/test_login.py | 4 ++-- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/providers/keycloak/src/airflow/providers/keycloak/auth_manager/routes/login.py b/providers/keycloak/src/airflow/providers/keycloak/auth_manager/routes/login.py index 54c9400212070..d12154f63b978 100644 --- a/providers/keycloak/src/airflow/providers/keycloak/auth_manager/routes/login.py +++ b/providers/keycloak/src/airflow/providers/keycloak/auth_manager/routes/login.py @@ -20,12 +20,12 @@ import json import logging from typing import cast -from urllib.parse import quote +from urllib.parse import quote, urljoin from fastapi import Request # noqa: TC002 from fastapi.responses import HTMLResponse, RedirectResponse -from airflow.api_fastapi.app import get_auth_manager +from airflow.api_fastapi.app import AUTH_MANAGER_FASTAPI_APP_PREFIX, get_auth_manager from airflow.api_fastapi.auth.managers.base_auth_manager import COOKIE_NAME_JWT_TOKEN from airflow.providers.keycloak.version_compat import AIRFLOW_V_3_1_1_PLUS @@ -110,7 +110,8 @@ def logout(request: Request): end_session_endpoint = keycloak_config["end_session_endpoint"] id_token = request.cookies.get(COOKIE_NAME_ID_TOKEN) - post_logout_redirect_uri = request.url_for("logout_callback") + base_url = conf.get("api", "base_url", fallback="/") + post_logout_redirect_uri = urljoin(base_url, f"{AUTH_MANAGER_FASTAPI_APP_PREFIX}/logout_callback") if id_token: encoded_id_token = quote(id_token, safe="") diff --git a/providers/keycloak/tests/unit/keycloak/auth_manager/routes/test_login.py b/providers/keycloak/tests/unit/keycloak/auth_manager/routes/test_login.py index fb1b4a9189088..834fee5f0ae5b 100644 --- a/providers/keycloak/tests/unit/keycloak/auth_manager/routes/test_login.py +++ b/providers/keycloak/tests/unit/keycloak/auth_manager/routes/test_login.py @@ -82,10 +82,10 @@ def test_login_callback_without_code(self, client): @pytest.mark.parametrize( ("id_token", "logout_callback_url"), [ - (None, "http://testserver/auth/logout_callback"), + (None, "/auth/logout_callback"), ( "id_token", - "logout_url?post_logout_redirect_uri=http://testserver/auth/logout_callback&id_token_hint=id_token", + "logout_url?post_logout_redirect_uri=/auth/logout_callback&id_token_hint=id_token", ), ], )