Logout airflow on Web UI does not work using OAuth2

[CaptainJ93]

Apache Airflow version: 2.0.0

Kubernetes version (if you are using kubernetes) (use kubectl version): Client Version: Major:"1", Minor:"19", GitVersion:"v1.19.0",Server Version: Major:"1", Minor:"19",

Environment:

• Cloud provider or hardware configuration:
• OS (e.g. from /etc/os-release): Debian GNU/Linux 10 (buster)
• Kernel (e.g. uname -a): Linux airflow-webserver-7bdf6db4f8-k9hkp 3.10.0-1127.10.1.el7.x86_64 Improving the search functionality in the graph view #1 SMP Wed Jun 3 14:28:03 UTC 2020 x86_64 GNU/Linux
• Install tools: ansible
• Others:

What happened:

We are trying to implement OAuth2 on airflow using Keycloak. We have already set up Keycloak and configured airflow, now the login is success. But when clicking logout on airflow, the session still exists in Keycloak. Go to /pipelines page again, user logs in.

What you expected to happen:

If user logout airflow, when he try to access pipelines again should redirect to login page. Session should be invalid in Keycloak and user need to re-enter username&password.
Maybe airflow should send a http request to Keycloak server to disable the session.

How to reproduce it:

1. set airflow to OAuth
2. login user
3. click logout
4. go to pipelines page again, user is still logged in

Anything else we need to know:
When click logout, we checked Kecloak session, the session is still active.
If we disable it manually, the user will need to log in again, which is correct.
My guess is airflow need to send this request:
http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri
when user click logout.

[boring-cyborg]

Thanks for opening your first issue here! Be sure to follow the issue template!

[jedcunningham]

This should probably be an issue over at https://github.com/dpgaspar/Flask-AppBuilder instead.

[kaojunsong]

dpgaspar/Flask-AppBuilder#1160 could probably solve this issue.

[blag]

Since dpgaspar/Flask-AppBuilder#1160 was closed by the stalebot and ignored after that, I opened PR dpgaspar/Flask-AppBuilder#1749 with the same changes. Hopefully that gets merged.

[blag]

Now that dpgaspar/Flask-AppBuilder#1749 is merged, this is one step closer to being fixed.

TODO as of now:

• Wait for a new release of FAB that includes that fix - 3.4.1 on Dec 13th, 2021
• Update Airflow constraints files
• Check if this bug is fixed in Airflow

[potiuk]

Constraints should update itself - now when our tests are far less flaky, thiis works out-of-the-box.

[potiuk]

Flask App builder constraints are updated already - both main and 2.2 branch. So we could fix it in main and cherry-pick to 2.2.4

[potiuk]

cc: @kaxil

[jedcunningham]

I just tested this and FAB does respect LOGOUT_REDIRECT_URL when logging out via the Airflow UI.