JWT Token Generation Fails for LDAP Users in Airflow 3.0 with FAB Auth Manager

[1412557]

Apache Airflow Provider(s)

fab

Versions of Apache Airflow Providers

apache-airflow-providers-fab==2.2.0

Apache Airflow version

3.0.2

Operating System

OS: RHEL UBI9, python3.12, Auth Manager: FAB; Authentication Backend: LDAP

Deployment

Other Docker-based deployment

Deployment details

CloudFormation and AWS ECS

What happened

We were using Airflow 2.9.2 with LDAP authentication. Other services use LDAP credentials to authenticate and call Airflow API to trigger DAG.
Now we want to upgrade to Airflow 3.0.x with FAB auth manager and LDAP authentication, the JWT token generation endpoint /auth/token fails to authenticate LDAP users, even though these users can successfully log in through the web UI (token can be found in local storage).

Local Airflow users can generate JWT token successfully but we do not prefer using static credentials

What you think should happen instead

LDAP users should be able to generate JWT tokens via the /auth/token endpoint for programmatic access to Airflow APIs

How to reproduce

1. Configure Airflow 3.0 with FAB auth manager and LDAP authentication
   [Environment] AIRFLOW__CORE__AUTH_MANAGER=airflow.providers.fab.auth_manager.fab_auth_manager.FabAuthManager AIRFLOW__FAB__AUTH_BACKENDS=airflow.providers.fab.auth_manager.api.auth.backend.session, airflow.providers.fab.auth_manager.api.auth.backend.basic_auth AIRFLOW__DATABASE__EXTERNAL_DB_MANAGERS=airflow.providers.fab.auth_manager.models.db.FABDBManager
2. Create an LDAP user and verify webUI login works
3. Attempt to generate JWT token via API /auth/token as describe here
4. Error 401 Unauthorized

Anything else

If the bug is legit, will it be fixed soon? can you provide some estimation?

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[boring-cyborg]

Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.

[eladkal]

cc @vincbeck

[vincbeck]

Correct, this is a known issue. Currently only users stored in DB can use the JWT token generation endpoint. The reason why I did not implement it is I found difficult (or lack of time during the Airflow 3 rush) to setup a LDAP server in order to test the implementation. But looking at the code, I am pretty sure this is relatively easy, I'll create a fix and potentially ask you (or someone else?) to test it?

[1412557]

Thanks @vincbeck for your confirmation

[1412557]

And yes I can test it for you, we really need the fix.

[joel-perez-1991]

thanks @vincbeck I can test it too as soon as it is available, the exact same issue here

[vincbeck]

I created #52295 which should fix the issue. Can you guys please try and test it?

[potiuk]

Nice - > the change looks cool, would be indeed great to get confirmation :)