Skip to content

Logout the user when the token expires#60781

Merged
vincbeck merged 1 commit intoapache:mainfrom
aws-mwaa:vincbeck/keycloak_refresh
Jan 20, 2026
Merged

Logout the user when the token expires#60781
vincbeck merged 1 commit intoapache:mainfrom
aws-mwaa:vincbeck/keycloak_refresh

Conversation

@vincbeck
Copy link
Copy Markdown
Contributor

@vincbeck vincbeck commented Jan 19, 2026
edited
Loading

Resolves #59359

There are 2 scenarios:

  • If the Airflow JWT token is expired, then we should log out the user
  • With Keycloak auth manager, if the refresh token is expired, then we should also log out the user.

In both cases, the user as a invalid token and is should no longer be considered as logged-in.

Was generative AI tooling used to co-author this PR?
  • Yes (please specify the tool below)
  • Read the Pull Request Guidelines for more information. Note: commit author/co-author name and email in commits become permanently public when merged.
  • For fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
  • When adding dependency, check compliance with the ASF 3rd Party License Policy.
  • For significant user-facing changes create newsfragment: {pr_number}.significant.rst or {issue_number}.significant.rst, in airflow-core/newsfragments.

@vincbeck vincbeck requested a review from bugraoz93 as a code owner January 19, 2026 14:51
@ashb
Copy link
Copy Markdown
Member

ashb commented Jan 19, 2026

I think this also covers the "the encryption/signing key has changed" for local development installs, right?

@vincbeck vincbeck force-pushed the vincbeck/keycloak_refresh branch from f60fe20 to d00ba97 Compare January 19, 2026 16:39
@vincbeck
Copy link
Copy Markdown
Contributor Author

vincbeck commented Jan 19, 2026

I think this also covers the "the encryption/signing key has changed" for local development installs, right?

Yep

@vincbeck vincbeck force-pushed the vincbeck/keycloak_refresh branch 2 times, most recently from 48a3a80 to ec29c5c Compare January 19, 2026 17:00
@vincbeck vincbeck requested a review from ashb January 19, 2026 17:00
@vincbeck vincbeck force-pushed the vincbeck/keycloak_refresh branch 2 times, most recently from 4cbbcc7 to ef1bb98 Compare January 19, 2026 18:10
@dheerajturaga
Copy link
Copy Markdown
Member

dheerajturaga commented Jan 19, 2026

@vincbeck, what's the lifespan of an jwt token today? One concern here is having users to login very frequently

@bugraoz93
Copy link
Copy Markdown
Contributor

bugraoz93 commented Jan 19, 2026
edited
Loading

@vincbeck, what's the lifespan of an jwt token today? One concern here is having users to login very frequently

It defaults to configuration for both execution and public api have different values. So admins should be able to change according to their security concerns and user behavior
For public api, it is 86400s.

airflow/airflow-core/src/airflow/config_templates/config.yml

Line 1706 in f2f1a08

jwt_expiration_time:

For execution api,

airflow/airflow-core/src/airflow/config_templates/config.yml

Line 1823 in f2f1a08

jwt_expiration_time:

@vincbeck
Copy link
Copy Markdown
Contributor Author

vincbeck commented Jan 19, 2026

@vincbeck, what's the lifespan of an jwt token today? One concern here is having users to login very frequently

By default it is one day, but it is a config so you can change it. Note that this PR does not change that. Today, after one day your token is no longer valid. The only difference is today you get alerts all over the UI because you no longer have valid credentials. This PR changes that and logs you out

bugraoz93
bugraoz93 approved these changes Jan 19, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@bugraoz93 bugraoz93 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Vincent!

@dheerajturaga
Copy link
Copy Markdown
Member

dheerajturaga commented Jan 19, 2026

@vincbeck, what's the lifespan of an jwt token today? One concern here is having users to login very frequently

By default it is one day, but it is a config so you can change it. Note that this PR does not change that. Today, after one day your token is no longer valid. The only difference is today you get alerts all over the UI because you no longer have valid credentials. This PR changes that and logs you out

Ah! that's great! This makes sense

@vincbeck vincbeck mentioned this pull request Jan 19, 2026
Closed
2 tasks
@vincbeck vincbeck force-pushed the vincbeck/keycloak_refresh branch from ef1bb98 to e58ab2f Compare January 19, 2026 19:10
@dheerajturaga dheerajturaga self-requested a review January 19, 2026 19:12
@vincbeck vincbeck merged commit 9f0099f into apache:main Jan 20, 2026
128 checks passed
@vincbeck vincbeck deleted the vincbeck/keycloak_refresh branch January 20, 2026 15:22
@vincbeck vincbeck mentioned this pull request Jan 20, 2026
Merged
1 task
vincbeck added a commit to aws-mwaa/upstream-to-airflow that referenced this pull request Jan 21, 2026
@vincbeck
Logout the user when the refresh token is no longer valid (apache#60781)
01653b3
This was referenced Jan 21, 2026
Merged
Merged
vincbeck added a commit that referenced this pull request Jan 21, 2026
@vincbeck
Logout the user when the refresh token is no longer valid (#60781) (#…
a655527 
…60881)
jason810496 pushed a commit to jason810496/airflow that referenced this pull request Jan 22, 2026
@vincbeck @jason810496
Logout the user when the refresh token is no longer valid (apache#60781)
413bc7f
amoghrajesh pushed a commit to astronomer/airflow that referenced this pull request Jan 22, 2026
@vincbeck @amoghrajesh
Logout the user when the refresh token is no longer valid (apache#60781)
0e52603
suii2210 pushed a commit to suii2210/airflow that referenced this pull request Jan 26, 2026
@vincbeck @suii2210
Logout the user when the refresh token is no longer valid (apache#60781)
3043964
@vincbeck vincbeck mentioned this pull request Jan 28, 2026
Closed
85 tasks
shreyas-dev pushed a commit to shreyas-dev/airflow that referenced this pull request Jan 29, 2026
@vincbeck @shreyas-dev
Logout the user when the refresh token is no longer valid (apache#60781)
6a856f8
@ephraimbuddy ephraimbuddy mentioned this pull request Jan 30, 2026
Closed
86 tasks
jhgoebbert pushed a commit to jhgoebbert/airflow_Owen-CH-Leung that referenced this pull request Feb 8, 2026
@vincbeck @jhgoebbert
Logout the user when the refresh token is no longer valid (apache#60781)
6f8c86d
choo121600 pushed a commit to choo121600/airflow that referenced this pull request Feb 22, 2026
@vincbeck @choo121600
Logout the user when the refresh token is no longer valid (apache#60781)
5176110
Subham-KRLX pushed a commit to Subham-KRLX/airflow that referenced this pull request Mar 4, 2026
@vincbeck @Subham-KRLX
Logout the user when the refresh token is no longer valid (apache#60781)
c11d304
Ankurdeewan pushed a commit to Ankurdeewan/airflow that referenced this pull request Mar 15, 2026
@vincbeck @Ankurdeewan
Logout the user when the refresh token is no longer valid (apache#60781)
b0de566
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bugraoz93 bugraoz93 bugraoz93 approved these changes

@pierrejeambrun pierrejeambrun pierrejeambrun approved these changes

@dheerajturaga dheerajturaga dheerajturaga approved these changes

@ashb ashb Awaiting requested review from ashb

Assignees

No one assigned

Labels

area:API Airflow's REST/HTTP API area:providers provider:keycloak

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Internal Server Error in Airflow API server with Keycloak provider when token is not active

5 participants

@vincbeck @ashb @dheerajturaga @bugraoz93 @pierrejeambrun