Directions for configuring SSO with OAuth are unclear #59475

@bgshacklett

What do you see as an issue?

The page: https://airflow.apache.org/docs/apache-airflow-providers-fab/3.0.3/auth-manager/webserver-authentication.html contains these two statements:

One noting that the webserver_config.py file is no longer used:

The legacy webserver_config.py file referenced in older docs is no longer used in recent versions of Airflow. Authentication is handled via the new auth_manager framework configured in airflow.cfg.

Another, suggesting that it will be automatically generated with what seems to be an incompatible setting for SSO deployments:

A webserver_config.py file is automatically generated and can be used to configure FAB auth manager to support OAuth, OpenID, LDAP…
Default: AUTH_TYPE = AUTH_DB

(note: this does not appear to be true in our case. No webserver_config.py is visible within the running container)

In the SSO guide (https://airflow.apache.org/docs/apache-airflow-providers-fab/3.0.3/auth-manager/sso.html):

  • There is no mention of webserver_config.py
  • It suggests SSO should work via AIRFLOW__FAB__OAUTH_PROVIDERS, AIRFLOW__CORE__AUTH_MANAGER, etc.
  • There is no indication that AUTH_TYPE = AUTH_OAUTH must be set in Python config for OAuth to activate

This all tracks with the original statement that the webserver_config.py file is no longer used. However, in Airflow 3.0.x:

  • FAB does not appear to activate OAuth with the suggested configuration in place.
  • I am unable to find any airflow.cfg equivalent of the AUTH_TYPE setting, which would need to be modified if, indeed, a default webserver_config.py is generated with AUTH_TYPE=AUTH_DB.
  • Our current deployment, which is relying on the environment variable equivalents of airflow.cfg, does not appear to be activating OAuth at all.

Solving the problem

  • Clarify whether FAB still requires webserver_config.py for SSO mode selection (AUTH_TYPE, AUTH_* variables)
  • Update SSO guide to indicate where these settings must live
  • Reconcile statement that "webserver_config.py is no longer used" with the fact that OAuth/LDAP examples still appear to rely on it
  • If the long-term intent is to move these settings into airflow.cfg, document current limitations and future direction

Anything else

No response

Are you willing to submit PR?

  • Yes I am willing to submit a PR!
