Reputation: 459
I am trying to add multi-tenancy and Google authentication in Airflow 1.9.0. I have added these lines in airflow.cfg:
[webserver]
authenticate = True
filter_by_owner = True
auth_backend = airflow.contrib.auth.backends.google_auth
[google]
client_id = google_client_id
client_secret = google_client_secret
oauth_callback_route = /oauth2callback
domain = xyz.com
But I am getting Error: redirect_uri_mismatch when I try to open airflow homepage.
Request Details
response_type=code
client_id=google_client_id
redirect_uri=**http://my-staging.io:8099/oauth2callback?next=%2Fadmin%2F**
scope=https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
Why is ?next=%2Fadmin%2F getting appended to the redirect uri?
Upvotes: 2
Views: 5175
Reputation: 3257
%2Fadmin%2F is the percent encoding for /admin/, which is the base URL for the webserver dashboard. It looks like Airflow is adding a next=value param to the query string to redirect the user back to the page they were on prior to needing to authenticate.
However it looks like there is a bug with Airflow that was only fixed in March related to this. https://github.com/apache/incubator-airflow/commit/eeca38396015589f7dddd67f8836d5d8aa7ac010#diff-f3c3b9b4eb464414c0781a1137172ec1
The query string is part of the URL, and each variation would need to be whitelisted. Any time you attempt to authenticate, Google will only allow redirecting back to whitelisted URLs. However, the state param in a query string is ignored in this check. Your version is still using the next param.
You can whitelist http://my-staging.io:8099/oauth2callback?next=%2Fadmin%2F in your OAuth credentials in GCP and assume/expect all users authenticating will start from /admin/, update your version of Airflow to one with the above commit, or merge this commit into the version you are using.
Upvotes: 2
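The mismatch described in the answer above, as an added example that is not Airflow's code and not part of either post: it builds the authorization request both ways and compares the resulting redirect_uri against the registered callback by exact string match. The function names, the single registered URI and the `safe_next` check on the returned path are assumptions made for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed for illustration: the one callback registered on the OAuth client.
REGISTERED_REDIRECT_URIS = {"http://my-staging.io:8099/oauth2callback"}
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
SCOPE = ("https://www.googleapis.com/auth/userinfo.profile "
         "https://www.googleapis.com/auth/userinfo.email")


def build_auth_url(client_id, callback, next_path, use_state):
    """Authorization request with `next` in redirect_uri (old) or in state (fixed)."""
    params = {"response_type": "code", "client_id": client_id, "scope": SCOPE}
    if use_state:
        params["redirect_uri"] = callback      # constant, matches the registration
        params["state"] = next_path            # return path travels separately
    else:
        params["redirect_uri"] = callback + "?" + urlencode({"next": next_path})
    return AUTH_ENDPOINT + "?" + urlencode(params)


def query_param(url, name):
    """Return one decoded query parameter of url, or None if absent."""
    return parse_qs(urlsplit(url).query).get(name, [None])[0]


def redirect_uri_allowed(redirect_uri, registered=REGISTERED_REDIRECT_URIS):
    """Exact string match, query string included."""
    return redirect_uri in registered


def safe_next(state, default="/admin/"):
    """On callback, only follow a same-site absolute path taken from state."""
    s = state or ""
    parts = urlsplit(s)
    if parts.scheme or parts.netloc or not s.startswith("/") \
            or s.startswith("//") or "\\" in s:
        return default
    return s


if __name__ == "__main__":
    callback = "http://my-staging.io:8099/oauth2callback"
    for use_state in (False, True):
        url = build_auth_url("google_client_id", callback, "/admin/", use_state)
        uri = query_param(url, "redirect_uri")
        print(use_state, uri, redirect_uri_allowed(uri))
```

The state value comes back from the browser, so it is validated before being used as a redirect target; OAuth clients also commonly bind state to the user's session as an anti-CSRF value.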