ContextQMD
Back to Airflow

Google OpenID authentication

providers/google/docs/api-auth-backend/google-openid.rst

3.3.0b13.5 KB
Original Source

.. Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

.. http://www.apache.org/licenses/LICENSE-2.0

.. Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Google OpenID authentication ''''''''''''''''''''''''''''

.. note:: This authentication mechanism only works for Airflow 2.x

You can also configure Google OpenID <https://developers.google.com/identity/protocols/oauth2/openid-connect>__ for authentication. To enable it, set the following option in the configuration:

.. code-block:: ini

[api]
auth_backends = airflow.providers.google.common.auth_backend.google_openid

It is also highly recommended to configure an OAuth2 audience so that the generated tokens are restricted to use by Airflow only.

.. code-block:: ini

[api]
google_oauth2_audience = project-id-random-value.apps.googleusercontent.com

.. warning:: User identity is matched by email address

This backend authenticates a request by matching the **verified** ``email``
claim of the Google ID token against an existing Airflow user's email. Email
addresses are mutable and can be reassigned between Google identities (for
example when an employee leaves and the address is recycled to a new hire, or
via domain recycling). The immutable ``sub`` (subject) claim is not consulted,
so a Google identity that comes to hold a previously-used address could
authenticate as the Airflow user still mapped to it.

Treat the email-to-user mapping as part of your identity lifecycle:
**deprovision (or re-map) the Airflow user whenever its email is reassigned**,
and do not recycle an address to a different identity while an Airflow account
is still mapped to it. Restricting ``google_oauth2_audience`` to your own
deployment (above) keeps tokens minted for unrelated audiences out of scope.

You can also configure the CLI to send request to a remote API instead of making a query to a local database.

.. code-block:: ini

[cli]
api_client = airflow.api.client.json_client
endpoint_url = http://remote-host.example.org/

You can also set up a service account key. If omitted, authorization based on the Application Default Credentials <https://cloud.google.com/docs/authentication/production#finding_credentials_automatically>__ will be used.

.. code-block:: ini

[cli]
google_key_path = <KEY_PATH>

You can get the authorization token with the gcloud auth print-identity-token command. An example request look like the following.

.. code-block:: bash

  ENDPOINT_URL="http://localhost:8080"

  AUDIENCE="project-id-random-value.apps.googleusercontent.com"
  ID_TOKEN="$(gcloud auth print-identity-token "--audiences=${AUDIENCE}")"

  curl -X GET  \
      "${ENDPOINT_URL}/api/experimental/pools" \
      -H 'Content-Type: application/json' \
      -H 'Cache-Control: no-cache' \
      -H "Authorization: Bearer ${ID_TOKEN}"