This is an automated email from the ASF dual-hosted git repository.

vincbeck pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new 7a190025174 Do not get `logout_callback_url` from request in keycloak 
auth manager (#62795)
7a190025174 is described below

commit 7a190025174c32d400403e15b0f311fa4575cab6
Author: Vincent <[email protected]>
AuthorDate: Tue Mar 3 11:43:27 2026 -0500

    Do not get `logout_callback_url` from request in keycloak auth manager 
(#62795)
---
 .../src/airflow/providers/keycloak/auth_manager/routes/login.py    | 7 ++++---
 .../keycloak/tests/unit/keycloak/auth_manager/routes/test_login.py | 4 ++--
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git 
a/providers/keycloak/src/airflow/providers/keycloak/auth_manager/routes/login.py
 
b/providers/keycloak/src/airflow/providers/keycloak/auth_manager/routes/login.py
index 304d1683617..941f6d21dd4 100644
--- 
a/providers/keycloak/src/airflow/providers/keycloak/auth_manager/routes/login.py
+++ 
b/providers/keycloak/src/airflow/providers/keycloak/auth_manager/routes/login.py
@@ -20,12 +20,12 @@ from __future__ import annotations
 import json
 import logging
 from typing import cast
-from urllib.parse import quote
+from urllib.parse import quote, urljoin
 
 from fastapi import Request  # noqa: TC002
 from fastapi.responses import HTMLResponse, RedirectResponse
 
-from airflow.api_fastapi.app import get_auth_manager
+from airflow.api_fastapi.app import AUTH_MANAGER_FASTAPI_APP_PREFIX, 
get_auth_manager
 from airflow.api_fastapi.auth.managers.base_auth_manager import 
COOKIE_NAME_JWT_TOKEN
 from airflow.providers.keycloak.version_compat import AIRFLOW_V_3_1_1_PLUS, 
AIRFLOW_V_3_1_8_PLUS
 
@@ -118,7 +118,8 @@ def logout(request: Request):
     end_session_endpoint = keycloak_config["end_session_endpoint"]
 
     id_token = request.cookies.get(COOKIE_NAME_ID_TOKEN)
-    post_logout_redirect_uri = request.url_for("logout_callback")
+    base_url = conf.get("api", "base_url", fallback="/")
+    post_logout_redirect_uri = urljoin(base_url, 
f"{AUTH_MANAGER_FASTAPI_APP_PREFIX}/logout_callback")
 
     if id_token:
         encoded_id_token = quote(id_token, safe="")
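Review bot: In `logout`, `urljoin(base_url, f"{AUTH_MANAGER_FASTAPI_APP_PREFIX}/logout_callback")` drops any path component of `[api] base_url` when the prefix begins with `/`, which the updated test's expected `/auth/logout_callback` suggests it does. For a deployment served under a sub-path (constructed example: `https://host/airflow`), Keycloak would be sent `https://host/auth/logout_callback`. Joining by concatenation keeps the sub-path and still yields the value the test expects for the fallback: `post_logout_redirect_uri = f"{base_url.rstrip('/')}{AUTH_MANAGER_FASTAPI_APP_PREFIX}/logout_callback"`. Separately, with `fallback="/"` the URI is relative, and Keycloak will probably not match it against the client's registered post-logout redirect URIs, so a logged warning when `base_url` is unset would make that misconfiguration visible. The body of `logout` starts and ends outside this hunk, so how the URI is placed into the query string is not visible here.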
diff --git 
a/providers/keycloak/tests/unit/keycloak/auth_manager/routes/test_login.py 
b/providers/keycloak/tests/unit/keycloak/auth_manager/routes/test_login.py
index fb1b4a91890..834fee5f0ae 100644
--- a/providers/keycloak/tests/unit/keycloak/auth_manager/routes/test_login.py
+++ b/providers/keycloak/tests/unit/keycloak/auth_manager/routes/test_login.py
@@ -82,10 +82,10 @@ class TestLoginRouter:
     @pytest.mark.parametrize(
         ("id_token", "logout_callback_url"),
         [
-            (None, "http://testserver/auth/logout_callback";),
+            (None, "/auth/logout_callback"),
             (
                 "id_token",
-                
"logout_url?post_logout_redirect_uri=http://testserver/auth/logout_callback&id_token_hint=id_token";,
+                
"logout_url?post_logout_redirect_uri=/auth/logout_callback&id_token_hint=id_token",
             ),
         ],
     )
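Review bot: The two parametrized cases only exercise the unset `[api] base_url` fallback, so nothing here pins the behaviour the commit is about. I would add a case that sets `base_url` to an absolute URL with a path and asserts the full `post_logout_redirect_uri`. A second case could send the request with a different `Host` header and assert the redirect target is unchanged, documenting that the value no longer comes from the request. The test method that consumes `logout_callback_url` is outside this hunk, so the exact assertion shape would need to follow it.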
