Re: [DISCUSS] Auth backends

2025-03-05 Thread Pierre Jeambrun
I think this is a great way to move forward considering Airflow 3 deadline. Also given that this is already implemented and merged in main I’m not sure if an AIP makes sense at this point, I’ll let others weigh in on this. On Tue 4 Mar 2025 at 23:05, Vincent Beck wrote: > Option 1 seems to be th

Re: [DISCUSS] Auth backends

2025-03-04 Thread Vincent Beck
Option 1 seems to be the winning choice. (If you disagree, there is still time to bring it up.) Regarding the need for more details on the implementation and flow for creating and using the JWT token, what should be the next step? Jarek, you suggested creating an AIP, and I agree that this woul

Re: [DISCUSS] Auth backends

2025-03-03 Thread Vincent Beck
Yes, 100%. On 2025/03/03 17:33:55 Ash Berlin-Taylor wrote: > So is the auth manager involved in interpreting the JWT token into something > more meaningful in order to make permission decisions etc then? > > > On 3 Mar 2025, at 16:38, Vincent Beck wrote: > > > > JWT token created by FAB auth

Re: [DISCUSS] Auth backends

2025-03-03 Thread Ash Berlin-Taylor
So is the auth manager involved in interpreting the JWT token into something more meaningful in order to make permission decisions etc then? > On 3 Mar 2025, at 16:38, Vincent Beck wrote: > > JWT token created by FAB auth manager: > ``` > { > "id": "12345789" > } > ``` > > JWT token cre

Re: [DISCUSS] Auth backends

2025-03-03 Thread Vincent Beck
Hi Ash, Sure, let me try to give more details. > Can you give a concrete example of the request flow between browser/CLI, the > API server and any backends? Assuming FAB auth manager is configured in the environment. Here is the API call to create a JWT token: ``` curl -X 'POST' \ 'http://

Re: [DISCUSS] Auth backends

2025-03-03 Thread Jarek Potiuk
Yeah - for sure we need some details, the direction seems sound (and is indeed pretty standard - https://auth0.com/docs/secure/tokens/token-best-practices for example describes a number of ways API security is handled with JWT. Possibly - again - we should look at some ready to use solution in fast

Re: [DISCUSS] Auth backends

2025-03-03 Thread Ash Berlin-Taylor
Hi Vincent, Can you elaborate more on Option 1? Can you give a concrete example of the request flow between browser/CLI, the API server and any backends? How often is this API to generate a JWT called? What is the request flow of user credentials? What validation/verification is done on the r

Re: [DISCUSS] Auth backends

2025-03-01 Thread Buğra Öztürk
Thanks for starting this discussion, Vincent! I'm in favour of Option 1 as well. While I acknowledge the drawbacks, I believe they can be mitigated over time by allowing more flexibility in authentication managers, similar to what FAB is trying to achieve. If I recall correctly, there were discuss

Re: [DISCUSS] Auth backends

2025-03-01 Thread Abhishek Bhakat
+1 to option 1 as well. - Avi On Fri, Feb 28, 2025 at 6:32 PM Jarek Potiuk wrote: > I very much like Option 1 only > > Especially if we can generate a python client that can easily "hide" the > necessary auth workflow and extend it by different mechanisms easily. I > think the fact that the JWT

Re: [DISCUSS] Auth backends

2025-02-28 Thread Jarek Potiuk
I very much like Option 1 only Especially if we can generate a python client that can easily "hide" the necessary auth workflow and extend it by different mechanisms easily. I think the fact that the JWT token is used should be very well hidden - and you should be able to have some pluginable way