Error returning OAuth user info: missing_token #1821

Closed
jaimegm opened this issue Mar 21, 2022 · 4 comments


jaimegm commented Mar 21, 2022

I'm implementing Google OAuth with Airflow 2.2.1. The OAuth creds are managed through flask-appbuilder. I expect to be able to sign in to Airflow using Google OAuth and be redirected to the Airflow home page.

Environment

Flask-Appbuilder version: 3.4.5
Airflow Version: 2.2.1

pip freeze output:

adal==1.2.7
aiofiles==0.6.0
aiohttp==3.8.1
aiosignal==1.2.0
alembic==1.7.7
amqp==5.0.6
anyio==3.5.0
apache-airflow==2.2.1
apache-airflow-providers-amazon==2.3.0
apache-airflow-providers-celery==2.1.0
apache-airflow-providers-cncf-kubernetes==1.2.0
apache-airflow-providers-docker==2.2.0
apache-airflow-providers-elasticsearch==2.0.3
apache-airflow-providers-ftp==2.1.0
apache-airflow-providers-google==2.2.0
apache-airflow-providers-grpc==2.0.1
apache-airflow-providers-hashicorp==2.1.1
apache-airflow-providers-http==2.1.0
apache-airflow-providers-imap==2.2.1
apache-airflow-providers-microsoft-azure==3.2.0
apache-airflow-providers-mysql==1.1.0
apache-airflow-providers-odbc==2.0.1
apache-airflow-providers-postgres==1.0.2
apache-airflow-providers-redis==2.0.1
apache-airflow-providers-sendgrid==2.0.1
apache-airflow-providers-sftp==2.1.1
apache-airflow-providers-slack==4.1.0
apache-airflow-providers-sqlite==2.1.1
apache-airflow-providers-ssh==1.3.0
apispec==3.3.2
argcomplete==1.12.3
async-timeout==4.0.2
attrs==20.3.0
Authlib==1.0.0
azure-batch==11.0.0
azure-common==1.1.27
azure-core==1.19.0
azure-cosmos==3.2.0
azure-datalake-store==0.0.52
azure-identity==1.6.1
azure-keyvault==4.1.0
azure-keyvault-certificates==4.3.0
azure-keyvault-keys==4.4.0
azure-keyvault-secrets==4.3.0
azure-kusto-data==0.0.45
azure-mgmt-containerinstance==1.5.0
azure-mgmt-core==1.3.0
azure-mgmt-datafactory==1.1.0
azure-mgmt-datalake-nspkg==3.0.1
azure-mgmt-datalake-store==0.5.0
azure-mgmt-nspkg==3.0.2
azure-mgmt-resource==20.0.0
azure-nspkg==3.0.2
azure-storage-blob==12.8.1
azure-storage-common==2.1.0
azure-storage-file==2.1.0
Babel==2.9.1
backports.entry-points-selectable==1.1.0
bcrypt==3.2.0
beautifulsoup4==4.10.0
billiard==3.6.4.0
blinker==1.4
boto3==1.18.58
botocore==1.21.58
cached-property==1.5.2
cachetools==4.2.4
cattrs==1.6.0
celery==5.1.2
certifi==2021.10.8
cffi==1.15.0
charset-normalizer==2.0.12
click==7.1.2
click-didyoumean==0.3.0
click-plugins==1.1.1
click-repl==0.2.0
clickclick==20.10.2
cloudpickle==1.4.1
colorama==0.4.4
colorlog==5.0.1
commonmark==0.9.1
croniter==1.0.15
cryptography==3.4.8
dask==2021.6.0
decorator==5.1.0
defusedxml==0.7.1
Deprecated==1.2.13
dill==0.3.4
distlib==0.3.3
distributed==2.19.0
dnspython==2.2.1
docker==5.0.3
docutils==0.16
elasticsearch==7.13.4
elasticsearch-dbapi==0.2.6
elasticsearch-dsl==7.4.0
email-validator==1.1.3
et-xmlfile==1.1.0
eventlet==0.32.0
filelock==3.3.0
Flask==1.1.4
Flask-Admin==1.6.0
Flask-AppBuilder==3.4.5
Flask-Babel==2.0.0
Flask-Caching==1.10.1
Flask-JWT-Extended==3.25.1
Flask-Login==0.4.1
Flask-OpenID==1.3.0
Flask-SQLAlchemy==2.5.1
Flask-WTF==0.14.3
flower==1.0.0
frozenlist==1.3.0
fsspec==2021.10.0
gevent==21.8.0
google==2.0.3
google-ads==7.0.0
google-api-core==1.27.0
google-api-python-client==1.12.1
google-auth==1.21.2
google-auth-httplib2==0.1.0
google-auth-oauthlib==0.4.6
google-cloud-appengine-logging==1.1.0
google-cloud-audit-log==0.2.0
google-cloud-automl==2.5.1
google-cloud-bigquery==1.28.0
google-cloud-bigquery-datatransfer==3.4.0
google-cloud-bigquery-storage==1.1.0
google-cloud-bigtable==1.7.0
google-cloud-build==3.5.2
google-cloud-container==1.0.1
google-cloud-core==1.4.1
google-cloud-datacatalog==3.5.0
google-cloud-dataproc==2.6.0
google-cloud-dlp==1.0.0
google-cloud-kms==2.10.0
google-cloud-language==1.3.0
google-cloud-logging==2.7.0
google-cloud-memcache==1.2.0
google-cloud-monitoring==2.6.0
google-cloud-os-login==2.5.0
google-cloud-pubsub==2.8.0
google-cloud-redis==2.4.0
google-cloud-secret-manager==1.0.0
google-cloud-spanner==1.19.1
google-cloud-speech==1.3.2
google-cloud-storage==1.40.0
google-cloud-tasks==2.7.0
google-cloud-texttospeech==1.0.1
google-cloud-translate==1.7.0
google-cloud-videointelligence==1.16.1
google-cloud-vision==1.0.0
google-cloud-workflows==1.4.0
google-crc32c==1.3.0
google-resumable-media==1.3.3
googleapis-common-protos==1.55.0
graphviz==0.19.1
greenlet==1.1.2
grpc-google-iam-v1==0.12.3
grpcio==1.44.0
grpcio-gcp==0.2.2
gunicorn==20.1.0
h11==0.12.0
HeapDict==1.0.1
httpcore==0.14.7
httplib2==0.20.4
httpx==0.22.0
humanize==3.12.0
hvac==0.11.2
idna==3.3
importlib-metadata==4.11.3
importlib-resources==5.4.0
inflection==0.5.1
iso8601==1.0.2
isodate==0.6.1
itsdangerous==1.1.0
Jinja2==2.11.3
jira==2.0.0
jmespath==0.10.0
json-merge-patch==0.2
jsonpath-ng==1.5.3
jsonschema==3.2.0
kombu==5.1.0
kubernetes==11.0.0
lazy-object-proxy==1.7.1
ldap3==2.9.1
libcst==0.4.1
locket==0.2.1
lockfile==0.12.2
lxml==4.8.0
Mako==1.2.0
Markdown==3.3.6
MarkupSafe==1.1.1
marshmallow==3.15.0
marshmallow-enum==1.5.1
marshmallow-oneofschema==3.0.1
marshmallow-sqlalchemy==0.26.1
msal==1.15.0
msal-extensions==0.3.0
msgpack==1.0.2
msrest==0.6.21
msrestazure==0.6.4
multidict==6.0.2
mypy-extensions==0.4.3
mysql-connector-python==8.0.22
mysqlclient==2.1.0
nest-asyncio==1.5.4
nox==2020.12.31
numpy==1.22.3
oauth2client==4.1.3
oauthlib==3.1.0
openapi-schema-validator==0.2.3
openapi-spec-validator==0.4.0
openpyxl==3.0.9
opentelemetry-api==1.10.0
packaging==21.3
pandas==1.3.5
pandas-gbq==0.13.2
parameterized==0.8.1
paramiko==2.10.2
partd==1.2.0
pbr==5.8.1
pendulum==2.1.2
platformdirs==2.5.1
ply==3.11
plyvel==1.4.0
portalocker==1.7.1
prison==0.2.1
prometheus-client==0.11.0
prompt-toolkit==3.0.20
proto-plus==1.20.3
protobuf==3.19.4
psutil==5.9.0
psycopg2-binary==2.9.3
py==1.10.0
pyarrow==4.0.1
pyasn1==0.4.8
pyasn1-modules==0.2.8
pycparser==2.21
pydata-google-auth==1.2.0
Pygments==2.11.2
PyJWT==1.7.1
PyNaCl==1.5.0
pyodbc==4.0.32
pyOpenSSL==21.0.0
pyparsing==3.0.7
pyrsistent==0.18.1
pysftp==0.2.9
python-daemon==2.3.0
python-dateutil==2.8.2
python-http-client==3.3.3
python-ldap==3.3.1
python-nvd3==0.15.0
python-slugify==4.0.1
python3-openid==3.2.0
pytz==2021.3
pytzdata==2020.1
PyYAML==5.4.1
redis==3.5.3
requests==2.27.1
requests-file==1.5.1
requests-oauthlib==1.3.1
requests-toolbelt==0.9.1
responses==0.12.1
rfc3986==1.5.0
rich==12.0.0
rsa==4.8
s3transfer==0.5.0
sendgrid==6.8.2
setproctitle==1.2.2
simple-salesforce==1.11.6
six==1.16.0
slack-sdk==3.11.2
sniffio==1.2.0
sortedcontainers==2.4.0
soupsieve==2.3.1
SQLAlchemy==1.3.18
SQLAlchemy-JSONField==1.0.0
SQLAlchemy-Utils==0.38.2
sqlvalidator==0.0.16
sshtunnel==0.1.5
starkbank-ecdsa==2.0.0
statsd==3.3.0
swagger-ui-bundle==0.0.9
tabulate==0.8.9
tblib==1.7.0
tenacity==8.0.1
termcolor==1.1.0
text-unidecode==1.3
toolz==0.11.1
tornado==6.1
typing-inspect==0.7.1
typing_extensions==4.1.1
unicodecsv==0.14.1
uritemplate==3.0.1
urllib3==1.26.9
vine==5.0.0
virtualenv==20.8.1
watchtower==1.0.6
wcwidth==0.2.5
websocket-client==1.3.1
Werkzeug==1.0.1
wrapt==1.14.0
WTForms==2.3.3
yarl==1.7.2
zeep==4.1.0
zict==2.0.0
zipp==3.7.0
zope.event==4.5.0
zope.interface==5.4.0

Describe the expected results

Google OAuth should be able to authenticate and redirect to the Airflow home page

import os
from airflow.www.fab_security.manager import AUTH_OAUTH

basedir = os.path.abspath(os.path.dirname(__file__))

WTF_CSRF_ENABLED = True
AUTH_TYPE = AUTH_OAUTH
# Will allow user self registration
AUTH_USER_REGISTRATION = True
# Role assigned to every self-registered user
AUTH_USER_REGISTRATION_ROLE = "Admin"
# Re-sync the user's roles on every login, not only at registration
AUTH_ROLES_SYNC_AT_LOGIN = True
OAUTH_PROVIDERS = [
    {
        "name": "google",
        "token_key": "access_token",
        "icon": "fa-google",
        "whitelist": ["mycompany.com"],
        "remote_app": {
            "api_base_url": "https://www.googleapis.com/oauth2/v2/",
            "client_kwargs": {"scope": "email profile"},
            "access_token_url": "https://accounts.google.com/o/oauth2/token",
            "authorize_url": "https://accounts.google.com/o/oauth2/auth",
            "request_token_url": None,
            "client_id": os.environ.get("AIRFLOW__GOOGLE__CLIENT_ID"),
            "client_secret": os.environ.get("AIRFLOW__GOOGLE__CLIENT_SECRET"),
        },
    }
]

I followed this documentation. My Google OAuth/Airflow settings are below.

webserver:
  enable_proxy_fix: 'True'
  auth_backend: airflow.contrib.auth.backends.google_auth
  authenticate: 'True'
  # For Airflow 1.10
  rbac: 'True'
  default_wrap: 'True'
google:
  oauth_callback_route: '/oauth2callback'
  domain: company.com
  prompt: 'consent'

Describe the actual results

The OAuth provider page is present but I can't log in. When I click login I get an error message saying "Invalid login. Please try again." I have made sure that my previous login was deleted to allow for Google OAuth. I started investigating the HTTP logs, pasted below. I removed system log and timestamps from the logs to reduce noise.

"GET /login/ HTTP/1.1" 200 16325 "https://custom-url.mycompany.com/" 
"GET /login/google?next= HTTP/1.1" 302 963 "https://custom-url.mycompany.com/login/" 
{views.py:671} ERROR - Error returning OAuth user info: missing_token:
{views.py:671} ERROR - Error returning OAuth user info: missing_token:
"GET /oauth-authorized/google?state=xxxxxxxxxx&code=xxxxxxxxxxxx&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&authuser=0&hd=infarm.com&prompt=none HTTP/1.1" 302 221 "https://custom-url.mycompany.com/" 
"GET /login/ HTTP/1.1" 200 16325 "https://custom-url.mycompany.com/" 
"GET /login/google?next= HTTP/1.1" 302 963 "https://custom-url.mycompany.com/login/"
{views.py:671} ERROR - Error returning OAuth user info: missing_token:
{views.py:671} ERROR - Error returning OAuth user info: missing_token:
34.117.72.15 - - [21/Mar/2022:11:48:32 +0000] "GET /oauth-authorized/google?state=xxxxxxxxxxxxx&code=xxxxxxxxxx&scope=email+profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&authuser=0&hd=infarm.com&prompt=none HTTP/1.1" 302 221 "https://custom-url.mycompany.com/" 

Notes

I replaced my state and code values with x. I also replaced my actual URL with https://custom-url.mycompany.com/. I am surprised to see prompt=none and authuser=0 because prompt should be consent and I would expect some kind of reference to my account in authuser.

I have another workflow I use to generate OAuth tokens from Google. I was able to generate my auth token there and was given a warning message, pasted below; maybe this helps. I would be happy to submit a PR if I could debug and confirm it's working. I tried changing the scope in the OAuth provider config as well, with no success. When I changed the scope I had to define "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs" in OAUTH_PROVIDERS["remote_app"].

Warning: Scope has changed from "email profile" to "openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email"
@ltrogers98

Authlib also had a version update. Hardcode authlib in requirements to 0.15.5 and it fixed it for me.

@jaimegm
Author

jaimegm commented Mar 28, 2022

@ltrogers98 could you provide a pip freeze? I still get a "You are not Authorized". It must be a conflicting package or an internal Airflow setting.

Update: Never mind, I had to update the whitelist from my example. It's working now. Thank you! I will inform the Airflow repo as well.
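
An added example, not part of the original thread and not Flask-AppBuilder's own code: it assumes each `whitelist` entry is applied as a regular expression with `re.search` against the login email (my understanding of Flask-AppBuilder's OAuth view), and compares the bare domain from the config above with an escaped, anchored pattern. The helper names and sample addresses are constructed.

```python
import re

# Assumption: each "whitelist" entry is used as re.search(entry, email),
# so an entry is a regular expression, not a literal domain.
def is_allowed(email, whitelist):
    return any(re.search(pattern, email) for pattern in whitelist)

def anchored_domain(domain):
    """Pattern matching only addresses whose domain is exactly `domain`."""
    return "@" + re.escape(domain) + r"\Z"

def compare(domain, emails):
    """Return {email: (loose_result, anchored_result)} for each address."""
    loose = [domain]                    # bare domain, as in the config above
    strict = [anchored_domain(domain)]  # dot escaped, tied to '@' and end
    return {e: (is_allowed(e, loose), is_allowed(e, strict)) for e in emails}

# Constructed sample addresses (not taken from the thread).
SAMPLE_EMAILS = [
    "alice@mycompany.com",
    "bob@mycompany.com.example.net",
    "carol@notmycompany.com",
    "dave@mycompany-com.example.org",
    "erin@example.org",
]

if __name__ == "__main__":
    results = compare("mycompany.com", SAMPLE_EMAILS)
    for email, (loose, strict) in results.items():
        print(f"{email:32} loose={loose!s:5} anchored={strict}")
```

With `AUTH_USER_REGISTRATION = True` and `AUTH_USER_REGISTRATION_ROLE = "Admin"` as in the config above, the whitelist is the only gate on who self-registers as Admin, so the anchored form is the one to deploy.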

@potiuk
Contributor

potiuk commented Apr 6, 2022

Authlib 1.0.1, released today, fixed the issue. I recommend upgrading to it.

@dpgaspar
Owner

The authlib bump (now <2) is merged into master.
