Skip to content

Fix Keycloak provider redirect_uri to use HTTPS behind reverse proxy #61095

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
vincbeck merged 4 commits into from
Jan 27, 2026
Merged

Fix Keycloak provider redirect_uri to use HTTPS behind reverse proxy #61095

vincbeck merged 4 commits into from
Jan 27, 2026

Conversation

@arjav1528
Copy link
Contributor

@arjav1528 arjav1528 commented Jan 26, 2026
edited
Loading

Fixes #60922

The Keycloak authentication provider generates HTTP redirect URLs even when
running behind an HTTPS reverse proxy. This occurs because the login route
uses request.url_for() to generate the callback URL, which doesn't respect
proxy headers like X-Forwarded-Proto by default.

This fix configures Airflow to respect proxy headers by adding support for:

  1. Uvicorn's --proxy-headers flag with FORWARDED_ALLOW_IPS environment variable
  2. Alternative ProxyFix middleware configuration

Both approaches enable the Keycloak provider to correctly generate HTTPS
redirect URLs when deployed behind nginx ingress or other reverse proxies.

Testing:

  • Verified redirect_uri uses HTTPS when proxy headers are configured
  • Confirmed backward compatibility with existing deployments

@eladkal eladkal requested a review from vincbeck January 26, 2026 21:26
@vincbeck vincbeck merged commit 0708036 into apache:main Jan 27, 2026
95 checks passed
shreyas-dev pushed a commit to shreyas-dev/airflow that referenced this pull request Jan 29, 2026
@arjav1528 @shreyas-dev
Fix Keycloak provider redirect_uri to use HTTPS behind reverse proxy (a…
e35cff3 
…pache#61095)

* docs: Enhance Airflow API server configuration in values.yaml

* docs: Update Airflow API server args description to include reverse proxy support and provide usage example

* docs: Update API server env vars description to include reverse proxy configuration and provide example usage

* docs: Add Helm chart configuration details for running Airflow behind a reverse proxy
@jedcunningham jedcunningham mentioned this pull request Jan 30, 2026
Open
96 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vincbeck vincbeck vincbeck approved these changes

@jedcunningham jedcunningham Awaiting requested review from jedcunningham jedcunningham is a code owner

@hussein-awala hussein-awala Awaiting requested review from hussein-awala hussein-awala is a code owner

@jscheffl jscheffl Awaiting requested review from jscheffl jscheffl is a code owner

Assignees

No one assigned

Labels

area:helm-chart Airflow Helm Chart kind:documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Airflow Keycloak provider redirect to HTTP instead of HTTPS

2 participants

@arjav1528 @vincbeck