Generate JWT token with Keycloak auth manager
Note
This guide only applies if your environment is configured with Keycloak auth manager.
In order to use the Airflow public API, you need a JWT token for authentication.
You can then include this token in your Airflow public API requests.
To generate a JWT token, use the Create Token API in the Keycloak auth manager token API.
Several endpoints exist to create tokens depending on the authentication method you want to use.
If a user or service needs to interact with the Airflow public API, they can create a token using their credentials.
- /auth/token: Create token using username and password or client credentials with a [config][api_auth] jwt_expiration_time expiration time.
- /auth/token/cli: Create token for Airflow CLI using username and password with a [config][api_auth] jwt_cli_expiration_time expiration time.
Example
ENDPOINT_URL="http://localhost:8080"
curl -X 'POST' \
"${ENDPOINT_URL}/auth/token" \
-H 'Content-Type: application/json' \
-d '{
"username": "<username>",
"password": "<password>"
}'
This process will return a token that you can use in the Airflow public API requests.
The body can also contain a grant_type field with value password but it is optional since it is the default value.
ENDPOINT_URL="http://localhost:8080"
curl -X 'POST' \
"${ENDPOINT_URL}/auth/token" \
-H 'Content-Type: application/json' \
-d '{
"grant_type": "client_credentials",
"client_id": "<client_id>",
"client_secret": "<client_secret>"
}'
If other services need to interact with the Airflow public API, they can create a token using the client credentials grant flow. The client must live in the same realm the Auth Manager is configured to use. Its service account must have the appropriate roles / permissions to access the Airflow public API. This process will return a token obtained using client credentials grant flow.
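The following is an added example, not part of the Airflow documentation: it requests a token with the client credentials grant without putting the secret on the command line, and reads the token's `exp` claim so a service can tell how long the token remains valid. The `access_token` response field, the `AIRFLOW_CLIENT_ID` / `AIRFLOW_CLIENT_SECRET` variable names and the `/api/v2/dags` path are assumptions.

```shell
#!/usr/bin/env bash
# Added example. This inspects claims only; it does NOT verify the signature.

# Decode the payload (second segment) of a JWT. JWTs use unpadded base64url,
# so map the alphabet back to standard base64 and restore '=' padding first.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done
  printf '%s' "$seg" | base64 -d
}

# Print the numeric "exp" claim (seconds since the epoch); fail if it is absent.
jwt_exp() {
  local exp
  exp=$(jwt_payload "$1" |
    sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  [ -n "$exp" ] && printf '%s\n' "$exp"
}

# Seconds until expiry, relative to "now" ($2, defaults to the current time).
jwt_seconds_left() {
  local exp now
  exp=$(jwt_exp "$1") || return 1
  now=${2:-$(date +%s)}
  printf '%s\n' $(( exp - now ))
}

# Request a token with the client credentials grant. The JSON body is piped to
# curl on stdin (--data @-), so the secret is not visible in the process list.
# Assumptions: the credentials come from AIRFLOW_CLIENT_ID / AIRFLOW_CLIENT_SECRET,
# contain no '"' or '\', and the response JSON has an "access_token" field.
get_token() {
  printf '{"grant_type":"client_credentials","client_id":"%s","client_secret":"%s"}' \
    "$AIRFLOW_CLIENT_ID" "$AIRFLOW_CLIENT_SECRET" |
    curl -sS --fail -X POST "${ENDPOINT_URL}/auth/token" \
      -H 'Content-Type: application/json' --data @- |
    sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Usage against a running Airflow (/api/v2/dags is an assumed API path):
#   TOKEN=$(get_token) && [ "$(jwt_seconds_left "$TOKEN")" -gt 60 ] &&
#     curl -sS -H "Authorization: Bearer ${TOKEN}" "${ENDPOINT_URL}/api/v2/dags"
```

Use a TLS endpoint rather than the `http://localhost:8080` shown above whenever the request leaves the local host, since both the credentials and the returned token travel in the request and response bodies.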