Enable both backend api auth [basic_auth, session]

[jjyun-do]

When i activate the backend auth,
REST API call works well, but session does not work. (returns The CSRF session token is missing.)

and when i activate the session,
Rest API not works, but webserver (session) works well.

How can I activate both auth method?

I saw this, but I don't know how to.

[jjyun-do]

version - 2.6.2

[potiuk]

Look at the warnings you have in logs (inevitably). They provide information, you can put two backends in your config, separated by comma.

[potiuk]

Comma separated list of auth backends to authenticate users of the API. See https://airflow.apache.org/docs/apache-airflow/stable/security/api.html for possible values. (“airflow.api.auth.backend.default” allows all requests for historic reasons)

[jjyun-do]

auth_backends = airflow.api.auth.backend.basic_auth,airflow.api.auth.backend.session

Yes, actually I tried this configuration, but

1. basic auth: works
2. webserver: Csrf error occurs
   .

So I thought activate both at once is not available.

[jjyun-do]

@potiuk

1. Basic Auth: works
curl --location 'http://addr:8080/api/v1/config'
--header 'Accept: application/json'
--header 'Authorization: Basic REDACTED'

{
"detail": "Your Airflow administrator chose not to expose the configuration, most likely for security reasons.",
"status": 403,
"title": "Forbidden",
"type": "https://airflow.apache.org/docs/apache-airflow/2.6.2/stable-rest-api-ref.html#section/Errors/PermissionDenied"
}

2. Session: not works

When I enter portal and login with same credential with basic auth,
it returns 400 BAD Request, with 'The CSRF session token is missing.'

[potiuk]

Nope. You have something wrong. Can't reproduce it.

You likely issue your requests in some strange way or something strips out the tokens - or you have not restarted webserver or smth like that. You need to dig deeper. I am not sure how you are generating your requests, maybe you have forgotten to restart webserver after applying the configuration or maybe your configuration is somewhat wrong.

This works for me without problems:

(and I know it works because I use it to test 'python api client` this way every time we release it and it has always been working

[potiuk]

It also works for me when I reverse the order. So you need to look at your environment.

[jjyun-do]

@potiuk Could you please share your airflow.cfg for me?
I want to compare with mine. it would be very helpful.

Did you use secure cookie ? or database for the session?

[jjyun-do]

sorry, our docker image was wrong.

when I re-install the airflow in another ec2 instance, it works well.
I can debug it my self.

Thank you for your support XDXD