stephen-bracken opened a new issue, #65089:
URL: https://github.com/apache/airflow/issues/65089

   ### Description
   
   The Airflow auth manager is responsible for both authentication and
   authorization of the user. By splitting the authentication component out
   into a separate module, authorization could be done by a separate provider,
   e.g. using FAB to provide authentication via OIDC and then using Keycloak to
   provide authorization.
   
   ### Use case/motivation
   
   The Casbin authorization library is a powerful policy engine, but does not
   support authentication. It expects users to already have their identity
   authenticated, and then provides those users with roles based on the policy.
   A good fit for the Airflow security model would be the
   [RBAC with domains](https://casbin.apache.org/docs/rbac-with-domains) model.
   However, Casbin alone would not provide enough functionality to create an
   auth manager, so another library would be required to perform authorization.
   Therefore, if a 'casbin' provider were to be created, it would not actually
   be using Casbin for the authentication, but rather would need some other
   functionality added from a different library. For example, you could use FAB
   to authenticate the user and then use a Casbin model to provide
   authorization.
   
   ### Related issues
   
   _No response_
   
   ### Are you willing to submit a PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [x] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
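
The split proposed in the issue, sketched as an added example (not code from the issue, Airflow, or Casbin): a stand-in authentication step yields an identity, and a separate deny-by-default check evaluates it against a policy shaped like Casbin's RBAC-with-domains model. All names, the session table, and the policy rows are hypothetical and constructed; the evaluator is hand-written and does not use the Casbin library.

```python
from dataclasses import dataclass

# Constructed sample policy in the RBAC-with-domains shape (assumption, not Airflow's).
# p = (role, domain, object, action); g = (user_or_role, role, domain)
POLICIES = {
    ("dag_editor", "team_a", "dag", "edit"),
    ("dag_viewer", "team_a", "dag", "read"),
    ("dag_viewer", "team_b", "dag", "read"),
}
GROUPINGS = {
    ("alice", "dag_editor", "team_a"),
    ("dag_editor", "dag_viewer", "team_a"),  # role inheritance inside one domain
    ("alice", "dag_viewer", "team_b"),
}

@dataclass(frozen=True)
class Identity:
    subject: str  # produced only by the authentication component

def authenticate(token, sessions):
    """Hypothetical stand-in for the authentication module (e.g. an OIDC login)."""
    subject = sessions.get(token)
    return Identity(subject) if subject else None

def roles_in_domain(subject, domain):
    """Subject plus every role reachable through g(_, _, domain), transitively."""
    seen, stack = {subject}, [subject]
    while stack:
        current = stack.pop()
        for member, role, dom in GROUPINGS:
            if member == current and dom == domain and role not in seen:
                seen.add(role)
                stack.append(role)
    return seen

def is_authorized(identity, domain, obj, action):
    """Authorization only: deny by default, and never evaluate policy unauthenticated."""
    if identity is None:
        return False
    roles = roles_in_domain(identity.subject, domain)
    return any((role, domain, obj, action) in POLICIES for role in roles)
```

The authorization function never sees credentials, only the identity the authentication step vouches for, so either side can be replaced without touching the other.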
