GitHub user stephen-bracken created a discussion: Split out Authorization from Authentication
### Description

The airflow auth manager is responsible for both authentication and authorization of the user. By splitting the authentication component out into a separate module, authorization could be done by a separate provider, e.g. using fab to provide authentication via OIDC and then using keycloak to provide authorization.

### Use case/motivation

The casbin authorization library is a powerful policy engine, but does not support authentication. It expects users to already have their identity authenticated, and then provides those users with roles based on the policy. A good fit for the airflow security model would be the [RBAC with domains](https://casbin.apache.org/docs/rbac-with-domains) model. However, Casbin alone would not provide enough functionality to create an auth manager, so another library would be required to perform authorization. Therefore, if a 'casbin' provider were to be created, it would not actually be using casbin for the authentication, but rather would need some other functionality added from a different library. For example, you could use fab to authenticate the user and then use a casbin model to provide authorization.

### Related issues

_No response_

### Are you willing to submit a PR?

- [ ] Yes I am willing to submit a PR!

### Code of Conduct

- [x] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)

GitHub link: https://github.com/apache/airflow/discussions/65111
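Added example, not part of the original discussion and not Airflow or Casbin code: a stdlib-only sketch of the decision that Casbin's RBAC-with-domains matcher makes, sitting behind a separate authentication step. The class and function names, the use of teams as domains, and all users, roles and objects are assumptions constructed for illustration.

```python
# Added illustration: stdlib-only evaluation of Casbin's "RBAC with domains" matcher
#   m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && r.obj == p.obj && r.act == p.act
# All users, roles, domains and objects below are constructed sample data.
from collections import defaultdict


class DomainRBAC:
    def __init__(self, policies, groupings):
        # p = sub, dom, obj, act
        self.policies = set(policies)
        # g = user_or_role, role, domain  (role links are scoped to one domain)
        self.links = defaultdict(set)
        for member, role, dom in groupings:
            self.links[(member, dom)].add(role)

    def roles_in_domain(self, sub, dom):
        """Subject plus every role reachable from it inside `dom` (transitive)."""
        seen, stack = {sub}, [sub]
        while stack:
            for role in self.links[(stack.pop(), dom)]:
                if role not in seen:
                    seen.add(role)
                    stack.append(role)
        return seen

    def enforce(self, sub, dom, obj, act):
        """Default deny: allow only if some policy row matches the request."""
        return any((role, dom, obj, act) in self.policies
                   for role in self.roles_in_domain(sub, dom))


def authorize(identity, dom, obj, act, authz):
    """`identity` is whatever the separate authentication step produced.
    None means authentication failed, so authorization is never consulted."""
    if identity is None:
        return False
    return authz.enforce(identity, dom, obj, act)


AUTHZ = DomainRBAC(
    policies=[("admin", "team_a", "dag", "edit"),
              ("admin", "team_a", "dag", "read"),
              ("viewer", "team_b", "dag", "read")],
    groupings=[("alice", "admin", "team_a"),    # alice is admin only in team_a
               ("alice", "viewer", "team_b"),
               ("admin", "viewer", "team_a")],  # role hierarchy inside team_a
)
```

The authorizer only ever sees an already-verified subject string, so the identity source (FAB, OIDC or anything else) can change without touching the policy.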
