Unable to configure DAG-level RBAC with Keycloak Auth Manager: Missing dag_id in context #61137

@ddroessler-ext

Description

Apache Airflow Provider(s)

keycloak

Versions of Apache Airflow Providers

apache-airflow-providers-keycloak==0.5.0
python-keycloak==7.0.1

Apache Airflow version

3.1.6

Operating System

openSUSE Tumbleweed

Deployment

Virtualenv installation

Deployment details

  • Keycloak
    • Start Keycloak 23.0.6 via breeze keycloak integration
    • Create permissions, scopes & resources via airflow keycloak-auth-manager create-all
    • Configure user, admin role and role assignment in Keycloak admin UI
  • Airflow
    • Airflow 3.1.6 + keycloak auth manager 0.5.0 are installed in a separate venv via pip:

      pip install "apache-airflow[celery,keycloak]==3.1.6" --constraint  "https://raw.githubusercontent.com/apache/airflow/constraints-3.1.6/constraints-3.12.txt"
      pip install apache-airflow-providers-keycloak==0.5.0
      
    • Only changes to default airflow.cfg are those required for keycloak_auth_manager:

      [core]
      auth_manager = airflow.providers.keycloak.auth_manager.keycloak_auth_manager.KeycloakAuthManager
      [keycloak_auth_manager]
      client_id = airflow
      client_secret = [REDACTED]
      realm = airflow
      server_url = http://localhost:48080
      

What happened

The following request is sent to Keycloak by the Keycloak auth manager (captured via Wireshark):
POST /realms/airflow/protocol/openid-connect/token HTTP/1.1 (application/x-www-form-urlencoded)
Form data:

grant_type=urn:ietf:params:oauth:grant-type:uma-ticket
audience=airflow
permission=Dag#GET
context=attributes

Note the literal context=attributes in the form data.

When checking on the Keycloak side, only the default context attributes are available to JavaScript-based policies:

ctx.attr[kc.realm.name] = [airflow]
ctx.attr[kc.client.user_agent] = [python-requests/2.32.5]
ctx.attr[kc.client.network.ip_address] = [172.18.0.1]
ctx.attr[kc.client.network.host] = [172.18.0.1]
ctx.attr[kc.client.id] = [airflow]
ctx.attr[kc.time.date_time] = [2026-01-27 14:46:36]

What you think should happen instead

Context attributes like dag_id should be sent to Keycloak instead of the literal "context=attributes".

How to reproduce

  1. Start configured Airflow & Keycloak (e.g., via breeze)
  2. Ensure official example DAGs are loaded (load_examples = True in airflow.cfg [core] section)
  3. Start network capture (e.g., Wireshark)
  4. Log in to Airflow through Keycloak
  5. Open /dags/asset_produces_1 to produce a GET /api/v2/dags/asset_produces_1 request
  6. Observe POST /realms/airflow/protocol/openid-connect/token with form data:
    grant_type=urn:ietf:params:oauth:grant-type:uma-ticket
    audience=airflow
    permission=Dag#GET
    context=attributes
    

Anything else

Maybe related to #51486?

Are you willing to submit PR?

  • Yes I am willing to submit a PR!
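The check below is an added example and is not code from the Airflow Keycloak provider, python-keycloak or Keycloak itself. It automates what the report does by hand with Wireshark: decode the form body of the UMA-ticket token request, split the `permission` value into resource and scope, and classify the `context` parameter so that the literal placeholder `context=attributes` is flagged instead of being mistaken for real attributes. The "fixed" body is constructed and hypothetical; the assumption that context attributes would travel as a JSON object containing `dag_id` is mine, not the provider's documented format.

```python
"""Classify the context parameter of a captured Keycloak UMA-ticket token request.

Added example for the issue above, not provider or Keycloak code. The captured
fields are the ones quoted in the report; the 'fixed' body is a constructed,
hypothetical shape used only to show what the check accepts.
"""
from __future__ import annotations

import json
import re
from urllib.parse import parse_qs, urlencode

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

# Form fields exactly as quoted in the report (decoded).
CAPTURED_FIELDS = {
    "grant_type": UMA_TICKET_GRANT,
    "audience": "airflow",
    "permission": "Dag#GET",
    "context": "attributes",
}
CAPTURED_BODY = urlencode(CAPTURED_FIELDS)

# Hypothetical, constructed body: same request, but the context parameter carries
# a JSON object with the dag_id from the reproduction steps. This shape is an
# assumption for illustration, not the provider's actual wire format.
HYPOTHETICAL_FIXED_BODY = urlencode({
    **CAPTURED_FIELDS,
    "context": json.dumps({"dag_id": "asset_produces_1"}),
})


def parse_token_request(body: str) -> dict[str, str]:
    """Decode an application/x-www-form-urlencoded token request body.

    Each field must appear exactly once; a repeated field is ambiguous for a
    policy decision, so it is rejected rather than silently picked.
    """
    fields: dict[str, str] = {}
    for key, values in parse_qs(body, keep_blank_values=True, strict_parsing=True).items():
        if len(values) != 1:
            raise ValueError(f"field {key!r} repeated {len(values)} times")
        fields[key] = values[0]
    return fields


def parse_permission(permission: str) -> tuple[str, str | None]:
    """Split a Keycloak UMA permission string 'Resource#scope' into its parts."""
    resource, sep, scope = permission.partition("#")
    return resource, (scope if sep else None)


def inspect_context(fields: dict[str, str], required: tuple[str, ...] = ("dag_id",)) -> dict:
    """Classify the context parameter of a UMA-ticket request.

    'status' is one of:
      not_uma      grant_type is not the UMA ticket grant
      missing      no context parameter at all
      placeholder  context is a bare word such as 'attributes' (the symptom in the report)
      malformed    context is present but not a JSON object
      incomplete   JSON object present but lacking a required attribute
      ok           all required attributes present
    """
    result: dict = {"status": "ok", "attributes": {}, "missing": []}
    if fields.get("grant_type") != UMA_TICKET_GRANT:
        result["status"] = "not_uma"
        return result
    raw = fields.get("context")
    if raw is None:
        result["status"] = "missing"
        return result
    try:
        attrs = json.loads(raw)
    except json.JSONDecodeError:
        # A lone identifier-like token is the tell-tale of a name being sent
        # where its values were meant to go.
        is_word = re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", raw) is not None
        result["status"] = "placeholder" if is_word else "malformed"
        return result
    if not isinstance(attrs, dict):
        result["status"] = "malformed"
        return result
    result["attributes"] = attrs
    result["missing"] = [name for name in required if name not in attrs]
    if result["missing"]:
        result["status"] = "incomplete"
    return result


if __name__ == "__main__":
    for label, body in (("captured", CAPTURED_BODY), ("hypothetical fixed", HYPOTHETICAL_FIXED_BODY)):
        fields = parse_token_request(body)
        print(label, parse_permission(fields["permission"]), inspect_context(fields))
```

Run against the captured body this reports `placeholder`, which is the condition a Keycloak policy author cannot work around on the server side: no `dag_id` ever reaches `ctx.attr`, so a DAG-level rule has nothing to evaluate.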
