By
Vincent Beck
As organizations scale their data platforms, managing access to Apache Airflow becomes increasingly complex. In this talk, we introduce the Keycloak Auth Manager — a pluggable authentication and authorization backend for Airflow that delegates identity management to Keycloak, a battle-tested open-source Identity and Access Management solution.
We’ll start with the big picture: what problem does the Keycloak Auth Manager solve, and why Keycloak? We’ll walk through the architecture — how Airflow’s auth manager interface works, how the Keycloak integration hooks into it, and how authentication flows (OIDC/OAuth2) and authorization (role mapping, resource-based permissions) are handled under the hood.
In the second part, we shift to the user perspective with a demo. You’ll see how to configure and deploy the integration, how end users experience SSO login, and how administrators manage roles and permissions in Keycloak that reflect directly in Airflow’s UI and API.
Finally, We’ll also touch on how Keycloak naturally fits into multi-team scenarios, and what that unlocks for teams operating at scale.
Key takeaways:
- Understand how Airflow’s pluggable auth manager interface works
- Learn how Keycloak handles authentication (OIDC) and authorization (roles/permissions) for Airflow
- See a real-world deployment in action, from config to login to access control
- Walk away with practical tips for adopting this in your own stack
Vincent Beck
Apache Airflow PMC Member | Sr Software Development Engineer @ AWS