Fix Keycloak double-slash URL bug (#61121) (#61305)

* Fix Keycloak double-slash URL bug (#61121)

- Normalize server_url in _get_token_url to prevent double-slashes
- Add .rstrip('/') to handle trailing slashes in server_url configuration
- Add comprehensive tests for URL normalization scenarios
- Resolves compatibility issue with Keycloak 26.4+ strict path validation

When server_url has a trailing slash (e.g., 'https://host/auth/'),
the previous implementation would create invalid URLs with double-slashes
(e.g., 'https://host/auth//realms/...'), which Keycloak 26.4+ rejects
with HTTP 400 'missingNormalization' error.

This fix allows users to configure server_url with or without trailing
slashes while ensuring properly normalized URLs are always generated.

Fixes #61121

* Refactor URL normalization tests to use parametrize

- Consolidate 4 separate test methods into a single parametrized test
- Improves maintainability and reduces code duplication
- Covers same scenarios: no trailing slash, single slash, multiple slashes, root path

Author: y-sudharshan

providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py

@@ -412,7 +412,8 @@ def _is_batch_authorized(
 
     @staticmethod
     def _get_token_url(server_url, realm):
-        return f"{server_url}/realms/{realm}/protocol/openid-connect/token"
+        # Normalize server_url to avoid double slashes (required for Keycloak 26.4+ strict path validation).
+        return f"{server_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"
 
     @staticmethod
     def _get_payload(client_id: str, permission: str, attributes: dict[str, str] | None = None):

providers/keycloak/tests/unit/keycloak/auth_manager/test_keycloak_auth_manager.py

@@ -559,3 +559,29 @@ def test_get_keycloak_client_with_no_credentials(self, mock_keycloak_openid, aut
             client_secret_key="client_secret",
         )
         assert client == mock_keycloak_openid.return_value
+
+    @pytest.mark.parametrize(
+        ("server_url", "expected_url"),
+        [
+            (
+                "https://keycloak.example.com/auth",
+                "https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/token",
+            ),
+            (
+                "https://keycloak.example.com/auth/",
+                "https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/token",
+            ),
+            (
+                "https://keycloak.example.com/auth///",
+                "https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/token",
+            ),
+            (
+                "https://keycloak.example.com/",
+                "https://keycloak.example.com/realms/myrealm/protocol/openid-connect/token",
+            ),
+        ],
+    )
+    def test_get_token_url_normalization(self, auth_manager, server_url, expected_url):
+        """Test that _get_token_url normalizes server_url by stripping trailing slashes."""
+        token_url = auth_manager._get_token_url(server_url, "myrealm")
+        assert token_url == expected_url