Fix OAuth session race condition causing false 401 errors during login (#61287)

* Fix OAuth session race condition causing false 401 errors during login

Fixes #57981

When users authenticate via Azure OAuth SSO (and other OAuth providers),
the UI briefly displays an authentication error message during the OAuth
redirect flow. The error appears for approximately 1 second before
disappearing once authentication successfully completes.

Root Cause:
The issue stems from a race condition during the OAuth authentication flow.
After the OAuth callback completes and the user is authenticated, the Flask
session containing OAuth tokens and user data may not be fully committed to
the session backend (cookie or database) before the redirect response is sent
to the client. When the UI loads and immediately makes API requests (like
/ui/config), these requests arrive before the session is available, causing
temporary 401 Unauthorized errors.

Solution:
This commit introduces a CustomAuthOAuthView that extends Flask-AppBuilder's
AuthOAuthView to explicitly ensure the session is committed before redirecting.
The fix:

1. Created providers/fab/src/airflow/providers/fab/auth_manager/views/auth_oauth.py
   with CustomAuthOAuthView class
2. Override oauth_authorized() method to mark session.modified = True after
   parent's OAuth callback handling completes
3. Updated security_manager/override.py to use CustomAuthOAuthView instead of
   the default AuthOAuthView

This ensures Flask's session interface saves the session via the after_request
handler before the HTTP redirect response is sent to the client, eliminating
the race condition.

The fix addresses the root cause as suggested by maintainer feedback on
PR #58037, rather than masking the error in the UI.

Testing:
- Syntax validated with py_compile
- Works with both session backends (database and securecookie)
- Maintains backward compatibility with existing OAuth flows

Related Issues:
- #55612 - Airflow UI initial XHR returns 401 before session cookie is set
- #57534 - Airflow 3.1.1 oauth login failure
- #57485 - Airflow 3.1.1 oauth login broken
- PR #58037 - Previous UI-based workaround attempt (closed)

Signed-off-by: Jgprog117 <gustafsonjosef@gmail.com>

* Fix logging to use %-formatting instead of f-strings

* Add tests for CustomAuthOAuthView

* Fix linting and formatting issues in OAuth session race condition fix

Remove unused imports, fix import ordering, and apply ruff formatting:
- Remove unused pytest import from test_auth_oauth.py
- Remove unused AuthOAuthView import from override.py
- Fix import ordering to comply with ruff formatting rules
- Apply ruff format to test file

* Address PR review feedback from SameerMesiah97

- Remove redundant if/else branching that did the same thing in both paths
- Fix misleading "completed successfully" log message to neutral wording
- Replace brittle __class__.__bases__[0] mocking with explicit AuthOAuthView
- Consolidate duplicate backend tests into a single parametrized test

* Fix test RuntimeError by avoiding Flask session LocalProxy access

Use mock.patch with new= as context manager instead of decorator to
prevent mock from inspecting the Flask session LocalProxy, which
requires an active request context.

---------

Signed-off-by: Jgprog117 <gustafsonjosef@gmail.com>

Author: Jgprog117

providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py

@@ -51,7 +51,6 @@
 from flask_appbuilder.security.views import (
     AuthDBView,
     AuthLDAPView,
-    AuthOAuthView,
     AuthRemoteUserView,
     AuthView,
     RegisterUserModelView,
@@ -81,6 +80,7 @@
 )
 from airflow.providers.fab.auth_manager.models.anonymous_user import AnonymousUser
 from airflow.providers.fab.auth_manager.security_manager.constants import EXISTING_ROLES
+from airflow.providers.fab.auth_manager.views.auth_oauth import CustomAuthOAuthView
 from airflow.providers.fab.auth_manager.views.permissions import (
     ActionModelView,
     PermissionPairModelView,
@@ -187,8 +187,8 @@ class FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
     """ Override if you want your own Authentication DB view """
     authldapview = AuthLDAPView
     """ Override if you want your own Authentication LDAP view """
-    authoauthview = AuthOAuthView
-    """ Override if you want your own Authentication OAuth view """
+    authoauthview = CustomAuthOAuthView
+    """ Custom Authentication OAuth view with session commit fix for #57981 """
     authremoteuserview = AuthRemoteUserView
     """ Override if you want your own Authentication REMOTE_USER view """
     registeruserdbview = RegisterUserDBView

providers/fab/src/airflow/providers/fab/auth_manager/views/auth_oauth.py

@@ -0,0 +1,72 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+"""Custom OAuth authentication view to fix session timing race condition."""
+
+from __future__ import annotations
+
+import logging
+
+from flask import session
+from flask_appbuilder.security.views import AuthOAuthView
+
+from airflow.configuration import conf
+
+log = logging.getLogger(__name__)
+
+
+class CustomAuthOAuthView(AuthOAuthView):
+    """
+    Custom OAuth authentication view that ensures session is committed before redirect.
+
+    Fixes issue #57981 where UI requests fail with 401 during OAuth flow because
+    the Flask session is not yet committed when the redirect response is sent.
+    """
+
+    def oauth_authorized(self, provider):
+        """
+        OAuth callback handler that explicitly commits session before redirect.
+
+        This method overrides the parent's oauth_authorized to ensure that the
+        Flask session (containing OAuth tokens and user authentication) is fully
+        committed to the session backend (cookie or database) before redirecting
+        the user to the UI.
+
+        This prevents the race condition where the UI makes API requests before
+        the session is available, causing temporary 401 errors during login.
+
+        Args:
+            provider: OAuth provider name (e.g., 'azure', 'google', 'github')
+
+        Returns:
+            Flask response object (redirect to original URL or home page)
+        """
+        log.debug("OAuth callback received for provider: %s", provider)
+
+        # Call parent's OAuth callback handling
+        # This processes the OAuth response, authenticates the user, and sets session data
+        response = super().oauth_authorized(provider)
+
+        # Explicitly mark the Flask session as modified to ensure it's persisted
+        # before the redirect response is sent to the client
+        session.modified = True
+        session_backend = conf.get("fab", "SESSION_BACKEND", fallback="securecookie")
+        log.debug("Marked session as modified for %s backend", session_backend)
+
+        log.debug("OAuth callback handling completed for provider: %s", provider)
+
+        return response

providers/fab/tests/unit/fab/auth_manager/views/test_auth_oauth.py

@@ -0,0 +1,61 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+from __future__ import annotations
+
+from unittest import mock
+
+import pytest
+from flask_appbuilder.security.views import AuthOAuthView
+
+from airflow.providers.fab.auth_manager.views.auth_oauth import CustomAuthOAuthView
+
+
+class TestCustomAuthOAuthView:
+    """Test CustomAuthOAuthView."""
+
+    @pytest.mark.parametrize("backend", ["database", "securecookie"])
+    @mock.patch("airflow.providers.fab.auth_manager.views.auth_oauth.conf")
+    def test_oauth_authorized_marks_session_modified(self, mock_conf, backend):
+        """Test that oauth_authorized marks session as modified regardless of backend."""
+        mock_conf.get.return_value = backend
+        mock_session = mock.MagicMock()
+        view = CustomAuthOAuthView()
+
+        with (
+            mock.patch("airflow.providers.fab.auth_manager.views.auth_oauth.session", new=mock_session),
+            mock.patch.object(AuthOAuthView, "oauth_authorized", return_value=mock.Mock()) as mock_parent,
+        ):
+            view.oauth_authorized("test_provider")
+
+            mock_parent.assert_called_once_with("test_provider")
+            assert mock_session.modified is True
+            mock_conf.get.assert_called_once_with("fab", "SESSION_BACKEND", fallback="securecookie")
+
+    @mock.patch("airflow.providers.fab.auth_manager.views.auth_oauth.conf")
+    def test_oauth_authorized_returns_parent_response(self, mock_conf):
+        """Test that oauth_authorized returns the response from parent method."""
+        mock_conf.get.return_value = "database"
+        view = CustomAuthOAuthView()
+        mock_response = mock.Mock()
+
+        with (
+            mock.patch("airflow.providers.fab.auth_manager.views.auth_oauth.session", new=mock.MagicMock()),
+            mock.patch.object(AuthOAuthView, "oauth_authorized", return_value=mock_response),
+        ):
+            result = view.oauth_authorized("google")
+            assert result == mock_response