@suii2210 suii2210 commented Jan 18, 2026

This PR adds an advanced Azure Active Directory OAuth example to
webserver-authentication.rst, including webserver_config.py setup,
a custom SecurityManager for parsing token claims, and role/group
mapping to Airflow RBAC roles.

Note: Gen-AI tools were used to assist with drafting the initial version of this documentation.
The content has been reviewed, revised, and validated manually.

Docs-only change.
Fixes #60748

@shahar1 shahar1 left a comment

Hey Shruti,

I'd kindly suggest to read and adhere to the guidelines regarding Gen-AI contributions.
Specifically:

  • Ensure that you review and understand all code generated by Gen-AI tools before including it in your PR - do not blindly trust the generated code.
  • State in your PR description that you have used Gen-AI tools to assist in creating the PR.

You've created an entire new document regarding the usage of Azure AD in the security docs of Airflow's core, instead of modifying the existing one in the fab provider - and I do suspect that it's the direct result of uncontrolled AI usage (which is not mentioned as well). Using AI like that makes it difficult for maintainers to assess the reliability and credibility of the contribution.
I'm happy to see your recent activity in the project and I'm aware that you make a lot of effort - but please consider it for your next contributions.
If you want to fix this PR, feel free - but I'll appreciate if you could try to do it without further usage of AI, and test that it actually works.

@suii2210 suii2210 requested a review from vincbeck as a code owner January 19, 2026 09:06
@suii2210

I'm so sorry about this - I should have handled it better.
I missed the Gen-AI disclosure in the PR description and I also placed the Azure AD example in the core security docs instead of extending the existing FAB provider documentation. That was my mistake.
I’ve now fixed this by:

  • Moving the Azure AD example into the existing Flask-AppBuilder webserver authentication docs
  • Removing the standalone core security document
  • Updating the PR description to explicitly disclose Gen-AI usage
  • Reducing the scope to a concrete, example-level addition consistent with existing FAB OAuth examples.

@suii2210 suii2210 requested a review from shahar1 January 19, 2026 09:14

shahar1 commented Jan 19, 2026

Apology accepted :)
It looks better, but still I have no way to assess that it actually works as I don't work with Azure (yet).
Are you (or anyone else, maybe issue's OP) able to test that it works as expected?

@suii2210

Hey @shahar1,
I don’t currently have access to an Azure AD tenant to test this end-to-end myself.
The example is based on the existing Flask-AppBuilder OAuth patterns used in the
GitHub and Keycloak examples, and on Azure AD’s documented token claims (groups /
roles) when enabled in the app registration.

@vincbeck

It would be ideal to test it. Documentation is very important and users rely a lot on it, that's why we should test what we put in documentation.

@suii2210

Hi @shahar1,
Got the idea behind this example. I’m testing it now and will confirm once it works successfully.

@suii2210

Hi @vincbeck @shahar1 @potiuk,

I’ve now tested this end-to-end using a real Azure AD tenant. I configured an Azure app registration with OAuth enabled, set up the redirect URI, enabled role/group claims, and used the example webserver_config.py configuration (including a custom SecurityManager) as documented. The OAuth flow completed successfully, including Azure MFA approval, and Airflow authenticated the user and mapped Azure role/group claims to the expected Airflow RBAC role on first login.
Testing was performed against Apache Airflow 3.1.6. The configuration shown in the docs lives in $AIRFLOW_HOME/webserver_config.py (deployment-specific) and is therefore intentionally not included in the repository.
Please let me know if you’d like me to add any additional clarification or notes to the documentation.

@shahar1 shahar1 left a comment

Well done @suii2210 for testing it thoroughly!
If you're ok with it, I'd be happy if you could add a screenshot or two to show the users what it looks like when the configuration is finalized on Azure's UI/CLI (if you choose to do so - please make sure that the image is properly cropped and doesn't expose your personal details).
Please let me know if it works for you, I'm ok with merging it either way.
Thank you!

suii2210 commented Jan 26, 2026

Yea sure, here is the screenshot of the test result.

Figure 1: azure-ad-authentication.png
Azure AD app registration authentication settings

Example Azure AD app registration authentication settings showing the redirect URI
configured for Airflow OAuth.

Figure 2: azure-ad-token-claims.png
Azure AD token configuration with group or role claims enabled

Example Azure AD token configuration enabling group or role claims for RBAC mapping.

shahar1 commented Jan 26, 2026

Thanks! Could you please add them to the instructions (including all the details) and I'll merge?

@suii2210

Sure, added.
Thanks!

@suii2210 suii2210 force-pushed the doc/azure-ad-webserver-auth-example branch from 36aa6db to d0ffd7f Compare January 26, 2026 12:42
@shahar1 shahar1 merged commit 15d2dbb into apache:main Jan 26, 2026
71 checks passed

@jscheffl jscheffl left a comment

Cool! Thanks.

Successfully merging this pull request may close these issues.

Add advanced Azure AD OAuth/Webserver authentication example with role/group mapping
