astronomer
diff --git a/‎providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py
Lines changed: 123 additions & 22 deletions b/‎providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py
Lines changed: 123 additions & 22 deletions
diff --git a/‎providers/keycloak/src/airflow/providers/keycloak/auth_manager/resources.py
Lines changed: 35 additions & 0 deletions b/‎providers/keycloak/src/airflow/providers/keycloak/auth_manager/resources.py
Lines changed: 35 additions & 0 deletions
@@ -16,16 +16,17 @@
 # under the License.
 from __future__ import annotations
 
-from functools import cached_property
 from typing import TYPE_CHECKING, Any
 from urllib.parse import urljoin
 
+import requests
 from fastapi import FastAPI
-from starlette.middleware.sessions import SessionMiddleware
 
 from airflow.api_fastapi.app import AUTH_MANAGER_FASTAPI_APP_PREFIX
 from airflow.api_fastapi.auth.managers.base_auth_manager import BaseAuthManager, T
 from airflow.configuration import conf
+from airflow.exceptions import AirflowException
+from airflow.providers.keycloak.auth_manager.resources import KeycloakResource
 from airflow.providers.keycloak.auth_manager.user import KeycloakAuthManagerUser
 
 if TYPE_CHECKING:
@@ -52,10 +53,6 @@ class KeycloakAuthManager(BaseAuthManager[KeycloakAuthManagerUser]):
     Leverages Keycloak to perform authentication and authorization in Airflow.
     """
 
-    @cached_property
-    def api_server_endpoint(self) -> str:
-        return conf.get("api", "base_url", fallback="/")
-
     def deserialize_user(self, token: dict[str, Any]) -> KeycloakAuthManagerUser:
         return KeycloakAuthManagerUser(
             user_id=token.pop("user_id"),
@@ -73,7 +70,8 @@ def serialize_user(self, user: KeycloakAuthManagerUser) -> dict[str, Any]:
         }
 
     def get_url_login(self, **kwargs) -> str:
-        return urljoin(self.api_server_endpoint, f"{AUTH_MANAGER_FASTAPI_APP_PREFIX}/login")
+        base_url = conf.get("api", "base_url", fallback="/")
+        return urljoin(base_url, f"{AUTH_MANAGER_FASTAPI_APP_PREFIX}/login")
 
     def is_authorized_configuration(
         self,
@@ -82,7 +80,18 @@ def is_authorized_configuration(
         user: KeycloakAuthManagerUser,
         details: ConfigurationDetails | None = None,
     ) -> bool:
-        return True
+        config_section = details.section if details else None
+        return self._is_authorized(
+            method=method, resource_type=KeycloakResource.CONFIGURATION, user=user
+        ) or (
+            config_section is not None
+            and self._is_authorized(
+                method=method,
+                resource_type=KeycloakResource.CONFIGURATION,
+                user=user,
+                resource_id=config_section,
+            )
+        )
 
     def is_authorized_connection(
         self,
@@ -91,7 +100,13 @@ def is_authorized_connection(
         user: KeycloakAuthManagerUser,
         details: ConnectionDetails | None = None,
     ) -> bool:
-        return True
+        connection_id = details.conn_id if details else None
+        return self._is_authorized(method=method, resource_type=KeycloakResource.CONNECTION, user=user) or (
+            connection_id is not None
+            and self._is_authorized(
+                method=method, resource_type=KeycloakResource.CONNECTION, user=user, resource_id=connection_id
+            )
+        )
 
     def is_authorized_dag(
         self,
@@ -106,12 +121,24 @@ def is_authorized_dag(
     def is_authorized_backfill(
         self, *, method: ResourceMethod, user: KeycloakAuthManagerUser, details: BackfillDetails | None = None
     ) -> bool:
-        return True
+        backfill_id = str(details.id) if details else None
+        return self._is_authorized(method=method, resource_type=KeycloakResource.BACKFILL, user=user) or (
+            backfill_id is not None
+            and self._is_authorized(
+                method=method, resource_type=KeycloakResource.BACKFILL, user=user, resource_id=backfill_id
+            )
+        )
 
     def is_authorized_asset(
         self, *, method: ResourceMethod, user: KeycloakAuthManagerUser, details: AssetDetails | None = None
     ) -> bool:
-        return True
+        asset_id = details.id if details else None
+        return self._is_authorized(method=method, resource_type=KeycloakResource.ASSET, user=user) or (
+            asset_id is not None
+            and self._is_authorized(
+                method=method, resource_type=KeycloakResource.ASSET, user=user, resource_id=asset_id
+            )
+        )
 
     def is_authorized_asset_alias(
         self,
@@ -120,25 +147,57 @@ def is_authorized_asset_alias(
         user: KeycloakAuthManagerUser,
         details: AssetAliasDetails | None = None,
     ) -> bool:
-        return True
+        asset_alias_id = details.id if details else None
+        return self._is_authorized(method=method, resource_type=KeycloakResource.ASSET_ALIAS, user=user) or (
+            asset_alias_id is not None
+            and self._is_authorized(
+                method=method,
+                resource_type=KeycloakResource.ASSET_ALIAS,
+                user=user,
+                resource_id=asset_alias_id,
+            )
+        )
 
     def is_authorized_variable(
         self, *, method: ResourceMethod, user: KeycloakAuthManagerUser, details: VariableDetails | None = None
     ) -> bool:
-        return True
+        variable_key = details.key if details else None
+        return self._is_authorized(method=method, resource_type=KeycloakResource.VARIABLE, user=user) or (
+            variable_key is not None
+            and self._is_authorized(
+                method=method, resource_type=KeycloakResource.VARIABLE, user=user, resource_id=variable_key
+            )
+        )
 
     def is_authorized_pool(
         self, *, method: ResourceMethod, user: KeycloakAuthManagerUser, details: PoolDetails | None = None
     ) -> bool:
-        return True
+        pool_name = details.name if details else None
+        return self._is_authorized(method=method, resource_type=KeycloakResource.POOL, user=user) or (
+            pool_name is not None
+            and self._is_authorized(
+                method=method, resource_type=KeycloakResource.POOL, user=user, resource_id=pool_name
+            )
+        )
 
     def is_authorized_view(self, *, access_view: AccessView, user: KeycloakAuthManagerUser) -> bool:
-        return True
+        return self._is_authorized(
+            method="GET", resource_type=KeycloakResource.VIEW, user=user
+        ) or self._is_authorized(
+            method="GET",
+            resource_type=KeycloakResource.VIEW,
+            user=user,
+            resource_id=access_view.value,
+        )
 
     def is_authorized_custom_view(
         self, *, method: ResourceMethod | str, resource_name: str, user: KeycloakAuthManagerUser
     ) -> bool:
-        return True
+        return self._is_authorized(
+            method=method, resource_type=KeycloakResource.CUSTOM, user=user
+        ) or self._is_authorized(
+            method=method, resource_type=KeycloakResource.CUSTOM, user=user, resource_id=resource_name
+        )
 
     def filter_authorized_menu_items(
         self, menu_items: list[MenuItem], *, user: KeycloakAuthManagerUser
@@ -156,12 +215,54 @@ def get_fastapi_app(self) -> FastAPI | None:
                 "This sub application provides login routes."
             ),
         )
-        # authlib requires ``SessionMiddleware``
-        app.add_middleware(
-            SessionMiddleware,
-            secret_key=conf.get("api_auth", "jwt_secret"),
-            https_only=False,
-        )
         app.include_router(login_router)
 
         return app
+
+    def _is_authorized(
+        self,
+        *,
+        method: ResourceMethod | str,
+        resource_type: KeycloakResource,
+        user: KeycloakAuthManagerUser,
+        resource_id: str | None = None,
+    ) -> bool:
+        client_id = conf.get("keycloak_auth_manager", "client_id")
+        realm = conf.get("keycloak_auth_manager", "realm")
+        server_url = conf.get("keycloak_auth_manager", "server_url")
+
+        permission = (
+            f"{resource_type.value}:{resource_id}#{method}"
+            if resource_id
+            else f"{resource_type.value}#{method}"
+        )
+        resp = requests.post(
+            self._get_token_url(server_url, realm),
+            data=self._get_payload(client_id, permission),
+            headers=self._get_headers(user.access_token),
+        )
+
+        if resp.status_code == 200:
+            return True
+        if resp.status_code == 403:
+            return False
+        raise AirflowException(f"Unexpected error: {resp.status_code} - {resp.text}")
+
+    @staticmethod
+    def _get_token_url(server_url, realm):
+        return f"{server_url}/realms/{realm}/protocol/openid-connect/token"
+
+    @staticmethod
+    def _get_payload(client_id, permission):
+        return {
+            "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
+            "audience": client_id,
+            "permission": permission,
+        }
+
+    @staticmethod
+    def _get_headers(access_token):
+        return {
+            "Authorization": f"Bearer {access_token}",
+            "Content-Type": "application/x-www-form-urlencoded",
+        }
@@ -0,0 +1,35 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from __future__ import annotations
+
+from enum import Enum
+
+
+class KeycloakResource(Enum):
+    """Enum of Keycloak resources."""
+
+    ASSET = "Asset"
+    ASSET_ALIAS = "AssetAlias"
+    BACKFILL = "Backfill"
+    CONFIGURATION = "Configuration"
+    CONNECTION = "Connection"
+    CUSTOM = "Custom"
+    DAG = "Dag"
+    MENU = "Menu"
+    POOL = "Pool"
+    VARIABLE = "Variable"
+    VIEW = "View"