From 9eaad6114f9420073c479a86c581d147c1947995 Mon Sep 17 00:00:00 2001
From: vincbeck <vincbeck@amazon.com>
Date: Wed, 10 Dec 2025 11:22:40 -0500
Subject: [PATCH] Return 403 when the Keycloak access token is expired

---
 .../providers/keycloak/auth_manager/keycloak_auth_manager.py   | 3 +++
 .../unit/keycloak/auth_manager/test_keycloak_auth_manager.py   | 1 +
 2 files changed, 4 insertions(+)

diff --git a/providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py b/providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py
index 39b3b73c5e894..8a3a4417bdc93 100644
--- a/providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py
+++ b/providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py
@@ -344,6 +344,9 @@ def _is_authorized(
 
         if resp.status_code == 200:
             return True
+        if resp.status_code == 401:
+            log.debug("Received 401 from Keycloak: %s", resp.text)
+            return False
         if resp.status_code == 403:
             return False
         if resp.status_code == 400:
diff --git a/providers/keycloak/tests/unit/keycloak/auth_manager/test_keycloak_auth_manager.py b/providers/keycloak/tests/unit/keycloak/auth_manager/test_keycloak_auth_manager.py
index 74d08e3a8e013..65ef077c3f2cf 100644
--- a/providers/keycloak/tests/unit/keycloak/auth_manager/test_keycloak_auth_manager.py
+++ b/providers/keycloak/tests/unit/keycloak/auth_manager/test_keycloak_auth_manager.py
@@ -205,6 +205,7 @@ def test_refresh_user_expired(self, mock_token_expired, mock_get_keycloak_client
         ("status_code", "expected"),
         [
             [200, True],
+            [401, False],
             [403, False],
         ],
     )