This is an automated email from the ASF dual-hosted git repository.
vincbeck pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new f8ff3cc2203 Check `id_token` format before redirecting in Keycloak
auth manager (#62813)
f8ff3cc2203 is described below
commit f8ff3cc2203edbf1dc4e12669c0594f6f1466fd4
Author: Vincent <[email protected]>
AuthorDate: Tue Mar 3 15:30:58 2026 -0500
Check `id_token` format before redirecting in Keycloak auth manager (#62813)
---
.../src/airflow/providers/keycloak/auth_manager/routes/login.py | 3 ++-
.../keycloak/tests/unit/keycloak/auth_manager/routes/test_login.py | 6 +++++-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git
a/providers/keycloak/src/airflow/providers/keycloak/auth_manager/routes/login.py
b/providers/keycloak/src/airflow/providers/keycloak/auth_manager/routes/login.py
index 941f6d21dd4..7c2c4b5e250 100644
---
a/providers/keycloak/src/airflow/providers/keycloak/auth_manager/routes/login.py
+++
b/providers/keycloak/src/airflow/providers/keycloak/auth_manager/routes/login.py
@@ -121,7 +121,8 @@ def logout(request: Request):
base_url = conf.get("api", "base_url", fallback="/")
post_logout_redirect_uri = urljoin(base_url,
f"{AUTH_MANAGER_FASTAPI_APP_PREFIX}/logout_callback")
- if id_token:
+ # Validate id_token format before using in redirect (JWT tokens have 3
parts separated by dots)
+ if id_token and id_token.count(".") == 2 and all(c.isalnum() or c in ".-_"
for c in id_token):
encoded_id_token = quote(id_token, safe="")
logout_url = (
f"{end_session_endpoint}?post_logout_redirect_uri={post_logout_redirect_uri}"
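Review bot: The added guard on the `if id_token` line still accepts strings that are not JWT compact serializations, because `str.isalnum()` is true for non-ASCII letters and digits and nothing requires the three dot-separated segments to be non-empty (`..` and `-.-.-` both pass). Since the new comment states the intent as "JWT tokens have 3 parts", an anchored pattern over the base64url alphabet expresses that contract directly: `_JWT_COMPACT_RE = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")` at module level (needs `import re` if the file lacks it) and `if id_token and _JWT_COMPACT_RE.fullmatch(id_token):` here. A token that fails the check now falls through silently to the redirect without `id_token_hint`, so the IdP session is not ended; if the module has a logger, a `log.warning("id_token has unexpected format; skipping end-session redirect")` in an else branch (without echoing the token value) would make that visible to operators. `logout` starts before the hunk and its body continues past it.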
diff --git
a/providers/keycloak/tests/unit/keycloak/auth_manager/routes/test_login.py
b/providers/keycloak/tests/unit/keycloak/auth_manager/routes/test_login.py
index 834fee5f0ae..fd235ea46be 100644
--- a/providers/keycloak/tests/unit/keycloak/auth_manager/routes/test_login.py
+++ b/providers/keycloak/tests/unit/keycloak/auth_manager/routes/test_login.py
@@ -85,7 +85,11 @@ class TestLoginRouter:
(None, "/auth/logout_callback"),
(
"id_token",
-
"logout_url?post_logout_redirect_uri=/auth/logout_callback&id_token_hint=id_token",
+ "/auth/logout_callback",
+ ),
+ (
+ "id_token.real.value",
+
"logout_url?post_logout_redirect_uri=/auth/logout_callback&id_token_hint=id_token.real.value",
),
],
)
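Review bot: The new parametrization rejects only a dot-less token (`"id_token"`), so the character filter added to `logout` is never exercised by a token that has the right number of dots but a disallowed character, nor by a four-segment string. Two constructed cases would cover those branches: `("id.token/with=slash", "/auth/logout_callback")` and `("a.b.c.d", "/auth/logout_callback")`, expecting the same fallback redirect the `"id_token"` case now asserts. The enclosing `parametrize` decorator and `TestLoginRouter` class begin before the hunk.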