YoannAbriel opened a new pull request, #62883:
URL: https://github.com/apache/airflow/pull/62883

   ## Problem
   
   When using `KeycloakAuthManager` (or any auth manager) with symmetric JWT 
signing (HS256 + secret key), the authentication flow enters an infinite 
redirect loop. After successful login, the internal session JWT is rejected by 
the FastAPI `JWTValidator` with: `Missing 'kid' in token header`.
   
   ## Root Cause
   
   `JWTGenerator.generate()` only added the `kid` field to the JWT header when 
using asymmetric (private key) signing. Symmetric (secret key) tokens never got 
`kid` in the header. However, `JWTValidator._get_kid_from_header()` 
unconditionally requires `kid` in the token header, causing all symmetric-key 
tokens to fail validation.
   
   Additionally, `_generate_kid()` returned `"not-used"` immediately for 
symmetric keys without checking the `api_auth.jwt_kid` configuration, so 
operators couldn't set a meaningful `kid` for their symmetric setup.
   
   ## Fix
   
   Two changes in `airflow-core/src/airflow/api_fastapi/auth/tokens.py`:
   
   1. **Always include `kid` in the JWT header** — removed the `if 
self._private_key:` guard so `headers["kid"] = self.kid` runs for both 
symmetric and asymmetric keys.
   2. **Check configured `jwt_kid` before falling back** — reordered 
`_generate_kid()` to check the `api_auth.jwt_kid` config option first, before 
returning the `"not-used"` fallback for symmetric keys. This lets operators 
configure a custom `kid` regardless of key type.
   
   Added two unit tests: one verifying symmetric tokens include `kid` in the 
header, another verifying the configured `jwt_kid` is respected for symmetric 
keys.
   
   Closes: #62876
   
   
   ---
   
   ##### Was generative AI tooling used to co-author this PR?
   
   - [X] Yes — Claude Code
   
   Generated-by: Claude Code following [the 
guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions)
   
   
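As an added stand-alone illustration of the mismatch the PR describes (this is not Airflow's `tokens.py` and not the PR author's code): a minimal HS256 minter and validator built only on the standard library, where `always_kid=False` reproduces the pre-fix header without `kid`, and `generate_kid` shows the corrected lookup order. All function names, and the way an asymmetric `kid` is derived, are assumptions.

```python
import base64, hashlib, hmac, json
from typing import Optional

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def generate_kid(configured_kid: Optional[str], private_key: Optional[bytes]) -> str:
    """Post-fix ordering: a configured jwt_kid wins regardless of key type."""
    if configured_kid:
        return configured_kid
    if private_key is None:
        return "not-used"  # symmetric fallback, as in the original code
    return hashlib.sha256(private_key).hexdigest()[:16]  # assumed derivation

def mint_hs256(secret: bytes, kid: str, claims: dict, always_kid: bool = True) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    # always_kid=False reproduces the pre-fix generator, which only set kid
    # for asymmetric keys, so symmetric tokens shipped without it.
    if always_kid:
        header["kid"] = kid
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def validate_hs256(token: str, secrets_by_kid: dict) -> dict:
    head, body, sig = token.split(".")
    header = json.loads(b64url_decode(head))
    if "kid" not in header:  # the unconditional check that rejected symmetric tokens
        raise ValueError("Missing 'kid' in token header")
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's alg
        raise ValueError("unexpected alg")
    secret = secrets_by_kid.get(header["kid"])
    if secret is None:
        raise ValueError("unknown kid")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))

def validation_error(token: str, secrets_by_kid: dict) -> Optional[str]:
    """Return the rejection reason, or None when the token validates."""
    try:
        validate_hs256(token, secrets_by_kid)
    except ValueError as exc:
        return str(exc)
    return None
```

Run with a constructed secret: a token minted with `always_kid=False` is rejected with the exact message from the bug report, while one minted after `generate_kid("airflow-hs256", None)` validates against the matching entry in `secrets_by_kid`.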


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.