This is an automated email from the ASF dual-hosted git repository.
eladkal pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new 6b21ec09588 fix: always include kid in JWT header for symmetric key
tokens (#62883)
6b21ec09588 is described below
commit 6b21ec09588c0f627253607de1889b8b79ae20da
Author: Yoann <[email protected]>
AuthorDate: Thu Mar 5 07:09:19 2026 -0800
fix: always include kid in JWT header for symmetric key tokens (#62883)
When using symmetric (secret_key) signing, the JWTGenerator did not
include the 'kid' field in the JWT header. However, JWTValidator always
requires 'kid' in the token header, causing all symmetric-key tokens
to be rejected with 'Missing kid in token header'.
This affected the KeycloakAuthManager (and any auth manager using
symmetric JWT signing), creating an infinite redirect loop after
successful login.
Two changes:
1. Always add 'kid' to the JWT header regardless of key type
2. Check configured jwt_kid before falling back to 'not-used' for
symmetric keys, so operators can set a meaningful kid
Closes: #62876
---
.../src/airflow/api_fastapi/auth/tokens.py | 10 ++++-----
.../tests/unit/api_fastapi/auth/test_tokens.py | 24 ++++++++++++++++++++++
2 files changed, 29 insertions(+), 5 deletions(-)
diff --git a/airflow-core/src/airflow/api_fastapi/auth/tokens.py
b/airflow-core/src/airflow/api_fastapi/auth/tokens.py
index e415cf101f8..4732164be71 100644
--- a/airflow-core/src/airflow/api_fastapi/auth/tokens.py
+++ b/airflow-core/src/airflow/api_fastapi/auth/tokens.py
@@ -382,12 +382,13 @@ def _load_key_from_configured_file() ->
AllowedPrivateKeys | None:
def _generate_kid(gen) -> str:
- if not gen._private_key:
- return "not-used"
-
+ # Always check config first — both symmetric and asymmetric keys can have
a configured kid
if kid := _conf_factory("api_auth", "jwt_kid", fallback=None)():
return kid
+ if not gen._private_key:
+ return "not-used"
+
# Generate it from the thumbprint of the private key
info = key_to_jwk_dict(gen._private_key)
return info["kid"]
@@ -467,8 +468,7 @@ class JWTGenerator:
if extras is not None:
claims = extras | claims
headers = {"alg": self.algorithm, **(headers or {})}
- if self._private_key:
- headers["kid"] = self.kid
+ headers["kid"] = self.kid
return jwt.encode(claims, self.signing_arg, algorithm=self.algorithm,
headers=headers)
diff --git a/airflow-core/tests/unit/api_fastapi/auth/test_tokens.py
b/airflow-core/tests/unit/api_fastapi/auth/test_tokens.py
index b4caee15d3f..e477c42af4f 100644
--- a/airflow-core/tests/unit/api_fastapi/auth/test_tokens.py
+++ b/airflow-core/tests/unit/api_fastapi/auth/test_tokens.py
@@ -136,6 +136,30 @@ def test_with_secret_key():
assert generator.signing_arg == "abc"
+def test_secret_key_token_includes_kid_in_header():
+ """Symmetric (secret_key) tokens must include 'kid' in the JWT header so
the validator accepts them."""
+ generator = JWTGenerator(secret_key="test-secret", audience="test",
valid_for=60)
+ token = generator.generate({"sub": "user"})
+ header = jwt.get_unverified_header(token)
+ assert "kid" in header, "kid must always be present in the JWT header"
+ assert header["kid"] == "not-used"
+
+
+def test_secret_key_with_configured_kid():
+ """When jwt_kid is configured, symmetric key generators should use it."""
+ from unittest.mock import patch
+
+ with patch.dict(
+ "os.environ",
+ {"AIRFLOW__API_AUTH__JWT_KID": "my-custom-kid"},
+ ):
+ generator = JWTGenerator(secret_key="test-secret", audience="test",
valid_for=60)
+ assert generator.kid == "my-custom-kid"
+ token = generator.generate({"sub": "user"})
+ header = jwt.get_unverified_header(token)
+ assert header["kid"] == "my-custom-kid"
+
+
@pytest.fixture
def jwt_generator(ed25519_private_key: Ed25519PrivateKey):
key = ed25519_private_key
