github-actions[bot] opened a new pull request, #62943:
URL: https://github.com/apache/airflow/pull/62943

When using symmetric (secret_key) signing, the JWTGenerator did not
include the 'kid' field in the JWT header. However, JWTValidator always
requires 'kid' in the token header, causing all symmetric-key tokens
to be rejected with 'Missing kid in token header'.

This affected the KeycloakAuthManager (and any auth manager using
symmetric JWT signing), creating an infinite redirect loop after
successful login.

Two changes:
1. Always add 'kid' to the JWT header regardless of key type
2. Check configured jwt_kid before falling back to 'not-used' for
   symmetric keys, so operators can set a meaningful kid

(cherry picked from commit 6b21ec09588c0f627253607de1889b8b79ae20da)
Co-authored-by: Yoann <[email protected]>
Closes: #62876
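The mismatch described in the message above, reproduced as an added example that is not Airflow's code: a stdlib-only HS256 signer and a validator that always requires 'kid'. The function names, the secret and the claims are hypothetical and constructed for illustration; only the error string, the 'not-used' fallback and the jwt_kid setting come from the message.

```python
import base64, hashlib, hmac, json
from typing import Optional

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def resolve_kid(configured_kid: Optional[str]) -> str:
    # Post-fix rule from the message: configured jwt_kid first, else 'not-used'.
    return configured_kid or "not-used"

def sign_hs256(claims: dict, secret: bytes, kid: Optional[str]) -> str:
    # Hypothetical generator. kid=None reproduces the pre-fix header with no 'kid'.
    header = {"alg": "HS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)

def token_header(token: str) -> dict:
    return json.loads(unb64url(token.split(".")[0]))

def validate_hs256(token: str, secret: bytes) -> dict:
    # Hypothetical validator that, like the one described, always requires 'kid'.
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = token_header(token)
        signature = unb64url(sig_b64)
    except ValueError as exc:
        raise ValueError("Malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("Unexpected alg")  # pin the algorithm, never take it from the token
    if "kid" not in header:
        raise ValueError("Missing kid in token header")
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("Bad signature")
    return json.loads(unb64url(payload_b64))

if __name__ == "__main__":
    secret, claims = b"constructed-demo-secret", {"sub": "constructed-user"}
    for label, kid in (("pre-fix", None), ("post-fix", resolve_kid(None))):
        try:
            print(label, "accepted:", validate_hs256(sign_hs256(claims, secret, kid), secret))
        except ValueError as exc:
            print(label, "rejected:", exc)
```

The pre-fix token carries a valid HMAC and is still rejected, which is why a successful login never produced a usable session token.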