This is an automated email from the ASF dual-hosted git repository.
eladkal pushed a commit to branch v3-1-test
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/v3-1-test by this push:
new d12f014756f [v3-1-test] fix: always include kid in JWT header for
symmetric key tokens (#62883) (#62943)
d12f014756f is described below
commit d12f014756f3145f5cb48765cd2bd505b98e4081
Author: github-actions[bot]
<41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Thu Mar 5 18:08:39 2026 +0200
[v3-1-test] fix: always include kid in JWT header for symmetric key tokens
(#62883) (#62943)
When using symmetric (secret_key) signing, the JWTGenerator did not
include the 'kid' field in the JWT header. However, JWTValidator always
requires 'kid' in the token header, causing all symmetric-key tokens
to be rejected with 'Missing kid in token header'.
This affected the KeycloakAuthManager (and any auth manager using
symmetric JWT signing), creating an infinite redirect loop after
successful login.
Two changes:
1. Always add 'kid' to the JWT header regardless of key type
2. Check configured jwt_kid before falling back to 'not-used' for
symmetric keys, so operators can set a meaningful kid
(cherry picked from commit 6b21ec09588c0f627253607de1889b8b79ae20da)
Closes: #62876
Co-authored-by: Yoann <[email protected]>
---
.../src/airflow/api_fastapi/auth/tokens.py | 10 ++++-----
.../tests/unit/api_fastapi/auth/test_tokens.py | 24 ++++++++++++++++++++++
2 files changed, 29 insertions(+), 5 deletions(-)
diff --git a/airflow-core/src/airflow/api_fastapi/auth/tokens.py
b/airflow-core/src/airflow/api_fastapi/auth/tokens.py
index 8fdaed0eb9e..a2511ef2040 100644
--- a/airflow-core/src/airflow/api_fastapi/auth/tokens.py
+++ b/airflow-core/src/airflow/api_fastapi/auth/tokens.py
@@ -372,12 +372,13 @@ def _load_key_from_configured_file() ->
AllowedPrivateKeys | None:
def _generate_kid(gen) -> str:
- if not gen._private_key:
- return "not-used"
-
+ # Always check config first — both symmetric and asymmetric keys can have
a configured kid
if kid := _conf_factory("api_auth", "jwt_kid", fallback=None)():
return kid
+ if not gen._private_key:
+ return "not-used"
+
# Generate it from the thumbprint of the private key
info = key_to_jwk_dict(gen._private_key)
return info["kid"]
@@ -457,8 +458,7 @@ class JWTGenerator:
if extras is not None:
claims = extras | claims
headers = {"alg": self.algorithm, **(headers or {})}
- if self._private_key:
- headers["kid"] = self.kid
+ headers["kid"] = self.kid
return jwt.encode(claims, self.signing_arg, algorithm=self.algorithm,
headers=headers)
diff --git a/airflow-core/tests/unit/api_fastapi/auth/test_tokens.py
b/airflow-core/tests/unit/api_fastapi/auth/test_tokens.py
index 14b6957ee65..6639fd6583f 100644
--- a/airflow-core/tests/unit/api_fastapi/auth/test_tokens.py
+++ b/airflow-core/tests/unit/api_fastapi/auth/test_tokens.py
@@ -126,6 +126,30 @@ def test_with_secret_key():
assert generator.signing_arg == "abc"
+def test_secret_key_token_includes_kid_in_header():
+ """Symmetric (secret_key) tokens must include 'kid' in the JWT header so
the validator accepts them."""
+ generator = JWTGenerator(secret_key="test-secret", audience="test",
valid_for=60)
+ token = generator.generate({"sub": "user"})
+ header = jwt.get_unverified_header(token)
+ assert "kid" in header, "kid must always be present in the JWT header"
+ assert header["kid"] == "not-used"
+
+
+def test_secret_key_with_configured_kid():
+ """When jwt_kid is configured, symmetric key generators should use it."""
+ from unittest.mock import patch
+
+ with patch.dict(
+ "os.environ",
+ {"AIRFLOW__API_AUTH__JWT_KID": "my-custom-kid"},
+ ):
+ generator = JWTGenerator(secret_key="test-secret", audience="test",
valid_for=60)
+ assert generator.kid == "my-custom-kid"
+ token = generator.generate({"sub": "user"})
+ header = jwt.get_unverified_header(token)
+ assert header["kid"] == "my-custom-kid"
+
+
@pytest.fixture
def jwt_generator(ed25519_private_key: Ed25519PrivateKey):
key = ed25519_private_key
