Subham-KRLX commented on issue #62876:
URL: https://github.com/apache/airflow/issues/62876#issuecomment-3998828806

   The 401 loop happens because internal session tokens (signed with jwt_secret) lack a kid header, but JWTValidator strictly requires one when trusted_jwks_url is set.

   Proposed Fix: Update JWTValidator._get_validation_key to fall back to self.secret_key if the kid header is missing. This allows local tokens to coexist with Keycloak's JWKS.

   # airflow.api_fastapi.auth.tokens.JWTValidator
   async def _get_validation_key(self, unvalidated: str):
       try:
           # Tokens issued by the external IdP carry a kid that selects a JWKS key.
           kid = self._get_kid_from_header(unvalidated)
           return await self.jwks.get_key(kid)
       except (jwt.InvalidTokenError, KeyError):
           # No usable kid: fall back to the locally configured secret for
           # internally issued session tokens, otherwise re-raise.
           if self.secret_key:
               return self.secret_key
           raise

   Verified locally; this resolves the "Missing kid" error and restores the auth flow.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

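To make the key-selection logic discussed in the comment concrete, here is an added, stdlib-only Python sketch (not Airflow's code and not the commenter's patch) that chooses the verification key by kid presence and, as a defensive narrowing of the proposed fix, falls back to the local secret only when the header carries no kid at all, never when a kid is present but unknown. The local secret, the JWKS (holding a symmetric "oct" key instead of Keycloak's RSA keys) and the token builder are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

def _b64url_decode(data):
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed stand-ins: a local HS256 secret plus a JWKS with one "oct" key (stdlib-only demo).
LOCAL_SECRET = b"local-jwt-secret-demo"
KEYCLOAK_KEY = b"keycloak-demo-key"
DEMO_JWKS = {"keys": [{"kty": "oct", "kid": "kc-1", "k": _b64url_encode(KEYCLOAK_KEY)}]}

def make_hs256_token(claims, key, kid=None):
    # The kid header is omitted when None, mirroring internally issued session tokens.
    header = {"alg": "HS256", "typ": "JWT", **({"kid": kid} if kid is not None else {})}
    signing_input = ".".join(
        _b64url_encode(json.dumps(p, separators=(",", ":")).encode())
        for p in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"

class UnknownKid(KeyError):
    """kid present but not in the JWKS: reject rather than fall back to the secret."""

def resolve_validation_key(token, jwks=DEMO_JWKS, secret_key=LOCAL_SECRET):
    header = json.loads(_b64url_decode(token.split(".")[0]))
    kid = header.get("kid")
    if kid is None:  # no kid at all -> local secret, as the comment proposes
        if secret_key:
            return "local", secret_key
        raise ValueError("Missing kid and no local secret configured")
    for jwk in jwks.get("keys", []):
        if jwk.get("kid") == kid and jwk.get("kty") == "oct":
            return "jwks", _b64url_decode(jwk["k"])
    raise UnknownKid(kid)

def check_token(token):
    # Returns (key source, signature valid) using a constant-time comparison.
    source, key = resolve_validation_key(token)
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return source, hmac.compare_digest(expected, _b64url_decode(sig))
```

In a real validator, also pin the accepted algorithm per key source (HS256 for the local secret, the JWK's own alg for JWKS keys) so a token cannot steer an RSA key into the HMAC path.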