kaxil commented on code in PR #60108:
URL: https://github.com/apache/airflow/pull/60108#discussion_r2991889424


##########
airflow-core/tests/unit/api_fastapi/execution_api/versions/head/test_task_instances.py:
##########
@@ -3234,6 +3264,44 @@ def test_invalid_scope_value_rejected(self, client, 
session, create_task_instanc
         assert resp.status_code == 403
         assert "Invalid token scope" in resp.json()["detail"]
 
+    def test_workload_scope_accepted_on_run_endpoint(
+        self, client, session, create_task_instance, time_machine
+    ):
+        """workload scoped tokens should be accepted on the /run endpoint."""
+        instant = timezone.parse("2024-10-31T12:00:00Z")
+        time_machine.move_to(instant, tick=False)
+
+        ti = create_task_instance(
+            task_id="test_workload_run",
+            state=State.QUEUED,
+            dagrun_state=DagRunState.RUNNING,
+            session=session,
+            start_date=instant,
+            dag_id=str(uuid4()),
+        )
+        session.commit()
+
+        validator = mock.AsyncMock(spec=JWTValidator)
+        validator.avalidated_claims.side_effect = lambda cred, validators: {
+            "sub": str(ti.id),
+            "scope": "workload",
+            "exp": 9999999999,
+            "iat": 1000000000,
+        }
+        lifespan.registry.register_value(JWTValidator, validator)
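
Review bot: the mocked `validator.avalidated_claims` configured just above the `lifespan.registry.register_value(JWTValidator, validator)` call is never checked in the lines shown, so nothing here proves that the request was authenticated through this validator with `"scope": "workload"`. After the request is made, assert that the mock was used, for example `validator.avalidated_claims.assert_awaited_once()`, so the test fails if the token claims are supplied from somewhere else.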

Review Comment:
   This `JWTValidator` registration is dead code -- the `client` fixture's 
`mock_jwt_bearer` overrides `_jwt_bearer` via FastAPI dependency overrides, so 
FastAPI never calls the real `_jwt_bearer` (which would use `JWTValidator` from 
the registry). Every request through `client` gets `scope: "execution"` 
regardless of what's registered here.
   
   The test passes because execution-scoped tokens are allowed on `/run`, not 
because workload-scoped tokens are. To actually test workload token acceptance, 
the test needs to either:
   1. Remove the `_jwt_bearer` dependency override for this test and let the 
real auth flow use this `JWTValidator`, or
   2. Override `mock_jwt_bearer` to return `TIToken(..., claims={..., "scope": 
"workload"})` instead of the conftest's hardcoded `"scope": "execution"`.
   



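The failure mode described in the review comment above, reduced to a stand-alone model. This is an added example, not code from the PR, Airflow or FastAPI: `registry`, `dependency_overrides`, `run_endpoint`, `call_run` and the scope policy are simplified stand-ins assumed for illustration. With the override in place the workload-scoped validator mock is never awaited, and the request succeeds even against an endpoint that rejects workload tokens.

```python
import asyncio
from unittest import mock


# Simplified stand-ins (assumptions), not Airflow or FastAPI code.
class JWTValidator:
    async def avalidated_claims(self, cred, validators):
        raise NotImplementedError


registry = {}              # models the service registry holding JWTValidator
dependency_overrides = {}  # models FastAPI's app.dependency_overrides mapping


async def _jwt_bearer():
    """The real auth dependency: claims come from the registered validator."""
    return await registry[JWTValidator].avalidated_claims("constructed-token", {})


async def mock_jwt_bearer():
    """Models the client fixture's override with its hardcoded scope."""
    return {"sub": "ti-1", "scope": "execution"}


async def run_endpoint(allowed_scopes):
    # An override, when present, replaces the declared dependency entirely.
    dep = dependency_overrides.get(_jwt_bearer, _jwt_bearer)
    claims = await dep()
    status = 200 if claims["scope"] in allowed_scopes else 403
    return status, claims["scope"]


def call_run(allowed_scopes, use_override):
    """Register a workload-scoped validator mock, then call the endpoint once.

    Returns (status, scope seen by the endpoint, validator await count).
    """
    validator = mock.AsyncMock(spec=JWTValidator)
    validator.avalidated_claims.return_value = {"sub": "ti-1", "scope": "workload"}
    registry[JWTValidator] = validator
    dependency_overrides.clear()
    if use_override:
        dependency_overrides[_jwt_bearer] = mock_jwt_bearer
    status, scope = asyncio.run(run_endpoint(allowed_scopes))
    return status, scope, validator.avalidated_claims.await_count


if __name__ == "__main__":
    # Constructed policy: an endpoint that does NOT accept workload tokens.
    print(call_run({"execution"}, use_override=True))   # passes for the wrong reason
    print(call_run({"execution"}, use_override=False))  # what the endpoint really does
```

Checking the await count alongside the status code is what separates the two cases: a 200 with zero awaits means the registered validator took no part in the request.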