This is an automated email from the ASF dual-hosted git repository.
vincbeck pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new 44c20319c56 Raise InvalidJwtError in JWTValidator.avalidated_claims
when kid does not match. (#67909)
44c20319c56 is described below
commit 44c20319c56dc9aff4fd9ce80ba6d2641baab379
Author: stephen-bracken <[email protected]>
AuthorDate: Wed Jun 3 14:18:50 2026 +0100
Raise InvalidJwtError in JWTValidator.avalidated_claims when kid does not
match. (#67909)
---
airflow-core/src/airflow/api_fastapi/auth/tokens.py | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/airflow-core/src/airflow/api_fastapi/auth/tokens.py
b/airflow-core/src/airflow/api_fastapi/auth/tokens.py
index 707d427101c..4ba1943c577 100644
--- a/airflow-core/src/airflow/api_fastapi/auth/tokens.py
+++ b/airflow-core/src/airflow/api_fastapi/auth/tokens.py
@@ -319,7 +319,10 @@ class JWTValidator:
self, unvalidated: str, required_claims: dict[str, Any] | None = None
) -> dict[str, Any]:
"""Decode the JWT token, returning the validated claims or raising an
exception."""
- key = await self._get_validation_key(unvalidated)
+ try:
+ key = await self._get_validation_key(unvalidated)
+ except KeyError:
+ raise jwt.InvalidTokenError("Kid did not match any validation
keys")
algorithms = self.algorithm
validation_key: str | jwt.PyJWK | Any = key
if algorithms == ["GUESS"] and isinstance(key, jwt.PyJWK):
