nileshpatil6 opened a new pull request, #67967: URL: https://github.com/apache/airflow/pull/67967
Fixes #67939

## Problem

Long-running tasks (running longer than `EXECUTION_API__JWT_EXPIRATION_TIME`, default 600 s) fail to send heartbeats because their execution-scoped JWT expires. When the token expires:

1. The security middleware rejects the request with 403.
2. `JWTReissueMiddleware` tries to refresh the token by calling `avalidated_claims` -- this also raises `ExpiredSignatureError`.
3. No `Refreshed-API-Token` header is set on the 403 response.
4. The client's tenacity retries all use the same expired token and keep getting 403.
5. After `MAX_FAILED_HEARTBEATS` consecutive failures the supervisor kills the task.

The proactive 80 % refresh works for tokens that are *near* expiry, but cannot help once the token has already crossed its `exp` boundary.

## Fix

Add `avalidated_claims_ignoring_expiry` to `JWTValidator`. This method verifies the signature, audience, and issuer exactly like `avalidated_claims`, but passes `"verify_exp": False` to `jwt.decode` so it does not raise on an already-expired token.

`JWTReissueMiddleware` now catches `ExpiredSignatureError` from the regular validation, calls `avalidated_claims_ignoring_expiry` to recover the claims with full signature verification, and sets `Refreshed-API-Token` on the 403 response. Workload-scoped tokens are excluded from this path (same as the existing proactive refresh).

The existing `_update_auth` response hook in the SDK client already updates the `Bearer` token from `Refreshed-API-Token` before the error is raised, so the tenacity retry fires with a fresh token and succeeds. No client-side changes are needed.
## Changes

- `airflow-core/src/airflow/api_fastapi/auth/tokens.py`: add `avalidated_claims_ignoring_expiry` to `JWTValidator`
- `airflow-core/src/airflow/api_fastapi/execution_api/app.py`: catch `ExpiredSignatureError` in `JWTReissueMiddleware` and issue a replacement token
- `airflow-core/tests/unit/api_fastapi/execution_api/versions/head/test_router.py`: add regression tests for expired execution and workload tokens
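The reissue-on-expiry decision described in this pull request, as an added example that is not code from the PR or from Airflow: it checks signature, audience and issuer, skips only the `exp` comparison, and refuses workload-scoped tokens. Assumptions: a stdlib HS256 token stands in for `JWTValidator` and `jwt.decode`, the key, claim names and values are constructed, and `GRACE_SECONDS` is an extra bound on how long after expiry a token may be exchanged, which the PR does not describe.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"                    # constructed, not a real key
AUDIENCE, ISSUER = "execution-api", "demo-issuer"   # constructed values
GRACE_SECONDS = 300                                 # assumption: not part of the PR


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict, key: bytes = SECRET) -> str:
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(mac)}"


def claims_ignoring_expiry(token: str, key: bytes = SECRET) -> dict:
    """Verify alg, signature, aud and iss; skip only the exp comparison."""
    head, body, sig = token.split(".")
    if json.loads(_unb64(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("aud") != AUDIENCE or claims.get("iss") != ISSUER:
        raise ValueError("wrong audience or issuer")
    return claims


def reissue_if_expired(token: str, now: float, ttl: int = 600):
    """Return a replacement for a validly signed, expired execution token, else None."""
    try:
        claims = claims_ignoring_expiry(token)
    except (ValueError, AttributeError, TypeError):
        return None                           # forged or malformed: never reissue
    if claims.get("scope") == "workload":     # excluded, as in the PR (claim name assumed)
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or not exp <= now <= exp + GRACE_SECONDS:
        return None                           # still valid, or expired too long ago
    return sign({**claims, "iat": int(now), "exp": int(now) + ttl})
```

Without a bound such as `GRACE_SECONDS`, any correctly signed execution token, however old, can be exchanged for a fresh one, so a token's effective lifetime is no longer limited by its `exp`.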
