potiuk opened a new pull request, #69374:
URL: https://github.com/apache/airflow/pull/69374
The FAB auth manager's Azure AD OAuth provider decoded the incoming
`id_token`
with `verify_signature` defaulting to `False`, so the token payload was
accepted
without verifying its signature unless a deployment explicitly set the
option.
The Authentik OAuth provider in the same security manager already defaults
`verify_signature` to `True`.
This change:
- defaults `verify_signature` to `True` for the Azure AD provider, so
`id_token`
signatures are verified against the Microsoft JWKS by default, consistent
with
the Authentik provider;
- logs a warning when signature verification is skipped, matching the
Authentik
code path.
**Behaviour change / migration:** deployments that intentionally relied on
the
previous default must now set `verify_signature: False` explicitly in the
Azure
provider `client_kwargs` to keep the old behaviour.
### Tests
- [x] `test_decode_and_validate_azure_jwt_verifies_signature_by_default`
- [x] `test_decode_and_validate_azure_jwt_skips_verification_when_opted_out`
##### Was generative AI tooling used to co-author this PR?
- [X] Yes — Claude Opus 4.8 (1M context)
Generated-by: Claude Opus 4.8 (1M context) following the guidelines at
https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]