potiuk opened a new pull request, #69374:
URL: https://github.com/apache/airflow/pull/69374

   The FAB auth manager's Azure AD OAuth provider decoded the incoming 
`id_token`
   with `verify_signature` defaulting to `False`, so the token payload was 
accepted
   without verifying its signature unless a deployment explicitly set the 
option.
   The Authentik OAuth provider in the same security manager already defaults
   `verify_signature` to `True`.
   
   This change:
   
   - defaults `verify_signature` to `True` for the Azure AD provider, so 
`id_token`
     signatures are verified against the Microsoft JWKS by default, consistent 
with
     the Authentik provider;
   - logs a warning when signature verification is skipped, matching the 
Authentik
     code path.
   
   **Behaviour change / migration:** deployments that intentionally relied on 
the
   previous default must now set `verify_signature: False` explicitly in the 
Azure
   provider `client_kwargs` to keep the old behaviour.
   
   ### Tests
   
   - [x] `test_decode_and_validate_azure_jwt_verifies_signature_by_default`
   - [x] `test_decode_and_validate_azure_jwt_skips_verification_when_opted_out`
   
   ##### Was generative AI tooling used to co-author this PR?
   
   - [X] Yes — Claude Opus 4.8 (1M context)
   
   Generated-by: Claude Opus 4.8 (1M context) following the guidelines at
   
https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to