Samin061 opened a new pull request, #69594:
URL: https://github.com/apache/airflow/pull/69594

   The keycloak auth manager sets the session JWT, the OIDC id token, and the 
OAuth state cookie during login, and it decides the cookie Secure flag from 
`secure = bool(conf.get("api", "ssl_cert"))`. That drops the 
`request.base_url.scheme == "https"` term the rest of the codebase uses for the 
same decision, including `logout_callback` a few lines down, the core auth 
manager login/logout, and the refresh-token middleware. When the api-server 
sits behind a proxy that terminates TLS, `ssl_cert` is normally unset in 
Airflow, so with the current check these auth cookies go out without Secure 
even though the browser reached the server over HTTPS. A browser will then also 
attach them to a plaintext http:// request to the same host, which puts the 
session token within reach of a network or SSL-stripping attacker. I noticed it 
while comparing the login and logout handlers in this file, since logout 
already guards on the request scheme. This lines both login routes up with that 
canonical form
  so the cookies carry Secure behind a proxy, and nothing changes when Airflow 
terminates TLS itself or serves plain HTTP.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to