Samin061 opened a new pull request, #69594:
URL: https://github.com/apache/airflow/pull/69594
The keycloak auth manager sets the session JWT, the OIDC id token, and the
OAuth state cookie during login, and it decides the cookie Secure flag from
`secure = bool(conf.get("api", "ssl_cert"))`. That drops the
`request.base_url.scheme == "https"` term the rest of the codebase uses for the
same decision, including `logout_callback` a few lines down, the core auth
manager login/logout, and the refresh-token middleware. When the api-server
sits behind a proxy that terminates TLS, `ssl_cert` is normally unset in
Airflow, so with the current check these auth cookies go out without Secure
even though the browser reached the server over HTTPS. A browser will then also
attach them to a plaintext http:// request to the same host, which puts the
session token within reach of a network or SSL-stripping attacker. I noticed it
while comparing the login and logout handlers in this file, since logout
already guards on the request scheme. This lines both login routes up with that
canonical form
so the cookies carry Secure behind a proxy, and nothing changes when Airflow
terminates TLS itself or serves plain HTTP.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]