
fix: always include kid in JWT header for symmetric key tokens#62883

Merged
eladkal merged 1 commit into apache:main from YoannAbriel:fix/issue-62876 on Mar 5, 2026

Conversation

@YoannAbriel
Contributor

Problem

When using KeycloakAuthManager (or any auth manager) with symmetric JWT signing (HS256 + secret key), the authentication flow enters an infinite redirect loop. After successful login, the internal session JWT is rejected by the FastAPI JWTValidator with: Missing 'kid' in token header.

Root Cause

JWTGenerator.generate() only added the kid field to the JWT header when using asymmetric (private key) signing. Symmetric (secret key) tokens never got kid in the header. However, JWTValidator._get_kid_from_header() unconditionally requires kid in the token header, causing all symmetric-key tokens to fail validation.

Additionally, _generate_kid() returned "not-used" immediately for symmetric keys without checking the api_auth.jwt_kid configuration, so operators couldn't set a meaningful kid for their symmetric setup.

Fix

Two changes in airflow-core/src/airflow/api_fastapi/auth/tokens.py:

  1. Always include kid in the JWT header — removed the if self._private_key: guard so headers["kid"] = self.kid runs for both symmetric and asymmetric keys.
  2. Check configured jwt_kid before falling back — reordered _generate_kid() to check the api_auth.jwt_kid config option first, before returning the "not-used" fallback for symmetric keys. This lets operators configure a custom kid regardless of key type.

Added two unit tests: one verifying symmetric tokens include kid in the header, another verifying the configured jwt_kid is respected for symmetric keys.

Closes: #62876


Was generative AI tooling used to co-author this PR?
  • Yes — Claude Code

Generated-by: Claude Code following the guidelines


  • Read the Pull Request Guidelines for more information. Note: commit author/co-author name and email in commits become permanently public when merged.
  • For fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
  • When adding dependency, check compliance with the ASF 3rd Party License Policy.
  • For significant user-facing changes create newsfragment: {pr_number}.significant.rst or {issue_number}.significant.rst, in airflow-core/newsfragments.

@YoannAbriel YoannAbriel requested a review from vincbeck as a code owner March 4, 2026 17:06
@boring-cyborg boring-cyborg Bot added the area:API Airflow's REST/HTTP API label Mar 4, 2026
When using symmetric (secret_key) signing, the JWTGenerator did not
include the 'kid' field in the JWT header. However, JWTValidator always
requires 'kid' in the token header, causing all symmetric-key tokens
to be rejected with 'Missing kid in token header'.

This affected the KeycloakAuthManager (and any auth manager using
symmetric JWT signing), creating an infinite redirect loop after
successful login.

Two changes:
1. Always add 'kid' to the JWT header regardless of key type
2. Check configured jwt_kid before falling back to 'not-used' for
   symmetric keys, so operators can set a meaningful kid

Closes: apache#62876
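The generator/validator mismatch described in the PR description and in the commit message above can be reproduced without Airflow. The following is an added example, not code from airflow-core/src/airflow/api_fastapi/auth/tokens.py: a stand-alone HS256 generator and validator built on the standard library, where `kid_on_symmetric=False` reproduces the old `if self._private_key:` guard and `kid_on_symmetric=True` shows the fixed behaviour. The class names mirror the ones in the description, but `kid_on_symmetric`, `configured_kid` (standing in for `api_auth.jwt_kid`) and `demo` are assumed names for illustration only. It also pins `alg` to HS256 on the validating side, which a `kid`-keyed lookup should always do so that the key identifier never gets paired with an algorithm it was not issued for.

```python
"""Added example (not Airflow's tokens.py): minimal HS256 JWT mint/verify showing the kid bug and fix."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Re-add the padding that JWT strips before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


class JWTGenerator:
    """Mints symmetric tokens. kid_on_symmetric=False replays the old private-key-only guard."""

    def __init__(self, secret_key: str, configured_kid: Optional[str] = None, kid_on_symmetric: bool = True):
        self._secret_key = secret_key.encode()
        self._configured_kid = configured_kid  # assumed stand-in for the api_auth.jwt_kid option
        self._kid_on_symmetric = kid_on_symmetric
        self.kid = self._generate_kid()

    def _generate_kid(self) -> str:
        # Fixed ordering: a configured kid wins before the symmetric-key fallback.
        if self._configured_kid:
            return self._configured_kid
        return "not-used"

    def generate(self, subject: str, ttl_seconds: int = 300) -> str:
        header = {"alg": "HS256", "typ": "JWT"}
        if self._kid_on_symmetric:
            # The fix: the header carries kid for secret-key tokens too, not only for private-key ones.
            header["kid"] = self.kid
        now = int(time.time())
        claims = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
        compact = (",", ":")
        signing_input = (
            _b64url_encode(json.dumps(header, separators=compact).encode())
            + "."
            + _b64url_encode(json.dumps(claims, separators=compact).encode())
        )
        sig = hmac.new(self._secret_key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url_encode(sig)


class JWTValidator:
    """Looks the verification key up by kid, exactly the step that failed for symmetric tokens."""

    def __init__(self, secret_key: str, expected_kid: str):
        self._keys: Dict[str, bytes] = {expected_kid: secret_key.encode()}

    @staticmethod
    def _get_kid_from_header(token: str) -> str:
        header = json.loads(_b64url_decode(token.split(".")[0]))
        if header.get("alg") != "HS256":
            raise ValueError("Unexpected alg in token header")
        kid = header.get("kid")
        if kid is None:
            raise ValueError("Missing 'kid' in token header")
        return kid

    def validate(self, token: str) -> dict:
        kid = self._get_kid_from_header(token)
        key = self._keys.get(kid)
        if key is None:
            raise ValueError("Unknown kid %r" % kid)
        header_b64, claims_b64, sig_b64 = token.split(".")
        expected = hmac.new(key, (header_b64 + "." + claims_b64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("Invalid signature")
        claims = json.loads(_b64url_decode(claims_b64))
        if claims["exp"] < int(time.time()):
            raise ValueError("Token expired")
        return claims


def demo(kid_on_symmetric: bool, configured_kid: Optional[str] = None) -> str:
    """One mint/verify round trip with a constructed secret; returns the outcome as a short string."""
    secret = "constructed-demo-secret"
    gen = JWTGenerator(secret, configured_kid=configured_kid, kid_on_symmetric=kid_on_symmetric)
    validator = JWTValidator(secret, expected_kid=gen.kid)
    try:
        return "ok:" + validator.validate(gen.generate("alice"))["sub"]
    except ValueError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    print(demo(kid_on_symmetric=False))  # rejected:Missing 'kid' in token header
    print(demo(kid_on_symmetric=True))  # ok:alice (kid falls back to "not-used")
    print(demo(kid_on_symmetric=True, configured_kid="airflow-hs256-2026"))  # ok:alice
```

The first call is the pre-fix loop trigger: the login succeeds, the session token is minted, and the validator rejects it on the very first request. The third call shows the second half of the fix, where an operator-configured `kid` is honoured even though the key is symmetric.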
@eladkal eladkal merged commit 6b21ec0 into apache:main Mar 5, 2026
36 checks passed
github-actions Bot pushed a commit that referenced this pull request Mar 5, 2026
…okens (#62883)
(cherry picked from commit 6b21ec0)

Co-authored-by: Yoann <60654707+YoannAbriel@users.noreply.github.com>
Closes: #62876
@github-actions
Contributor

github-actions Bot commented Mar 5, 2026

Backport successfully created: v3-1-test

Note: As of Merging PRs targeted for Airflow 3.X
the committer who merges the PR is responsible for backporting the PRs that are bug fixes (generally speaking) to the maintenance branches.

In matter of doubt please ask in #release-management Slack channel.

Status Branch Result
v3-1-test PR Link

@YoannAbriel YoannAbriel deleted the fix/issue-62876 branch March 5, 2026 15:30
eladkal pushed a commit that referenced this pull request Mar 5, 2026
…okens (#62883) (#62943)
(cherry picked from commit 6b21ec0)

Closes: #62876

Co-authored-by: Yoann <60654707+YoannAbriel@users.noreply.github.com>
dominikhei pushed a commit to dominikhei/airflow that referenced this pull request Mar 11, 2026
…e#62883)

Closes: apache#62876

Labels

area:API Airflow's REST/HTTP API type:bug-fix Changelog: Bug Fixes

Development

Successfully merging this pull request may close these issues.

[Airflow 3] Keycloak Auth Manager: 401 Redirect Loop due to Missing 'kid' in Internal JWT Header

4 participants