[v3-1-test] fix: always include kid in JWT header for symmetric key tokens (#62883) #62943

Merged
eladkal merged 1 commit into v3-1-test from backport-6b21ec0-v3-1-test on Mar 5, 2026


@github-actions github-actions Bot commented Mar 5, 2026

When using symmetric (secret_key) signing, the JWTGenerator did not
include the 'kid' field in the JWT header. However, JWTValidator always
requires 'kid' in the token header, causing all symmetric-key tokens
to be rejected with 'Missing kid in token header'.

This affected the KeycloakAuthManager (and any auth manager using
symmetric JWT signing), creating an infinite redirect loop after
successful login.

Two changes:

  1. Always add 'kid' to the JWT header regardless of key type
  2. Check configured jwt_kid before falling back to 'not-used' for
     symmetric keys, so operators can set a meaningful kid

(cherry picked from commit 6b21ec0)

Co-authored-by: Yoann <60654707+YoannAbriel@users.noreply.github.com>
Closes: #62876

@boring-cyborg boring-cyborg Bot added the area:API Airflow's REST/HTTP API label Mar 5, 2026
@vincbeck vincbeck marked this pull request as ready for review March 5, 2026 15:10
@vincbeck vincbeck self-requested a review as a code owner March 5, 2026 15:10
@vatsrahul1001 vatsrahul1001 added this to the Airflow 3.1.8 milestone Mar 5, 2026
@vatsrahul1001 vatsrahul1001 added the type:bug-fix Changelog: Bug Fixes label Mar 5, 2026
@eladkal eladkal merged commit d12f014 into v3-1-test Mar 5, 2026
81 of 82 checks passed
@eladkal eladkal deleted the backport-6b21ec0-v3-1-test branch March 5, 2026 16:08
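
The generator/validator mismatch reported in the PR description, reduced to a stand-alone HS256 sketch that uses only the Python standard library. This is an added example, not Airflow's code: `generate`, `validate`, `resolve_kid` and the `include_kid` switch are hypothetical names, and the secret, claims and kid values are constructed.

```python
import base64, hashlib, hmac, json

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def resolve_kid(configured_kid=None) -> str:
    # Change 2 in the description: configured jwt_kid first, then 'not-used'.
    return configured_kid or "not-used"

def generate(claims: dict, secret: bytes, configured_kid=None, include_kid=True) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    if include_kid:  # include_kid=False reproduces the pre-fix header (hypothetical switch)
        header["kid"] = resolve_kid(configured_kid)
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    return signing_input + "." + _b64(_sign(secret, signing_input))

def validate(token: str, secret: bytes):
    head_b64, body_b64, sig_b64 = token.split(".")  # ValueError if not three parts
    header = json.loads(_unb64(head_b64))
    if header.get("alg") != "HS256":  # pin the algorithm instead of trusting the header
        raise ValueError("Unexpected alg")
    if "kid" not in header:  # the validator requires kid for every key type
        raise ValueError("Missing kid in token header")
    if not hmac.compare_digest(_sign(secret, f"{head_b64}.{body_b64}"), _unb64(sig_b64)):
        raise ValueError("Bad signature")
    return header["kid"], json.loads(_unb64(body_b64))

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    claims = {"sub": "user-1"}           # constructed sample claims
    for label, tok in [("pre-fix", generate(claims, secret, include_kid=False)),
                       ("fixed, default kid", generate(claims, secret)),
                       ("fixed, configured kid", generate(claims, secret, "airflow-api"))]:
        try:
            print(label, "->", validate(tok, secret))
        except ValueError as exc:
            print(label, "-> rejected:", exc)
```

The pre-fix token carries a valid signature and is still rejected, which is why a successful login never produced a usable session token.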
Labels

area:API Airflow's REST/HTTP API type:bug-fix Changelog: Bug Fixes
