Skip to content

[v3-1-test] fix: always include kid in JWT header for symmetric key tokens (#62883)#62943

Merged
eladkal merged 1 commit intov3-1-testfrom
backport-6b21ec0-v3-1-test
Mar 5, 2026
Merged

[v3-1-test] fix: always include kid in JWT header for symmetric key tokens (#62883)#62943
eladkal merged 1 commit intov3-1-testfrom
backport-6b21ec0-v3-1-test

Conversation

@github-actions
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot commented Mar 5, 2026

When using symmetric (secret_key) signing, the JWTGenerator did not
include the 'kid' field in the JWT header. However, JWTValidator always
requires 'kid' in the token header, causing all symmetric-key tokens
to be rejected with 'Missing kid in token header'.

This affected the KeycloakAuthManager (and any auth manager using
symmetric JWT signing), creating an infinite redirect loop after
successful login.

Two changes:

  1. Always add 'kid' to the JWT header regardless of key type
  2. Check configured jwt_kid before falling back to 'not-used' for
    symmetric keys, so operators can set a meaningful kid
    (cherry picked from commit 6b21ec0)

Co-authored-by: Yoann 60654707+YoannAbriel@users.noreply.github.com
Closes: #62876

@YoannAbriel
[v3-1-test] fix: always include kid in JWT header for symmetric key t…
2d4674c 
…okens (#62883)

When using symmetric (secret_key) signing, the JWTGenerator did not
include the 'kid' field in the JWT header. However, JWTValidator always
requires 'kid' in the token header, causing all symmetric-key tokens
to be rejected with 'Missing kid in token header'.

This affected the KeycloakAuthManager (and any auth manager using
symmetric JWT signing), creating an infinite redirect loop after
successful login.

Two changes:
1. Always add 'kid' to the JWT header regardless of key type
2. Check configured jwt_kid before falling back to 'not-used' for
   symmetric keys, so operators can set a meaningful kid
(cherry picked from commit 6b21ec0)

Co-authored-by: Yoann <60654707+YoannAbriel@users.noreply.github.com>
Closes: #62876
@github-actions github-actions Bot mentioned this pull request Mar 5, 2026
Merged
1 task
@boring-cyborg boring-cyborg Bot added the area:API Airflow's REST/HTTP API label Mar 5, 2026
@vincbeck vincbeck marked this pull request as ready for review March 5, 2026 15:10
@vincbeck vincbeck self-requested a review as a code owner March 5, 2026 15:10
@vatsrahul1001 vatsrahul1001 added this to the Airflow 3.1.8 milestone Mar 5, 2026
@vatsrahul1001 vatsrahul1001 added the type:bug-fix Changelog: Bug Fixes label Mar 5, 2026
@eladkal eladkal merged commit d12f014 into v3-1-test Mar 5, 2026
81 of 82 checks passed
@eladkal eladkal deleted the backport-6b21ec0-v3-1-test branch March 5, 2026 16:08
@vatsrahul1001 vatsrahul1001 mentioned this pull request Mar 6, 2026
Closed
81 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eladkal eladkal eladkal approved these changes

@vincbeck vincbeck vincbeck approved these changes

Assignees

No one assigned

Labels

area:API Airflow's REST/HTTP API type:bug-fix Changelog: Bug Fixes

Projects

None yet

Milestone

Airflow 3.1.8

Development

Successfully merging this pull request may close these issues.

4 participants

@eladkal @vincbeck @vatsrahul1001 @YoannAbriel