Fix JWT token generation with unset issuer/audience config #61278
potiuk merged 2 commits into apache:main from
|
The mypy error could be due to jpadilla/pyjwt@29fbfc3 where jpadilla/pyjwt@29fbfc3#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380L30 jpadilla/pyjwt@29fbfc3#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380L204 |
|
Yep, it's likely that. I tried to resolve it |
|
@tirkarthi do you wanna take another look now? Mypy is fixed. |
tirkarthi
left a comment
LGTM. Thanks @amoghrajesh.
|
Nice, thanks @amoghrajesh! |
|
This needs a backport, seeing the similar issue. Will create in a moment |
apache#61278) * Fix JWT token generation with unset issuer/audience config * Fix JWT token generation with unset issuer/audience config (cherry picked from commit a440d1d) Co-authored-by: Amogh Desai <[email protected]>
#61278) (#61331) * Fix JWT token generation with unset issuer/audience config (cherry picked from commit a440d1d) Co-authored-by: Amogh Desai <[email protected]>
|
cc @ephraimbuddy given rc2 we need to change milestone on this PR to 3.1.7 right? |
I have done so on the backport: #61331 |
* [v3-1-test] Add Keycloak token documentation to Security/API (#61228) (#61248) (cherry picked from commit bb04b5d) Co-authored-by: Bugra Ozturk <[email protected]> * [v3-1-test] Fix language selector state not updating on change (#61060) (#61263) (cherry picked from commit 975cfe6) * [v3-1-test] Clarify template context for asset-triggered DAGs in airflow-core docs (#61258) (#61282) (cherry picked from commit f7aa502) Co-authored-by: Rachana Dutta <[email protected]> Co-authored-by: kevinhongzl <[email protected]> * [v3-1-test] Fix flaky OTel integration test with DNS health check (#61070) (#61242) (#61286) * Fix flaky OTel integration test with DNS health check (#61070) * Update airflow-core/tests/integration/otel/test_otel.py --------- (cherry picked from commit 8ac25dd) Co-authored-by: Abhishek Mishra <[email protected]> Co-authored-by: Henry Chen <[email protected]> * [v3-1-test] Update pmc verification docs (#61271) (#61294) * Update Helm Chart release instructions for PMC Checks * Update KEY download instructions for PMC Checks * Update dev/README_RELEASE_HELM_CHART.md (cherry picked from commit c74b24a) * [v3-1-test] update version for release command (#61260) (#61328) (cherry picked from commit 7790482) Co-authored-by: Rahul Vats <[email protected]> * CI: Upgrade important CI environment (#61327) * [v3-1-test] Fix JWT token generation with unset issuer/audience config (#61278) (#61331) * Fix JWT token generation with unset issuer/audience config (cherry picked from commit a440d1d) Co-authored-by: Amogh Desai <[email protected]> * [v3-1-test] Remove empty `apache_airflow_site.py` file (#61308) (cherry picked from commit d65ff01) Co-authored-by: Jed Cunningham <[email protected]> --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Bugra Ozturk <[email protected]> Co-authored-by: Guan-Ming (Wesley) Chiu <[email protected]> Co-authored-by: Shahar Epstein <[email protected]> Co-authored-by: 
Rachana Dutta <[email protected]> Co-authored-by: kevinhongzl <[email protected]> Co-authored-by: Abhishek Mishra <[email protected]> Co-authored-by: Henry Chen <[email protected]> Co-authored-by: Rahul Vats <[email protected]> Co-authored-by: Amogh Desai <[email protected]> Co-authored-by: Jed Cunningham <[email protected]>
PyJWT released 2.11.0 https://pyjwt.readthedocs.io/en/stable/changelog.html#v2-11-0 which adds stricter validation for JWT claims.

The change: jpadilla/pyjwt#1039 and jpadilla/pyjwt#1040 ensures that the `iss` and `aud` claims must be StringOrURI as per RFC 7519: https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1

An example of earlier behaviour with 2.10.1 pyjwt

With 2.11.0 pyjwt:

Now, airflow's config parser returned `[]` for unset configs when `first_only` was set. This is now rejected by PyJWT as invalid claims.

The fix is to return `None` for unset configs when a single string is expected, and for list values an empty list is still valid -- this needs to be handled in the `_conf_list_factory` as well as the `JWTGenerator` to handle falsy values.
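
The failure mode from the PR description, modelled as an added example that is not Airflow's or PyJWT's code: `conf_list_old`, `conf_list_fixed`, `check_claims` and `build_claims` are hypothetical stand-ins, and `check_claims` only approximates the StringOrURI type rule the description cites.

```python
from typing import Any, Optional


def _split(raw: Optional[str]) -> list:
    # Comma-separated option value -> list of non-empty items.
    return [p.strip() for p in (raw or "").split(",") if p.strip()]


def conf_list_old(raw: Optional[str], first_only: bool = False) -> Any:
    """Pre-fix behaviour per the PR text: unset option gives [] even with first_only."""
    items = _split(raw)
    return items[0] if first_only and items else items


def conf_list_fixed(raw: Optional[str], first_only: bool = False) -> Any:
    """Post-fix behaviour: None when a single string is expected, [] for lists."""
    items = _split(raw)
    if first_only:
        return items[0] if items else None
    return items


def check_claims(claims: dict) -> None:
    """Stand-in strict check: iss is a string; aud is a string or list of strings."""
    if "iss" in claims and not isinstance(claims["iss"], str):
        raise TypeError(f"iss must be a string, got {claims['iss']!r}")
    aud = claims.get("aud", "")
    is_str_list = isinstance(aud, list) and all(isinstance(a, str) for a in aud)
    if not (isinstance(aud, str) or is_str_list):
        raise TypeError(f"aud must be a string or list of strings, got {aud!r}")


def build_claims(sub: str, issuer: Any, audience: Any, skip_falsy: bool) -> dict:
    """Assemble claims; with skip_falsy, unset iss/aud are left out, not sent empty."""
    claims: dict = {"sub": sub}
    for name, value in (("iss", issuer), ("aud", audience)):
        if skip_falsy and not value:
            continue  # unset config: omit the claim entirely
        claims[name] = value
    check_claims(claims)
    return claims
```

Changing only the parser is not enough in this model: `None` for `iss` still fails the type check unless the claim builder also skips falsy values, which matches the two places the description says need handling.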