pierrejeambrun commented on issue #47559: URL: https://github.com/apache/airflow/issues/47559#issuecomment-2714035283
Not really. JWT simplicity is an advantage but also its weakness. By default there is no mechanism to invalidate tokens. That's up to us to implement as additional logic (persist invalidated tokens in a table, do a lookup there on auth, maybe clean that lookup table of expired tokens, etc.).

A stolen token, or even a token after logout, will keep being valid until its expiry date. Therefore it's up to the deployment manager to configure this to a reasonable timedelta (1 day, 1 hour).

On the other hand, the FabAuthManager uses a session alongside the token (for legacy reasons), and this session will be invalidated (not the token).

I think this would be nice to have, but I'm not sure this is required for Airflow 3. (I could be wrong.)

cc: @ash @jedcunningham

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
