bugraoz93 commented on issue #59277: URL: https://github.com/apache/airflow/issues/59277#issuecomment-3638139297
> I am not sure about this, but I think that since Airflow has its own /auth/token endpoint, a request made with a valid Airflow token should be treated as valid regardless of the access_token expiration. Basically my idea was that an API (or UI) user should not care about what authentication manager is used.

I think this could be a problem and possibly block a security mitigation. Normally, a token or a session should be able to be invalidated/blocked, which in this case means admins should be able to invalidate a session or a token when it is leaked. If you have a token working for Airflow which is leaked, you can never invalidate it unless it expires from Keycloak. Even if we have the auth flow, if you are using 3rd-party tooling, I think we should leave the management to the tool. Otherwise it could be unmanageable and can open backdoors.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
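The revocation gap discussed in the comment above, shown as an added, self-contained example. This is not Airflow's token code and not code from the thread: the HMAC-signed token format, the `jti` and `upstream_exp` claims, the `TokenPolicy` class and all keys and timestamps are constructed for illustration. The "naive" policy models a token that stays valid regardless of the identity provider's access_token expiry and has no revocation store, so an admin cannot invalidate a leaked token before its own expiry; the "hardened" policy consults a revocation list and honours the upstream expiry.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field

SIGNING_KEY = b"example-only-signing-key"  # constructed; never hard-code real keys


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, jti: str, issued_at: int, ttl: int, upstream_exp: int) -> str:
    """Mint an HMAC-signed token (constructed format, not Airflow's).

    `upstream_exp` records when the identity provider's access_token that backed
    this login expires; `jti` is a unique id that a revocation list can reference.
    """
    claims = {"sub": subject, "jti": jti, "iat": issued_at,
              "exp": issued_at + ttl, "upstream_exp": upstream_exp}
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def parse_token(token: str) -> dict | None:
    """Return the claims if the signature verifies, otherwise None."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None
    return json.loads(_unb64url(body))


@dataclass
class TokenPolicy:
    # honor_upstream_expiry=False reproduces "valid regardless of access_token expiration"
    honor_upstream_expiry: bool = True
    # None models a deployment with no admin-side revocation store at all
    revoked_jtis: set[str] | None = field(default_factory=set)

    def revoke(self, jti: str) -> bool:
        """Record a leaked token's id; returns False when revocation is unsupported."""
        if self.revoked_jtis is None:
            return False
        self.revoked_jtis.add(jti)
        return True


def validate(token: str, policy: TokenPolicy, now: int) -> tuple[bool, str]:
    """Decide whether a presented token is still acceptable at time `now`."""
    claims = parse_token(token)
    if claims is None:
        return False, "bad_signature"
    if policy.revoked_jtis is not None and claims["jti"] in policy.revoked_jtis:
        return False, "revoked"
    if now >= claims["exp"]:
        return False, "expired"
    if policy.honor_upstream_expiry and now >= claims["upstream_exp"]:
        return False, "upstream_expired"
    return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """Walk one leaked token through both policies; timestamps are constructed."""
    t0 = 1_700_000_000
    # Airflow-side token lives a day; the IdP access_token behind it lives 5 minutes.
    token = issue_token("alice", "jti-1", t0, ttl=86_400, upstream_exp=t0 + 300)
    naive = TokenPolicy(honor_upstream_expiry=False, revoked_jtis=None)
    hardened = TokenPolicy(honor_upstream_expiry=True)
    results: dict[str, tuple[bool, str]] = {}

    # 10 minutes in: the IdP session is over, but the naive policy still accepts.
    results["naive_after_upstream_expiry"] = validate(token, naive, t0 + 600)
    results["hardened_after_upstream_expiry"] = validate(token, hardened, t0 + 600)

    # Token is reported leaked shortly after issue; admin tries to revoke it.
    naive.revoke("jti-1")      # no store: nothing to record
    hardened.revoke("jti-1")
    results["naive_after_revoke"] = validate(token, naive, t0 + 100)
    results["hardened_after_revoke"] = validate(token, hardened, t0 + 100)

    # Only the token's own expiry ever stops the naive policy.
    results["naive_after_local_expiry"] = validate(token, naive, t0 + 90_000)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:35s} -> {outcome}")
```

The ordering inside `validate` matters: the revocation check runs before any expiry check, so an admin's decision takes effect immediately rather than only once the IdP's access_token happens to lapse. A real deployment would back `revoked_jtis` with a shared store (database or cache) so every API server sees the same revocations.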
