This is an automated email from the ASF dual-hosted git repository.
vincbeck pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new 95adec475f9 Add hints for claim validation to auth manager documentation (#59320)
95adec475f9 is described below
commit 95adec475f98a2d3293d962ab0db319cb108fa67
Author: Daniel Wolf <[email protected]>
AuthorDate: Thu Dec 11 17:51:43 2025 +0100
Add hints for claim validation to auth manager documentation (#59320)
---
providers/fab/docs/auth-manager/token.rst | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/providers/fab/docs/auth-manager/token.rst
b/providers/fab/docs/auth-manager/token.rst
index 6132cb25ccb..c669bd5b33f 100644
--- a/providers/fab/docs/auth-manager/token.rst
+++ b/providers/fab/docs/auth-manager/token.rst
@@ -85,6 +85,13 @@ This custom logic overrides the default ``create_token``
method from the FAB aut
.. warning::
The example shown below disables signature verification
(``verify_signature=False``).
This is **insecure** and should only be used for testing. Always validate
tokens properly in production.
+ Furthermore you need to make sure that the claims of the JWT are valid.
+ Critical claims that you must verify are for example (but not limited to):
+ - ``iss`` (issuer)
+ - ``aud`` (audience)
+ - ``nbf`` (not before time)
+ - ``exp`` (expiration time)
+ Refer to the documentation of your identity provider for more information.
.. code-block:: python
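Review bot: the bullet list added inside the ``.. warning::`` directive (lines ``- ``iss`` (issuer)`` through ``- ``exp`` (expiration time)``) follows the sentence "Critical claims that you must verify are for example (but not limited to):" with no blank line before it, and reStructuredText only recognises a bullet list when it is separated from the preceding paragraph by a blank line; as written the four items render as run-on text inside the paragraph. Add a blank line before the first ``- `` item (and one after the last, before "Refer to the documentation ..."), and keep the list indented to the same level as the rest of the directive body. Wording: "Furthermore you need to make sure that the claims of the JWT are valid." reads better as "Furthermore, you must validate the JWT's claims, not just its signature.", and "are for example (but not limited to)" as "include, but are not limited to". It would also help the reader to say what "verify" means for each claim: ``iss`` must equal the issuer URL you expect (exact match, not a prefix), ``aud`` must contain this application's client ID, and ``exp``/``nbf`` are compared against the current time. Finally, since the decode call below has ``verify_signature=False`` as its "not recommended" variant, consider stating explicitly that disabling signature verification in most JWT libraries (PyJWT among them) also disables the default ``exp``/``nbf``/``aud``/``iss`` checks unless they are re-enabled, so the claim validation in this list silently stops happening as well.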
@@ -114,7 +121,8 @@ This custom logic overrides the default ``create_token``
method from the FAB aut
# token,
# public_key,
# algorithms=['HS256', 'RS256'],
- # audience=CLIENT_ID
+ # audience=CLIENT_ID,
+ # issuer=ISSUER_URL,
# )
#
# Without signature validation (not recommended):
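Review bot: ``# issuer=ISSUER_URL,`` introduces a name that is not defined or explained anywhere in the visible example, unlike the ``audience=CLIENT_ID`` line it is paired with; either define ``ISSUER_URL`` alongside ``CLIENT_ID`` in the snippet or say in the surrounding text that it must be set to the issuer URL published by the identity provider (the value that appears in the token's ``iss`` claim). While touching this call, the unchanged context ``# algorithms=['HS256', 'RS256'],`` together with ``# public_key,`` deserves a comment or a fix: accepting both a symmetric (HS256) and an asymmetric (RS256) algorithm when verifying with a public key is the classic algorithm-confusion footgun, because a token signed with HS256 using the public key bytes as the HMAC secret can be accepted by libraries that do not guard against it. The recommended example should pin ``algorithms`` to the single algorithm the identity provider actually uses (e.g. ``['RS256']``) rather than listing both.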