This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new cdee4236a9e Encode id_token to avoid special characters in it. (#62429)
cdee4236a9e is described below
commit cdee4236a9e636e6740448c29ed7ef1461d76bd2
Author: Jarek Potiuk <[email protected]>
AuthorDate: Tue Feb 24 23:06:24 2026 +0100
Encode id_token to avoid special characters in it. (#62429)
Co-authored-by: Copilot Autofix powered by AI
<62310815+github-advanced-security[bot]@users.noreply.github.com>
---
.../src/airflow/providers/keycloak/auth_manager/routes/login.py | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git
a/providers/keycloak/src/airflow/providers/keycloak/auth_manager/routes/login.py
b/providers/keycloak/src/airflow/providers/keycloak/auth_manager/routes/login.py
index 0fe97ec82f4..54c94002120 100644
---
a/providers/keycloak/src/airflow/providers/keycloak/auth_manager/routes/login.py
+++
b/providers/keycloak/src/airflow/providers/keycloak/auth_manager/routes/login.py
@@ -20,6 +20,7 @@ from __future__ import annotations
import json
import logging
from typing import cast
+from urllib.parse import quote
from fastapi import Request # noqa: TC002
from fastapi.responses import HTMLResponse, RedirectResponse
@@ -112,7 +113,11 @@ def logout(request: Request):
post_logout_redirect_uri = request.url_for("logout_callback")
if id_token:
- logout_url =
f"{end_session_endpoint}?post_logout_redirect_uri={post_logout_redirect_uri}&id_token_hint={id_token}"
+ encoded_id_token = quote(id_token, safe="")
+ logout_url = (
+
f"{end_session_endpoint}?post_logout_redirect_uri={post_logout_redirect_uri}"
+ f"&id_token_hint={encoded_id_token}"
+ )
else:
logout_url = str(post_logout_redirect_uri)
