SameerMesiah97 commented on PR #63115: URL: https://github.com/apache/airflow/pull/63115#issuecomment-4034324797
> I quite agree I am not sure why we need it?

My 2 cents as a non-domain expert: The comment was applicable to the original implementation which was pulling the algorithm from an unverified header, which can be submitted by a malicious party. @henry3260 changed it so that the verification algorithm comes from the JWKS metadata instead, which (as evidenced by the #TODO comment) seems to be the direction this was eventually heading. This nullifies my original concern.

I do agree it technically shifts a bit more trust to the JWKS metadata itself, but if the issuer/JWKS endpoint were compromised then the entire authentication layer is already broken anyway since an attacker could publish arbitrary keys.
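The distinction discussed in the comment above, as an added sketch that is not code from the PR or from Airflow: the verification algorithm is read from the JWKS entry and the token header is only compared against it. The names `pinned_algorithm`, `ALLOWED_ALGS`, `sample_token` and `SAMPLE_JWKS` are hypothetical, and the allow-list is an assumption.

```python
import base64
import json

# Assumed allow-list for this sketch; the PR's actual set is not shown on this page.
ALLOWED_ALGS = frozenset({"RS256", "ES256"})


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_header(token: str) -> dict:
    """Parse the JOSE header. Nothing in it is trusted yet."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not an object")
    return header


def pinned_algorithm(token: str, jwks: dict) -> tuple[str, dict]:
    """Return (alg, jwk) to verify with; alg comes from the JWKS entry only."""
    header = unverified_header(token)
    # kid is used purely as a lookup hint into keys that were already fetched.
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == header.get("kid")]
    if len(matches) != 1:
        raise ValueError("kid does not identify exactly one JWKS key")
    jwk = matches[0]
    alg = jwk.get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError("JWKS key declares no acceptable alg")
    if header.get("alg") != alg:
        # Rejects a header naming 'none' or anything other than the published alg.
        raise ValueError("header alg differs from JWKS alg")
    return alg, jwk


def sample_token(header: dict) -> str:
    """Constructed, unsigned sample input for exercising the checks above."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc({'sub': 'demo'})}.c2ln"


# Constructed JWKS document (key material omitted; only the metadata matters here).
SAMPLE_JWKS = {"keys": [{"kid": "k1", "kty": "RSA", "alg": "RS256", "use": "sig"}]}
```

The returned `alg` is then the only algorithm handed to the JWT library for the signature check, so the header never widens what the verifier accepts.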
