henry3260 commented on PR #63115: URL: https://github.com/apache/airflow/pull/63115#issuecomment-4035943396
> @henry3260 - can you please explain why you want to add guess and want to decrease the strength of RSA here? It awfully looks like deliberate effort to decrease security here - and I think there should be really good justification for that one.

`GUESS + JWKS`: The previous code raised an error at construction time because JWKS keys aren't available yet. Now we defer the algorithm resolution to validation time, reading `algorithm_name` from the already-fetched `jwt.PyJWK` object. If the JWK has no declared algorithm, we still raise `InvalidTokenError`, so we are not accepting all arbitrary algorithms; we're trusting the algorithm the key itself declares.
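The validation-time resolution described in the comment above, as an added example that is not code from the PR, Airflow, or PyJWT. It assumes standard-library HMAC keys (`kty: oct`) as a stand-in for the JWKS keys so it runs offline; the `InvalidTokenError` class here is defined locally, and every function name and sample key is hypothetical and constructed for illustration.

```python
import base64, hashlib, hmac, json

class InvalidTokenError(Exception):
    """Local stand-in for the error named in the comment."""

# Assumption: a small allowlist of HMAC algorithms, chosen so the stdlib can verify them.
_HMAC_DIGESTS = {"HS256": hashlib.sha256, "HS512": hashlib.sha512}

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def resolve_algorithm(jwk):
    """Resolve the algorithm at validation time from the key's own 'alg' member."""
    alg = jwk.get("alg")
    if not alg:
        raise InvalidTokenError("JWK declares no algorithm; refusing to guess")
    if alg not in _HMAC_DIGESTS:
        raise InvalidTokenError(f"algorithm {alg!r} is not allowed")
    return alg

def sign(payload, jwk, header_alg=None):
    """Build a compact token; header_alg lets a test build a header that disagrees with the key."""
    header = {"alg": header_alg or jwk["alg"], "typ": "JWT"}
    signing_input = ".".join(_b64url_encode(json.dumps(p).encode()) for p in (header, payload))
    mac = hmac.new(_b64url_decode(jwk["k"]), signing_input.encode(), _HMAC_DIGESTS[jwk["alg"]]).digest()
    return signing_input + "." + _b64url_encode(mac)

def validate(token, jwk):
    """Verify with the key-declared algorithm; the token header never selects it."""
    alg = resolve_algorithm(jwk)
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise InvalidTokenError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != alg:
        raise InvalidTokenError("token header alg does not match the key's declared alg")
    expected = hmac.new(_b64url_decode(jwk["k"]), f"{header_b64}.{payload_b64}".encode(), _HMAC_DIGESTS[alg]).digest()
    if not hmac.compare_digest(sig, expected):
        raise InvalidTokenError("bad signature")
    return json.loads(_b64url_decode(payload_b64))

# Constructed sample keys (not real secrets): one declares "alg", one does not.
KEY_WITH_ALG = {"kty": "oct", "kid": "demo-1", "alg": "HS256", "k": _b64url_encode(b"constructed-demo-secret-32-bytes")}
KEY_NO_ALG = {"kty": "oct", "kid": "demo-2", "k": KEY_WITH_ALG["k"]}
```
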
