kaxil commented on code in PR #60108:
URL: https://github.com/apache/airflow/pull/60108#discussion_r2957016853
##########
task-sdk/src/airflow/sdk/api/client.py:
##########
@@ -939,7 +939,10 @@ def __init__(self, *, base_url: str | None, dry_run: bool
= False, token: str, *
)
def _update_auth(self, response: httpx.Response):
Review Comment:
Priority order is correct: `X-Execution-Token` wins over
`Refreshed-API-Token`.
One edge case to consider: the `JWTReissueMiddleware` will also try to
reissue the inbound workload token if it's near expiry (within 20% of
`jwt_expiration_time`). The reissued token inherits the `scope: "workload"`
claim but gets `jwt_expiration_time` (600s default) validity instead of the
original 24h. In practice this won't happen — a 24h workload token won't be
within 120s of expiry on a single `/run` call — but the middleware should
probably skip reissuing workload-scoped tokens to be safe against future
shorter-lived workload tokens.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
