jason810496 commented on code in PR #63604:
URL: https://github.com/apache/airflow/pull/63604#discussion_r3008674757
##########
airflow-core/src/airflow/api_fastapi/execution_api/datamodels/token.py:
##########
@@ -17,16 +17,33 @@
from __future__ import annotations
-from typing import Any
+from typing import Literal
from uuid import UUID
+from pydantic import ConfigDict
+
from airflow.api_fastapi.core_api.base import BaseModel
+TokenScope = Literal["execution", "workload"]
+
+
+class TIClaims(BaseModel):
+ """Validated JWT claims for a task identity token."""
+
+ model_config = ConfigDict(extra="allow")
+
+ sub: UUID
+ exp: int
+ iat: int
+ nbf: int
+ scope: TokenScope = "execution"
+ aud: str | list[str] | None = None
+ iss: str | None = None
Review Comment:
Would it be better to just have `scope` field for now? Since we only use
`scope` so far and the other additional fields will only be used at previous
stage (e.g. `exp`, `aud` will only be used at `JWTValidator` )
##########
airflow-core/src/airflow/api_fastapi/execution_api/versions/v2026_03_31.py:
##########
@@ -27,6 +27,15 @@
TIDeferredStatePayload,
TIRunContext,
)
+from airflow.api_fastapi.execution_api.datamodels.token import TIToken
+
+
+class ValidateTaskIdentityTokenClaims(VersionChange):
Review Comment:
Actually, this _could_ be a special case that we don't even need to add the
Execution API migration.
It seems the `TIClaims` only used internally, additionally, the
`task-sdk/src/airflow/sdk/api/datamodels/_generated.py` doesn't change at all.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
