Leondon9 opened a new issue, #67142:
URL: https://github.com/apache/airflow/issues/67142
### What happened?
`JWTBearer.__call__` in the Execution API logs the raw bearer token when JWT
validation fails:
```python
log.warning("Failed to validate JWT", exc_info=True, token=creds.credentials)
```
`creds.credentials` is the raw value from the `Authorization: Bearer <token>` header. Airflow's structlog rendering includes structured fields in both text and JSON output, so this field is rendered into logs when that failure path is hit.
Example rendering using Airflow's logging configuration with a sentinel
token:
```text
Failed to validate JWT ... token=sentinel.execution-api.jwt.token
```
```json
{"event":"Failed to validate JWT","token":"sentinel.execution-api.jwt.token",...}
```
### Why this matters
Bearer tokens are credential material even when short-lived. A validation
failure is not necessarily an expired or harmless token; it may also happen for
audience, issuer, claim, clock skew, key rotation, or configuration mismatches.
Logs may be persisted, collected, or forwarded to systems with broader access
than the request path.
### Expected behavior
JWT validation failures should keep enough context to debug the failure, but
should not include the raw bearer token in structured logs.
### Notes
This is not a report of a confirmed production leak. It is a reproducible
logging behavior in the current code path.
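One way to keep debuggable context on this failure path without the raw credential, as an added example that is not Airflow's code and not part of the issue: the token is reduced to a short hash prefix (for correlating repeated failures), its shape, and bounded, unverified header fields. `safe_token_context`, `failure_event` and `SAMPLE_TOKEN` are names invented for this example, and the sample token is constructed and unsigned.

```python
import base64
import hashlib
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def safe_token_context(token: str) -> dict:
    """Debug context for a failed validation that cannot be replayed.

    Keeps a short hash prefix (to correlate repeated failures from one
    token), the token's shape, and bounded header fields; never the token.
    """
    parts = token.split(".")
    ctx = {
        "token_sha256_prefix": hashlib.sha256(token.encode()).hexdigest()[:12],
        "token_len": len(token),
        "token_segments": len(parts),
    }
    if len(parts) == 3:
        try:
            header = json.loads(_b64url_decode(parts[0]))
            # The header is unverified input: copy only known keys, truncated.
            ctx["alg"] = str(header.get("alg"))[:16]
            if "kid" in header:
                ctx["kid"] = str(header["kid"])[:64]
        except (ValueError, TypeError, AttributeError):
            ctx["header_parse_error"] = True
    return ctx


def failure_event(token: str, reason: str) -> str:
    """Render the warning as a JSON log line with the raw credential omitted."""
    event = {"event": "Failed to validate JWT", "reason": reason}
    event.update(safe_token_context(token))
    return json.dumps(event, sort_keys=True)


# Constructed, unsigned sample token (not a real credential) for demonstration.
SAMPLE_TOKEN = ".".join([
    _b64url_encode(b'{"alg":"HS256","kid":"k1","typ":"JWT"}'),
    _b64url_encode(b'{"sub":"task-instance","aud":"execution-api"}'),
    _b64url_encode(b"not-a-real-signature"),
])
```

The hash prefix lets an operator tie several failures to one token without being able to recover it; the header fields are still attacker-controlled input, so they are truncated before logging.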
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.