pierrejeambrun opened a new pull request, #67289:
URL: https://github.com/apache/airflow/pull/67289

   The `/auth/logout` endpoint previously short-circuited via early return when 
an auth manager's `get_url_logout()` returned a URL, and 
`auth_manager.revoke_token(token_str)` was never called. The JWT therefore 
remained valid after logout for auth managers like `FabAuthManager` and 
`KeycloakAuthManager` that redirect to an external logout URL.
   
   Move the `revoke_token` call before the early return so logout reliably 
invalidates the JWT token regardless of which auth manager is configured. Both 
branches are covered by tests:
   
   - `test_logout_revokes_token` — `get_url_logout()` returns `None` (existing 
test).
   - `test_logout_revokes_token_when_logout_url_redirects` — `get_url_logout()` 
returns a URL (new test).
   
   ---
   
   ##### Was generative AI tooling used to co-author this PR?
   
   - [X] Yes — Claude Code (Opus 4.7)
   
   Generated-by: Claude Code (Opus 4.7) following [the 
guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

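
The ordering problem described in the pull request above, shown as an added example that is not Airflow's code or part of the PR. Only the method names `get_url_logout` and `revoke_token` come from the description; `ToyAuthManager`, `is_token_valid`, the `/auth/login` fallback, the sample token and the IdP URL are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ToyAuthManager:
    """Stand-in auth manager (hypothetical); only the two method names come from the PR."""
    logout_url: Optional[str] = None           # None => no external logout redirect
    revoked: set = field(default_factory=set)  # constructed revocation store

    def get_url_logout(self) -> Optional[str]:
        return self.logout_url

    def revoke_token(self, token: str) -> None:
        self.revoked.add(token)

    def is_token_valid(self, token: str) -> bool:
        # Hypothetical check: a token is accepted unless it was revoked.
        return token not in self.revoked


def logout_before(am: ToyAuthManager, token: str) -> str:
    """Ordering described as the bug: the redirect returns before revocation."""
    url = am.get_url_logout()
    if url:
        return url                  # early return, revoke_token never runs
    am.revoke_token(token)
    return "/auth/login"            # hypothetical default redirect


def logout_after(am: ToyAuthManager, token: str) -> str:
    """Ordering described as the fix: revoke first, then pick the redirect."""
    am.revoke_token(token)
    return am.get_url_logout() or "/auth/login"


def token_survives_logout(handler, logout_url: Optional[str]) -> bool:
    """Return True if the token is still accepted after the handler ran."""
    am = ToyAuthManager(logout_url=logout_url)
    token = "constructed.jwt.value"  # constructed sample, not a real JWT
    handler(am, token)
    return am.is_token_valid(token)
```

Running `token_survives_logout` against both handlers, with and without a logout URL, reproduces the two branches the PR's tests cover.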