potiuk opened a new pull request, #67494: URL: https://github.com/apache/airflow/pull/67494
The JWT signer in `BaseAuthManager._get_token_signer()` reads `jwt_audience` from the `[api]` section while the validator in `_get_token_validator()` reads from `[api_auth]` — the documented option (only `[api_auth] jwt_audience` is declared in `config.yml`; `[api] jwt_audience` is not documented anywhere). Both defaults are `apache-airflow` so out-of-box behaviour is correct, but a deployment that sets a custom audience under the documented `[api_auth]` section would have its tokens signed with the default `apache-airflow` while the validator looks for the configured audience, silently rejecting every token.

Reported as F-005 in the [`apache/tooling-agents` L3 ASVS sweep `0920c77`](https://github.com/apache/tooling-agents/issues/23).

## Change

Switch the signer to read `[api_auth] jwt_audience` (the documented section). The undocumented `[api] jwt_audience` setting was never part of the schema, so removing it does not constitute a backwards-incompatible change for any documented configuration.

## Test plan

- [x] Added `test_token_signer_reads_audience_from_api_auth_section` asserting the signer's `audience` kwarg matches a `conf_vars` override on `[api_auth] jwt_audience`.
- [x] `prek run ruff` clean.
- [x] `prek run mypy-airflow-core` clean.

---

##### Was generative AI tooling used to co-author this PR?

- [X] Yes — Claude Code (Opus 4.7)

Generated-by: Claude Code (Opus 4.7) following [the guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
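The silent-rejection failure the PR describes, reproduced as an added example that is neither Airflow's code nor part of the PR: a minimal stdlib HS256 signer and validator whose audience comes from an Airflow-style config, with `token_is_accepted` choosing which section the signer reads (`api` as before the fix, `api_auth` after it). `DEMO_SECRET`, `SAMPLE_CONFIG` and the helper names are constructed assumptions.

```python
import base64
import configparser
import hashlib
import hmac
import json
from typing import Optional

DEFAULT_AUDIENCE = "apache-airflow"          # default both sections fall back to
DEMO_SECRET = "constructed-demo-signing-key"  # constructed; not a real key

# Constructed Airflow-style config: the custom audience is set only under the
# documented [api_auth] section, which is the deployment the PR describes.
SAMPLE_CONFIG = """
[api]
[api_auth]
jwt_audience = my-deployment
"""

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(secret: str, audience: str, sub: str = "user") -> str:
    # Minimal HS256 JWT: header.payload.signature, each base64url without padding.
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": sub, "aud": audience}).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def validate_token(token: str, secret: str, expected_audience: str) -> Optional[dict]:
    # Returns the claims only when both the signature and the audience check out.
    header, payload, sig = token.split(".")
    expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(payload))
    return claims if claims.get("aud") == expected_audience else None

def token_is_accepted(config_text: str, signer_section: str) -> bool:
    # The signer reads jwt_audience from signer_section; the validator always
    # reads [api_auth], mirroring the mismatch the PR fixes.
    conf = configparser.ConfigParser()
    conf.read_string(config_text)
    signer_aud = conf.get(signer_section, "jwt_audience", fallback=DEFAULT_AUDIENCE)
    validator_aud = conf.get("api_auth", "jwt_audience", fallback=DEFAULT_AUDIENCE)
    token = sign_token(DEMO_SECRET, signer_aud)
    return validate_token(token, DEMO_SECRET, validator_aud) is not None
```

With the defaults both sides agree, so the bug only surfaces once a custom audience is configured under `[api_auth]`; reading the same section on both sides makes the token accepted again.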
