This is an automated email from the ASF dual-hosted git repository.
vincbeck pushed a commit to branch v3-2-test
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/v3-2-test by this push:
new c16d3c44f5d [v3-2-test] Raise InvalidJwtError in
JWTValidator.avalidated_claims when kid does not match. (#67909) (#67959)
c16d3c44f5d is described below
commit c16d3c44f5d464f508645f671bd37032a9a98048
Author: github-actions[bot]
<41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Wed Jun 3 18:11:18 2026 -0400
[v3-2-test] Raise InvalidJwtError in JWTValidator.avalidated_claims when
kid does not match. (#67909) (#67959)
---
airflow-core/src/airflow/api_fastapi/auth/tokens.py | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/airflow-core/src/airflow/api_fastapi/auth/tokens.py
b/airflow-core/src/airflow/api_fastapi/auth/tokens.py
index 707d427101c..4ba1943c577 100644
--- a/airflow-core/src/airflow/api_fastapi/auth/tokens.py
+++ b/airflow-core/src/airflow/api_fastapi/auth/tokens.py
@@ -319,7 +319,10 @@ class JWTValidator:
self, unvalidated: str, required_claims: dict[str, Any] | None = None
) -> dict[str, Any]:
"""Decode the JWT token, returning the validated claims or raising an
exception."""
- key = await self._get_validation_key(unvalidated)
+ try:
+ key = await self._get_validation_key(unvalidated)
+ except KeyError:
+ raise jwt.InvalidTokenError("Kid did not match any validation
keys")
algorithms = self.algorithm
validation_key: str | jwt.PyJWK | Any = key
if algorithms == ["GUESS"] and isinstance(key, jwt.PyJWK):
