GayathriSrividya commented on code in PR #68054:
URL: https://github.com/apache/airflow/pull/68054#discussion_r3400957556
##########
airflow-core/src/airflow/api_fastapi/execution_api/app.py:
##########
@@ -135,25 +136,22 @@ async def dispatch(self, request: Request, call_next):
response: Response = await call_next(request)
refreshed_token: str | None = None
- auth_header = request.headers.get("authorization")
- if auth_header and auth_header.lower().startswith("bearer "):
- token = auth_header.split(" ", 1)[1]
+ token = request.scope.get(_REQUEST_SCOPE_TOKEN_KEY)
+ if token:
try:
- async with svcs.Container(request.app.state.svcs_registry) as
services:
- validator: JWTValidator = await services.aget(JWTValidator)
- claims = await validator.avalidated_claims(token, {})
-
- # Workload tokens are long-lived and meant to survive queue
- # wait times so avoid refreshing them. If avalidated_claims
- # raises for a workload token, the outer except handles it.
- if claims.get("scope") == "workload":
- return response
-
- now = int(time.time())
- token_lifetime = int(claims.get("exp", 0)) -
int(claims.get("iat", 0))
- refresh_when_less_than = max(int(token_lifetime * 0.20),
30)
- valid_left = int(claims.get("exp", 0)) - now
- if valid_left <= refresh_when_less_than:
+ claims = {"sub": str(token.id), **token.claims.model_dump()}
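Review bot: In the added `claims = {"sub": str(token.id), **token.claims.model_dump()}` line, the unpacked dump comes after the explicit `sub`, so any `sub` key that `model_dump()` emits would silently replace `str(token.id)`. Put `"sub"` after the unpacking, or exclude it from the dump, so the subject always comes from `token.id`. The removed lines also returned early for `scope == "workload"` tokens, and the visible part of the hunk does not show that check being kept, so confirm the new path still skips refresh for workload tokens.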
Review Comment:
sub is the identity anchor for these Execution API tokens, not just extra
metadata. In our auth path, sub becomes token.id, and that value is later
enforced by the ownership checks (ti:self / connection:self) against the
request path params. So even if this specific middleware block
does not read sub directly after building the claims dict, the refreshed token
still needs it so the next request can pass subject-matching authorization. If
we omit sub on refresh, we risk issuing a cryptographically valid token that
then fails authorization with 403 on the
following call due to identity mismatch.
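
The failure mode described in this comment, as an added example that is not code from the PR or from Airflow: a refreshed token that drops `sub` still passes signature and expiry validation but fails a subject-matching ownership check with 403. The HS256 helpers, `SECRET`, `TI_ID`, `authorize_ti_self` and `refresh` are hypothetical stand-ins for the JWT validator, the `ti:self` check and the refresh middleware.

```python
import base64, hashlib, hmac, json, time
SECRET = b"constructed-demo-key"      # constructed key, for this example only
TI_ID = "0193e1c2-constructed-ti-id"  # constructed task instance id

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict) -> str:
    """Sign claims as a compact HS256 JWT."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def validated_claims(token: str) -> dict:
    """Signature and expiry only: the 'cryptographically valid' step."""
    head, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64d(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64d(body))
    if claims["exp"] <= time.time():
        raise ValueError("expired")
    return claims

def authorize_ti_self(token: str, path_ti_id: str) -> int:
    """Hypothetical ownership check: subject must equal the id in the path."""
    try:
        claims = validated_claims(token)
    except ValueError:
        return 401
    return 200 if claims.get("sub") == path_ti_id else 403

def refresh(old_claims: dict, keep_sub: bool, lifetime: int = 600) -> str:
    """Re-issue a token from validated claims, with or without sub."""
    now = int(time.time())
    new = {k: v for k, v in old_claims.items() if k not in ("iat", "exp", "sub")}
    if keep_sub:
        new["sub"] = old_claims["sub"]
    return mint({**new, "iat": now, "exp": now + lifetime})

def demo() -> tuple:
    now = int(time.time())
    claims = validated_claims(mint({"sub": TI_ID, "iat": now, "exp": now + 600}))
    return tuple(authorize_ti_self(refresh(claims, k), TI_ID) for k in (False, True))
```

`demo()` returns the status codes for the refresh without `sub` and the refresh with it, in that order.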