This is an automated email from the ASF dual-hosted git repository.

shahar1 pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new f3037c173f6 Document that the Google OpenID auth backend matches users by their (mutable) email (#68391)
f3037c173f6 is described below

commit f3037c173f61ecc3fbcbe53b57131738760d8a38
Author: Jarek Potiuk <[email protected]>
AuthorDate: Wed Jun 17 01:05:46 2026 -0400

    Document that the Google OpenID auth backend matches users by their (mutable) email (#68391)
    
    Generated-by: Claude Opus 4.8 (1M context) following the guidelines at
    https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions
---
 providers/google/docs/api-auth-backend/google-openid.rst | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/providers/google/docs/api-auth-backend/google-openid.rst 
b/providers/google/docs/api-auth-backend/google-openid.rst
index 2b183d9c283..de158861bd3 100644
--- a/providers/google/docs/api-auth-backend/google-openid.rst
+++ b/providers/google/docs/api-auth-backend/google-openid.rst
@@ -37,6 +37,22 @@ use by Airflow only.
     [api]
     google_oauth2_audience = project-id-random-value.apps.googleusercontent.com
 
+.. warning:: User identity is matched by email address
+
+    This backend authenticates a request by matching the **verified** ``email``
+    claim of the Google ID token against an existing Airflow user's email. 
Email
+    addresses are mutable and can be reassigned between Google identities (for
+    example when an employee leaves and the address is recycled to a new hire, 
or
+    via domain recycling). The immutable ``sub`` (subject) claim is not 
consulted,
+    so a Google identity that comes to hold a previously-used address could
+    authenticate as the Airflow user still mapped to it.
+
+    Treat the email-to-user mapping as part of your identity lifecycle:
+    **deprovision (or re-map) the Airflow user whenever its email is 
reassigned**,
+    and do not recycle an address to a different identity while an Airflow 
account
+    is still mapped to it. Restricting ``google_oauth2_audience`` to your own
+    deployment (above) keeps tokens minted for unrelated audiences out of 
scope.
+
 You can also configure the CLI to send request to a remote API instead of 
making a query to a local database.
 
 .. code-block:: ini
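Review bot: the text placed on the directive line, ``.. warning:: User identity is matched by email address``, will not render as a title; docutils' specific admonitions (``warning``, ``note``, etc.) take no arguments, so that sentence becomes the first body paragraph of the box, followed by the two indented paragraphs. If a titled box is intended, use ``.. admonition:: User identity is matched by email address`` with ``:class: warning`` on the following line; otherwise move the sentence into the body so it reads as one paragraph with the explanation of the verified ``email`` claim and the unused ``sub`` claim. The closing sentence's "(above)" is fine while the ``google_oauth2_audience`` snippet sits directly before this warning, but a ``:ref:`` to the relevant section would survive later reordering of the page.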
