Samin061 opened a new pull request, #69948: URL: https://github.com/apache/airflow/pull/69948
`_decode_and_validate_azure_jwt` and `_validate_jwt` in the FAB security manager decode the OAuth id_token with authlib and call `claims.validate()` without passing `claims_options`, and authlib's `validate_aud` returns early when no `aud` option is supplied, so the audience is never checked against our own `client_id`. For azure the keyset comes from `MICROSOFT_KEY_SET_URL`, the `/common/` multi-tenant JWKS, so an id_token minted in any attacker-registered Azure AD tenant carries a signature that verifies, and `get_oauth_user_info` then takes `username` from `oid` and `role_keys` from the token's own `roles` claim, which the attacker controls in their own app registration; on the authentik path the issuer is pinned by the configured `jwks_uri`, but a token issued to any other client of the same instance is still accepted. Pin the expected audience to the configured `client_id` at both decode sites so a token that was not issued to this deployment is rejected. --- ##### Was generative AI tooling used to co-author this PR? <!-- If generative AI tooling has been used in the process of authoring this PR, please change below checkbox to `[X]` followed by the name of the tool, uncomment the "Generated-by". --> - [ ] Yes (please specify the tool below) <!-- Generated-by: [Tool Name] following [the guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions) --> --- -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
