This is an automated email from the ASF dual-hosted git repository. rusackas pushed a commit to branch rusackas/fix-jwt-verify-sub in repository https://gitbox.apache.org/repos/asf/superset.git
commit cdedf7e9b20175fe91df73758cbd18eb9ad2b6ea Author: Evan Rusackas <[email protected]> AuthorDate: Sun Feb 22 21:20:57 2026 -0800 fix(security): fix Guest Token API 422 error by disabling JWT sub claim verification PyJWT >= 2.10 enforces that the 'sub' claim must be a string, which breaks the /api/v1/security/guest_token and /api/v1/security/csrf_token endpoints when the subject is not a string. This adds JWT_VERIFY_SUB = False to the default config to disable this verification until the upstream issue is resolved. References: - https://github.com/jpadilla/pyjwt/issues/1017 - https://github.com/dpgaspar/Flask-AppBuilder/issues/2287 Closes #32241 Co-Authored-By: hainenber <[email protected]> Co-Authored-By: Claude Opus 4.5 <[email protected]> --- superset/config.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/superset/config.py b/superset/config.py index f220f9b7fcd..c4cae11114e 100644 --- a/superset/config.py +++ b/superset/config.py @@ -2445,6 +2445,12 @@ EXTRA_DYNAMIC_QUERY_FILTERS: ExtraDynamicQueryFilters = {} # connection via the UI (without downtime). CATALOGS_SIMPLIFIED_MIGRATION: bool = False +# Configure JWT subsystem to not enforce that the sub claim is a string +# Set this variable to avoid breaking `/api/security` endpoints +# TODO: remove this variable once pyjwt resolved the issue. +# https://github.com/jpadilla/pyjwt/issues/1017 +# https://github.com/dpgaspar/Flask-AppBuilder/issues/2287 +JWT_VERIFY_SUB: bool = False # When updating a DB connection or manually triggering a perm sync, the command # happens in sync mode. If you have a celery worker configured, it's recommended
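Review bot: The comment above `JWT_VERIFY_SUB: bool = False` in superset/config.py understates what the new default does. It says the setting will "not enforce that the sub claim is a string", but the name reads as switching sub verification off altogether, and as a default in config.py it applies to every deployment, including those that are not on PyJWT >= 2.10 or whose subjects are already strings. Please state in the comment exactly which check is skipped and which component reads this key, since the hunk does not show where it is consumed. The TODO should also be tied to a concrete condition, such as the PyJWT >= 2.10 behaviour named in the commit message, so it is clear when the override can be removed or set back to True. Two smaller points: the comment refers to `/api/security` endpoints while the commit message names `/api/v1/security/guest_token` and `/api/v1/security/csrf_token`, so use the full paths, and "once pyjwt resolved the issue" should read "once pyjwt has resolved the issue".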
