codeant-ai-for-open-source[bot] commented on PR #38177:
URL: https://github.com/apache/superset/pull/38177#issuecomment-3942707475
## **Sequence Diagram**
This PR adds JWT_VERIFY_SUB = False to the default config so PyJWT will not
enforce that the 'sub' claim is a string. The diagram shows the main success
path for generating guest and CSRF tokens where the backend delegates JWT work
to PyJWT with the new config to avoid 422 errors.
```mermaid
sequenceDiagram
participant Client
participant Superset Backend
participant PyJWT
Client->>Superset Backend: POST /api/v1/security/guest_token (or GET /csrf_token)
Superset Backend->>Superset Backend: Build token claims (resources, subject, audience)
Superset Backend->>PyJWT: Encode/decode JWT (JWT_VERIFY_SUB = False in config)
PyJWT-->>Superset Backend: Return token / decoded claims
Superset Backend-->>Client: 200 OK (guest_token or csrf_token)
```
---
*Generated by [CodeAnt AI](https://codeant.ai)*
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]