Skip to content

fix(execution-api): Refresh expired JWT tokens for active tasks #59553 #60197

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
anishgirianish wants to merge 3 commits into from
Closed

fix(execution-api): Refresh expired JWT tokens for active tasks #59553 #60197

anishgirianish wants to merge 3 commits into from
+240 −25

Conversation

@anishgirianish
Copy link
Contributor

@anishgirianish anishgirianish commented Jan 7, 2026
edited
Loading

Summary

Alternative approach to #59553 - handles expired JWT tokens at the auth layer instead of extending token lifetime.

When a task worker's JWT expires while the task is still running, the worker currently fails with token expiry error. This PR allows expired tokens to be refreshed if the task is in QUEUED or RUNNING state.

Changes

deps.py - JWTBearer auth dependency

  • Catch ExpiredSignatureError and attempt token refresh
  • Validate signature, claims, and task state before refreshing
  • Store refreshed token in request.state for middleware

app.py - JWTReissueMiddleware

  • Check request.state.refreshed_token before proactive refresh
  • Return refreshed token via Refreshed-API-Token header

tokens.py

  • Make get_validation_key public (was _get_validation_key)

test_app.py

  • Add tests for expired token refresh (success + rejection)

Security

  • Only refreshes for QUEUED/RUNNING tasks (DB check)
  • Validates signature before refresh
  • Validates all claims same as normal flow

closes #59553
alternative to #60108

^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named {pr_number}.significant.rst or {issue_number}.significant.rst, in airflow-core/newsfragments.

@boring-cyborg boring-cyborg bot added the area:API Airflow's REST/HTTP API label Jan 7, 2026
@anishgirianish anishgirianish mentioned this pull request Jan 7, 2026
Open
@anishgirianish anishgirianish force-pushed the fix/token-expiry-middleware-approch branch from da27475 to 65b8c7b Compare January 7, 2026 06:33
@ashb
Copy link
Member

ashb commented Jan 7, 2026

Closing due to #60108 (review) -- this suffers the same problem, and this PR is is no different here.

@ashb ashb closed this Jan 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vincbeck vincbeck Awaiting requested review from vincbeck vincbeck is a code owner

@ashb ashb Awaiting requested review from ashb ashb is a code owner

@kaxil kaxil Awaiting requested review from kaxil kaxil is a code owner

@amoghrajesh amoghrajesh Awaiting requested review from amoghrajesh amoghrajesh is a code owner

Assignees

No one assigned

Labels

area:API Airflow's REST/HTTP API

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

AIRFLOW__SCHEDULER__TASK_QUEUED_TIMEOUT configuration ignored

2 participants

@anishgirianish @ashb