Skip to content

Secure AWS auth cookies behind TLS proxies#69898

Merged
pierrejeambrun merged 2 commits into
apache:mainfrom
shaealh:shaealh/airflow_47878_airflow_login_callback
Jul 15, 2026
Merged

Secure AWS auth cookies behind TLS proxies#69898
pierrejeambrun merged 2 commits into
apache:mainfrom
shaealh:shaealh/airflow_47878_airflow_login_callback

Conversation

@shaealh

@shaealh shaealh commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

The AWS auth manager determined the JWT cookie's Secure flag only from
api.ssl_cert. Deployments terminating TLS at a reverse proxy normally leave
that setting empty, causing the login callback to emit a non-Secure session
cookie even when the request scheme is HTTPS.

This applies the proxy-aware scheme-or-certificate check already used by the
core, FAB, and Keycloak auth managers. It also adds regression coverage for an
HTTPS request without a locally configured certificate.

related: #47878

Validation

  • Ruff formatting and lint checks passed.
  • Provider tests are delegated to GitHub Actions because no Docker runtime is available locally.

Was generative AI tooling used to co-author this PR?
  • Yes — Codex (GPT-5)

TLS is commonly terminated upstream, leaving api.ssl_cert empty even though browsers reach Airflow over HTTPS.
@boring-cyborg boring-cyborg Bot added area:providers provider:amazon AWS/Amazon - related issues labels Jul 15, 2026
@shaealh shaealh marked this pull request as ready for review July 15, 2026 03:30
@shaealh shaealh requested a review from o-nikolas as a code owner July 15, 2026 03:30
@shaealh

shaealh commented Jul 15, 2026

Copy link
Copy Markdown
Contributor Author

Could a maintainer please rerun the failed Static checks job? It failed in the unrelated FAB migration-reference hook, while the Amazon provider checks passed.

@pierrejeambrun

Copy link
Copy Markdown
Member

Could a maintainer please rerun the failed Static checks job? It failed in the unrelated FAB migration-reference hook, while the Amazon provider checks passed.

Done

@pierrejeambrun pierrejeambrun left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks

@pierrejeambrun pierrejeambrun merged commit a7cc0f9 into apache:main Jul 15, 2026
83 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area:providers provider:amazon AWS/Amazon - related issues

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants