feat: add JWT authorization

* Add support for JWT via Authlib and JWK

Author: tomondre

reana_server/decorators.py

@@ -20,10 +20,11 @@
     _get_user_from_invenio_user,
     get_user_from_token,
     get_quota_excess_message,
+    _get_user_from_jwt,
 )
 
 
-def signin_required(include_gitlab_login=False, token_required=True):
+def signin_required(include_gitlab_login=False, token_required=True, include_jwt=False):
     """Check if the user is signed in or the access token is valid and return the user."""
 
     def decorator(func):
@@ -37,6 +38,9 @@ def wrapper(*args, **kwargs):
                     user = get_user_from_token(request.headers["X-Gitlab-Token"])
                 elif "access_token" in request.args:
                     user = get_user_from_token(request.args.get("access_token"))
+                elif include_jwt and request.headers["Authorization"]:
+                    user = _get_user_from_jwt(request.headers["Authorization"])
+
                 if not user:
                     return jsonify(message="User not signed in"), 401
                 if token_required and not user.active_token:

reana_server/utils.py

@@ -17,6 +17,8 @@
 import secrets
 import sys
 import shutil
+from authlib.jose import jwt, JoseError
+from authlib.jose.rfc7517.jwk import JsonWebKey
 from typing import Any, Dict, List, Optional, Union, Generator
 from uuid import UUID, uuid4
 
@@ -433,6 +435,13 @@ def _get_user_from_invenio_user(id):
     return user
 
 
+def _get_user_by_idpid(idp_id):
+    user = Session.query(User).filter_by(idp_id=idp_id).one_or_none()
+    if not user:
+        raise ValueError("No users registered with this id")
+    return user
+
+
 def _get_reana_yaml_from_gitlab(webhook_data, user_id):
     reana_yaml = "reana.yaml"
     if webhook_data["object_kind"] == "push":
@@ -658,3 +667,61 @@ def render_template(template_path, **kwargs):
         """Render template replacing kwargs appropriately."""
         template = JinjaEnv._get().get_template(template_path)
         return template.render(**kwargs)
+
+
+def fetch_and_parse_jwk():
+    """Fetch and return specific JWK from an identity provider.
+
+    Returns:
+        dict: JWK matching the kid
+
+    Raises:
+        ValueError: If JWK fetch fails or no matching key found
+    """
+    if not hasattr(fetch_and_parse_jwk, "_cache"):
+        fetch_and_parse_jwk._cache = None
+
+    if not fetch_and_parse_jwk._cache:
+        response = requests.get("https://iam-escape.cloud.cnaf.infn.it/jwk")
+        if response.status_code != 200:
+            raise ValueError(f"Failed to fetch JWK: {response.status_code}")
+        fetch_and_parse_jwk._cache = response.json()
+    jwks = fetch_and_parse_jwk._cache.get("keys", [])
+    if not jwks:
+        raise ValueError("No JWKs found in the response")
+    return jwks
+
+
+def _get_user_from_jwt(header: str) -> User:
+    """Get user from JWT token.
+
+    Args:
+        header: JWT Authorization header in the format "Bearer <token>"
+
+    Returns:
+        User: REANA user if token is valid
+
+    Raises:
+        ValueError: If token is invalid or user not found
+    """
+    try:
+        if not header.startswith("Bearer "):
+            raise ValueError("Invalid authorization header format")
+
+        token = header.split(" ")[1]
+
+        jwks = fetch_and_parse_jwk()
+        key_set = JsonWebKey.import_key_set(jwks)
+
+        claims = jwt.decode(token, key_set)
+        claims.validate()
+
+        idp_id = claims.get("sub")
+        if not idp_id:
+            raise ValueError("Token missing subject claim")
+
+        return _get_user_by_idpid(idp_id)
+    except JoseError as e:
+        raise ValueError(f"Invalid token: {str(e)}")
+    except Exception as e:
+        raise ValueError(f"Error processing token: {str(e)}")

requirements.txt

@@ -13,6 +13,7 @@ argparse-dataclass==2.0.0  # via snakemake-interface-common, snakemake-interface
 arrow==1.3.0              # via isoduration
 asttokens==3.0.0          # via stack-data
 attrs==25.1.0             # via jsonschema
+authlib==1.6.0            # via reana-server (setup.py)
 babel==2.17.0             # via flask-babel, invenio-i18n
 bagit==1.8.1              # via cwltool
 billiard==4.2.1           # via celery
@@ -37,7 +38,7 @@ commonmark==0.9.1         # via rich
 conda-inject==1.3.2       # via snakemake
 configargparse==1.7       # via snakemake, snakemake-interface-common
 connection-pool==0.0.3    # via snakemake
-cryptography==44.0.0      # via invenio-accounts, pyjwt, sqlalchemy-utils
+cryptography==44.0.0      # via authlib, invenio-accounts, pyjwt, sqlalchemy-utils
 cwltool==3.1.20210628163208  # via reana-commons
 datrie==0.8.2             # via snakemake
 decorator==5.1.1          # via ipython, jsonpath-rw
@@ -166,7 +167,7 @@ pytz==2024.1              # via bravado-core, flask-babel, invenio-i18n
 pywebpack==2.1.0          # via flask-webpackext
 pyyaml==6.0.2             # via bravado, bravado-core, conda-inject, kubernetes, packtivity, reana-commons, snakemake, swagger-spec-validator, yadage, yadage-schemas, yte
 rdflib==5.0.0             # via cwltool, prov, schema-salad
-reana-commons[cwl,kubernetes,snakemake,yadage]==0.95.0a7  # via reana-db, reana-server (setup.py)
+reana-commons[cwl,kubernetes,snakemake,yadage]==0.95.0a9  # via reana-db, reana-server (setup.py)
 reana-db==0.95.0a5        # via reana-server (setup.py)
 redis==5.2.1              # via invenio-celery
 requests[security]==2.32.3  # via bravado, bravado-core, cachecontrol, cwltool, github3-py, kubernetes, packtivity, reana-server (setup.py), requests-oauthlib, schema-salad, snakemake, yadage, yadage-schemas

setup.py

@@ -82,6 +82,8 @@
     "invenio-theme>=1.4.7",
     "invenio-i18n>=1.3.3",
     "invenio-access>=2.0.0",
+    # JWT Auth support
+    "authlib>=1.6.0",
     # Invenio database
     "invenio-db[postgresql]>=1.0.5",
     "six>=1.12.0",  # required by Flask-Breadcrumbs