feat: add JWT authorization

* Add support for JWT token-based authentication
* Implement JWK fetching and caching mechanism from identity provider
* Add JWT validation using Authlib
* Modify signin_required decorator to handle JWT bearer tokens
* Use user idp_id to map idp user ids to reana user ids
* Add test cases for decorator with request context

This change allows users to authenticate with JWT tokens issued by an external identity provider, with token validation performed against the provider's JWK set.

Author: tomondre

reana_server/decorators.py

@@ -20,10 +20,11 @@
     _get_user_from_invenio_user,
     get_user_from_token,
     get_quota_excess_message,
+    _get_user_from_jwt,
 )
 
 
-def signin_required(include_gitlab_login=False, token_required=True):
+def signin_required(include_gitlab_login=False, token_required=True, include_jwt=False):
     """Check if the user is signed in or the access token is valid and return the user."""
 
     def decorator(func):
@@ -37,6 +38,9 @@ def wrapper(*args, **kwargs):
                     user = get_user_from_token(request.headers["X-Gitlab-Token"])
                 elif "access_token" in request.args:
                     user = get_user_from_token(request.args.get("access_token"))
+                elif include_jwt and request.headers['Authorization']:
+                    user = _get_user_from_jwt(request.headers['Authorization'])
+
                 if not user:
                     return jsonify(message="User not signed in"), 401
                 if token_required and not user.active_token:

reana_server/utils.py

@@ -17,6 +17,8 @@
 import secrets
 import sys
 import shutil
+from authlib.jose import jwt, JoseError
+from authlib.jose.rfc7517.jwk import JsonWebKey
 from typing import Any, Dict, List, Optional, Union, Generator
 from uuid import UUID, uuid4
 
@@ -432,6 +434,11 @@ def _get_user_from_invenio_user(id):
         raise ValueError("User access token revoked.")
     return user
 
+def _get_user_by_idpid(idp_id):
+    user = Session.query(User).filter_by(idp_id=idp_id).one_or_none()
+    if not user:
+        raise ValueError("No users registered with this id")
+    return user
 
 def _get_reana_yaml_from_gitlab(webhook_data, user_id):
     reana_yaml = "reana.yaml"
@@ -658,3 +665,65 @@ def render_template(template_path, **kwargs):
         """Render template replacing kwargs appropriately."""
         template = JinjaEnv._get().get_template(template_path)
         return template.render(**kwargs)
+
+
+def fetch_and_parse_jwk():
+    """Fetch and return specific JWK from an identity provider.
+
+    Returns:
+        dict: JWK matching the kid
+
+    Raises:
+        ValueError: If JWK fetch fails or no matching key found
+    """
+    if not hasattr(fetch_and_parse_jwk, '_cache'):
+        fetch_and_parse_jwk._cache = None
+
+    if not fetch_and_parse_jwk._cache:
+        response = requests.get("https://iam-escape.cloud.cnaf.infn.it/jwk")
+        if response.status_code != 200:
+            raise ValueError(f"Failed to fetch JWK: {response.status_code}")
+        fetch_and_parse_jwk._cache = response.json()
+    jwks = fetch_and_parse_jwk._cache.get("keys", [])
+    if not jwks:
+        raise ValueError("No JWKs found in the response")
+    return jwks
+
+
+
+def _get_user_from_jwt(header: str) -> User:
+    """Get user from JWT token.
+
+    Args:
+        header: JWT Authorization header in the format "Bearer <token>"
+
+    Returns:
+        User: REANA user if token is valid
+
+    Raises:
+        ValueError: If token is invalid or user not found
+    """
+    from authlib.jose import jwt, JoseError
+    from authlib.jose.rfc7517.jwk import JsonWebKey
+
+    try:
+        if not header.startswith('Bearer '):
+            raise ValueError("Invalid authorization header format")
+
+        token = header.split(" ")[1]
+
+        jwks = fetch_and_parse_jwk()
+        key_set = JsonWebKey.import_key_set(jwks)
+
+        claims = jwt.decode(token, key_set)
+        claims.validate()
+
+        idp_id = claims.get('sub')
+        if not idp_id:
+            raise ValueError("Token missing subject claim")
+
+        return _get_user_by_idpid(idp_id)
+    except JoseError as e:
+        raise ValueError(f"Invalid token: {str(e)}")
+    except Exception as e:
+        raise ValueError(f"Error processing token: {str(e)}")

requirements.txt

@@ -13,6 +13,7 @@ argparse-dataclass==2.0.0  # via snakemake-interface-common, snakemake-interface
 arrow==1.3.0              # via isoduration
 asttokens==3.0.0          # via stack-data
 attrs==25.1.0             # via jsonschema
+authlib==1.6.0            # via reana-server (setup.py)
 babel==2.17.0             # via flask-babel, invenio-i18n
 bagit==1.8.1              # via cwltool
 billiard==4.2.1           # via celery
@@ -37,7 +38,7 @@ commonmark==0.9.1         # via rich
 conda-inject==1.3.2       # via snakemake
 configargparse==1.7       # via snakemake, snakemake-interface-common
 connection-pool==0.0.3    # via snakemake
-cryptography==44.0.0      # via invenio-accounts, pyjwt, sqlalchemy-utils
+cryptography==44.0.0      # via authlib, invenio-accounts, pyjwt, sqlalchemy-utils
 cwltool==3.1.20210628163208  # via reana-commons
 datrie==0.8.2             # via snakemake
 decorator==5.1.1          # via ipython, jsonpath-rw
@@ -166,7 +167,7 @@ pytz==2024.1              # via bravado-core, flask-babel, invenio-i18n
 pywebpack==2.1.0          # via flask-webpackext
 pyyaml==6.0.2             # via bravado, bravado-core, conda-inject, kubernetes, packtivity, reana-commons, snakemake, swagger-spec-validator, yadage, yadage-schemas, yte
 rdflib==5.0.0             # via cwltool, prov, schema-salad
-reana-commons[cwl,kubernetes,snakemake,yadage]==0.95.0a7  # via reana-db, reana-server (setup.py)
+reana-commons[cwl,kubernetes,snakemake,yadage]==0.95.0a9  # via reana-db, reana-server (setup.py)
 reana-db==0.95.0a5        # via reana-server (setup.py)
 redis==5.2.1              # via invenio-celery
 requests[security]==2.32.3  # via bravado, bravado-core, cachecontrol, cwltool, github3-py, kubernetes, packtivity, reana-server (setup.py), requests-oauthlib, schema-salad, snakemake, yadage, yadage-schemas

setup.py

@@ -82,6 +82,8 @@
     "invenio-theme>=1.4.7",
     "invenio-i18n>=1.3.3",
     "invenio-access>=2.0.0",
+    # JWT Auth support
+    "authlib>=1.6.0",
     # Invenio database
     "invenio-db[postgresql]>=1.0.5",
     "six>=1.12.0",  # required by Flask-Breadcrumbs

tests/test_decorators.py

@@ -8,7 +8,7 @@
 """REANA-Server decorators tests."""
 
 import json
-from unittest.mock import Mock, patch
+from unittest.mock import Mock, patch, MagicMock
 
 from flask import jsonify
 from reana_db.models import User, UserToken
@@ -31,3 +31,51 @@ def test_signing_required_with_token(user0: User):
         mock_endpoint.assert_not_called()
         assert code == 401
         assert error["message"] == "User has no active tokens"
+
+def test_signin_required_with_jwt(user0: User):
+    """Test `signin_required` with JWT token authentication."""
+    mock_endpoint = Mock(return_value=(jsonify(message="Success"), 200))
+    mock_current_user = Mock()
+    mock_current_user.is_authenticated = False
+    mock_current_user.email = user0.email
+
+    mock_request = Mock()
+    mock_request.headers = {"Authorization": "Bearer token123"}
+    mock_request.args = {}
+    mock_request_context = MagicMock()
+    mock_request_context.__enter__.return_value = mock_request
+
+    with patch("reana_server.decorators._get_user_from_jwt", mock_current_user):
+        with patch("reana_server.decorators.current_user", mock_current_user):
+            with patch("reana_server.decorators.request", mock_request):
+                decorated_endpoint = signin_required(include_jwt=True)(mock_endpoint)
+                response, code = decorated_endpoint()
+
+                # Should call the endpoint since authentication succeeded
+                mock_endpoint.assert_called_once()
+                assert code == 200
+                assert json.loads(response.get_data(as_text=True))["message"] == "Success"
+
+def test_signin_required_with_invalid_jwt(user0: User):
+    """Test `signin_required` with invalid JWT token."""
+    mock_endpoint = Mock(return_value=(jsonify(message="Success"), 200))
+    mock_current_user = Mock()
+    mock_current_user.is_authenticated = False
+    mock_current_user.email = user0.email
+
+    mock_request = Mock()
+    mock_request.headers = {"Authorization": "Bearer invalid_token"}
+    mock_request.args = {}
+    mock_request_context = MagicMock()
+    mock_request_context.__enter__.return_value = mock_request
+
+    with patch("reana_server.decorators.current_user", mock_current_user):
+        with patch("reana_server.decorators._get_user_from_jwt", side_effect=ValueError("Invalid token")):
+            with patch("reana_server.decorators.request", mock_request):
+                decorated_endpoint = signin_required(include_jwt=True)(mock_endpoint)
+                response, code = decorated_endpoint()
+
+                # Should not call the endpoint since authentication failed
+                mock_endpoint.assert_not_called()
+                assert code == 403
+                assert json.loads(response.get_data(as_text=True))["message"] == "Invalid token"