reanahub · tomondre · Jul 22, 2025 · Jul 22, 2025 · Jul 22, 2025 · Jul 22, 2025
diff --git a/docs/openapi.json b/docs/openapi.json
diff --git a/reana_server/config.py b/reana_server/config.py
@@ -302,6 +302,9 @@ def _get_rate_limit(env_variable: str, default: str) -> str:
 OAUTHCLIENT_REMOTE_APPS = dict()
 OAUTHCLIENT_REST_REMOTE_APPS = dict()
 
+# Default value for when no login providers are configured. Used for JWT validation.
+REANA_OAUTH_JWK_URL = None
+
 # Keycloak is only configured if login providers are defined
 if REANA_SSO_LOGIN_PROVIDERS:
     # Variables for the first login provider in the JSON
@@ -346,6 +349,8 @@ def _get_rate_limit(env_variable: str, default: str) -> str:
     OAUTHCLIENT_REMOTE_APPS["keycloak"] = KEYCLOAK_APP
     OAUTHCLIENT_REST_REMOTE_APPS["keycloak"] = KEYCLOAK_REST_APP
 
+    REANA_OAUTH_JWK_URL = PROVIDER_CONFIG.get("jwk_url", "")
+
 # CERN SSO configuration
 OAUTH_REMOTE_REST_APP = copy.deepcopy(cern_openid.REMOTE_REST_APP)
 OAUTH_REMOTE_REST_APP.update(

diff --git a/reana_server/decorators.py b/reana_server/decorators.py
@@ -20,6 +20,7 @@
     _get_user_from_invenio_user,
     get_user_from_token,
     get_quota_excess_message,
+    _get_user_from_jwt,
 )
 
 
@@ -37,6 +38,9 @@ def wrapper(*args, **kwargs):
                     user = get_user_from_token(request.headers["X-Gitlab-Token"])
                 elif "access_token" in request.args:
                     user = get_user_from_token(request.args.get("access_token"))
+                elif request.headers["Authorization"]:
+                    user = _get_user_from_jwt(request.headers["Authorization"])
+
                 if not user:
                     return jsonify(message="User not signed in"), 401
                 if token_required and not user.active_token:

diff --git a/reana_server/rest/config.py b/reana_server/rest/config.py
@@ -36,6 +36,11 @@ def get_config():
           description: API access_token of user.
           required: false
           type: string
+        - name: Authorization
+          in: header
+          description: The JWT of user.
+          required: false
+          type: string
       responses:
         200:
           description: >-

diff --git a/reana_server/rest/gitlab.py b/reana_server/rest/gitlab.py
@@ -227,6 +227,11 @@ def gitlab_projects(
           description: The API access_token of the current user.
           required: false
           type: string
+        - name: Authorization
+          in: header
+          description: The JWT of the current user.
+          required: false
+          type: string
         - name: search
           in: query
           description: The search string to filter the project list.

diff --git a/reana_server/rest/info.py b/reana_server/rest/info.py
@@ -59,7 +59,12 @@ def info(user, **kwargs):  # noqa
         - name: access_token
           in: query
           description: The API access_token of workflow owner.
-          required: true
+          required: false
+          type: string
+        - name: Authorization
+          in: header
+          description: The JWT of the workflow owner.
+          required: false
           type: string
       responses:
         200:

diff --git a/reana_server/rest/secrets.py b/reana_server/rest/secrets.py
@@ -68,6 +68,11 @@ def add_secrets(user, overwrite=False):
           description: Secrets owner access token.
           required: false
           type: string
+        - name: Authorization
+          in: header
+          description: The JWT of secrets owner.
+          required: false
+          type: string
         - name: overwrite
           in: query
           description: Whether existing secret keys should be overwritten.
@@ -199,6 +204,11 @@ def get_secrets(user):  # noqa
           description: Secrets owner access token.
           required: false
           type: string
+        - name: Authorization
+          in: header
+          description: The JWT of secrets owner.
+          required: false
+          type: string
       responses:
         200:
           description: >-
@@ -297,6 +307,11 @@ def delete_secrets(user):  # noqa
           description: API key of the admin.
           required: false
           type: string
+        - name: Authorization
+          in: header
+          description: The JWT of the admin.
+          required: false
+          type: string
         - name: secrets
           in: body
           description: >-

diff --git a/reana_server/rest/users.py b/reana_server/rest/users.py
@@ -51,6 +51,11 @@ def get_you(user):
           description: API access_token of user.
           required: false
           type: string
+        - name: Authorization
+          in: header
+          description: The JWT of the current user.
+          required: false
+          type: string
       responses:
         200:
           description: >-
@@ -246,6 +251,11 @@ def request_token(user):
           description: API access_token of user.
           required: false
           type: string
+        - name: Authorization
+          in: header
+          description: The JWT of the current user.
+          required: false
+          type: string
       responses:
         200:
           description: >-
@@ -378,6 +388,11 @@ def get_users_shared_with_you(user):
           description: API access_token of user.
           required: false
           type: string
+        - name: Authorization
+          in: header
+          description: The JWT of the current user.
+          required: false
+          type: string
       responses:
         200:
           description: >-
@@ -493,6 +508,11 @@ def get_users_you_shared_with(user):
           description: API access_token of user.
           required: false
           type: string
+        - name: Authorization
+          in: header
+          description: The JWT of current user.
+          required: false
+          type: string
       responses:
         200:
           description: >-