[Server] Basic JWT Authorization POC in `reana-server`

[tomondre]

Develop a minimal proof-of-concept implementation in reana-server to support basic JWT-based authorization. This PoC will serve as the foundation for our broader authorization goals. It will:

• Accept and validate JWT tokens in incoming API requests
• Perform basic claim extraction (e.g. sub)
• Apply simple authorization logic to selected endpoints
• Lay the groundwork for more comprehensive policy enforcement later

This task will not include user-facing documentation or deep test coverage and is intended solely as an internal proof-of-concept for backend authorization.
Some background and reading: https://codimd.web.cern.ch/pb_arxC5RWSZwbXY9HSGIg#RFC-Mapping-JWT-IdP-Identities-to-REANA-Users

[tomondre]

👀

• DB Schema: https://github.com/tomondre/reana-db/tree/jwt
• REANA Server: https://github.com/tomondre/reana-server/tree/jwt

[tomondre]

Simple test cases:

Correct execution

curl -X GET 'http://localhost:30080/api/workflows' -H 'Authorization: Bearer eyJraWQiOiJM <CORRECT_JWT_TOKEN_EXTRACTED_FROM_ESCAPE_IDP>' -H 'Accept: application/json'
{
  "has_next": false,
  "has_prev": false,
  "items": [],
  "page": 1,
  "total": 0,
  "user_has_workflows": false
}

Unparsable JWT

curl -X GET 'http://localhost:30080/api/workflows' -H 'Authorization: Bearer eyJraWQiOiJyc2ExIiwiYWxnIjoiUl' -H 'Accept: application/json'
{
  "message": "Invalid JWT token"
}

JWT from different IdP

curl -X GET 'http://localhost:30080/api/workflows' -H 'Authorization: Bearer <DIFFERENT_IDP_TOKEN>' -H 'Accept: application/json'
{
  "message": "Invalid JWT token"
}