feat(config): add EOSC EU Node AAI SSO login method (#750)

Add support for EOSC EU Node AAI as a new SSO login provider by
importing and configuring the EOSC AAI OAuth provider from
`invenio-oauthclient`. The implementation introduces `EOSC_*`
environment variables for consumer credentials and endpoint URLs and
configures the remote REST app with proper OAuth URLs and scopes. A
custom `invenio-oauthclient` branch is installed to provide the
necessary EOSC AAI support without having to upgrade the full Invenio
stack.

Author: tiborsimko

Dockerfile

@@ -1,5 +1,5 @@
 # This file is part of REANA.
-# Copyright (C) 2017, 2018, 2019, 2020, 2021, 2022, 2023, 2024 CERN.
+# Copyright (C) 2017, 2018, 2019, 2020, 2021, 2022, 2023, 2024, 2025, 2026 CERN.
 #
 # REANA is free software; you can redistribute it and/or modify it
 # under the terms of the MIT License; see LICENSE file for more details.
@@ -65,7 +65,12 @@ RUN if test -e modules/reana-commons; then \
       fi \
     fi
 
+# Install custom invenio-oauthclient branch
+# hadolint ignore=DL3013
+RUN pip install --no-cache-dir --force-reinstall --no-deps "git+https://github.com/tiborsimko/invenio-oauthclient.git@reana-een-aai"
+
 # A quick fix to allow eduGAIN and social login users that wouldn't otherwise match Invenio username rules
+# hadolint ignore=DL3059
 RUN sed -i 's|^username_regex = re.compile\(.*\)$|username_regex = re.compile("^\\S+$")|g' /usr/local/lib/python3.12/dist-packages/invenio_userprofiles/validators.py
 
 # Check for any broken Python dependencies

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (C) 2017, 2018, 2019, 2020, 2021, 2022, 2023, 2024, 2025 CERN. 
+Copyright (C) 2017, 2018, 2019, 2020, 2021, 2022, 2023, 2024, 2025, 2026 CERN.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in

reana_server/config.py

@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 #
 # This file is part of REANA.
-# Copyright (C) 2017, 2018, 2019, 2020, 2021, 2022, 2023, 2024, 2025 CERN.
+# Copyright (C) 2017, 2018, 2019, 2020, 2021, 2022, 2023, 2024, 2025, 2026 CERN.
 #
 # REANA is free software; you can redistribute it and/or modify it
 # under the terms of the MIT License; see LICENSE file for more details.
@@ -17,7 +17,7 @@
 from distutils.util import strtobool
 from limits.util import parse
 from invenio_app.config import APP_DEFAULT_SECURE_HEADERS
-from invenio_oauthclient.contrib import cern_openid
+from invenio_oauthclient.contrib import cern_openid, eosc_aai
 from invenio_oauthclient.contrib.keycloak import KeycloakSettingsHelper
 from reana_commons.config import REANA_INFRASTRUCTURE_COMPONENTS_HOSTNAMES
 from reana_commons.job_utils import kubernetes_memory_to_bytes
@@ -52,6 +52,26 @@
     "https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/userinfo",
 )
 
+REANA_SSO_EOSC_CONSUMER_KEY = os.getenv("EOSC_CONSUMER_KEY", "CHANGE_ME")
+REANA_SSO_EOSC_CONSUMER_SECRET = os.getenv("EOSC_CONSUMER_SECRET", "CHANGE_ME")
+REANA_SSO_EOSC_BASE_URL = os.getenv(
+    "EOSC_BASE_URL", "https://proxy.testing.eosc-federation.eu"
+)
+REANA_SSO_EOSC_REQUIRED_ENTITLEMENT = os.getenv("EOSC_REQUIRED_ENTITLEMENT", "")
+"""Required EOSC AAI entitlement for login. If set, users must have this entitlement to access REANA."""
+REANA_SSO_EOSC_TOKEN_URL = os.getenv(
+    "EOSC_TOKEN_URL",
+    f"{REANA_SSO_EOSC_BASE_URL}/OIDC/token",
+)
+REANA_SSO_EOSC_AUTH_URL = os.getenv(
+    "EOSC_AUTH_URL",
+    f"{REANA_SSO_EOSC_BASE_URL}/OIDC/authorization",
+)
+REANA_SSO_EOSC_USERINFO_URL = os.getenv(
+    "EOSC_USERINFO_URL",
+    f"{REANA_SSO_EOSC_BASE_URL}/OIDC/userinfo",
+)
+
 # Load Login Providers Configuration and Secrets as JSON from environment variables
 REANA_SSO_LOGIN_PROVIDERS = json.loads(os.getenv("LOGIN_PROVIDERS_CONFIGS", "[]"))
 REANA_SSO_LOGIN_PROVIDERS_SECRETS = json.loads(
@@ -372,14 +392,14 @@ def _get_rate_limit(env_variable: str, default: str) -> str:
     OAUTHCLIENT_REST_REMOTE_APPS["keycloak"] = KEYCLOAK_REST_APP
 
 # CERN SSO configuration
-OAUTH_REMOTE_REST_APP = copy.deepcopy(cern_openid.REMOTE_REST_APP)
-OAUTH_REMOTE_REST_APP.update(
+CERN_REMOTE_REST_APP = copy.deepcopy(cern_openid.REMOTE_REST_APP)
+CERN_REMOTE_REST_APP.update(
     {
         "authorized_redirect_url": OAUTH_REDIRECT_URL,
         "error_redirect_url": OAUTH_REDIRECT_URL,
     }
 )
-OAUTH_REMOTE_REST_APP["params"].update(
+CERN_REMOTE_REST_APP["params"].update(
     dict(
         request_token_params={"scope": "openid"},
         base_url=REANA_SSO_CERN_BASE_URL,
@@ -394,8 +414,34 @@ def _get_rate_limit(env_variable: str, default: str) -> str:
     consumer_secret=REANA_SSO_CERN_CONSUMER_SECRET,
 )
 
-OAUTHCLIENT_REMOTE_APPS["cern_openid"] = OAUTH_REMOTE_REST_APP
-OAUTHCLIENT_REST_REMOTE_APPS["cern_openid"] = OAUTH_REMOTE_REST_APP
+OAUTHCLIENT_REMOTE_APPS["cern_openid"] = CERN_REMOTE_REST_APP
+OAUTHCLIENT_REST_REMOTE_APPS["cern_openid"] = CERN_REMOTE_REST_APP
+
+# EOSC SSO configuration
+EOSC_REMOTE_REST_APP = copy.deepcopy(eosc_aai.REMOTE_REST_APP)
+EOSC_REMOTE_REST_APP.update(
+    {
+        "authorized_redirect_url": OAUTH_REDIRECT_URL,
+        "error_redirect_url": OAUTH_REDIRECT_URL,
+    }
+)
+EOSC_REMOTE_REST_APP["params"].update(
+    dict(
+        request_token_params={"scope": "openid profile email entitlements"},
+        base_url=REANA_SSO_EOSC_BASE_URL,
+        access_token_url=REANA_SSO_EOSC_TOKEN_URL,
+        authorize_url=REANA_SSO_EOSC_AUTH_URL,
+    )
+)
+OAUTHCLIENT_EOSC_AAI_USERINFO_URL = REANA_SSO_EOSC_USERINFO_URL
+
+EOSC_AAI_APP_CREDENTIALS = dict(
+    consumer_key=REANA_SSO_EOSC_CONSUMER_KEY,
+    consumer_secret=REANA_SSO_EOSC_CONSUMER_SECRET,
+)
+
+OAUTHCLIENT_REMOTE_APPS["eosc_aai"] = EOSC_REMOTE_REST_APP
+OAUTHCLIENT_REST_REMOTE_APPS["eosc_aai"] = EOSC_REMOTE_REST_APP
 
 SECURITY_PASSWORD_SALT = "security-password-salt"
 

reana_server/utils.py

@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 #
 # This file is part of REANA.
-# Copyright (C) 2018, 2019, 2020, 2021, 2022, 2023, 2024 CERN.
+# Copyright (C) 2018, 2019, 2020, 2021, 2022, 2023, 2024, 2025, 2026 CERN.
 #
 # REANA is free software; you can redistribute it and/or modify it
 # under the terms of the MIT License; see LICENSE file for more details.
@@ -24,6 +24,7 @@
 import requests
 import yaml
 from flask import url_for
+from invenio_oauthclient.errors import OAuthClientUnAuthorized
 from jinja2 import Environment, PackageLoader, select_autoescape
 from marshmallow.exceptions import ValidationError
 from marshmallow.validate import Email
@@ -67,6 +68,7 @@
 from reana_server.config import (
     ADMIN_USER_ID,
     REANA_HOSTNAME,
+    REANA_SSO_EOSC_REQUIRED_ENTITLEMENT,
     REANA_USER_EMAIL_CONFIRMATION,
     REANA_WORKFLOW_SCHEDULING_POLICY,
     REANA_WORKFLOW_SCHEDULING_POLICIES,
@@ -368,10 +370,23 @@ def _import_users(users_csv_file):
 
 
 def _create_and_associate_oauth_user(sender, account_info, **kwargs):
-    logging.info(f"account_info: {account_info}")
     user_email = account_info["user"]["email"]
     user_fullname = account_info["user"]["profile"]["full_name"]
-    username = account_info["user"]["profile"]["username"]
+    if "username" in account_info["user"]["profile"]:
+        username = account_info["user"]["profile"]["username"]
+    else:
+        username = user_email  # external_id
+    if "entitlements" in kwargs.get("response", {}):
+        entitlements = kwargs["response"]["entitlements"]
+        if REANA_SSO_EOSC_REQUIRED_ENTITLEMENT:
+            if REANA_SSO_EOSC_REQUIRED_ENTITLEMENT not in entitlements:
+                logging.warning(
+                    f"User {user_email} does not have the required EOSC entitlement "
+                    f"'{REANA_SSO_EOSC_REQUIRED_ENTITLEMENT}'. Login denied."
+                )
+                raise OAuthClientUnAuthorized(
+                    "Access denied. You do not have the required entitlement to use this REANA instance."
+                )
     return _create_and_associate_reana_user(user_email, user_fullname, username)
 
 

setup.py

@@ -76,7 +76,7 @@
     # From auth bundle
     "invenio-accounts>=2.0.0",
     "invenio-oauth2server>=1.3.0",
-    "invenio-oauthclient>=1.5.0",
+    "invenio-oauthclient @ git+https://github.com/tiborsimko/invenio-oauthclient.git@reana-een-aai",
     "invenio-userprofiles>=1.2.0",
     "invenio-userprofiles>=1.2.0",
     "invenio-theme>=1.4.7",