One bump in the road: the TransformationRequest.submitted_by column expects an integer (we've been storing the autoincrementing user IDs issued by the PSQL db). It would be more flexible to store a string, so that external authentication systems can pass an OAuth sub as the identity claim. Unfortunately, that would require a db migration and some other changes to the app (e.g. the GET /servicex/transformation?submitted_by=... request should query for requests submitted by a given sub, rather than a given user ID).

@bbockelm - for Coffea casa, do users have unique integer IDs that could be passed as the identity claim? Or do they only have a sub?

EDIT: Nevermind, I think this will be fairly tricky, since the submitted_by column requires the value to be a foreign key in the users table anyway. Unfortunately, I think this means that DISABLE_USER_MGMT requires giving up this feature. We could probably add a memo field or something similar on transformation requests to support this in the future. I suppose we could alternately remove the foreign key constraint.

Codecov Report

Merging #73 (217156e) into develop (b8e8da7) will increase coverage by 0.85%.
The diff coverage is 100.00%.

@@             Coverage Diff             @@
##           develop      #73      +/-   ##
===========================================
+ Coverage    91.04%   91.90%   +0.85%     
===========================================
  Files           49       49              
  Lines         1329     1371      +42     
  Branches       108      117       +9     
===========================================
+ Hits          1210     1260      +50     
+ Misses         106       98       -8     
  Partials        13       13              

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b8e8da7...217156e. Read the comment docs.

This is ready; we now have full test coverage and I've added some more instructions on how to generate the tokens. I've also tested manually with refresh tokens generated externally using the jwt.io debugger with the HS256 algorithm and our default JWT_SECRET_KEY (both in plaintext and base64-encoded).

@AndrewEckart if you want I can quickly deploy it in dev namespace in flux?

Do you have somewhere pushed image I should use?

@AndrewEckart if you want I can quickly deploy it in dev namespace in flux?

Yes please! Keep in mind that you'll need the disable-user-mgmt branch of the Helm chart as well, which is not published to our chart repo. Will you still be able to do it with Flux?

Ah, since we deploying servicex from chart repo (as a dependency of coffea-casa), it will be hard...
cc: @jthiltges

What is the status of this? Is @oshadura using it on coffea-casa?

@BenGalewsky I will try to retest it ASAP, thanks for reminder!