Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deprecating Security Schemes #2506

Closed
philsturgeon opened this issue Mar 19, 2021 · 1 comment · Fixed by #2532
Closed

Deprecating Security Schemes #2506

philsturgeon opened this issue Mar 19, 2021 · 1 comment · Fixed by #2532
Assignees
@philsturgeon

Comments

@philsturgeon
Copy link
Contributor

philsturgeon commented Mar 19, 2021
edited

Case study: GitHub. They support access token through the query string but they're deprecating and removing support for that. They'd like folks to stop using it, and are recommending people move over to other security schemes like HTTP basic or OAuth2. They've been sending out emails when people hit it, writing it in human-docs, and blogs, etc., but OpenAPI could help them out here too.

So far, no way to deprecate a security scheme.

image

We should be able to use deprecated: true on a security scheme just like on an operation or property.

Yes? I'll make a PR if some thumbs appear.
@philsturgeon philsturgeon mentioned this issue Mar 19, 2021
Open
@philsturgeon philsturgeon mentioned this issue Apr 11, 2021
Merged
@hkosova hkosova mentioned this issue Nov 1, 2021
Open
@MikeRalphson
Copy link
Member

Looks like this got merged into v3.2.0-dev. Thanks all.

@jackHay22 jackHay22 mentioned this issue Dec 7, 2023
Merged
lunny pushed a commit to go-gitea/gitea that referenced this issue Dec 12, 2023
@jackHay22 @delvh
Deprecate query string auth tokens (#28390)
4e879fe 
## Changes
- Add deprecation warning to `Token` and `AccessToken` authentication
methods in swagger.
- Add deprecation warning header to API response. Example: 
  ```
  HTTP/1.1 200 OK
  ...
  Warning: token and access_token API authentication is deprecated
  ...
  ```
- Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth
tokens entirely. Default is `false`

## Next steps
- `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and
the methods should be removed in swagger
- `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of
the auth methods in question should be removed

## Open questions
- Should there be further changes to the swagger documentation?
Deprecation is not yet supported for security definitions (coming in
[OpenAPI Spec version
3.2.0](OAI/OpenAPI-Specification#2506))
- Should the API router logger sanitize urls that use `token` or
`access_token`? (This is obviously an insufficient solution on its own)

---------

Co-authored-by: delvh <dev.lh@web.de>
@GiteaBot GiteaBot mentioned this issue Dec 12, 2023
Merged
GiteaBot pushed a commit to GiteaBot/gitea that referenced this issue Dec 12, 2023
@jackHay22 @delvh @GiteaBot
Deprecate query string auth tokens (go-gitea#28390)
645d211 
## Changes
- Add deprecation warning to `Token` and `AccessToken` authentication
methods in swagger.
- Add deprecation warning header to API response. Example: 
  ```
  HTTP/1.1 200 OK
  ...
  Warning: token and access_token API authentication is deprecated
  ...
  ```
- Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth
tokens entirely. Default is `false`

## Next steps
- `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and
the methods should be removed in swagger
- `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of
the auth methods in question should be removed

## Open questions
- Should there be further changes to the swagger documentation?
Deprecation is not yet supported for security definitions (coming in
[OpenAPI Spec version
3.2.0](OAI/OpenAPI-Specification#2506))
- Should the API router logger sanitize urls that use `token` or
`access_token`? (This is obviously an insufficient solution on its own)

---------

Co-authored-by: delvh <dev.lh@web.de>
lunny pushed a commit to go-gitea/gitea that referenced this issue Dec 12, 2023
@GiteaBot @jackHay22 @delvh
Deprecate query string auth tokens (#28390) (#28430)
f144521 
Backport #28390 by @jackHay22

## Changes
- Add deprecation warning to `Token` and `AccessToken` authentication
methods in swagger.
- Add deprecation warning header to API response. Example: 
  ```
  HTTP/1.1 200 OK
  ...
  Warning: token and access_token API authentication is deprecated
  ...
  ```
- Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth
tokens entirely. Default is `false`

## Next steps
- `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and
the methods should be removed in swagger
- `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of
the auth methods in question should be removed

## Open questions
- Should there be further changes to the swagger documentation?
Deprecation is not yet supported for security definitions (coming in
[OpenAPI Spec version
3.2.0](OAI/OpenAPI-Specification#2506))
- Should the API router logger sanitize urls that use `token` or
`access_token`? (This is obviously an insufficient solution on its own)

Co-authored-by: Jack Hay <jack@allspice.io>
Co-authored-by: delvh <dev.lh@web.de>
fuxiaohei pushed a commit to fuxiaohei/gitea that referenced this issue Jan 17, 2024
@jackHay22 @delvh @fuxiaohei
Deprecate query string auth tokens (go-gitea#28390)
5a82415 
## Changes
- Add deprecation warning to `Token` and `AccessToken` authentication
methods in swagger.
- Add deprecation warning header to API response. Example: 
  ```
  HTTP/1.1 200 OK
  ...
  Warning: token and access_token API authentication is deprecated
  ...
  ```
- Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth
tokens entirely. Default is `false`

## Next steps
- `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and
the methods should be removed in swagger
- `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of
the auth methods in question should be removed

## Open questions
- Should there be further changes to the swagger documentation?
Deprecation is not yet supported for security definitions (coming in
[OpenAPI Spec version
3.2.0](OAI/OpenAPI-Specification#2506))
- Should the API router logger sanitize urls that use `token` or
`access_token`? (This is obviously an insufficient solution on its own)

---------

Co-authored-by: delvh <dev.lh@web.de>
silverwind pushed a commit to silverwind/gitea that referenced this issue Feb 20, 2024
@jackHay22 @delvh @silverwind
Deprecate query string auth tokens (go-gitea#28390)
b0fe88a 
## Changes
- Add deprecation warning to `Token` and `AccessToken` authentication
methods in swagger.
- Add deprecation warning header to API response. Example: 
  ```
  HTTP/1.1 200 OK
  ...
  Warning: token and access_token API authentication is deprecated
  ...
  ```
- Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth
tokens entirely. Default is `false`

## Next steps
- `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and
the methods should be removed in swagger
- `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of
the auth methods in question should be removed

## Open questions
- Should there be further changes to the swagger documentation?
Deprecation is not yet supported for security definitions (coming in
[OpenAPI Spec version
3.2.0](OAI/OpenAPI-Specification#2506))
- Should the API router logger sanitize urls that use `token` or
`access_token`? (This is obviously an insufficient solution on its own)

---------

Co-authored-by: delvh <dev.lh@web.de>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@philsturgeon philsturgeon

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Security scheme deprecated philsturgeon/OpenAPI-Specification
2 participants
@MikeRalphson @philsturgeon