Support generation of empty SecurityRequirement via annotation #483
Comments
Hi @patrick-vonsteht - your workaround is one of the two possibilities. The other would be to provide a static
Proposed solution for 3.1 is to specify a default
Should you already be able to represent this with Assuming I'm understanding it correctly, In that case, it would make sense for Edit: though I do see #468 reporting that it's not working properly, so we'd need to look at that first.
I take the empty object in the example to be an instance of a
Yes, as MikeEdgar says, the goal is to have multiple security requirements and one of those should be empty. This is needed to express optional authentication.
I don't think that's quite right.

In the OpenAPI spec, both the OpenAPI object and the Operation object allow an array of Security Requirement Objects. These indicate alternative authentication options, only one of them needs to be satisfied. In JSON, that might look like this, indicating that either

    {
      "security": [
        {
          "api_key": {}
        },
        {
          "petstore_auth": [
            "write:pets",
            "read:pets"
          ]
        }
      ]
    }

However, each Security Requirement Object can itself list multiple schemes. This indicates that multiple authentication schemes are required, i.e. all of them need to be satisfied. In JSON, that might look like this, indicating that both

    {
      "security": [
        {
          "api_key": {},
          "petstore_auth": [
            "write:pets",
            "read:pets"
          ]
        }
      ]
    }

In MP Open API, we have two annotations,

This would mean that the first example above could be represented by:

    @SecurityRequirement(name = "api_key")
    @SecurityRequirement(name = "petstore_auth", scopes = {"write:pets", "read:pets"})

or equivalently

    @SecurityRequirementSet({@SecurityRequirement(name = "api_key")})
    @SecurityRequirementSet({@SecurityRequirement(name = "petstore_auth", scopes = {"write:pets", "read:pets"})})

Whereas the second example above would be represented by:

    @SecurityRequirementSet({
        @SecurityRequirement(name = "api_key"),
        @SecurityRequirement(name = "petstore_auth", scopes = {"write:pets", "read:pets"})
    })

Patrick's requirement was this (formatted to match the other examples):

    {
      "security" : [
        {
          "ApiKeyAuth" : [ ]
        },
        {
          "BearerTokenAuth" : [ ]
        },
        { }
      ]
    }

This would be represented by

    @SecurityRequirement(name = "ApiKeyAuth") // Security Requirement Object with one entry
    @SecurityRequirement(name = "BearerTokenAuth") // Security Requirement Object with one entry
    @SecurityRequirementSet() // Security Requirement Object with no entries

That doesn't mean we can't also have a different syntax to represent a Security Requirement Object with no entries, but I do think this case is covered by the existing annotations. Either way, we would want to add a TCK for this scenario.

Of course, I may have misunderstood something in either spec so please let me know if there's something I've missed or have interpreted wrongly.
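
The OR/AND semantics described in the comment above, and the effect of the empty `{ }` entry, as an added Python example that is not part of the thread or of the MicroProfile OpenAPI / SmallRye code. It audits a generated `openapi.json` for operations where authentication is optional; the sample document and the names `audit`, `classify`, `effective_security` and `is_satisfied` are constructed for illustration.

```python
import json

# Constructed sample (not from the issue): top-level array as discussed above.
SAMPLE = json.loads("""
{
  "security": [{"ApiKeyAuth": []}, {"BearerTokenAuth": []}, {}],
  "paths": {
    "/pets": {
      "get": {},
      "post": {"security": [{"api_key": [], "petstore_auth": ["write:pets", "read:pets"]}]}
    },
    "/health": {"get": {"security": []}}
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def effective_security(doc, operation):
    """Operation-level 'security' overrides the top-level array when present."""
    return operation["security"] if "security" in operation else doc.get("security", [])

def classify(requirements):
    """Array entries are alternatives (OR); keys inside one entry are all required (AND)."""
    if not requirements:
        return "none"        # empty array: no security requirement declared
    if any(len(req) == 0 for req in requirements):
        return "optional"    # an empty {} alternative admits anonymous callers
    return "required"

def audit(doc):
    """Return {(METHOD, path): classification} for every operation in the document."""
    report = {}
    for path, item in doc.get("paths", {}).items():
        for method, operation in item.items():
            if method in HTTP_METHODS:
                report[(method.upper(), path)] = classify(effective_security(doc, operation))
    return report

def is_satisfied(requirements, presented):
    """presented maps scheme name -> set of scopes the caller holds for that scheme."""
    if not requirements:
        return True
    return any(all(n in presented and set(s) <= presented[n] for n, s in req.items())
               for req in requirements)

if __name__ == "__main__":
    for op, status in sorted(audit(SAMPLE).items()):
        print(op, status)
```

An operation reported as `optional` accepts unauthenticated requests by design, so its handler has to cope with an absent principal.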
@Azquelt - I follow you now and I agree. I think the confusion is that the
This one just doesn't jump out (to me) as the obvious way to use these annotations, but I do agree. I think it would be more clear if each
Just putting this here for reference. This issue is concerned with representing an empty
Hi,
What do I want to achieve?
I use the smallrye-openapi implementation of the microprofile-open-api specification to generate an openapi.json from code.
I want to achieve the following output in the openapi.json:
Why do I need this?
This kind of specification is needed to achieve optional authentication as per the OpenAPI specification. See here https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.3.md#openapi-object, in the description for the security element:
What do I currently have?
I can add the following annotations in my code to get the entries for "ApiKeyAuth" and "BearerTokenAuth":
What do I need?
I also need to add the empty security requirement, but there doesn't seem to be a way to add it through annotations.
Particularly, I cannot add a SecurityRequirement without any arguments, because the name parameter is mandatory. So this doesn't work:
Am I missing something, or is this a missing feature?
What is my current workaround?
Currently I implemented a custom OASFilter that adds the empty security requirement: