AbstractCompositeAuthenticationProvider filtering requests with all defined security schemas (only one should be enough) #430

Open
hbelmiro opened this issue Aug 3, 2023 Discussed in #415 · 1 comment
Labels
area:client This item is related to the client extension bug Something isn't working pinned Issues and PRs that must not stale

Comments


hbelmiro commented Aug 3, 2023

Discussed in #415

Originally posted by ayhanap July 21, 2023
Given an openapi spec with two security schemas and an operation with a security requirement object of those two schemas, quarkus-openapi-generator generates an AbstractCompositeAuthenticationProvider.

The problem here is AbstractCompositeAuthenticationProvider tries to filter requests with all of these security schemas but all of these security schemas are not required, only one is enough.
https://spec.openapis.org/oas/v3.1.0#security-requirement-object

How can we specify which security schema to use? For instance, I want to use basicAuth but the request filter fails because it cannot find OIDC configs. I couldn't find an answer going through this repository.

Here is a spec as an example.

With security schema definitions below.

      "OAuth2": {
        "type": "oauth2",
        "description": "OAuth2 scopes for Jira",
        "flows": {
          "authorizationCode": {
            "authorizationUrl": "https://auth.atlassian.com/authorize",
            "tokenUrl": "https://auth.atlassian.com/oauth/token",
            "scopes": {
              ....
            }
          }
        }
      },
      "basicAuth": {
        "type": "http",
        "description": "You can access this resource via basic auth.",
        "scheme": "basic"
      }
    }

And an operation with the below required security requirement object.

    "/rest/api/3/dashboard/gadgets": {
      "get": {
        "tags": [
          "Dashboards"
        ],
        "summary": "Get available gadgets",
        "description": "Gets a list of all available gadgets that can be added to all dashboards.\n\n**[Permissions](#permissions) required:** None.",
        "operationId": "getAllAvailableDashboardGadgets",
        "parameters": [],
        "responses": {
          ....
        },
        "deprecated": false,
        "security": [
          {
            "basicAuth": []
          },
          {
            "OAuth2": [
              "read:jira-work"
            ]
          }
        ],
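The semantics defined in the linked Security Requirement Object section (entries of the `security` list are alternatives, while every scheme inside one entry must be satisfied), as an added example that is not part of the original post and is not quarkus-openapi-generator code. The names `select_requirement`, `schemes_to_apply` and the `configured` mapping are hypothetical, and the sample data is constructed from the operation quoted above.

```python
"""OpenAPI security requirements: OR across the list, AND within one entry."""

# Constructed sample mirroring the `security` array of the operation in the issue.
OPERATION_SECURITY = [
    {"basicAuth": []},
    {"OAuth2": ["read:jira-work"]},
]


class NoUsableSecurityRequirement(Exception):
    """No alternative in the operation's `security` list is fully configured."""


def select_requirement(security, configured):
    """Return the first alternative whose schemes are all configured.

    security   -- the operation's `security` array (list of requirement objects)
    configured -- hypothetical client config: scheme name -> set of available
                  scopes (empty set for schemes without scopes, e.g. HTTP basic)
    """
    for requirement in security:
        # Within one requirement object every listed scheme must be satisfied (AND).
        # An empty object {} has nothing to satisfy and means anonymous access.
        if all(
            name in configured and set(scopes) <= configured[name]
            for name, scopes in requirement.items()
        ):
            return requirement  # alternatives are OR'ed: one match is enough
    # Fail closed: silently sending the request unauthenticated would hide
    # a configuration error.
    raise NoUsableSecurityRequirement(
        "none of the alternatives is configured: "
        + ", ".join("+".join(sorted(r)) for r in security)
    )


def schemes_to_apply(security, configured):
    """Names of the schemes a request filter should apply for this operation."""
    return sorted(select_requirement(security, configured))


if __name__ == "__main__":
    # Only basic auth is configured; OAuth2 settings are absent, as in the issue.
    print(schemes_to_apply(OPERATION_SECURITY, {"basicAuth": set()}))
```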
@hbelmiro hbelmiro changed the title How to select which security to use when an operation has more than one alternative security requirements AbstractCompositeAuthenticationProvider filtering requests with all defined security schemas (only one should be enough) Aug 3, 2023

github-actions bot commented Oct 3, 2023

@ricardozanini @hbelmiro This is being labeled as Stale.

@github-actions github-actions bot added the Stale label Oct 3, 2023
@hbelmiro hbelmiro added pinned Issues and PRs that must not stale bug Something isn't working and removed Stale labels Oct 3, 2023
@ricardozanini ricardozanini added the area:client This item is related to the client extension label Feb 27, 2024