Added ability to define some OpenAPI Security in Config #15659
Very nice! I can't say I know much about this stuff, so maybe best if @sberyozkin takes a look?
@phillip-kruger agree with @geoand it looks good; perhaps they can be made mutually exclusive? I.e., one should only see one of those security schemes as opposed to for ex
@sberyozkin - how do you mean? Should we only allow one type at a time in config? In OpenAPI you can define multiple security schemes, in fact, you can even for instance have multiple basic schemes (that is not possible in this PR, as I think that is not used that much). This only adds the definition(s), the developer will still have to annotate the individual methods (operations) with the Security Requirement. Let me know, happy to make any changes you suggest.
@phillip-kruger I only meant that even if OpenAPI allows it (multiple sec schemes) we can't back it up at the Quarkus level at a per-method level, for ex, let's say a user typed Basic and OIDC or Basic and JWT - we can't support one for one method and another one for another method - combining the schemes works but not at a per-method/per-resource level.
Hi @sberyozkin - as discussed, I changed this to only allow one of the types (mutually exclusive). Please can you review.
...ment/src/main/java/io/quarkus/smallrye/openapi/deployment/security/SecurityConfigFilter.java
Signed-off-by: Phillip Kruger <phillip.kruger@gmail.com>
As discussed in the OpenAPI Quarkus Insights session.
This allows adding basic, JWT, OIDC and Implicit flow OAuth2 security via config.
Signed-off-by: Phillip Kruger <phillip.kruger@gmail.com>