OpenAPI 3.1

[slinkydeveloper]

OpenAPI 3.1 is out, we need to support it https://www.openapis.org/blog/2021/02/16/migrating-from-openapi-3-0-to-3-1-0

The vertx-json-schema package already supports the latest json schema Draft 2019-09, so we need to just wire it up with vertx-web-openapi

[pmlopes]

Security wise http security may use the scope list as roles required for execution. This means we need to be able to link both authentication with authorization.

While in oauth2/oidc scopes are more or less easy to handle as they are returned as part of the token exchange, for http and bearer token authentication the scope/role may be anywhere in the token which may require custom handlers.

Probably we should issue a warning during buildRouter() when http security schema is used with scopes. In that case we log as a WARNING that it's the user's responsibility to assert that the role/scope is present.

Assertion should be trivial as the user can use the authz framework and should have the knowledge which kind of authz is needed and which provider.

[pmlopes]

This issue addresses the "scope" support for bearer authn: #1929
This issue ensures that chain will work with any combinations: #1930

[LouizFC]

@pmlopes @slinkydeveloper

Greetings

Sorry about the double ping, but this is a blocking issue at one of my pet projects. Is there any issue I could help with?

[pmlopes]

@LouizFC the required changes on jwt/oauth2 are already merged to the main development branch. I'm planning to start implementing the oidc improvement discussed in: #1858

[pmlopes]

So this will implement the required changes regarding security. After this, we still need to work the remaining changes which are more now level, like the "everything is a jsonschema now".

[pmlopes]

All security related tasks have been merged. We shall now focus on the yaml/schema changes

[LouizFC]

@pmlopes does this includes draft 2020-12 support? I think I could help with that.

Taking a brief look, vertx json schema implementation already uses a pseudo-vocabulary for OpenAPI (I took a brief look, I could be wrong), I will further investigate and see if I can help.

[pmlopes]

@LouizFC I don't think so. All json schema support is handled in another repo:

https://github.com/eclipse-vertx/vertx-json-schema

If you want to help, please checkout that code and implement a pull request for the latest spec.

[pmlopes]

Depends (maybe) on: eclipse-vertx/vertx-json-schema#43

[pmlopes]

We now have support for openapi 3.1 in the new module vertx-web-openapi-router

[mohamnag]

this is marked to be delivered in 4.4.1 and even docs say that OpenAPI 3.1 is supported, however the class io.vertx.ext.web.openapi.impl.OpenAPIHolderImpl from vertx-web-openapi still throws following exception while trying to parse a spec file with version 3.1:

ValidationException{message='provided string should respect pattern ^3\.0\.\d(-.+)?$', keyword='pattern', input=3.1.0, schema=io.vertx.json.schema.common.SchemaImpl@5aceec94, inputScope=#/openapi}
	at io.vertx.json.schema.ValidationException.create(ValidationException.java:85)
	at io.vertx.json.schema.common.PatternValidatorFactory$PatternValidator.validateSync(PatternValidatorFactory.java:55)
	at io.vertx.json.schema.common.SchemaImpl.runSyncValidator(SchemaImpl.java:193)
	at io.vertx.json.schema.common.SchemaImpl.validateSync(SchemaImpl.java:128)
	at io.vertx.json.schema.common.PropertiesValidatorFactory$PropertiesValidator.validateAsync(PropertiesValidatorFactory.java:166)
	at io.vertx.json.schema.common.SchemaImpl.runAsyncValidators(SchemaImpl.java:173)
	at io.vertx.json.schema.common.SchemaImpl.validateAsync(SchemaImpl.java:121)
	at io.vertx.json.schema.common.SchemaImpl.validateAsync(SchemaImpl.java:48)
	at io.vertx.ext.web.openapi.impl.OpenAPIHolderImpl.lambda$loadOpenAPI$2(OpenAPIHolderImpl.java:88)
	at io.vertx.core.impl.future.Composition.onSuccess(Composition.java:38)
	... 22 more