vertx-web
Allow specifying an OpenAPI security handler factory that takes the SecurityRequirement instance
Describe the feature
Allow creating authentication handlers for an OpenAPI security scheme dynamically based on the concrete security requirement. Currently, it is only possible to add a static security handler for a specific feature. It would be nice to be able to derive one from the security requirement, because, as the OpenAPI 3.1 specification states wrt. security requirements:
For other security scheme types, the array MAY contain a list of role names which are required for the execution, but are not otherwise defined or exchanged in-band.
This information is fixed per route and thus a per-scheme factory function could be applied to build the security handler for a specific route.
Use cases
In our use case, we are using role-based JWT authorization and would like to create a handler that combines authentication and authorization in a single step. For this, it would be nice to define the roles required for a specific endpoint already in the OpenAPI specification, which is permitted since version 3.1.
Now, it would be cool to be able to automatically create the required handler based on the OpenAPI specification, e.g.
RouterBuilder builder = ...;
builder.security("roleBasedAuth").handler((SecurityScheme scheme, SecurityRequirement requirement) -> new CombinedHandler(requirement));
Note that, for our use case, the security scheme is not a required argument, although it might be for others, so I am envisioning a signature like so:
public interface Security {
    RouterBuilder handler(BiFunction<SecurityScheme, SecurityRequirement, AuthenticationHandler> factory);
}
Contribution
I am willing to contribute this feature if you think it is useful.
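The per-route factory idea described in this issue, as an added illustration that is not code from the issue author or from Vert.x. It uses only JDK types: `SecurityScheme`, `SecurityRequirement`, `RoleCheck` and `build` are hypothetical stand-ins, the sample contract data is constructed, and treating the role list as "all roles required" is an assumption.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.BiFunction;
import java.util.function.Predicate;

// Added illustration using only JDK types; none of these names are Vert.x APIs.
public class PerRouteSecurityFactoryDemo {
  // Hypothetical stand-ins for the OpenAPI objects named in the proposal.
  record SecurityScheme(String name, String type) {}
  record SecurityRequirement(String schemeName, List<String> roles) {}
  // Hypothetical handler: decides on the roles carried by an already verified token.
  interface RoleCheck extends Predicate<Set<String>> {}

  // Runs once at router-construction time: each operation's role list is fixed by the contract.
  static Map<String, RoleCheck> build(Map<String, SecurityRequirement> requirementsByOperation,
      Map<String, SecurityScheme> schemes,
      BiFunction<SecurityScheme, SecurityRequirement, RoleCheck> factory) {
    Map<String, RoleCheck> checks = new LinkedHashMap<>();
    requirementsByOperation.forEach((operationId, req) -> {
      SecurityScheme scheme = schemes.get(req.schemeName());
      if (scheme == null) {
        // Fail closed at startup rather than leave a route without a check.
        throw new IllegalStateException("Undeclared security scheme: " + req.schemeName());
      }
      checks.put(operationId, factory.apply(scheme, req));
    });
    return checks;
  }

  public static void main(String[] args) {
    // Constructed sample data, as if read from an OpenAPI 3.1 document.
    Map<String, SecurityScheme> schemes = Map.of("roleBasedAuth", new SecurityScheme("roleBasedAuth", "http"));
    Map<String, SecurityRequirement> reqs = new LinkedHashMap<>();
    reqs.put("listOrders", new SecurityRequirement("roleBasedAuth", List.of("reader")));
    reqs.put("deleteOrder", new SecurityRequirement("roleBasedAuth", List.of("admin", "auditor")));

    // The factory sees the concrete requirement, so each route gets its own role set.
    Map<String, RoleCheck> checks = build(reqs, schemes,
        (scheme, req) -> granted -> granted.containsAll(req.roles()));

    Set<String> tokenRoles = Set.of("reader", "admin"); // constructed token claims
    checks.forEach((op, check) -> System.out.println(op + " -> " + (check.test(tokenRoles) ? "allow" : "deny")));
  }
}
```

An empty role list in a requirement makes `containsAll` return true, so such a route is gated by authentication alone.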