Fix linting errors in OAS files. #334
components/SecuritySchemes.yml (Outdated)
authorizationUrl: /oauth2/authorize | ||
tokenUrl: /oauth2/token | ||
scopes: | ||
read: Grants read access | ||
write: Grants write access |
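Review bot: the relative authorizationUrl (/oauth2/authorize) and tokenUrl (/oauth2/token) resolve against whatever servers entry each deployment lists, and the read/write scopes do not say which operations they gate, so a generated client would request grants no implementation has committed to issuing. Since the PR description says the authz mechanisms are a work in progress, mark these values as placeholders in the scope and scheme descriptions rather than documenting them as if they were normative.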
authorizationUrl: /oauth2/authorize | |
tokenUrl: /oauth2/token | |
scopes: | |
read: Grants read access | |
write: Grants write access | |
authorizationUrl: /TBD | |
tokenUrl: /TBD | |
scopes: | |
TBD: There are currently no scopes defined. |
This has been removed in commit f2c17c0, and is ultimately up to the instance to define.
components/SecuritySchemes.yml (Outdated)
oAuth2: | ||
type: oauth2 | ||
flows: | ||
authorizationCode: |
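Review bot: pinning flows to authorizationCode alone leaves a service-to-service caller that cannot perform a browser redirect with no documented way to obtain a token (clientCredentials would be the usual flow for that case). If the flow is not yet decided, either list the flows an instance may choose or say in the scheme description that the flow is instance-defined.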
You don't have to use authorizationCode -- need to figure out how to say "this is up to implementers".
This has been removed in commit f2c17c0 and is up to the instance to define.
components/SecuritySchemes.yml (Outdated)
paths: | ||
components: | ||
securitySchemes: | ||
noAuth: |
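Review bot: every securitySchemes entry needs a type (oauth2, http, apiKey or openIdConnect), and noAuth has none here, so the linter this PR is meant to satisfy will still reject it. In OpenAPI 3 "no authorization required" is expressed per operation with an empty security requirement object, security: [{}], not with a named scheme; that also leaves room for the firewall-enforced and other-auth cases raised in review without inventing scheme names for them.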
noAuth: | |
networkAuth: |
As noted on call, we understand the scope of this PR is to fix lint errors (we never want to compromise about dev tools not being broken), but we will update in future PRs to correctly make sure we don't unintentionally rule out use cases for "no authorization (header) required", "I enforce access to this endpoint with a firewall" or "some other secret auth method".
This has been fixed in f2c17c0.
We should rename oauth2 to oauth2-vcapi so that we can only define the parts we know we can define at this time. There were some requirements when using oauth2 that weren't really ready to set, so if we invent a name for now as a placeholder we can just do the parts we have consensus on / know what we're doing.
88a58b8 to eeb2226
I was able to update it to just
Discussed on the 2023-03-21 call. Normative, multiple reviews, changes requested and made, no objections, merging.
This PR fixes linting errors in the OAS files. OAS linting requires that every endpoint define security properties and at least one server endpoint. Reviewers should pay specific attention to this PR because it does add authorization mechanisms available on each endpoint, including noAuth, didAuth, oAuth2, and zCap (since the current set of implementers support at least one of those mechanisms, if not multiple). Setting this PR to draft so we can discuss.
The intent of this PR is NOT to establish the correct authz mechanisms for each endpoint, that will be done in a future PR. The goal here is to get "close enough" and then fine tune the authz mechanisms in a future PR. Do not take the authz mechanisms provided as anything more than a work in progress at this point in time.
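An added example (not the project's OAS files) of the minimal structure the linter described above accepts: a servers entry, one named security scheme, and a security requirement on every operation, with "no authorization required" expressed as an empty requirement object instead of a noAuth scheme. The server URL, paths and the clientCredentials flow are constructed placeholders, not values from this project.

```yaml
# Added example, not the project's own file. Satisfies the two lint rules named
# in the PR description: at least one server and a security property per operation.
openapi: 3.0.3
info:
  title: example-api        # constructed placeholder
  version: 0.0.1
servers:
  - url: https://example.invalid   # placeholder; each instance supplies its own
components:
  securitySchemes:
    oAuth2:
      type: oauth2
      description: >-
        Placeholder. Flow, endpoints and scopes are defined by the instance;
        nothing below is normative.
      flows:
        clientCredentials:            # assumed flow for illustration only
          tokenUrl: https://example.invalid/oauth2/token
          scopes: {}                  # empty map is valid; no scopes claimed
paths:
  /credentials/issue:                 # hypothetical path
    post:
      security:
        - oAuth2: []                  # token required
      responses:
        '200':
          description: OK
  /credentials/status:                # hypothetical path
    get:
      security:
        - {}                          # no authorization required ...
        - oAuth2: []                  # ... or a token, if the caller has one
      responses:
        '200':
          description: OK
```

Listing the empty object alongside oAuth2 makes authorization optional for that operation; listing only the empty object makes the operation open, which is the "no authorization (header) required" case discussed in the review without a scheme the linter would reject.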