
Refinement of security section using OpenAPI 3 #1096

Closed
maxim-tschumak opened this issue Dec 17, 2019 · 2 comments · Fixed by #1227
Labels: guidelines-update (Automatically created Issue for changes in the API guidelines → check for zally-change label)

Comments

@maxim-tschumak
Contributor

Please check if the PR zalando/restful-api-guidelines#551 introduces changes which are relevant to the Zally project.

@maxim-tschumak maxim-tschumak added the guidelines-update Automatically created Issue for changes in the API guidelines → check for zally-change label label Dec 17, 2019
@conorclifford

The changes in the guidelines PR zalando/restful-api-guidelines#551 result in zally reporting broken APIs that I believe meet the new guideline rules.

A minimal example API that uses new guidelines that are not accepted is:

openapi: 3.0.1
info:
  title: testing123 API
  x-audience: company-internal
  x-api-id: deadbeef-cafe-babe-a91d-936bb408d996
  description: dummy api
  contact:
    name: bob
    email: bobbie@example.com
    url: https://example.com
  version: 0.0.0
paths:
  /greetings:
    get:
      summary: Return a greeting
      responses:
        default:
          description: some issue
          content:
            application/problem+json:
              schema:
                $ref: 'https://opensource.zalando.com/problem/schema.yaml#/Problem'
      security:
        - BearerAuth:
            - simple.read
servers:
  - url: https://fake-name.zalandoapis.com
components:
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT

Zally reports the following violations for the above:

[image: screenshot of the Zally violation report, not reproduced here]

The same minimal API with the old securityScheme setup does pass zally checks:

openapi: 3.0.1
info:
  title: testing123 API
  x-audience: company-internal
  x-api-id: deadbeef-cafe-babe-a91d-936bb408d996
  description: dummy api
  contact:
    name: bob
    email: bobbie@example.com
    url: https://example.com
  version: 0.0.0
paths:
  /greetings:
    get:
      summary: Return a greeting
      responses:
        default:
          description: some issue
          content:
            application/problem+json:
              schema:
                $ref: 'https://opensource.zalando.com/problem/schema.yaml#/Problem'
      security:
        - oauth2:
            - simple.read
servers:
  - url: https://fake-name.zalandoapis.com
components:
  securitySchemes:
    oauth2:
      type: oauth2
      flows:
        clientCredentials:
          tokenUrl: 'https://token.example.com/oauth2/access_token'
          scopes:
            uid: Unique identifier of the user accessing the service.
            simple.read: reading scope

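The behaviour described in the comment above, a linter rule that only knows the `oauth2` scheme type and therefore flags an API secured with an `http`/`bearer` scheme, can be reproduced with a small rule of our own. The following is an added example and not Zally's code: it takes the two specs from the comment, reduced to the parts a security rule needs and embedded as Python dicts, and checks every operation's security requirements against `components.securitySchemes`. The `accepted_types` parameter is a hypothetical knob used only to contrast the old rule (oauth2 only) with one that also accepts bearer schemes; the scope check against the declared OAuth2 flows is an extra that the report does not mention.

```python
"""Added example (not Zally's code): check OpenAPI 3 security requirements
against the document's securitySchemes, accepting oauth2 and http/bearer."""
from typing import Any, Dict, Iterator, List, Tuple

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Constructed specs mirroring the two YAML examples from the issue, reduced to
# the parts this rule inspects.
BEARER_SPEC: Dict[str, Any] = {
    "openapi": "3.0.1",
    "paths": {"/greetings": {"get": {"security": [{"BearerAuth": ["simple.read"]}]}}},
    "components": {
        "securitySchemes": {
            "BearerAuth": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"}
        }
    },
}

OAUTH2_SPEC: Dict[str, Any] = {
    "openapi": "3.0.1",
    "paths": {"/greetings": {"get": {"security": [{"oauth2": ["simple.read"]}]}}},
    "components": {
        "securitySchemes": {
            "oauth2": {
                "type": "oauth2",
                "flows": {
                    "clientCredentials": {
                        "tokenUrl": "https://token.example.com/oauth2/access_token",
                        "scopes": {
                            "uid": "Unique identifier of the user accessing the service.",
                            "simple.read": "reading scope",
                        },
                    }
                },
            }
        }
    },
}


def iter_operations(spec: Dict[str, Any]) -> Iterator[Tuple[str, str, Dict[str, Any]]]:
    """Yield (path, method, operation object) for every operation in the spec."""
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            if method in item:
                yield path, method, item[method]


def declared_oauth2_scopes(scheme: Dict[str, Any]) -> set:
    """Union of the scopes declared across all OAuth2 flows of one scheme."""
    scopes: set = set()
    for flow in scheme.get("flows", {}).values():
        scopes.update(flow.get("scopes", {}).keys())
    return scopes


def check_security(spec: Dict[str, Any],
                   accepted_types: Tuple[str, ...] = ("oauth2", "http")) -> List[str]:
    """Return human-readable findings; an empty list means the spec passes.

    accepted_types is a hypothetical parameter: ("oauth2",) reproduces the
    rule behaviour reported in the issue, the default also accepts bearer.
    """
    schemes = spec.get("components", {}).get("securitySchemes", {})
    findings: List[str] = []
    for path, method, op in iter_operations(spec):
        where = f"{method.upper()} {path}"
        # Operation-level security overrides the document-level default.
        requirements = op.get("security", spec.get("security", []))
        if not requirements:
            findings.append(f"{where}: no security requirement defined")
            continue
        for requirement in requirements:
            for name, scopes in requirement.items():
                scheme = schemes.get(name)
                if scheme is None:
                    findings.append(f"{where}: references undefined security scheme '{name}'")
                    continue
                stype = scheme.get("type")
                if stype not in accepted_types:
                    findings.append(f"{where}: security scheme '{name}' has unsupported type '{stype}'")
                elif stype == "oauth2":
                    # Every requested scope must be declared in some flow of the scheme.
                    missing = sorted(set(scopes) - declared_oauth2_scopes(scheme))
                    if missing:
                        findings.append(f"{where}: scopes {missing} are not declared in scheme '{name}'")
                elif stype == "http" and scheme.get("scheme") != "bearer":
                    findings.append(f"{where}: http scheme '{name}' must use 'bearer', got '{scheme.get('scheme')}'")
                if not scopes:
                    findings.append(f"{where}: security requirement '{name}' lists no scopes")
    return findings


if __name__ == "__main__":
    print("oauth2-only rule, bearer spec:", check_security(BEARER_SPEC, accepted_types=("oauth2",)))
    print("bearer-aware rule, bearer spec:", check_security(BEARER_SPEC))
    print("bearer-aware rule, oauth2 spec:", check_security(OAUTH2_SPEC))
```

With `accepted_types=("oauth2",)` the bearer spec produces exactly one finding (unsupported type `http`), which is the false positive reported above; with the default both specs pass, while an OAuth2 requirement asking for a scope that no flow declares is still reported.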
@tkrop
Member

tkrop commented Feb 14, 2020

Thanks for reporting. We are missing the resources to act on this. Any contribution is welcome.

@vadeg vadeg self-assigned this Apr 23, 2021
tkrop added a commit that referenced this issue May 27, 2021
Add a `Bearer` security schema support
4 participants