Description
Schema Inaccuracy
The request/response schema for an API call is, at a minimum, only concerned with the ROLES/privileges associated with an endpoint, not with the OAuth handshake. That is all handled on the backend.
```json
{
  "type": "oauth2",
  "flows": {
    "implicit": {
      "authorizationUrl": "https://example.com/api/oauth/dialog",
      "scopes": {
        "write:pets": "modify pets in your account",
        "read:pets": "read your pets"
      }
    }
  }
}
```
This handshake can be defined (and usually is) in separate, more secure documents that don't have to be synchronized and/or cached. Also, this data is single-use, whereas the other data in the document is shared.
Expected
Security is better handled by associating ROLES with endpoints, so that once a token is issued, a check can easily be made against the stated ROLES associated with each endpoint.
ex.
```json
{
  "REQUEST": {
    "permitAll": ["firstName", "username", "lastName", "email"],
    "ROLE_ADMIN": ["enabled", "password", "id", "version"]
  },
  "RESPONSE": {
    "permitAll": ["email"],
    "ROLE_ADMIN": ["id", "version"]
  }
}
```
The above shows how ROLE_ADMIN would receive a concatenated dataset of 'permitAll' plus its own privileged fields.
This keeps the schema related ONLY to the request/response call flow.
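To make the proposed role map concrete, here is an added example (not code from the OpenAPI project or this issue's author) that derives a caller's effective field set as 'permitAll' plus its role fields, rejects request fields the caller may not write, and projects a response down to readable fields. The role map is the one from this issue; the caller roles and payloads are constructed.

```python
"""Role-scoped request/response field checks built on the issue's role map.

Added example, not from the OpenAPI project. FIELD_POLICY is taken from the
issue; the sample roles and payloads below are constructed for illustration.
"""
from typing import Iterable

# Field visibility map from the issue: 'permitAll' plus per-role fields.
FIELD_POLICY = {
    "REQUEST": {
        "permitAll": ["firstName", "username", "lastName", "email"],
        "ROLE_ADMIN": ["enabled", "password", "id", "version"],
    },
    "RESPONSE": {
        "permitAll": ["email"],
        "ROLE_ADMIN": ["id", "version"],
    },
}


def allowed_fields(direction: str, roles: Iterable[str]) -> set:
    """Union of 'permitAll' and every field granted to one of the caller's roles."""
    policy = FIELD_POLICY[direction]
    allowed = set(policy["permitAll"])
    for role in roles:
        allowed.update(policy.get(role, []))
    return allowed


def check_request(body: dict, roles: Iterable[str]) -> list:
    """Request fields the caller is NOT permitted to send (empty list = accept).

    Rejecting, rather than silently dropping, unknown or privileged fields
    keeps attempts to set e.g. 'enabled' visible to logging and detection."""
    return sorted(set(body) - allowed_fields("REQUEST", roles))


def filter_response(record: dict, roles: Iterable[str]) -> dict:
    """Project a stored record down to the fields the caller may read.

    Note that 'password' is writable by ROLE_ADMIN but never readable, since it
    appears in no RESPONSE entry."""
    allowed = allowed_fields("RESPONSE", roles)
    return {key: value for key, value in record.items() if key in allowed}


if __name__ == "__main__":
    # Constructed sample: an unprivileged caller tries to set 'enabled'.
    print(check_request({"username": "ann", "enabled": True}, []))
    print(check_request({"username": "ann", "enabled": True}, ["ROLE_ADMIN"]))
    record = {"id": 225, "email": "ann@example.com", "password": "x", "version": 3}
    print(filter_response(record, []))
    print(filter_response(record, ["ROLE_ADMIN"]))
```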
Reproduction Steps
ex.
```bash
curl -v -H "Content-Type: application/json" \
     -H "Authorization: Bearer a7ectf7qgulb38bu22l136r7cf0qv12j" \
     --request GET "http://localhost:8080/v1.6.58/person/show/225"
```