How do I hide the authorization security indicators for just one endpoint?

gdec31 commented 9 months ago

Hello,

I have a public API which is not subject to any authorization type.

Step to reproduce

Select a public endpoint (You can found an extract of the schema below)

Actual behavior

On the top right of endpoint page I have this :

Expected behavior

Should display nothing

An extract of the schema : (there is no security part)


  "/saml" : {
      "get" : {
        "tags" : [ "Server" ],
        "summary" : "Get the SP metadata",
        "description" : "Get the service provider metadata.",
        "operationId" : "getSpMetadata",
        "responses" : {
          "200" : {
            "description" : "Successful Operation",
          },
          "204" : {
            "description" : "No content."
          }, "500" : {
            "description" : "Internal server error."
          }
        }
      }
    },```

wparad commented 9 months ago

I'm struggling to reproduce this, we'll need a full minimal reproduction spec in order to validate this. Can you share that?

gdec31 commented 9 months ago

Below a simple schema to reproduce the case. I reproduce on https://authress-engineering.github.io/openapi-explorer/

{
  "openapi" : "3.0.1",
  "info" : {
    "title" : "The REST API",
    "description" : "Descr.",
    "version" : "2",
    "x-locale" : "en_US"
  },
  "servers" : [ {
    "url" : "/api/"
  } ],
  "security" : [ {
    "bearerAuth" : [ ]
  }, {
    "basicAuth" : [ ]
  } ],
  "tags" : [ {
    "name" : "Server",
    "description" : "The server API"
  }],
  "paths" : {
    "/saml" : {
      "get" : {
        "tags" : [ "Server" ],
        "summary" : "Get the SP metadata",
        "description" : "Get the service provider metadata",
        "operationId" : "getSpMetadata",
        "responses" : {
          "200" : {
            "description" : "Successful Operation",
            "content" : {
              "application/xml" : { }
            }
          },
          "204" : {
            "description" : "No content."
          },
          "500" : {
            "description" : "Internal server error."
          }
        }
      }
    }
  },
  "components" : {
    "securitySchemes" : {
      "bearer" : {
        "type" : "http",
        "scheme" : "bearer"
      },
      "basic" : {
        "type" : "http",
        "scheme" : "basic"
      }
    }
  }
}

wparad commented 9 months ago

Your spec doesn't make sense to me. You've defined two security schemes for your API:

bearer and basic

"securitySchemes" : {
  "bearer" : {
    "type" : "http",
    "scheme" : "bearer"
  },
  "basic" : {
    "type" : "http",
    "scheme" : "basic"
  }
}

But then you set your security for whole API to be two schemes that don't exist in your spec:

"security" : [ {
    "bearerAuth" : [ ]
  }, {
    "basicAuth" : [ ]
  } ],

Of course the API would show that there are two schemes, and not know what to show there.

So you have two problems here.

1. First you want to fix your specified security for the whole api to be:

"security" : [ {
    "bearer" : [ ]
  }, {
    "basic" : [ ]
  } ],

So that they match your schemes.

2. You want to remove the schemes for your API

To do that according to the OpenAPI specification, you can remove them by adding security: [] to the endpoints in question:

"paths" : {
    "/saml" : {
      "get" : {
        "security" : [  ],
        "tags" : [ "Server" ],
        "summary" : "Get the SP metadata",
        "description" : "Get the service provider metadata",
        "operationId" : "getSpMetadata",
        "responses" : {
          "200" : {
            "description" : "Successful Operation",
            "content" : {
              "application/xml" : { }
            }
          },
          "204" : {
            "description" : "No content."
          },
          "500" : {
            "description" : "Internal server error."
          }
        }
      }
    }
  },

gdec31 commented 9 months ago

I simplify the schema and remove the others endpoints (100+).

But I have :

one endpoint that use basic authentication
one public endpoint (the previous example)
the others use bearer authentication

But seems ok to just add "security" : [ ] like you describe.

Thanks !

wparad commented 9 months ago

I'm not following what the issue is honestly. In the first endpoint, set it to basic, in the second endpoint, set it an empty array, and at the top level set it to be an array with just the bearer type. That is the guidance from the Open API Initiative specification for how to implement your scenario.

gdec31 commented 9 months ago

The problem was on my side, I didn't have an empty array for the security field. Sorry for the inconvenience.

wparad commented 9 months ago

no problem at all. Cheers.

Authress-Engineering / openapi-explorer

How do I hide the authorization security indicators for just one endpoint? #241

1. First you want to fix your specified security for the whole api to be:

2. You want to remove the schemes for your API