search

Azure / azure-functions-openapi-extension

This extension provides an Azure Functions app with Open API capability for better discoverability to consuming parties
https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.OpenApi/
MIT License
373 stars 195 forks source link

Document about "Configure Authorization Level" is not clear #422

Open nguyenlamlll opened 2 years ago

nguyenlamlll commented 2 years ago

Describe the issue I need to configure the authorization level of my Swagger pages. So, I follow this document here.

First, there is a confusion in the name. In the example code block, the variable name is OpenApi__ApiKey. But in the text below, it says Make sure that you MUST provide the OpenApi__AuthKey value, if you choose the. So, ApiKey or AuthKey?

Secondly, how do we query the secured page now? There is no explanation of how to do this. So, I imply that I can use the same method of azure functions. It means x-functions-key header or ?code={KEY} in query string. I tried both, it does not work. The swagger page only returns 401.

To Reproduce Steps to reproduce the behavior:

Configure my local.settings.json (and for Function App on Azure portal as well)

{
  "IsEncrypted": false,
  "Values": {
    "OpenApi__AuthKey": "Test.123",
    "OpenApi__AuthLevel__Document": "Function",
    "OpenApi__AuthLevel__UI": "Function"
  }
}

Go to mysite.com/api/swagger/ui?code=Test.123 --> 401 Error

Go to mysite.com/api/swagger/ui with request header x-functions-key: Test.123 --> 401 Error

Expected behavior The swagger page is secured now. But I should be able to see the page with my given key. It is not clear how I do that.

Screenshots image

Environment (please complete the following information, if applicable):

nguyenlamlll commented 2 years ago

Another note... If I edit my settings file like the example code block:

    "OpenApi__ApiKey": "Test.123",
    "OpenApi__AuthLevel__Document": "Function",
    "OpenApi__AuthLevel__UI": "Function"

Note that, ApiKey, not AuthKey. Then the Swagger UI is still public.

tgrandgent commented 2 years ago

The documentation for this seems to be incorrect.

If you want to secure /api/swagger/ui with a function key, you need to pass a function key set on the RenderSwaggerUI function when accessing it. Setting OpenApi__ApiKey doesn't help with this. And the same function key had better be set on the RenderSwaggerDocument and/or RenderOpenApiDocument functions too.

Function keys can be set/get via the Azure Portal, but it's difficult with these functions because they're not listed in the list of functions for the application for some reason. I had to select one of the functions in my app that does show up and then edit the Azure Portal page URL to change the function name to one of the hidden functions. Then I was able to set a function key for it. After I did this for each hidden function, I was able to use /api/swagger/ui?code=function_key successfully on Azure. If you do it this way, there's no need to set OpenApi__ApiKey as it will use the value from the code query string parameter.