Closed mooreds closed 9 months ago
How does this work in practice? How does the spec for a particular endpoint such as /api/jwt/validate know it can take a header such as Authorization: Bearer <jwt>?
Edit: Maybe this PR will tell me?
We add in the bearer scheme as defined here:
  BearerAuth:
    type: http
    scheme: bearer
    bearerFormat: JWT
And then we mark the applicable endpoints as accepting that security scheme:
  security:
    - BearerAuth: []
Happy to walk you through this, but it is all derived from the API json docs in this repo.
Ah, I see. We are just making the assumption that the .json API definition will use this exact string for the authorization property: "\"Bearer \" + encodedJWT".
So if we write an API that uses the parameter name of token instead of encodedJWT, this would not work. It does look like we assume this parameter name in a few other places in our builders, but still - we could choose to change it and it shouldn't functionally change the API.
Can we just simplify this to say we default to API auth which is essentially a schema-less Authorization header, and then if the authorization property in the API definition begins with Bearer we assume a Bearer auth header?
So functionally, it would just be changing if json["authorization"] == '"Bearer " + encodedJWT' to if json["authorization"].index("Bearer ") == 0 - or whatever the ruby syntax is for starts with.
Would that work?
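As an added example in Ruby (not code from this PR or from the FusionAuth repository) of the starts-with approach proposed above: it derives the OpenAPI security scheme for each API definition from its authorization expression, emits the matching components/security fragment, and checks a presented Authorization header against the declared scheme. The sample definitions, the APIKeyAuth scheme name for the default schema-less Authorization header case, and the helper names are assumptions. One detail the prefix test has to handle is that the expression in the definition begins with a literal quote character, so the quote is stripped before the "Bearer " prefix is checked.

```ruby
require 'json'

# Constructed sample API definitions in the shape the thread describes
# (one JSON object per API method with an "authorization" expression); not FusionAuth's real docs.
SAMPLE_DEFINITIONS = {
  "jwt_validate" => { "uri" => "/api/jwt/validate", "authorization" => '"Bearer " + encodedJWT' },
  "jwt_refresh"  => { "uri" => "/api/jwt/refresh",  "authorization" => '"Bearer " + token' },
  "user"         => { "uri" => "/api/user",         "authorization" => "apiKey" },
  "status"       => { "uri" => "/api/status" } # anonymous: no authorization property
}.freeze

# Scheme names: BearerAuth is from the thread; APIKeyAuth is an assumed name for the
# default "schema-less Authorization header" case.
BEARER_SCHEME_NAME  = "BearerAuth"
API_KEY_SCHEME_NAME = "APIKeyAuth"

SECURITY_SCHEMES = {
  BEARER_SCHEME_NAME  => { "type" => "http", "scheme" => "bearer", "bearerFormat" => "JWT" },
  API_KEY_SCHEME_NAME => { "type" => "apiKey", "in" => "header", "name" => "Authorization" }
}.freeze

# Decide which scheme an API definition uses. Comparing the whole expression against
# '"Bearer " + encodedJWT' breaks as soon as the parameter is renamed; a prefix test only
# depends on the literal "Bearer " part. The expression starts with a quote character,
# so strip it before testing the prefix.
def security_scheme_for(api_def)
  auth = api_def["authorization"]
  return nil if auth.nil? || auth.strip.empty?
  literal = auth.strip.delete_prefix('"')
  return BEARER_SCHEME_NAME if literal.start_with?("Bearer ")
  API_KEY_SCHEME_NAME
end

# OpenAPI "security" requirement list for one operation ([] means anonymous).
def security_requirement_for(api_def)
  scheme = security_scheme_for(api_def)
  scheme.nil? ? [] : [{ scheme => [] }]
end

# Build an OpenAPI fragment; only schemes actually referenced by some path go into components.
def build_openapi_fragment(definitions)
  paths = {}
  used = []
  definitions.each_value do |api_def|
    scheme = security_scheme_for(api_def)
    used << scheme unless scheme.nil? || used.include?(scheme)
    paths[api_def["uri"]] = { "security" => security_requirement_for(api_def) }
  end
  {
    "components" => { "securitySchemes" => SECURITY_SCHEMES.select { |name, _| used.include?(name) } },
    "paths" => paths
  }
end

# Defender-side structural check: does a presented Authorization header match the scheme the
# spec declares? Bearer requires the "Bearer " prefix and a three-segment JWT shape; the API-key
# scheme accepts any non-empty value here (the key itself is validated server-side).
def header_satisfies_scheme?(scheme_name, header_value)
  return false if header_value.nil? || header_value.strip.empty?
  case scheme_name
  when BEARER_SCHEME_NAME
    header_value.match?(/\ABearer [A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*\z/)
  when API_KEY_SCHEME_NAME
    true
  else
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(build_openapi_fragment(SAMPLE_DEFINITIONS))
end
```

Run the file directly to print the generated fragment; /api/jwt/validate and /api/jwt/refresh both come out as BearerAuth even though their definitions name the token parameter differently, /api/user falls back to the default Authorization-header scheme, and /api/status gets an empty security list.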
> So functionally, it would just be changing if json["authorization"] == '"Bearer " + encodedJWT' to if json["authorization"].index("Bearer ") == 0 - or whatever the ruby syntax is for starts with.

Yes, that will definitely work, will get that change made.
@robotdan this is updated and ready for re-review.
This scheme provides a JWT to an otherwise anonymous API call. There are about 5-6 different API methods that use this.
This first surfaced here: https://github.com/FusionAuth/fusionauth-issues/issues/2599
I also did some cleanup and use proper constants for the various security schemes.