FusionAuth / fusionauth-client-builder

The FusionAuth client library builder
https://fusionauth.io/
Apache License 2.0

Support JWT bearer scheme #73

Closed mooreds closed 9 months ago

mooreds commented 9 months ago

This scheme provides a JWT to an otherwise anonymous API call. There are about 5-6 different API methods that use this.

This first surfaced here: https://github.com/FusionAuth/fusionauth-issues/issues/2599

I also did some cleanup and use proper constants for the various security schemes.

robotdan commented 9 months ago

How does this work in practice? How does the spec for a particular endpoint such as /api/jwt/validate know it can take a header such as Authorization: Bearer <jwt>?

Edit: Maybe this PR will tell me?

mooreds commented 9 months ago

We add in the bearer scheme as defined here:

    BearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT

And then we mark the applicable endpoints as accepting that security scheme:

      security:
      - BearerAuth: []

Happy to walk you through this, but it is all derived from the API json docs in this repo.

robotdan commented 9 months ago

Ah, I see. We are just making the assumption that the .json API definition will use this exact string for the authorization property "\"Bearer \" + encodedJWT".

So if we write an API that uses the parameter name of token instead of encodedJWT this would not work. It does look like we assume this parameter name in a few other places in our builders, but still - we could choose to change it and it shouldn't functionally change the API.

Can we just simplify this to say we default to API auth which is essentially a schema-less Authorization header, and then if the authorization property in the API definition begins with Bearer we assume a Bearer auth header.

So functionally, it would just be changing if json["authorization"] == '"Bearer " + encodedJWT' to if json["authorization"].index("Bearer ") == 0 - or whatever the ruby syntax is for starts with.

Would that work?

mooreds commented 9 months ago

> So functionally, it would just be changing if json["authorization"] == '"Bearer " + encodedJWT' to if json["authorization"].index("Bearer ") == 0 - or whatever the ruby syntax is for starts with.

Yes, that will definitely work, will get that change made.
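The following is an added example, not code from fusionauth-client-builder or from the PR itself. It puts the two pieces of the thread together in Ruby (the builder's own language): the OpenAPI `securitySchemes` definitions from the earlier comment (`BearerAuth` as `http`/`bearer`/`JWT`, plus a schema-less API-key `Authorization` header as the default), and the prefix rule agreed above, where a definition whose `authorization` property starts with `Bearer ` gets `BearerAuth` regardless of the parameter name that follows. The module name, the constant names, the shape of the `SAMPLE_APIS` entries and every URI other than `/api/jwt/validate` are assumptions made for illustration.

```ruby
require 'yaml'

# Added example (not the builder's code). Maps the "authorization" property of
# an API definition onto an OpenAPI security scheme and emits the spec fragment.
module SecuritySchemes
  API_KEY_AUTH = 'APIKeyAuth'.freeze # assumed constant name
  BEARER_AUTH  = 'BearerAuth'.freeze # name used in the thread

  # components/securitySchemes as described in the thread. The API-key scheme is
  # a plain Authorization header with no scheme prefix; BearerAuth carries a JWT.
  SECURITY_SCHEMES = {
    API_KEY_AUTH => { 'type' => 'apiKey', 'in' => 'header', 'name' => 'Authorization' },
    BEARER_AUTH  => { 'type' => 'http', 'scheme' => 'bearer', 'bearerFormat' => 'JWT' }
  }.freeze

  # Scheme name for one definition, or nil for an anonymous endpoint.
  # The definition stores an expression such as  "Bearer " + encodedJWT , so the
  # first character of the value is a literal quote; the regex tolerates it and
  # matches on the prefix only, so a renamed parameter (token, jwt, ...) still works.
  def self.scheme_for(api)
    auth = api['authorization'].to_s.strip
    return nil if auth.empty?
    auth.match?(/\A"?Bearer /) ? BEARER_AUTH : API_KEY_AUTH
  end

  # OpenAPI operation object for one definition; `[]` means "no scopes required".
  def self.operation_for(api)
    op = { 'operationId' => api['methodName'] }
    scheme = scheme_for(api)
    op['security'] = [{ scheme => [] }] if scheme
    op
  end

  # Minimal OpenAPI document: paths with per-operation security, and only the
  # security schemes that at least one operation actually references.
  def self.openapi_for(apis)
    paths = {}
    apis.each do |api|
      (paths[api['uri']] ||= {})[api['method'].downcase] = operation_for(api)
    end
    used = apis.map { |a| scheme_for(a) }.compact.uniq
    {
      'openapi' => '3.0.3',
      'paths' => paths,
      'components' => { 'securitySchemes' => SECURITY_SCHEMES.slice(*used) }
    }
  end
end

# Constructed sample definitions; the field names are an assumption, not the
# repository's schema. Only /api/jwt/validate is taken from the thread.
SAMPLE_APIS = [
  { 'methodName' => 'validateJWT', 'uri' => '/api/jwt/validate', 'method' => 'GET',
    'authorization' => '"Bearer " + encodedJWT' },
  { 'methodName' => 'exampleBearerWithRenamedParam', 'uri' => '/api/example/bearer', 'method' => 'POST',
    'authorization' => '"Bearer " + token' },
  { 'methodName' => 'exampleApiKey', 'uri' => '/api/example/keyed', 'method' => 'GET',
    'authorization' => 'apiKey' },
  { 'methodName' => 'exampleAnonymous', 'uri' => '/api/example/anonymous', 'method' => 'GET' }
].freeze

if __FILE__ == $PROGRAM_NAME
  puts SecuritySchemes.openapi_for(SAMPLE_APIS).to_yaml
end
```

Two points worth checking when wiring this into a real generator: because the stored value begins with a literal `"`, a test for `Bearer ` at index 0 would never match, so either strip the quote or match with an optional leading quote as above; and the empty array in `BearerAuth: []` is OpenAPI's way of saying no scopes are required, it does not mean the header is optional.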

mooreds commented 9 months ago

@robotdan this is updated and ready for re-review.