OpenAPITools / openapi-generator

OpenAPI Generator allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec (v2, v3)
https://openapi-generator.tech
Apache License 2.0

[REQ] Spring Server generators should allow for adding OAuth2 Preauthorize annotations based on scope #1975

Open mikezx6r opened 5 years ago

mikezx6r commented 5 years ago

Using OAuth JWT scopes and Spring Security's PreAuthorize annotation requires the PreAuthorize annotation to be on the same method as the Mapping related annotation.

With the current generators (Java/Kotlin), the Mapping annotation is in generated code, so manually adding the PreAuthorize annotation can't be done without modifying generated code.

It would be good if the generator had a flag for Spring Security, and would then leverage the OAuth2 security settings to add @PreAuthorize() annotations to the Controller class methods with the Mapping related annotations.

This is dependent on #392 being corrected first.

mikezx6r commented 5 years ago

As this will target the Java and Kotlin Spring generators, I'd appreciate any thoughts or feedback you have on this. I think adding a new config property 'use.spring.security.oauth' which would add the appropriate @PreAuthorize("hasAuthority('SCOPE_read:pets')") annotation alongside the @Mapping annotation on the interface/controller method/function would be the way to go.

I will also look at the generated build.gradle/pom.xml file to ensure that if required, the appropriate spring security dependencies are brought in.

@jimschubert, @dr4ke616, @bbdouglas, @JFCote, @sreeshas, @jfiala, @lukoyanov, @cbornet, @jeff9finger

Let me know if I haven't explained things sufficiently.
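One way to derive the proposed `@PreAuthorize` expression from a spec's `security` sections, as an added example (not openapi-generator code and not written by any commenter in this thread). It assumes every security scheme is OAuth2/JWT-backed and that scopes appear as authorities with the `SCOPE_` prefix used in the comment above; the class and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Added illustration, not openapi-generator code.
public class PreAuthorizeExpression {

    // Assumption: scopes surface as authorities with the "SCOPE_" prefix.
    static final String PREFIX = "SCOPE_";

    /** Returns the SpEL for @PreAuthorize, or null when the operation is declared public. */
    static String forOperation(List<Map<String, List<String>>> global,
                               List<Map<String, List<String>>> operation) {
        // An operation-level "security" list replaces the global one, even when empty.
        List<Map<String, List<String>>> effective = operation != null ? operation : global;
        if (effective == null || effective.isEmpty()) return null;

        List<String> alternatives = new ArrayList<>();
        for (Map<String, List<String>> requirement : effective) {
            if (requirement.isEmpty()) return null; // "{}" alternative: anonymous access allowed
            List<String> terms = new ArrayList<>();
            for (List<String> scopes : requirement.values())
                for (String s : scopes) terms.add("hasAuthority('" + PREFIX + quote(s) + "')");
            // A scheme listed without scopes still requires an authenticated caller.
            String all = terms.isEmpty() ? "isAuthenticated()" : String.join(" and ", terms);
            alternatives.add(terms.size() > 1 && effective.size() > 1 ? "(" + all + ")" : all);
        }
        return String.join(" or ", alternatives); // list entries are alternatives
    }

    /** Rejects anything outside the RFC 6749 scope-token alphabet, then escapes ' for SpEL. */
    static String quote(String scope) {
        if (!scope.matches("[\\x21\\x23-\\x5B\\x5D-\\x7E]+"))
            throw new IllegalArgumentException("invalid scope: " + scope);
        return scope.replace("'", "''");
    }

    public static void main(String[] args) {
        // Constructed sample requirements, mirroring a petstore-style spec.
        var global = List.of(Map.of("oauth", List.of("read:pets")));
        System.out.println(forOperation(global, null));      // inherits the global list
        System.out.println(forOperation(global, List.of(
                Map.of("oauth", List.of("read:pets", "write:pets")),
                Map.of("oauth", List.of("admin")))));
        System.out.println(forOperation(global, List.of())); // "security: []" on the operation
    }
}
```

The `quote` step matters because the scope text comes from the spec and ends up inside a SpEL string literal in generated source, so an unvalidated scope could change the authorization expression.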

epochcoder commented 4 years ago

@mikezx6r Did you find a way to do this yet? Adding @PreAuthorize on the implemented controller seems to make Spring not pick up the controller at all.

mikezx6r commented 4 years ago

It's been a long time since I've even thought about this. I believe the @PreAuthorize needs to be with the @Mapping, and that's on the interface. So yes, it won't work if you put it on the Controller.

But at the moment, I'm not using this project (not writing REST services, doing other work).

huehnerlady commented 4 years ago

Hi, in my opinion this pull request #6358 should NOT close the issue about the oauth2 as it is not fixing the kotlin-spring and this is referenced here as well.

Also happy to create a separate issue for the kotlin-spring if that is requested.

ghost commented 3 years ago

Hi there.

It has been quite some time since the last comment on this issue. Any progress on this?

netaravind commented 3 years ago

@epochcoder I tried having the @PreAuthorize on a controller implementation and all the Spring MVC mappings on an interface, and this has worked like a charm. BTW, I have used Spring MVC 5.3.6 and Spring Boot starter security 2.4.5. Can you explain your scenario to understand better?

JeanRouillier commented 2 years ago

Hello team,

Just for clarification, does this mean that when you specify an endpoint with scope restrictions, the generated interface has all @AuthorizationScope associated with the scopes described in the OpenAPI spec, BUT there are no links to some Spring Security @PreAuthorize("#xx.hasScope('MY_SCOPE')")?

Or maybe I missed something.