cloudendpoints / endpoints-python

A Python framework for building RESTful APIs on Google App Engine
Apache License 2.0

Specifying multiple issuers should generate OR'ed security requirements #100

Closed kryzthov closed 6 years ago

kryzthov commented 6 years ago

When I specify multiple issuer/audience requirements on an API/method, e.g. as in:

@endpoints.api(
    name='greeting',
    version='v1',
    issuers={
        'shell_service_account': ServiceAccountIssuer(SHELL_SERVICE_ACCOUNT),
        'default_service_account': ServiceAccountIssuer(DEFAULT_SERVICE_ACCOUNT),
    },
    audiences={
        'shell_service_account': [AUDIENCE],
        'default_service_account': [AUDIENCE],
    },
)
class GreetingApi(remote.Service):
    ...

the generated OpenAPI spec requires all issuers at once, which sounds incorrect:

        "security": [
          {
            "default_service_account-9a49f844": [],
            "shell_service_account-9a49f844": []
          }
        ]

Instead, I would expect the security requirement to be an OR of each individual issuer/audience requirement:

        "security": [
          {
            "default_service_account-9a49f844": []
          },
          {
            "shell_service_account-9a49f844": []
          }
        ]
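
As an added example (not part of the issue and not endpoints-python's own code), the sketch below evaluates both `security` blocks quoted above under OpenAPI 2.0 semantics, where the entries of the list are alternatives and the names inside one entry are all required. The function names `is_satisfied` and `split_requirements` are hypothetical helpers introduced for this illustration.

```python
# Added illustration; not code from endpoints-python.
# OpenAPI 2.0 semantics: "security" is a list of requirement objects.
# The list is OR'ed; the scheme names inside one object are AND'ed.

def is_satisfied(security, presented):
    """Return True if `presented` (the set of security definition names
    the caller's credentials satisfy) meets the `security` requirement."""
    if not security:  # no requirement declared: nothing to check
        return True
    return any(set(req) <= presented for req in security)


def split_requirements(security):
    """Rewrite each multi-scheme object into one object per scheme,
    turning an AND of issuers into an OR. Scope lists are preserved."""
    out = []
    for req in security:
        for name in sorted(req):
            entry = {name: list(req[name])}
            if entry not in out:
                out.append(entry)
    return out


# Constructed from the two spec fragments quoted in the issue.
GENERATED = [{"default_service_account-9a49f844": [],
              "shell_service_account-9a49f844": []}]
EXPECTED = [{"default_service_account-9a49f844": []},
            {"shell_service_account-9a49f844": []}]


def demo():
    # A JWT carries a single `iss` claim, so a caller presenting one
    # token satisfies one issuer definition, not both.
    one_issuer = {"shell_service_account-9a49f844"}
    return (is_satisfied(GENERATED, one_issuer),
            is_satisfied(EXPECTED, one_issuer))


if __name__ == "__main__":
    print(demo())
```

With the generated form, a caller holding a token from only one of the two service accounts is rejected; with the split form, either account is accepted.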