Closed kryzthov closed 6 years ago
When I specify multiple issuer/audience requirements on an API/method, eg. as in :
@endpoints.api( name='greeting', version='v1', issuers={ 'shell_service_account': ServiceAccountIssuer(SHELL_SERVICE_ACCOUNT), 'default_service_account': ServiceAccountIssuer(DEFAULT_SERVICE_ACCOUNT), }, audiences={ 'shell_service_account': [AUDIENCE], 'default_service_account': [AUDIENCE], }, ) class GreetingApi(remote.Service): ...
the generated OpenAPI spec requires all issuers at once, which sounds incorrect:
"security": [ { "default_service_account-9a49f844": [], "shell_service_account-9a49f844": [] } ]
Instead, I would expect the security requirement to be an OR of each individual issuer/audience requirement:
"security": [ { "default_service_account-9a49f844": [] }, { "shell_service_account-9a49f844": [] } ]
When I specify multiple issuer/audience requirements on an API/method, eg. as in :
the generated OpenAPI spec requires all issuers at once, which sounds incorrect:
Instead, I would expect the security requirement to be an OR of each individual issuer/audience requirement: