djfdyuruiry / ts-lambda-api

Build REST API's using Typescript & AWS Lambda
MIT License

Swagger UI Authorize Issue #74

Open NozzerFX opened 1 year ago

NozzerFX commented 1 year ago

We are able to indicate the authorization model used by the API through setting the @apiSecurity decorator against an IAuthFilter implementation. If we set this to bearer token JWT, rendering the Open API spec in Swagger UI shows bearer token JWT as an option under the authorize button as expected.

The problem arises when calling API endpoints from the Swagger UI. Any endpoint called does not get passed an Authorization header with the JWT token set. Upon further investigation, Swagger UI appears to determine whether an endpoint requires authorization based on a Security attribute on the API Operation details. This attribute is not set against any endpoint even when the @rolesAllowed() decorator is applied against a controller method. It seems to only get set when using the @noAuth decorator against a controller method, which essentially specifies the endpoint should not have the token explicitly.

Some further testing indicates that when you explicitly set the Security attribute in the Open API spec, the Swagger UI shows a padlock against the endpoint indicating it requires authorization. So far I haven't been able to get a fully working implementation, but it appears it expects this attribute to be set in order to send the bearer token as part of the request. This would mean taking the @rolesAllowed() decorator and using that to specify the permissions against the auth type assigned to the Security attribute. I'm still not sure how we would handle an endpoint without the @noAuth or @rolesAllowed decorators; but it seems something is required.

Has anyone else stumbled across this or have more knowledge on the subject? Am I possibly just missing a detail here to get it working with the existing code base?

thomasjetzinger commented 1 year ago

@NozzerFX

Have you already resolved the issue?

The security tag in my open-api.json is always empty.

I've also checked the code and I was not able to find any place where endpointOperation.security gets set to the name of the security schema.
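To make the behaviour both comments describe concrete, here is an added example (not code from ts-lambda-api) that models the Swagger UI rule: an operation is only called with the Authorization header when its `security` list holds a requirement naming a declared scheme, so an empty `security` entry in open-api.json means the token is never sent even after clicking Authorize. It assumes, following the first comment, that @noAuth yields an explicit empty list while an undecorated endpoint leaves `security` unset; the spec fragment, the `bearerAuth` scheme name and the two helper functions are constructed for this example.

```typescript
// Added example, not code from ts-lambda-api. Models the Swagger UI rule from the
// issue: no non-empty `security` requirement on an operation, no bearer token sent.
type SecurityRequirement = Record<string, string[]>;
interface Operation { security?: SecurityRequirement[]; [extra: string]: unknown }
interface OpenApiDoc {
  paths: Record<string, Record<string, Operation>>;
  components?: { securitySchemes?: Record<string, { type: string; scheme?: string }> };
}

const HTTP_METHODS = ["get", "put", "post", "delete", "options", "head", "patch", "trace"];

// Lists every "METHOD /path" that Swagger UI would call without credentials.
function findUnsecuredOperations(doc: OpenApiDoc): string[] {
  const unsecured: string[] = [];
  for (const [path, item] of Object.entries(doc.paths)) {
    for (const [method, op] of Object.entries(item)) {
      if (!HTTP_METHODS.includes(method)) continue;
      const hasRequirement = (op.security ?? []).some(r => Object.keys(r).length > 0);
      if (!hasRequirement) unsecured.push(`${method.toUpperCase()} ${path}`);
    }
  }
  return unsecured;
}

// Fills in a default requirement for operations whose `security` is undefined
// (the "neither @noAuth nor @rolesAllowed" case); explicit lists, including the
// empty list assumed for @noAuth, are left untouched. Returns a patched copy.
function applyDefaultSecurity(doc: OpenApiDoc, schemeName: string): OpenApiDoc {
  if (!doc.components?.securitySchemes?.[schemeName]) {
    throw new Error(`securityScheme '${schemeName}' is not declared in components`);
  }
  const patched: OpenApiDoc = JSON.parse(JSON.stringify(doc));
  for (const item of Object.values(patched.paths)) {
    for (const [method, op] of Object.entries(item)) {
      if (HTTP_METHODS.includes(method) && op.security === undefined) {
        op.security = [{ [schemeName]: [] }];
      }
    }
  }
  return patched;
}

// Constructed sample spec: one bearer scheme, three operations in the three states.
const sampleSpec: OpenApiDoc = {
  paths: {
    "/users": { get: {} },                                  // security never set
    "/login": { post: { security: [] } },                   // explicit none (assumed @noAuth)
    "/admin": { get: { security: [{ bearerAuth: [] }] } },  // explicit bearer: padlock shown
  },
  components: { securitySchemes: { bearerAuth: { type: "http", scheme: "bearer" } } },
};
```

Running `findUnsecuredOperations` over a generated open-api.json is a quick way to confirm whether the empty `security` entries, rather than the Authorize dialog, are why no token is attached.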