Closed franck-malka closed 11 months ago
Currently, the security scheme section can be configured via OpenApiPluginConfiguration
. Take a look at the example module:
Yes, this I understand. But I think it should be reflected on the swagger JSON file and I believe it's not.
Franck.
On Mon, 4 Sept 2023, 18:36 dzikoysk, @.***> wrote:
Currently, the security scheme section can be configured via OpenApiPluginConfiguration, take a look at the example module:
— Reply to this email directly, view it on GitHub https://github.com/javalin/javalin-openapi/issues/201#issuecomment-1705458540, or unsubscribe https://github.com/notifications/unsubscribe-auth/AMPYYPV3EU6O6L2D7GEKRWDXYXYRDANCNFSM6AAAAAA4KMG5GY . You are receiving this because you authored the thread.Message ID: @.***>
I think I need more information, because the example works properly. When you'll visit the OpenApi scheme, the following properties are added to the scheme & Swagger UI picks them up.
Could you provide an example with highlighted difference between generated scheme and expected result?
Let's say for example,i use this code .withSecurity(new SecurityComponentConfiguration() .withSecurityScheme("OAuth2", new OAuth2 ("This API uses OAuth 2 with the implicit grant flow.") .withFlow(new ImplicitFlow(" https://api.example.com/oauth2/authorize") .withScope("read_pets", "read your pets") .withScope("write_pets", "modify pets in your account") ) .withFlow(new ClientCredentials(" https://api.example.com/credentials/authorize")) ) .withGlobalSecurity(new Security("OAuth2") .withScope("write_pets") .withScope("read_pets")) ));
then the swagger UI looks fine [image: image.png]
but the swagger.json looks like this:
===================
{ "openapi" : "3.0.3", "info" : { "title" : "CAPIF Core Function", "description" : "3GPP TS 29.222 V18.0.0 Common API Framework for 3GPP Northbound APIs", "contact" : { "name" : "Slicce", "url" : "https://www.slicce.co/api-terms-of-service", "email" : @.***" }, "version" : "1.1.5" }, "paths" : { "/api-invovation-logs/v1/{aefId}/logs" : {
....
"security" : [ ]
}
}
=========================
and I was expecting something like this:
=========================
{ "openapi" : "3.0.3", "info" : { "title" : "CAPIF Core Function", "description" : "3GPP TS 29.222 V18.0.0 Common API Framework for 3GPP Northbound APIs", "contact" : { "name" : "Slicce", "url" : "https://www.slicce.co/api-terms-of-service", "email" : @.***" }, "version" : "1.1.5" },
"security" [
{},
{
"oAuth2ClientCredentials": [
"client_id"
]
}
], "paths" : { "/api-invovation-logs/v1/{aefId}/logs" : {
....
I think some clients don't like the fact that the security section is missing.
-Franck.
On Mon, Sep 4, 2023 at 6:45 PM dzikoysk @.***> wrote:
I think I need more information, because the example works properly. When you'll visit the OpenApi scheme, the following properties are added to the scheme & Swagger UI picks them up.
Could you provide an example with highlighted difference between generated scheme and expected result?
— Reply to this email directly, view it on GitHub https://github.com/javalin/javalin-openapi/issues/201#issuecomment-1705468176, or unsubscribe https://github.com/notifications/unsubscribe-auth/AMPYYPRWBQ2QZTVMCTCWMDDXYXZQVANCNFSM6AAAAAA4KMG5GY . You are receiving this because you authored the thread.Message ID: @.***>
The code you gave:
.withSecurity(new SecurityComponentConfiguration()
.withSecurityScheme("OAuth2", new OAuth2("This API uses OAuth 2 with the implicit grant flow.")
.withFlow(new ImplicitFlow("https://api.example.com/oauth2/authorize")
.withScope("read_pets", "read your pets")
.withScope("write_pets", "modify pets in your account")
)
.withFlow(new ClientCredentials("https://api.example.com/credentials/authorize"))
)
.withGlobalSecurity(new Security("OAuth2")
.withScope("write_pets")
.withScope("read_pets"))
)
Produces valid scheme:
Make sure that you use the latest version of OpenAPI plugin & annotation processor runs on updated sources (clean package
/ clean build
)
I use version 5.6.2-2 and I get an empty security object after clean + package
On Tue, Sep 5, 2023 at 12:17 AM dzikoysk @.***> wrote:
The code you gave:
.withSecurity(new SecurityComponentConfiguration() .withSecurityScheme("OAuth2", new OAuth2("This API uses OAuth 2 with the implicit grant flow.") .withFlow(new ImplicitFlow("https://api.example.com/oauth2/authorize") .withScope("read_pets", "read your pets") .withScope("write_pets", "modify pets in your account") ) .withFlow(new ClientCredentials("https://api.example.com/credentials/authorize")) ) .withGlobalSecurity(new Security("OAuth2") .withScope("write_pets") .withScope("read_pets")) )
Produces valid scheme:
[image: obraz] https://user-images.githubusercontent.com/4235722/265541578-52f4c5d7-2806-4c86-a01a-aabdcec3587d.png
Make sure that you use the latest version of OpenAPI plugin & annotation processor runs on updated sources (clean package / clean build)
— Reply to this email directly, view it on GitHub https://github.com/javalin/javalin-openapi/issues/201#issuecomment-1705705562, or unsubscribe https://github.com/notifications/unsubscribe-auth/AMPYYPX5MMDQWKYDQ43GQ43XYZAOVANCNFSM6AAAAAA4KMG5GY . You are receiving this because you authored the thread.Message ID: @.***>
Could you prepare a small example repository that I can clone & run to reproduce your issue?
I understand, i am just missing the security fields in the controller class annotations I found this example security = { @OpenApiSecurity(name = "BasicAuth") } is there a doc for oAuth2.0 specific annotations?
-Franck.
On Tue, Sep 5, 2023 at 2:36 PM dzikoysk @.***> wrote:
Could you prepare a small example repository that I can clone & run to reproduce your issue?
— Reply to this email directly, view it on GitHub https://github.com/javalin/javalin-openapi/issues/201#issuecomment-1706450996, or unsubscribe https://github.com/notifications/unsubscribe-auth/AMPYYPSXA4ZZ637LFCKFKTDXY4FCRANCNFSM6AAAAAA4KMG5GY . You are receiving this because you authored the thread.Message ID: @.***>
For configuration:
For annotations:
That's basically all we have, and it reflects 1:1 the OpenAPI specification, so that's the best source of truth there.
What's the correct way to have the securityscheme included in the generated swagger?