search

javalin / javalin-openapi

Annotation processor for compile-time OpenAPI & JsonSchema, with out-of-the-box support for Javalin 5.x, Swagger & ReDoc
https://github.com/javalin/javalin-openapi/wiki
Apache License 2.0
45 stars 17 forks source link

OpenAPI SecuritySchemes #201

Closed franck-malka closed 11 months ago

franck-malka commented 1 year ago

What's the correct way to have the securityscheme included in the generated swagger?

dzikoysk commented 1 year ago

Currently, the security scheme section can be configured via OpenApiPluginConfiguration. Take a look at the example module:

https://github.com/javalin/javalin-openapi/blob/4b8188a74650d62a8438edf3e9d3b7af0a2592cc/examples/javalin-gradle-kotlin/src/main/java/io/javalin/openapi/plugin/test/JavalinTest.java#L108-L125

franck-malka commented 1 year ago

Yes, this I understand. But I think it should be reflected on the swagger JSON file and I believe it's not.

Franck.

On Mon, 4 Sept 2023, 18:36 dzikoysk, @.***> wrote:

Currently, the security scheme section can be configured via OpenApiPluginConfiguration, take a look at the example module:

https://github.com/javalin/javalin-openapi/blob/4b8188a74650d62a8438edf3e9d3b7af0a2592cc/examples/javalin-gradle-kotlin/src/main/java/io/javalin/openapi/plugin/test/JavalinTest.java#L108-L125

— Reply to this email directly, view it on GitHub https://github.com/javalin/javalin-openapi/issues/201#issuecomment-1705458540, or unsubscribe https://github.com/notifications/unsubscribe-auth/AMPYYPV3EU6O6L2D7GEKRWDXYXYRDANCNFSM6AAAAAA4KMG5GY . You are receiving this because you authored the thread.Message ID: @.***>

dzikoysk commented 1 year ago

I think I need more information, because the example works properly. When you'll visit the OpenApi scheme, the following properties are added to the scheme & Swagger UI picks them up.

Could you provide an example with highlighted difference between generated scheme and expected result?

franck-malka commented 1 year ago

Let's say for example,i use this code .withSecurity(new SecurityComponentConfiguration() .withSecurityScheme("OAuth2", new OAuth2 ("This API uses OAuth 2 with the implicit grant flow.") .withFlow(new ImplicitFlow(" https://api.example.com/oauth2/authorize") .withScope("read_pets", "read your pets") .withScope("write_pets", "modify pets in your account") ) .withFlow(new ClientCredentials(" https://api.example.com/credentials/authorize")) ) .withGlobalSecurity(new Security("OAuth2") .withScope("write_pets") .withScope("read_pets")) ));

then the swagger UI looks fine [image: image.png]

but the swagger.json looks like this:

===================

{ "openapi" : "3.0.3", "info" : { "title" : "CAPIF Core Function", "description" : "3GPP TS 29.222 V18.0.0 Common API Framework for 3GPP Northbound APIs", "contact" : { "name" : "Slicce", "url" : "https://www.slicce.co/api-terms-of-service", "email" : @.***" }, "version" : "1.1.5" }, "paths" : { "/api-invovation-logs/v1/{aefId}/logs" : {

....

"security" : [ ]

}

}

=========================

and I was expecting something like this:

=========================

{ "openapi" : "3.0.3", "info" : { "title" : "CAPIF Core Function", "description" : "3GPP TS 29.222 V18.0.0 Common API Framework for 3GPP Northbound APIs", "contact" : { "name" : "Slicce", "url" : "https://www.slicce.co/api-terms-of-service", "email" : @.***" }, "version" : "1.1.5" },

"security" [

{},

  {
    "oAuth2ClientCredentials": [
      "client_id"
    ]
  }

], "paths" : { "/api-invovation-logs/v1/{aefId}/logs" : {

....

I think some clients don't like the fact that the security section is missing.

-Franck.

On Mon, Sep 4, 2023 at 6:45 PM dzikoysk @.***> wrote:

I think I need more information, because the example works properly. When you'll visit the OpenApi scheme, the following properties are added to the scheme & Swagger UI picks them up.

Could you provide an example with highlighted difference between generated scheme and expected result?

— Reply to this email directly, view it on GitHub https://github.com/javalin/javalin-openapi/issues/201#issuecomment-1705468176, or unsubscribe https://github.com/notifications/unsubscribe-auth/AMPYYPRWBQ2QZTVMCTCWMDDXYXZQVANCNFSM6AAAAAA4KMG5GY . You are receiving this because you authored the thread.Message ID: @.***>

dzikoysk commented 1 year ago

The code you gave:

.withSecurity(new SecurityComponentConfiguration()
  .withSecurityScheme("OAuth2", new OAuth2("This API uses OAuth 2 with the implicit grant flow.")
      .withFlow(new ImplicitFlow("https://api.example.com/oauth2/authorize")
      .withScope("read_pets", "read your pets")
      .withScope("write_pets", "modify pets in your account")
  )
  .withFlow(new ClientCredentials("https://api.example.com/credentials/authorize"))
)
.withGlobalSecurity(new Security("OAuth2")
  .withScope("write_pets")
  .withScope("read_pets"))
)

Produces valid scheme:

obraz

Make sure that you use the latest version of OpenAPI plugin & annotation processor runs on updated sources (clean package / clean build)

franck-malka commented 1 year ago

I use version 5.6.2-2 and I get an empty security object after clean + package

On Tue, Sep 5, 2023 at 12:17 AM dzikoysk @.***> wrote:

The code you gave:

.withSecurity(new SecurityComponentConfiguration() .withSecurityScheme("OAuth2", new OAuth2("This API uses OAuth 2 with the implicit grant flow.") .withFlow(new ImplicitFlow("https://api.example.com/oauth2/authorize") .withScope("read_pets", "read your pets") .withScope("write_pets", "modify pets in your account") ) .withFlow(new ClientCredentials("https://api.example.com/credentials/authorize")) ) .withGlobalSecurity(new Security("OAuth2") .withScope("write_pets") .withScope("read_pets")) )

Produces valid scheme:

[image: obraz] https://user-images.githubusercontent.com/4235722/265541578-52f4c5d7-2806-4c86-a01a-aabdcec3587d.png

Make sure that you use the latest version of OpenAPI plugin & annotation processor runs on updated sources (clean package / clean build)

— Reply to this email directly, view it on GitHub https://github.com/javalin/javalin-openapi/issues/201#issuecomment-1705705562, or unsubscribe https://github.com/notifications/unsubscribe-auth/AMPYYPX5MMDQWKYDQ43GQ43XYZAOVANCNFSM6AAAAAA4KMG5GY . You are receiving this because you authored the thread.Message ID: @.***>

dzikoysk commented 1 year ago

Could you prepare a small example repository that I can clone & run to reproduce your issue?

franck-malka commented 11 months ago

I understand, i am just missing the security fields in the controller class annotations I found this example security = { @OpenApiSecurity(name = "BasicAuth") } is there a doc for oAuth2.0 specific annotations?

-Franck.

On Tue, Sep 5, 2023 at 2:36 PM dzikoysk @.***> wrote:

Could you prepare a small example repository that I can clone & run to reproduce your issue?

— Reply to this email directly, view it on GitHub https://github.com/javalin/javalin-openapi/issues/201#issuecomment-1706450996, or unsubscribe https://github.com/notifications/unsubscribe-auth/AMPYYPSXA4ZZ637LFCKFKTDXY4FCRANCNFSM6AAAAAA4KMG5GY . You are receiving this because you authored the thread.Message ID: @.***>

dzikoysk commented 11 months ago

For configuration:

For annotations:

That's basically all we have, and it reflects 1:1 the OpenAPI specification, so that's the best source of truth there.