networknt / light-rest-4j

A RESTful framework built on top of light-4j with both Swagger 2.0 and OpenAPI 3.0 supports
Apache License 2.0

Scope verification does not work with two or more securitySchemes #136

Closed stevehu closed 4 years ago

stevehu commented 4 years ago

While working with UK OpenBanking Account API, it has two securitySchemes defined as below.

  securitySchemes:
    TPPOAuth2Security:
      type: oauth2
      description: TPP client credential authorisation flow with the ASPSP
      flows:
        clientCredentials:
          tokenUrl: 'https://authserver.example/token'
          scopes:
            accounts: Ability to read Accounts information
    PSUOAuth2Security:
      type: oauth2
      description: >-
        OAuth flow, it is required when the PSU needs to perform SCA with the
        ASPSP when a TPP wants to access an ASPSP resource owned by the PSU
      flows:
        authorizationCode:
          authorizationUrl: 'https://authserver.example/authorization'
          tokenUrl: 'https://authserver.example/token'
          scopes:
            accounts: Ability to read Accounts information

The OpenAPIHelper implementation assumes that there is only one securityScheme available in the spec, and it has worked well until now. As you know, we are loading the openapi.yaml at runtime to verify the scopes based on the specification, and we are using the scheme name to look up the scopes. With the above spec, if PSUOAuth2Security is used, we cannot get the scopes and scope verification fails. To fix it, we need to allow multiple schemes in the spec and put them into an array list. When looking up the scopes, we need to iterate all the schemes in the array to find the scopes.
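Scope resolution across several securitySchemes, as an added Python illustration of the fix described above (it is not light-rest-4j's Java OpenApiHelper). The spec dict is constructed from the issue's YAML; the `/accounts` path, its `security` entry and the token scopes are assumed. It also fails closed with an explicit error when an operation names a scheme or scope the spec never declared, instead of surfacing a NullPointerException:

```python
# Constructed OpenAPI 3.0 fragment mirroring the two oauth2 schemes from the issue.
SPEC = {
    "components": {"securitySchemes": {
        "TPPOAuth2Security": {"type": "oauth2", "flows": {"clientCredentials": {
            "tokenUrl": "https://authserver.example/token",
            "scopes": {"accounts": "Ability to read Accounts information"}}}},
        "PSUOAuth2Security": {"type": "oauth2", "flows": {"authorizationCode": {
            "authorizationUrl": "https://authserver.example/authorization",
            "tokenUrl": "https://authserver.example/token",
            "scopes": {"accounts": "Ability to read Accounts information"}}}},
    }},
    # Assumed operation: it references the *second* scheme, the case that failed.
    "paths": {"/accounts": {"get": {"security": [{"PSUOAuth2Security": ["accounts"]}]}}},
}


def defined_scopes(spec):
    """Scopes declared by every oauth2 scheme (all flows), keyed by scheme name,
    rather than assuming the spec contains a single scheme."""
    declared = {}
    for name, scheme in spec.get("components", {}).get("securitySchemes", {}).items():
        if scheme.get("type") != "oauth2":
            continue
        declared[name] = {s for flow in scheme.get("flows", {}).values()
                          for s in flow.get("scopes", {})}
    return declared


def required_scopes(spec, path, method):
    """One set of scopes per security requirement object (any one set suffices;
    every scheme inside a set is required). Raises, instead of returning None,
    when the operation names a scheme or scope the spec never declared."""
    op = spec["paths"][path][method]
    declared = defined_scopes(spec)
    alternatives = []
    for requirement in op.get("security", spec.get("security", [])):
        needed = set()
        for scheme_name, scopes in requirement.items():
            if scheme_name not in declared:
                raise ValueError(f"unknown securityScheme {scheme_name!r}")
            if not set(scopes) <= declared[scheme_name]:
                raise ValueError(f"scope not declared by {scheme_name}: {scopes}")
            needed.update(scopes)
        alternatives.append(needed)
    return alternatives


def scopes_satisfied(token_scopes, alternatives):
    """Token passes when it covers all scopes of at least one requirement object."""
    granted = set(token_scopes)
    return any(needed <= granted for needed in alternatives)
```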

stevehu commented 4 years ago

The error message from the log file:

accounts_1  | 20:51:18.156 [XNIO-1 task-1]  KV5jH6VfSAyEfp9BCGbi6Q ERROR c.n.exception.ExceptionHandler handleRequest - Exception:
accounts_1  | java.lang.NullPointerException: null
accounts_1  |   at com.networknt.openapi.JwtVerifyHandler.handleRequest(JwtVerifyHandler.java:161)
accounts_1  |   at com.networknt.handler.Handler.next(Handler.java:208)
accounts_1  |   at com.networknt.handler.Handler.next(Handler.java:229)
accounts_1  |   at com.networknt.openapi.OpenApiHandler.handleRequest(OpenApiHandler.java:108)
accounts_1  |   at com.networknt.handler.Handler.next(Handler.java:208)
accounts_1  |   at com.networknt.handler.Handler.next(Handler.java:229)
accounts_1  |   at com.networknt.correlation.CorrelationHandler.handleRequest(CorrelationHandler.java:77)
accounts_1  |   at com.networknt.handler.Handler.next(Handler.java:208)
accounts_1  |   at com.networknt.handler.Handler.next(Handler.java:229)
accounts_1  |   at com.networknt.traceability.TraceabilityHandler.handleRequest(TraceabilityHandler.java:66)
accounts_1  |   at com.networknt.handler.Handler.next(Handler.java:208)
accounts_1  |   at com.networknt.handler.Handler.next(Handler.java:229)
accounts_1  |   at com.networknt.exception.ExceptionHandler.handleRequest(ExceptionHandler.java:76)
accounts_1  |   at io.undertow.server.Connectors.executeRootHandler(Connectors.java:370)
accounts_1  |   at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
accounts_1  |   at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
accounts_1  |   at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:2019)
accounts_1  |   at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1558)
accounts_1  |   at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1449)
accounts_1  |   at java.base/java.lang.Thread.run(Unknown Source)

stevehu commented 4 years ago

Scope verification does not work with two or more securitySchemes light-rest-4j master

stevehu commented 4 years ago

Scope verification does not work with two or more securitySchemes light-rest-4j 1.6.x