search

swagger-api / swagger-ui

Swagger UI is a collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API.
https://swagger.io
Apache License 2.0
26.67k stars 8.97k forks source link

Logical OR for OAuth2 security scheme is not displayed correctly in authorization #10124

Open KristinaB162 opened 2 months ago

KristinaB162 commented 2 months ago

Q&A

Content & configuration

Example Swagger/OpenAPI definition, relying on your example:

security: 
  - oAuth2: 
    - read_write_pets
    - read_pets
paths:
  /pets:
    get:
      summary: Get all pets
      security: 
        - oAuth2: 
          - read_write_pets
        - oAuth2:
          - read_pets

Describe the bug you're encountering

As described here https://github.com/OAI/OpenAPI-Specification/discussions/3001, scopes can be expressed in different ways to illustrate logical relationships in an OpenApi Spec.

In the example yaml, the get-request is now implemented with the logical OR of the OpenAPI specification. This means that read or read-write authorization is required. In the Swagger UI, only the first specified scope is then visible when authorizing for the given path.

To reproduce...

Steps to reproduce the behavior:

  1. Create a path in a yaml file with a security scheme that has two logical scopes ORed together
  2. Open the file in a swagger UI
  3. Click on the open lock for this modified path
  4. See that there is only one scope (the first one)

Expected behavior

The expectation here is that both scopes are visible and that they are linked with a logical OR. This means that I do not necessarily need both to use this path.