Closed borisirota closed 9 years ago
@borisirota In order to efficiently solve this issue, could you send me a concrete use case (swagger file + operation(s) to be invoked)? So we can test the scenario from end to end. Unfortunately on our side we are still using swagger 1.0.
The following example expects the request to contain the authorization header only on the /secure_user path (getUserSecure). This header has no effect on the /user path (getUser):
swagger: '2.0'
info:
  version: "0.0.0"
  title: <enter your title>
securityDefinitions:
  oauth2:
    type: oauth2
    scopes:
      read: "allow read"
    flow: password
    tokenUrl: http://localhost:3001/auth/token
paths:
  /user:
    get:
      description: Get user
      operationId: getUser
      responses:
        200:
          description: User returned
          schema:
            type: object
            properties:
              name:
                type: string
        404:
          description: User not found
  /secure_user:
    get:
      description: Get user
      operationId: getUserSecure
      security:
        - oauth2:
          - "read"
      responses:
        200:
          description: User returned
          schema:
            type: object
            properties:
              name:
                type: string
        404:
          description: User not found
I hope it helps :)
In JSON:
{
  "swagger": "2.0",
  "info": {
    "version": "0.0.0",
    "title": "<enter your title>"
  },
  "securityDefinitions": {
    "oauth2": {
      "type": "oauth2",
      "scopes": {
        "read": "allow read"
      },
      "flow": "password",
      "tokenUrl": "http://localhost:3001/auth/token"
    }
  },
  "paths": {
    "/user": {
      "get": {
        "description": "Get user",
        "operationId": "getUser",
        "responses": {
          "200": {
            "description": "User returned",
            "schema": {
              "type": "object",
              "properties": {
                "name": {
                  "type": "string"
                }
              }
            }
          },
          "404": {
            "description": "User not found"
          }
        }
      }
    },
    "/secure_user": {
      "get": {
        "description": "Get user",
        "operationId": "getUserSecure",
        "security": [
          {
            "oauth2": [
              "read"
            ]
          }
        ],
        "responses": {
          "200": {
            "description": "User returned",
            "schema": {
              "type": "object",
              "properties": {
                "name": {
                  "type": "string"
                }
              }
            }
          },
          "404": {
            "description": "User not found"
          }
        }
      }
    }
  }
}
Hi Boris,
Would you like to submit a PR regarding this?
@wcandillon already commented here. About your question, I will. It will take me some time to get to this one though. Any ideas about the best way to inject the token?
Hi,
The swagger spec supports the Security Definitions Object and allows authenticating specific paths by adding the `security` property to a path. I think that as a starting point, adding the requested header to paths that contain the security property will be great (because support for a more robust mechanism which takes into account not only the oauth2 flow but the api-key flow as well will take time).
Not quite sure though what is the best way to inject the token (which can be changed dynamically). Maybe register on some event from the rootScope that the user will have to call on token change?
Thanks, Boris
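An added example (not the project's or the thread participants' code) of the per-operation check described above: read the `security` property of each operation in a Swagger 2.0 document, attach the Authorization header only to operations that require an oauth2 scheme, and obtain the token through a caller-supplied callback (`getToken`, a hypothetical name) so it can change at runtime. The `spec` object is a constructed excerpt of the file posted in the thread.

```javascript
// Constructed excerpt of the spec posted in the thread (added example, not the
// project's code): only getUserSecure declares a `security` requirement.
const spec = {
  swagger: '2.0',
  securityDefinitions: {
    oauth2: {
      type: 'oauth2', flow: 'password', scopes: { read: 'allow read' },
      tokenUrl: 'http://localhost:3001/auth/token',
    },
  },
  paths: {
    '/user': { get: { operationId: 'getUser' } },
    '/secure_user': { get: { operationId: 'getUserSecure', security: [{ oauth2: ['read'] }] } },
  },
};

// Index operations by operationId. An operation-level `security` overrides the
// document-level default; `security: []` explicitly opts an operation out.
function indexOperations(doc) {
  const ops = {};
  for (const [path, item] of Object.entries(doc.paths || {})) {
    for (const [method, op] of Object.entries(item)) {
      if (!op || typeof op !== 'object' || !op.operationId) continue;
      const security = op.security !== undefined ? op.security : (doc.security || []);
      ops[op.operationId] = { path, method: method.toUpperCase(), security };
    }
  }
  return ops;
}

// Names of the security schemes an operation accepts (union over alternatives).
function requiredSchemes(doc, operationId) {
  const op = indexOperations(doc)[operationId];
  if (!op) throw new Error(`unknown operation ${operationId}`);
  return [...new Set(op.security.flatMap((req) => Object.keys(req)))];
}

// Build headers for one call. `getToken` (hypothetical name) is supplied by the
// caller so the token can change at runtime; it is consulted only when the
// operation requires an oauth2 scheme, so unsecured calls never carry a token.
function buildHeaders(doc, operationId, getToken) {
  const headers = { Accept: 'application/json' };
  const needsOAuth = requiredSchemes(doc, operationId)
    .some((name) => (doc.securityDefinitions[name] || {}).type === 'oauth2');
  if (!needsOAuth) return headers;
  const token = getToken();
  if (!token) throw new Error(`${operationId} requires a token but none is available`);
  headers.Authorization = `Bearer ${token}`;
  return headers;
}
```

Calling `buildHeaders(spec, 'getUserSecure', () => currentToken)` yields `Authorization: Bearer <currentToken>`, while the same call for `getUser` never invokes the callback and returns no Authorization header.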