Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow optional Authorizations #14

Closed
jacobweber opened this issue Mar 23, 2014 · 22 comments
Closed

Allow optional Authorizations #14

jacobweber opened this issue Mar 23, 2014 · 22 comments

Comments

@jacobweber
Copy link

This is an enhancement request, to allow optional authorizations. Not sure if this would be useful for others, but it would be for me.

In my case, you can access my APIs with no authorization, with OAuth, or with a set of two API keys. Depending on which you use, I may give you access to different data, but you still use the same APIs.

One way to handle this would be to allow a "required" boolean for each authorization in the API's Authorizations object.

If you did this, I could mark both of my oauth2 and apiKey authorizations as optional, which would allow you to select either or none of them. (It would also allow you to select both, but that's not really a problem.)

My case is also complicated by the fact that I need two parameters for my API key. If you wanted to treat this as a single Authorization, you'd have to allow multiple keynames for an apiKey. You could also treat it as two separate Authorizations, and just make them both optional. That's not ideal, since it wouldn't give you a way to indicate that they go together, but it would work.

fehguy added a commit that referenced this issue Sep 8, 2014
@webron
Copy link
Member

webron commented Oct 14, 2014

@jacobweber - in 2.0 you can specify several possible security requirements, and each of them can include multiple schemes.

So if you declare schema A, B and C you can have something like ( (A AND B) OR C ).
Does that meet your proposal?

@jacobweber
Copy link
Author

Sounds like it would. Is that documented here? I couldn't quite find what you describe, although I haven't read it too closely yet.

@webron
Copy link
Member

webron commented Oct 14, 2014

Yes. It is spread about several locations though. Perhaps I should create a section that clarifies it.
Check out the documentation for https://github.com/wordnik/swagger-spec/blob/master/versions/2.0.md#swaggerSecurity and for https://github.com/wordnik/swagger-spec/blob/master/versions/2.0.md#securityRequirementObject.

@jacobweber
Copy link
Author

Will do, thanks. Yeah, an example would probably be helpful.

@webron
Copy link
Member

webron commented Oct 14, 2014

Yeah, I need to add samples throughout the document (as you can obviously see). I was waiting to finalize the security part of it.

If you manage to read through it and see that it fits this issue, please close it.

@wking
Copy link

wking commented Dec 6, 2014

There are some examples already in swagger-spec/fixtures/v2.0/json/resources/securityExample.json:

What I think is missing is a “no security” option in securityDefinitions. Then you could have:

"security": {
  {"none": []},
  {"oauth": […]},
  {"token-1": []},
  {"token-2": []}
},
"securityDefinitions": {
  "none": {"type": "none", "description": "Publicly accessible (no authentication needed)."},
  "oauth": {…},
  "token-1": {…},
  "token-2": {…}
}

wking added a commit to azurestandard/api-spec that referenced this issue Dec 6, 2014
Explaining that all the currently-spec'ed endpoints that require auth
can be accessed via either basic auth or a session cookie.

Most of the secured endpoints will also return a subset of information
for unathenticated requests.  Unfortunately, there doesn't seem to be
a way to specify this in Swagger at the moment [1].

At the moment, the only unsecured endpoints are:

* GET /categories
* GET /category/{id}

[1]: OAI/OpenAPI-Specification#14 (comment)
@webron
Copy link
Member

webron commented Mar 27, 2016

This is an old ticket, and I believe the samples have been added to the spec.

@webron webron closed this as completed Mar 27, 2016
@rkarodia
Copy link

I still can't find an example of a "no security" option. Something like the {"none": []} example proposed by @wking

@mikestead
Copy link

@webron Also in need of a none security definition so when a token isn't provided responses are restricted to public content. Otherwise I need two endpoints for pretty much the same thing.

Should I raise a new ticket for this?

@webron
Copy link
Member

webron commented May 19, 2016

@mikestead yup

@rorisme
Copy link

rorisme commented Aug 20, 2016

+1 Also in need of none security definition. @mikestead would you please copy a reference to the new ticket here when you create it?

@elzii
Copy link

elzii commented Apr 4, 2017

Was this functionality ever added? The ability to do as @rkarodia and @mikestead described with "no security" defaulting to public content is very needed

@rompic
Copy link

rompic commented Apr 26, 2017

same question here :)

@webron
Copy link
Member

webron commented Apr 26, 2017

Everyone, you don't need a none definition. The following has the same effect:

"security": [
  {},
  {"oauth": []},
  {"token-1": []},
  {"token-2": []}
]

@rompic
Copy link

rompic commented Apr 27, 2017

Thx for the fast feedback. Will look into It.

@iongion
Copy link

iongion commented Jun 3, 2017

But the swagger validator says the spec is not valid anymore ?
How do you solve this in the end ?

@webron
Copy link
Member

webron commented Jun 5, 2017

@iongion if it says it's invalid, then file a ticket on that project.

@BGehrels
Copy link

BGehrels commented Feb 21, 2018

Has this feature been somehow lost in 3.0? I want to specify an API, that can be called with and without auth and will return slightly different results depending on that.

@darrelmiller
Copy link
Member

@BGehrels I am not aware of any conversations in the work on the V3 spec to change this behavior. I don't think this option was very clearly spelled out in the V2 spec and we didn't do a better job in the V3 spec. We definitely should fix that.

@BGehrels
Copy link

Since this issue targets 2.0 and is closed, should i open a seperate issue for that?
This issue is one of the first hits when one searches for "openapi optional auth", so it may be a good idea to leave a hint here how to accomplish this in the meantime. I would do it, but i still have no idea :-)

@JohannesKuehnel
Copy link

JohannesKuehnel commented Nov 8, 2019

In case someone is needing optional authorization for Swagger 2.0 and YAML files, this format worked for me: security: [ {}, JwtAuth: []] (where JwtAuth is in my securityDefinitions).

I tried several other variants but this was the only one that worked with swagger-codegen-cli (Java okhttp-gson), swagger-express-middleware for Node.js and validation with swagger-cli.

wiese added a commit to wmde/wikibase-rest-api-proposal that referenced this issue Sep 21, 2020
Auth was added in c077573. Most/All our endpoints are available without
authentication (but some records may be protected) - let's make it
explicit that unauthenticated use is legitimate.

As far as I can tell this has no impact in swagger ui, though.

See
OAI/OpenAPI-Specification#14
wiese added a commit to wmde/wikibase-rest-api-proposal that referenced this issue Sep 22, 2020
Auth was added in c077573. Most/All our endpoints are available without
authentication (but some records may be protected) - let's make it
explicit that unauthenticated use is legitimate.

As far as I can tell this has no impact in swagger ui, though.

See
OAI/OpenAPI-Specification#14
itamargiv pushed a commit to wmde/wikibase-rest-api-proposal that referenced this issue Sep 22, 2020
* Add basic description to global API meta information

* make it explicit that auth is optional

Auth was added in c077573. Most/All our endpoints are available without
authentication (but some records may be protected) - let's make it
explicit that unauthenticated use is legitimate.

As far as I can tell this has no impact in swagger ui, though.

See
OAI/OpenAPI-Specification#14
@jpincz
Copy link

jpincz commented Sep 25, 2022

This works for me on version 3 with express node js

Added this on .yaml file:

security:
  - ApiKey: ['someScope']
  - {}

So the endpoint defined by that file accepts both ApiKey (defined on my security schema file) or non-authenticated requests

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests