Skip to content

Trying to introspect openapi security schemes #6915

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Trying to introspect openapi security schemes #6915

wants to merge 1 commit into from

Conversation

ysavary
Copy link
Contributor

@ysavary ysavary commented Sep 5, 2019
edited
Loading

Hello,

I noticed that the generation of openapi schema is not managing authentication. It seems also that openapi schema contains only the views that the current user is allowed to use. Why not list all the endpoints and add try to introspect the openapi security and 'securitySchemes'. Then an openapi client (for example Swagger) will give the opportunity to the user to login with the related security scheme.

What do you think?

(This PR was helping me to understand how it's work: it's not ready to merge!)

@n2ygk
Copy link
Contributor

n2ygk commented Sep 5, 2019

I have some code that can do this. I had implemented it in a PR (WIP) for DJA but pulled it with the intention of refactoring and submitting it here, where it belongs. It would be great if you took a look, back-ported to DRF and improved it. See https://github.com/n2ygk/drf-openapi-auth-schema.

It is currently missing session cookie stuff but has basicAuth and oauth2 and actually works with a DJA backend and OAS 3.0 tools like swagger-UI.

This generates both security objects for each path/method but also securitySchemes:

paths:
  /widgets/:
    get:
      security:
      - basicAuth: []
      - oauth:
        - openid
        - read
      - oauth:
        - rando
        - read
...
components:
  securitySchemes:
    basicAuth:
      type: http
      scheme: basic
    oauth:
      type: oauth2
      description: oauth2.0 service
      flows:
        authorizationCode:
          authorizationUrl: https://oauth.example.com/authorization
          tokenUrl: https://oauth.example.com/token
          refreshUrl: https://oauth.example.come/token
          scopes:
            address: address
            read: read
            openid: openid
            profile: profile
            update: update
            delete: delete
            create: create
            email: email
            rando: rando

...

Feel free to use/toss out as you see fit.

@adriankrupa
Copy link

@tomchristie @rpkilby Any thoughts on this topic? Is this the right direction? Right now it is hard to use swagger-ui with secured endpoints.

@rpkilby
Copy link
Member

rpkilby commented Dec 11, 2019

Hi @adriankrupa. OpenAPI/schemas are more @carltongibson's wheelhouse. I might review basic code quality, but I can't really review the substance of this PR.

@carltongibson
Copy link
Collaborator

This PR as it stands isn't close. (Adding an authentication class, no tests, etc) (Also probably the wrong strategy, but...) I'm going to close this PR on that basis.

I'd be interested to see @n2ygk's work, but haven't had the bandwidth to look at that.

Yes, it would be good to add this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@ysavary @n2ygk @adriankrupa @rpkilby @carltongibson