Perhaps I should be more specific. Given this:
securityDefinitions:
  bearerToken:
    type: oauth2
    description: An OAuth 2 bearer token
    flow: application
    tokenUrl: https://example.com/whatever
    scopes: {}
The "Authorize" button will retrieve an empty token. All of my endpoints
appear like this, of course:
security:
  - bearerToken: []
Now if I add a new endpoint, and that endpoint happens to require a
particular scope, I have to adjust my securityDefinitions:
securityDefinitions:
  bearerToken:
    type: oauth2
    description: An OAuth 2 bearer token
    flow: application
    tokenUrl: https://example.com/whatever
    scopes: {scope1: scope1 description}
And now I have my new endpoint:
security:
  - bearerToken: [scope1]
All of a sudden the "Authorize" button will not do anything unless I enable
the "scope1" checkbox.
This feels like a bug to me -- I should still be able to authenticate and
get an empty token if I want to.
Ron
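Added example, not part of the thread: a small lint in Python that applies the two rules from the Security Requirement Object section of the OpenAPI 2.0 spec quoted below (every name must match a securityDefinitions entry; oauth2 schemes list required scopes, other types must have an empty list) and also reports which operations, like Ron's, require a token but no particular scope. SAMPLE_SPEC is constructed here from the YAML in the thread, with an extra apiKey scheme and a misspelled scope added to exercise the checks.

```python
# Constructed sample spec: the thread's bearerToken definition plus an apiKey scheme and a typo'd scope.
SAMPLE_SPEC = {
    "swagger": "2.0",
    "securityDefinitions": {
        "bearerToken": {"type": "oauth2", "flow": "application",
                        "tokenUrl": "https://example.com/whatever",
                        "scopes": {"scope1": "scope1 description"}},
        "apiKey": {"type": "apiKey", "name": "X-API-Key", "in": "header"},
    },
    "paths": {
        "/open": {"get": {"security": [{"bearerToken": []}]}},          # any authenticated client
        "/scoped": {"get": {"security": [{"bearerToken": ["scope1"]}]}},
        "/typo": {"get": {"security": [{"bearerToken": ["scope2"]}]}},  # scope never declared
        "/key": {"get": {"security": [{"apiKey": ["scope1"]}]}},        # scopes on a non-oauth2 scheme
    },
}

def security_sites(spec):
    """Yield (location, requirement list): the global default, then each operation."""
    yield "global", spec.get("security", [])
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            if "security" in op:
                yield f"{method.upper()} {path}", op["security"]

def check_security(spec):
    """Return the rule violations found (empty list when the document is clean)."""
    defs = spec.get("securityDefinitions", {})
    problems = []
    for where, reqs in security_sites(spec):
        for req in reqs:                      # each element is one alternative requirement
            for name, scopes in req.items():  # scheme name -> list of scopes
                scheme = defs.get(name)
                if scheme is None:
                    problems.append(f"{where}: '{name}' is not in securityDefinitions")
                elif scheme.get("type") == "oauth2":
                    for s in scopes:
                        if s not in scheme.get("scopes", {}):
                            problems.append(f"{where}: scope '{s}' not declared for '{name}'")
                elif scopes:
                    problems.append(f"{where}: '{name}' is {scheme.get('type')}, scope list must be empty")
    return problems

def scope_free_operations(spec):
    """Operations that need only an oauth2 token, with no particular scope (Ron's case)."""
    defs = spec.get("securityDefinitions", {})
    return [where for where, reqs in security_sites(spec) if where != "global" and any(
        scopes == [] and defs.get(name, {}).get("type") == "oauth2"
        for req in reqs for name, scopes in req.items())]
```

Running check_security on a document before publishing it catches the mismatch Ron hit (an endpoint naming a scope that securityDefinitions does not declare) without relying on Swagger-UI's Authorize dialog to surface it.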
On Thursday, December 22, 2016 at 5:36:08 PM UTC-5, Ron Dagostino wrote:
>
> I've confirmed that the "Authorize" Button will in fact authorize and
> retrieve an empty token if my yaml definition declares no scopes (in other
> words, all endpoints are available to authenticated users and don't require
> any particular scope).
>
> Ron
>
> On Dec 22, 2016, at 4:38 PM, Ron Ratovsky <[email protected]> wrote:
>
> It’s tricky.
>
> From the spec
> (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#securityRequirementObject):
>
> "Each name must correspond to a security scheme which is declared in the
> Security Definitions
> <https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#securityDefinitions>.
> If the security scheme is of type "oauth2", then the value is a list of
> scope names required for the execution. For other security scheme types,
> the array MUST be empty."
>
> Meaning, the scopes are not optional...
>
> From: <[email protected]> on behalf of Ron Dagostino <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Thursday, 22 December 2016 at 13:02
> To: Swagger <[email protected]>
> Subject: Swagger-UI Authorize Button requires at least 1 scope?
>
> Hi folks. Swagger-UI provides an "Authorize" button at the top of the
> page, and the resulting dialog requires at least 1 scope be enabled before
> the UI will attempt to get a token (at least with the
> application/client_credentials flow and the recently-merged password flow;
> I haven't tried other flows). Yet if there are endpoints that require
> authentication but no particular scope (i.e. they are open to any
> authenticated client regardless of the token scope) then it becomes
> necessary to authorize via the little icon that appears next to actual
> endpoint further down in the UI -- the "Authorize" button won't let me get
> empty tokens. It seems reasonable to me that I might want to request an
> empty token via the "Authorize" button at the top of the UI. Does this
> seem reasonable to others, and this should be created as an issue, or am I
> missing something?
>
> Ron
>
> --
> You received this message because you are subscribed to the Google Groups
> "Swagger" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.