I see, did not get that it’s what you’re experiencing. Yes, absolutely, if the list of scopes is empty, the UI should definitely allow it to be executed regardless of other definitions.
Would you mind opening a ticket on the project? From: <[email protected]> on behalf of Ron Dagostino <[email protected]> Reply-To: "[email protected]" <[email protected]> Date: Thursday, 22 December 2016 at 21:21 To: "[email protected]" <[email protected]> Subject: Re: Swagger-UI Authorize Button requires at least 1 scope? True, the spec says "the value is a list of scope names required for the execution." But it doesn't says that the list must be non-empty. In fact it is empty in the first part of the example I gave, and the UI works just fine; it works fine when ALL the executions are defined this way. But as soon as we add an execution that requires a non-empty scope -- the button won't make a request unless you enable at least one scope. My reading of this situation is that either there is a bug in the UI or the spec mandates that all endpoints (aka executions) must have a non-empty scope. I don't think there is any other option besides one of these two. Authorizing any authenticated person is the case where the scope can be empty and the execution will still be allowed. I have that use case. On Dec 22, 2016, at 9:21 PM, Ron Ratovsky <[email protected]> wrote: I understand that, but the spec says the scopes are required, so effectively, you have to enable them. I’d argue that the UI shouldn’t give you the choice and enable all by default. If you want to have both options, you can use the same requirements, once with the scopes and once without. From: <[email protected]> on behalf of Ron Dagostino <[email protected]> Reply-To: "[email protected]" <[email protected]> Date: Thursday, 22 December 2016 at 18:09 To: Swagger <[email protected]> Subject: Re: Swagger-UI Authorize Button requires at least 1 scope? Perhaps I should be more specific. Given this: securityDefinitions: bearerToken: type: oauth2 description: An OAuth 2 bearer token flow: application tokenUrl: https://example.com/whatever scopes: {} The "Authorize" button will retrieve an empty token. All of my endpoints appear like this, of course: security: - bearerToken: [] : Now if I add a new endpoint, and that endpoint happens to require a particular scope, I have to adjust my securityDefinitions: securityDefinitions: bearerToken: type: oauth2 description: An OAuth 2 bearer token flow: application tokenUrl: https://example.com/whatever scopes: {scope1: scope1 description} And now I have my new endpoint: security: - bearerToken: [scope1] All of a sudden the "Authorize" button will not do anything unless I enable the "scope1" checkbox. This feels like a bug to me -- I should still be able to authenticate and get an empty token if I want to. Ron On Thursday, December 22, 2016 at 5:36:08 PM UTC-5, Ron Dagostino wrote: I've confirmed that the "Authorize" Button will in fact authorize and retrieve an empty token if my yaml definition declares no scopes (in other words, all endpoints are available to authenticated users and don't require any particular scope). Ron On Dec 22, 2016, at 4:38 PM, Ron Ratovsky <[email protected]> wrote: It’s tricky. >From the spec - >https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#securityRequirementObject: “Each name must correspond to a security scheme which is declared in the Security Definitions. If the security scheme is of type "oauth2", then the value is a list of scope names required for the execution. For other security scheme types, the array MUST be empty.” Meaning, the scopes are not optional… From: <[email protected]> on behalf of Ron Dagostino <[email protected]> Reply-To: "[email protected]" <[email protected]> Date: Thursday, 22 December 2016 at 13:02 To: Swagger <[email protected]> Subject: Swagger-UI Authorize Button requires at least 1 scope? Hi folks. Swagger-UI provides an "Authorize" button at the top of the page, and the resulting dialog requires at least 1 scope be enabled before the UI will attempt to get a token (at least with the application/client_credentials flow and the recently-merged password flow; I haven't tried other flows). Yet if there are endpoints that require authentication but no particular scope (i.e. they are open to any authenticated client regardless of the token scope) then it becomes necessary to authorize via the little icon that appears next to actual endpoint further down in the UI -- the "Authorize" button won't let me get empty tokens. It seems reasonable to me that I might want to request an empty token via the "Authorize" button at the top of the UI. Does this seem reasonable to others, and this should be created as an issue, or am I missing something? Ron -- You received this message because you are subscribed to the Google Groups "Swagger" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to a topic in the Google Groups "Swagger" group. To unsubscribe from this topic, visit https://groups.google.com/d/topic/swagger-swaggersocket/XY40k5NPlHg/unsubscribe. To unsubscribe from this group and all its topics, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "Swagger" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to a topic in the Google Groups "Swagger" group. To unsubscribe from this topic, visit https://groups.google.com/d/topic/swagger-swaggersocket/XY40k5NPlHg/unsubscribe. To unsubscribe from this group and all its topics, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "Swagger" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "Swagger" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
