Thanks, Ron. https://github.com/swagger-api/swagger-ui/issues/2580.
Ron

On Friday, December 23, 2016 at 10:10:58 AM UTC-5, Ron wrote:

> I see, did not get that it’s what you’re experiencing.
>
> Yes, absolutely, if the list of scopes is empty, the UI should definitely
> allow it to be executed regardless of other definitions.
>
> Would you mind opening a ticket on the project?
>
> From: <[email protected]> on behalf of Ron Dagostino <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Thursday, 22 December 2016 at 21:21
> To: "[email protected]" <[email protected]>
> Subject: Re: Swagger-UI Authorize Button requires at least 1 scope?
>
> True, the spec says "the value is a list of scope names required for the
> execution." But it doesn't say that the list must be non-empty. In fact
> it is empty in the first part of the example I gave, and the UI works just
> fine; it works fine when ALL the executions are defined this way. But as
> soon as we add an execution that requires a non-empty scope -- the button
> won't make a request unless you enable at least one scope. My reading of
> this situation is that either there is a bug in the UI or the spec mandates
> that all endpoints (aka executions) must have a non-empty scope. I don't
> think there is any other option besides one of these two. Authorizing any
> authenticated person is the case where the scope can be empty and the
> execution will still be allowed. I have that use case.
>
> On Dec 22, 2016, at 9:21 PM, Ron Ratovsky <[email protected]> wrote:
>
> I understand that, but the spec says the scopes are required, so
> effectively, you have to enable them. I’d argue that the UI shouldn’t give
> you the choice and enable all by default.
>
> If you want to have both options, you can use the same requirements, once
> with the scopes and once without.
>
> From: <[email protected]> on behalf of Ron Dagostino <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Thursday, 22 December 2016 at 18:09
> To: Swagger <[email protected]>
> Subject: Re: Swagger-UI Authorize Button requires at least 1 scope?
>
> Perhaps I should be more specific. Given this:
>
> securityDefinitions:
>   bearerToken:
>     type: oauth2
>     description: An OAuth 2 bearer token
>     flow: application
>     tokenUrl: https://example.com/whatever
>     scopes: {}
>
> The "Authorize" button will retrieve an empty token. All of my endpoints
> appear like this, of course:
>
> security:
>   - bearerToken: []
> :
>
> Now if I add a new endpoint, and that endpoint happens to require a
> particular scope, I have to adjust my securityDefinitions:
>
> securityDefinitions:
>   bearerToken:
>     type: oauth2
>     description: An OAuth 2 bearer token
>     flow: application
>     tokenUrl: https://example.com/whatever
>     scopes: {scope1: scope1 description}
>
> And now I have my new endpoint:
>
> security:
>   - bearerToken: [scope1]
>
> All of a sudden the "Authorize" button will not do anything unless I
> enable the "scope1" checkbox.
>
> This feels like a bug to me -- I should still be able to authenticate and
> get an empty token if I want to.
>
> Ron
>
> On Thursday, December 22, 2016 at 5:36:08 PM UTC-5, Ron Dagostino wrote:
>
> I've confirmed that the "Authorize" Button will in fact authorize and
> retrieve an empty token if my yaml definition declares no scopes (in other
> words, all endpoints are available to authenticated users and don't require
> any particular scope).
>
> Ron
>
> On Dec 22, 2016, at 4:38 PM, Ron Ratovsky <[email protected]> wrote:
>
> It’s tricky.
>
> From the spec -
> https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#securityRequirementObject
> :
>
> “Each name must correspond to a security scheme which is declared in the
> Security Definitions
> <https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#securityDefinitions>.
> If the security scheme is of type "oauth2", then the value is a list of
> scope names required for the execution. For other security scheme types,
> the array MUST be empty.”
>
> Meaning, the scopes are not optional…
>
> From: <[email protected]> on behalf of Ron Dagostino <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Thursday, 22 December 2016 at 13:02
> To: Swagger <[email protected]>
> Subject: Swagger-UI Authorize Button requires at least 1 scope?
>
> Hi folks. Swagger-UI provides an "Authorize" button at the top of the
> page, and the resulting dialog requires at least 1 scope be enabled before
> the UI will attempt to get a token (at least with the
> application/client_credentials flow and the recently-merged password flow;
> I haven't tried other flows). Yet if there are endpoints that require
> authentication but no particular scope (i.e. they are open to any
> authenticated client regardless of the token scope) then it becomes
> necessary to authorize via the little icon that appears next to the actual
> endpoint further down in the UI -- the "Authorize" button won't let me get
> empty tokens. It seems reasonable to me that I might want to request an
> empty token via the "Authorize" button at the top of the UI. Does this
> seem reasonable to others, and this should be created as an issue, or am I
> missing something?
>
> Ron
>
> --
> You received this message because you are subscribed to the Google Groups
> "Swagger" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
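As an added example (not code from this thread or from the swagger-ui project), the following script applies the Security Requirement Object rule quoted above to a constructed Swagger 2.0 document modelled on the thread's definitions, and answers the thread's question per operation: does a token that carries no scopes satisfy the operation, including Ron Ratovsky's suggestion of listing the same requirement twice, once with the scope and once without.

```python
# Added example, not from the thread or the swagger-ui project. Applies the
# quoted spec rule for Security Requirement Objects and reports, per operation,
# whether an OAuth2 token with a given set of scopes satisfies it.

# Constructed Swagger 2.0 document, modelled on the definitions in the thread.
SPEC = {
    "securityDefinitions": {
        "bearerToken": {"type": "oauth2", "flow": "application",
                        "tokenUrl": "https://example.com/whatever",
                        "scopes": {"scope1": "scope1 description"}},
        "apiKey": {"type": "apiKey", "name": "X-API-Key", "in": "header"},
    },
    "paths": {
        "/open":   {"get": {"security": [{"bearerToken": []}]}},
        "/scoped": {"get": {"security": [{"bearerToken": ["scope1"]}]}},
        # Same requirement listed twice: either kind of token is accepted.
        "/either": {"get": {"security": [{"bearerToken": ["scope1"]},
                                         {"bearerToken": []}]}},
        # Violates the rule: a non-oauth2 scheme must carry an empty array.
        "/bad":    {"get": {"security": [{"apiKey": ["scope1"]}]}},
    },
}

def validate_requirement(req, defs):
    """Return the violations of the quoted spec rule for one requirement object."""
    errors = []
    for name, scopes in req.items():
        scheme = defs.get(name)
        if scheme is None:
            errors.append(f"{name}: not declared in securityDefinitions")
        elif scheme["type"] != "oauth2":
            if scopes:
                errors.append(f"{name}: non-oauth2 scheme must have an empty array")
        else:
            undeclared = [s for s in scopes if s not in scheme.get("scopes", {})]
            if undeclared:
                errors.append(f"{name}: undeclared scopes {undeclared}")
    return errors

def token_satisfies(req, defs, token_scopes):
    """Every scheme in a requirement object must be satisfied; an oauth2 entry
    with an empty list needs only an authenticated token, whatever its scopes."""
    return all(defs.get(n, {}).get("type") == "oauth2" and set(s) <= set(token_scopes)
               for n, s in req.items())

def report(spec, token_scopes=()):
    """Map 'METHOD path' -> (violations, satisfied by a token with token_scopes)."""
    defs, out = spec["securityDefinitions"], {}
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            reqs = op.get("security", spec.get("security", []))
            errs = [e for r in reqs for e in validate_requirement(r, defs)]
            # An empty security array means the operation needs no credentials;
            # otherwise any one of the alternatives satisfied is enough.
            ok = not reqs or any(token_satisfies(r, defs, token_scopes) for r in reqs)
            out[f"{method.upper()} {path}"] = (errs, ok)
    return out
```

Run `report(SPEC)` for a scope-less token and `report(SPEC, ("scope1",))` for a scoped one to compare which operations each satisfies.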
