-
Notifications
You must be signed in to change notification settings - Fork 9.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow optional Authorizations #14
Comments
@jacobweber - in 2.0 you can specify several possible security requirements, and each of them can include multiple schemes. So if you declare schema A, B and C you can have something like ( (A AND B) OR C ). |
Sounds like it would. Is that documented here? I couldn't quite find what you describe, although I haven't read it too closely yet. |
Yes. It is spread about several locations though. Perhaps I should create a section that clarifies it. |
Will do, thanks. Yeah, an example would probably be helpful. |
Yeah, I need to add samples throughout the document (as you can obviously see). I was waiting to finalize the security part of it. If you manage to read through it and see that it fits this issue, please close it. |
There are some examples already in What I think is missing is a “no security” option in
|
This is an old ticket, and I believe the samples have been added to the spec. |
I still can't find an example of a "no security" option. Something like the |
@webron Also in need of a Should I raise a new ticket for this? |
@mikestead yup |
+1 Also in need of |
Was this functionality ever added? The ability to do as @rkarodia and @mikestead described with "no security" defaulting to public content is very needed |
same question here :) |
Everyone, you don't need a "security": [
{},
{"oauth": […]},
{"token-1": []},
{"token-2": []}
] |
Thx for the fast feedback. Will look into It. |
But the swagger validator says the spec is not valid anymore ? |
@iongion if it says it's invalid, then file a ticket on that project. |
Has this feature been somehow lost in 3.0? I want to specify an API, that can be called with and without auth and will return slightly different results depending on that. |
@BGehrels I am not aware of any conversations in the work on the V3 spec to change this behavior. I don't think this option was very clearly spelled out in the V2 spec and we didn't do a better job in the V3 spec. We definitely should fix that. |
Since this issue targets 2.0 and is closed, should i open a seperate issue for that? |
In case someone is needing optional authorization for Swagger 2.0 and YAML files, this format worked for me: I tried several other variants but this was the only one that worked with |
Auth was added in c077573. Most/All our endpoints are available without authentication (but some records may be protected) - let's make it explicit that unauthenticated use is legitimate. As far as I can tell this has no impact in swagger ui, though. See OAI/OpenAPI-Specification#14
Auth was added in c077573. Most/All our endpoints are available without authentication (but some records may be protected) - let's make it explicit that unauthenticated use is legitimate. As far as I can tell this has no impact in swagger ui, though. See OAI/OpenAPI-Specification#14
* Add basic description to global API meta information * make it explicit that auth is optional Auth was added in c077573. Most/All our endpoints are available without authentication (but some records may be protected) - let's make it explicit that unauthenticated use is legitimate. As far as I can tell this has no impact in swagger ui, though. See OAI/OpenAPI-Specification#14
This works for me on version 3 with express node js Added this on .yaml file:
So the endpoint defined by that file accepts both ApiKey (defined on my security schema file) or non-authenticated requests |
This is an enhancement request, to allow optional authorizations. Not sure if this would be useful for others, but it would be for me.
In my case, you can access my APIs with no authorization, with OAuth, or with a set of two API keys. Depending on which you use, I may give you access to different data, but you still use the same APIs.
One way to handle this would be to allow a "required" boolean for each authorization in the API's Authorizations object.
If you did this, I could mark both of my oauth2 and apiKey authorizations as optional, which would allow you to select either or none of them. (It would also allow you to select both, but that's not really a problem.)
My case is also complicated by the fact that I need two parameters for my API key. If you wanted to treat this as a single Authorization, you'd have to allow multiple keynames for an apiKey. You could also treat it as two separate Authorizations, and just make them both optional. That's not ideal, since it wouldn't give you a way to indicate that they go together, but it would work.
The text was updated successfully, but these errors were encountered: