Support for Kerberos and others as type values of Security Scheme Object #451
What additional fields would be required to support Kerberos or other schemes you had in mind? As you can see in the spec,
Digest, NTLM and Negotiate work like basic (RFC 2617 contains basic and digest http://www.ietf.org/rfc/rfc2617.txt) in HTTP its
As you said, in Swagger basic has no additional metadata. So as far as I can see it's just adding the values
I wonder whether we should just add those as types or possibly group them all under the
As a side note, and possible workaround for now, you can use vendor extensions to specify the specific type. Just set it to type basic, and add something like
I think we are already at the right place as OAUTH uses the same mechanism to authenticate (when headers are used) and should just add them:
And as we are on the authentication topic... What about client certificates? Had that in mind yet? If not, we should consider including it when extending the auth types.
Related: #583
How is #583 related to this and not a duplicate of this?
@webron This ticket is about Kerberos and the WWW-Authenticate header. #583 is about the Authorization header. As a user I don't think it is my task to decide when tickets must be grouped because I don't have your global vision of the issues.
@dolmen of course, I much rather people open new issues than not comment at all. If issues are related, it may make sense to expand the discussion on the issue rather than open a new ticket, but either works - it's no big deal most of the times. Sometimes the differences are not clear - was just checking how the issues differ 😉
Parent issue: #585
The PR #807 now allows you to specify the scheme in the security definition, so you can specify the
Closing as done.
How will Kerberos work with Swagger? Can anyone help please?
@ashishdhyani you are mixing OAS v2 and v3 syntaxes. A
Hi @MikeRalphson,

```json
{
  "swagger": "2.0",
  "info": {
    "description": "description",
    "version": "1.0.0",
    "title": "S Desktop",
    "termsOfService": "",
    "contact": {
      "email": "ashish.dhyani@xyz.com"
    },
    "license": {
      "name": "Apache 2.0",
      "url": "http://www.apache.org/licenses/LICENSE-2.0.html"
    }
  },
  "host": "xyz.net:9999",
  "basePath": "/",
  "tags": [
    {
      "name": "unix-services",
      "description": "Unix services",
      "externalDocs": {
        "description": "Find out more",
        "url": ""
      }
    }
  ],
  "schemes": [
    "http"
  ],
  "paths": {
    "/": {
      "get": {
        "tags": [
          "unix-services"
        ],
        "summary": "Get all service statuses..",
        "description": "",
        "operationId": "get",
        "consumes": [
        ],
        "produces": [
          "application/json"
        ],
        "parameters": [
        ],
        "responses": {
          "405": {
            "description": "Invalid input"
          },
          "401": {
            "description": "Access Denied"
          }
        },
        "security": [
          {
            "negotiationAuth": [
            ]
          }
        ]
      }
    }
  },
  "securitySchemes": {
    "negotiationAuth": {
      "type": "http",
      "scheme": "negotiate",
      "in": "header"
    }
  },
  "definitions": {
    "ApiResponse": {
      "type": "object",
      "properties": {
        "code": {
          "type": "integer",
          "format": "int32"
        },
        "type": {
          "type": "string"
        },
        "message": {
          "type": "string"
        }
      }
    }
  },
  "externalDocs": {
    "description": "Find out more about Swagger",
    "url": "http://swagger.io"
  }
}
```
@ashishdhyani if you can post your v2 document as a gist, we can take a look at it; alternatively, have a look at the following blog posting.
Hi @MikeRalphson, I converted the file to OAS 3.x format (server name changed). Still I get 401 as response. Attached specification.
Hi @ashishdhyani
Unfortunately, even after putting it under components, I am getting an error.
Not all tools are going to support all possible authentication schemes, especially when they may be hosted on a different domain to the one which may contain your credentials. Please could you raise an issue on the relevant tool repository?
Thanks Mike, will check. Hi @lennybacon, in an earlier message of yours, you have a similar requirement. GET --->
@ashishdhyani I used this for API-documentation purposes only. Of course I was able to use Negotiate in custom code. But I have never used the interactive client or something like that.
@lennybacon, custom code you mean outside of swagger?
custom code = of swagger! clientCredential=true sounds like a good idea for the interactive client tools.
@ashishdhyani this is not the correct repository to reach out to the swagger team.
Reopening, as we'd like to get feedback on people's experiences with using Kerberos / NTLM / negotiate http security schemes. Are other metadata / hints required to make client or server implementations easier? For a 'try it out' type application, is prompting for realm/domain, username and password sufficient etc?
Prompting for realm/domain, username and password is sufficient. If it is javascript/XHR, setting
@lennybacon could you expand on that a little (with links if necessary)? I'm only familiar with
@MikeRalphson
From an API spec it is the same as Basic Authentication.
I don't know if I get your question right... HTTP headers are a common scenario for authentication, also for machine-to-machine communication.
So, I am wondering, does Kerberos work with SwaggerUI?
anyone?
Apologies for leaving you hanging. Though the swagger-ui repository would probably be the best place to ask, I don't believe Kerberos is supported in swagger-ui's Try It Out console today. Though there might be a hook you could use to implement it...
I just looked at the repo and from the code I guess it will not work. For basic they have a username and password field, which means they stuff the header by themselves: https://github.com/swagger-api/swagger-ui/blob/12e350fcad66f7708e6bc3e18d8cb2c9a107bc16/src/core/components/auth/basic-auth.jsx
@MikeRalphson @lennybacon Kerberos/SSO is the single most feature most of our user base has required. I will consider asking the swagger-ui group https://github.com/swagger-api/swagger-ui
We're actively looking at security improvements for v3.1, so let us know if Kerberos / SSO needs further support in the spec.
Yes. Kerberos is needed. It's used quite heavily in the world. So far in the 3 large companies I worked for, Kerberos was the primary auth method.
Technically, the spec supports it today, but tooling is free to support whichever auth schemes they want. But do we require any new metadata fields to make support actually work?
According to the OAS 3.0.2 documentation, all of the IANA-registered HTTP authentication schemes are supported, with the qualification that this relates to the Authorization header. As posted on Feb 9, 2018, these are not supported by the Swagger Editor or UI tooling, as was mentioned. Also, the 'in' property is not valid when type is set to 'http'; only scheme is valid. Presently, the only option is to use type: http, scheme: Custom, use vendor extensions (i.e. x-) to stipulate the remainder of the security scheme, and write a very clear description for application developers. There is a lot of work to be done here, potentially modifying the OAS 3.x JSON schema but mostly the tooling. I would like to open another issue to expand the concept of 'security scheme' beyond just authentication and authorization to other security schemes such as data integrity/digital signature, non-repudiation, PKI/digital certificates, etc. This would create a more 'normalized' JSON schema structure in the OAS specification while allowing flexibility in the tooling implementations. In the absence of defined security schemes for these, the concepts and related input and output parameters are becoming conflated with the actual resource-related inputs and outputs. The separation of these concepts would make APIs more readable, especially when the complexities of API security are required.
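A small lint, added here as an example and not code from the OpenAPI project or any commenter, that mechanically checks for the two problems raised in this thread: the v2/v3 mixing pointed out for the document above (a `swagger: "2.0"` document carrying an OAS 3 `securitySchemes` block, and an `http` scheme with no OAS 2.0 equivalent) and the point that `in` is not valid on an `http`-type scheme, only `scheme` is. It also flags operations whose security requirement names a scheme that was never defined, which is what a `components` move gone wrong looks like. The function names, finding texts, the three sample documents and the `x-auth-scheme` vendor extension are constructed for this example; the type and property rules are taken from the OAS 2.0 and OAS 3.0 Security Scheme Object definitions.

```python
"""Lint the security-scheme part of an OpenAPI document for v2/v3 mixing.

Added example, not OpenAPI project code. Rules follow the OAS 2.0 and 3.0
Security Scheme Object definitions; names, messages and samples are constructed.
"""
import json

# OAS 2.0 Security Scheme Object "type" values (no "http" type exists in 2.0).
V2_TYPES = {"basic", "apiKey", "oauth2"}
# OAS 3.0 "type" values. "http" carries "scheme" (any IANA HTTP auth scheme,
# e.g. negotiate); only "apiKey" carries "name" and "in".
V3_TYPES = {"apiKey", "http", "oauth2", "openIdConnect"}


def collect_schemes(doc):
    """Gather scheme definitions wherever the document put them, right place or not."""
    schemes = {}
    schemes.update(doc.get("securityDefinitions", {}))                   # OAS 2.0 location
    schemes.update(doc.get("securitySchemes", {}))                       # wrong in both versions
    schemes.update(doc.get("components", {}).get("securitySchemes", {}))  # OAS 3.x location
    return schemes


def lint_security_schemes(doc):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    is_v2 = "swagger" in doc
    is_v3 = "openapi" in doc

    # Location checks: each version has exactly one place for scheme definitions.
    if is_v2 and "securitySchemes" in doc:
        findings.append('top-level "securitySchemes" is OAS 3 syntax; OAS 2.0 uses "securityDefinitions"')
    if is_v2 and "components" in doc:
        findings.append('"components" is OAS 3 syntax and has no meaning in an OAS 2.0 document')
    if is_v3 and "securityDefinitions" in doc:
        findings.append('"securityDefinitions" is OAS 2.0 syntax; OAS 3 uses "components.securitySchemes"')
    if is_v3 and "securitySchemes" in doc:
        findings.append('"securitySchemes" must sit under "components" in OAS 3')

    schemes = collect_schemes(doc)
    for name, scheme in schemes.items():
        stype = scheme.get("type")
        if is_v2 and stype not in V2_TYPES:
            findings.append(f'{name}: type "{stype}" is not an OAS 2.0 type {sorted(V2_TYPES)}')
        if is_v3 and stype not in V3_TYPES:
            findings.append(f'{name}: type "{stype}" is not an OAS 3 type {sorted(V3_TYPES)}')
        if stype == "http":
            if "scheme" not in scheme:
                findings.append(f'{name}: type "http" requires "scheme"')
            if "in" in scheme or "name" in scheme:
                findings.append(f'{name}: "in"/"name" belong to apiKey schemes and are not valid for type "http"')
        if stype == "apiKey" and not all(k in scheme for k in ("name", "in")):
            findings.append(f'{name}: type "apiKey" requires both "name" and "in"')

    # Every scheme named in an operation's security requirement must be defined.
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if not isinstance(op, dict):
                continue
            for requirement in op.get("security", []):
                for ref in requirement:
                    if ref not in schemes:
                        findings.append(f'{method.upper()} {path}: security references undefined scheme "{ref}"')
    return findings


# Constructed sample 1: the shape posted in the thread, an OAS 2.0 document with
# an OAS 3 "securitySchemes" block whose http scheme also carries "in".
MIXED_DOC = {
    "swagger": "2.0",
    "paths": {"/": {"get": {"security": [{"negotiationAuth": []}]}}},
    "securitySchemes": {
        "negotiationAuth": {"type": "http", "scheme": "negotiate", "in": "header"}
    },
}

# Constructed sample 2: the same intent expressed correctly in OAS 3.0: scheme
# under components, type http with scheme negotiate, and no "in".
V3_DOC = {
    "openapi": "3.0.2",
    "components": {"securitySchemes": {"negotiateAuth": {"type": "http", "scheme": "negotiate"}}},
    "paths": {"/": {"get": {"security": [{"negotiateAuth": []}]}}},
}

# Constructed sample 3: OAS 2.0 has no http type, so "basic" plus a vendor
# extension (hypothetical name x-auth-scheme) is the workaround from the thread.
V2_DOC = {
    "swagger": "2.0",
    "securityDefinitions": {"negotiateAuth": {"type": "basic", "x-auth-scheme": "negotiate"}},
    "paths": {"/": {"get": {"security": [{"negotiateAuth": []}]}}},
}

if __name__ == "__main__":
    for label, doc in (("mixed", MIXED_DOC), ("v3", V3_DOC), ("v2", V2_DOC)):
        print(label, json.dumps(lint_security_schemes(doc), indent=2))
```

Running it reports three findings for the mixed document (wrong location, unknown OAS 2.0 type, stray `in`) and none for either correctly written form; the `http`/`negotiate` scheme in `V3_DOC` is the shape that the thread's later comments describe as spec-valid, independent of whether a given UI can actually perform the Negotiate exchange.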
Some work on exactly this is being undertaken at the moment. Probably the best thing is to join one of the Thursday open TSC calls if the time works for you, or I can dig out a link to a recording of a previous call where the work-in-progress was presented.
Thank you @MikeRalphson, yes I would be interested.
As I read here swagger 3 DOES support Kerberos:
We want to use swagger for an internal system. The authentication mechanism we use is Kerberos.
Currently this is not a supported type value of the Security Scheme Object.
To support Negotiate (for Kerberos), NTLM or Digest (as values for the WWW-Authenticate header) it would be nice if the type values would be added to the specification.