AutoSchema and `components/security` section in resulting OpenAPI spec


Adam Fletcher

Aug 12, 2020, 5:53:18 PM
to Django REST framework
Hi All,

Is there some magic to getting AutoSchema to generate an OpenAPI spec that has a components:security: section? I've enabled the authentication in settings.py, but I'm not seeing any security section in my OpenAPI schema. 

I'd expect to see:

  "components": {
    "securitySchemes": {
      "bearerAuth": {
        "type": "http",
        "scheme": "bearer"
      }
    }
  },
  "security": [
    {
      "bearerAuth": []
    }
  ]

But don't, which means my code generated from the schema is unaware of the bearerToken requirements. Has anyone seen a similar problem/know what I'm doing wrong?

Thanks!

-Adam

Tom Christie

Aug 18, 2020, 7:03:23 AM
to Django REST framework
Heya,

So the AutoSchema doesn't currently introspect and autogenerate `securitySchemes` and `security` sections.
I think the closest a PR ever got to implementing that was here... https://github.com/encode/django-rest-framework/pull/6915

The best you can get at the moment is subclassing the `SchemaGenerator`, in order to add in the extra sections manually, most likely by overriding `get_schema`, and including the extra keys.

  - T.

Alan Crosswell

Aug 18, 2020, 9:01:55 AM
to django-res...@googlegroups.com
Yes, see https://github.com/n2ygk/drf-openapi-auth-schema. I had originally implemented this as part of a PR still in the works for DJA (DRF-jsonapi) but pulled it out of that PR as it was really DRF-specific. I've recently had some free time to resume work on the DJA PR and the securitySchemes and security object support is crucial to actually making this usable for our projects so any help getting this support added to DRF (where it belongs) -- and possibly to DOT for the oauth component -- would be greatly appreciated.

Notably the DRF openapi schema code has matured a lot and features like components are now present in that code and were not at the time, so there's definitely a small amount of rework needed.


Alan Crosswell

Aug 18, 2020, 9:03:16 AM
to django-res...@googlegroups.com
PS: If getting this done for 3.12 would help, I'm game to take a shot at it. Please let me know.

ad...@bit.io

Aug 19, 2020, 8:45:25 PM
to Django REST framework
Thanks all!

This would be great in 3.12, but not critical - I can append the extra security component with a script for now, so I'm not blocked on my work. 

Thanks!

-Adam
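
Added example, not part of the thread and not DRF's own code: one way to add the sections by overriding `get_schema` as suggested above, with the merge kept as a plain function so it can also run as a post-processing script on a dumped schema. The names `add_security`, `SecuritySchemaMixin` and `public_paths` are assumptions made for this sketch.

```python
import copy

# Scheme from the question in this thread; the name "bearerAuth" is the poster's.
BEARER = {"bearerAuth": {"type": "http", "scheme": "bearer"}}
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def add_security(schema, schemes=BEARER, public_paths=()):
    """Return a copy of an OpenAPI 3 document that declares `schemes`.

    public_paths (hypothetical parameter) lists paths whose operations need no
    credentials; each gets an empty `security` list, which overrides the
    top-level requirement for that operation.
    """
    out = copy.deepcopy(schema)
    declared = out.setdefault("components", {}).setdefault("securitySchemes", {})
    for name, scheme in schemes.items():
        # Refuse to silently redefine a scheme that is already declared.
        if declared.get(name, scheme) != scheme:
            raise ValueError(f"conflicting definition for security scheme {name!r}")
        declared[name] = copy.deepcopy(scheme)
    # One requirement object per scheme: list entries are alternatives (OR),
    # matching DRF, where any one authentication class may authenticate.
    out["security"] = [{name: []} for name in schemes]
    for path in public_paths:
        if path not in out.get("paths", {}):
            raise KeyError(f"public path {path!r} is not in the schema")
        for method, operation in out["paths"][path].items():
            if method in HTTP_METHODS:  # skip "parameters", "summary", ...
                operation["security"] = []
    return out


class SecuritySchemaMixin:
    """List before rest_framework.schemas.openapi.SchemaGenerator in the bases."""

    security_schemes = BEARER
    public_paths = ()

    def get_schema(self, *args, **kwargs):
        schema = super().get_schema(*args, **kwargs)
        # The base generator may return None when there is nothing to document.
        if schema is None:
            return None
        return add_security(schema, self.security_schemes, self.public_paths)
```

With DRF installed, a class declared as `class SecuredSchemaGenerator(SecuritySchemaMixin, SchemaGenerator)` can be passed as `generator_class` to `get_schema_view`.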

Alan Crosswell

Sep 9, 2020, 9:45:41 AM
to django-res...@googlegroups.com
Adam:

Closing the loop on this thread: 

https://github.com/encode/django-rest-framework/pull/7516 looks like it will make it into 3.12. If you have a securityScheme that's not one of the standard ones found in rest_framework.authentication, simply subclass BaseAuthentication and implement two methods that return the securityScheme and security requirements objects for that class. I plan on submitting this approach as a PR to django-oauth-toolkit if and when included in DRF. I've already got code that generates the necessary OAS stuff to have lists of security requirements objects with required scopes.

Adam Fletcher

Sep 9, 2020, 12:00:05 PM
to django-res...@googlegroups.com
Great - we'll give this a shot when it lands in 3.12, and thanks!
