How to describe non-standard, custom authorization scheme


j3d

Aug 31, 2014, 12:55:04 PM8/31/14
to swagger-sw...@googlegroups.com
This is the authorization header needed to invoke my REST API...

    Authorization: MyAuth JWT:SIGNATURE

... where JWT is a JSON Web Token containing standard claims as well as custom claims (e.g. an encrypted API key) and SIGNATURE is an HmacSHA1 digest generated by the client (i.e. swagger-ui). Then, the server extracts the encrypted API key from the JWT, decrypts it with the application secret and recalculates the SIGNATURE by concatenating the JWT, HTTP method, URL, and request body. If the SIGNATURE calculated by the server corresponds to the SIGNATURE sent by the client, then the request is valid; otherwise it is rejected.

That said, I'm reading the Swagger specification... and it is not clear to me how I should document my authorization scheme:

    @Api(
      value = "/auth/users",
      description = "Register users and manage their accounts",
      authorizations = Array(
        new Authorization(
          value = "MyAuth",
          // what should I put here?
        )
      )
    )

How do I correctly describe my authorization scheme?

Tx,
j3d
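The scheme described above, worked through on both sides as an added example (this is not code from the original post or from swagger-ui): the server issues an HS256 JWT carrying an encrypted API-key claim, the client signs the JWT, HTTP method, URL and body with HmacSHA1 under the API key, and the server verifies the JWT, recovers the API key and recomputes the signature with a constant-time comparison. Assumptions not stated in the post: the HMAC key is the decrypted API key, the JWT is signed with the application secret, the canonical string joins the four parts with newlines, and `toy_encrypt`/`toy_decrypt` are a labelled stand-in for whatever cipher the real service uses.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample secrets; a real deployment would keep these in a secret store.
APP_SECRET = b"constructed-application-secret"
API_KEY = b"constructed-client-api-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def toy_encrypt(secret: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Hypothetical stand-in for the real cipher: SHA-256 keystream XOR.
    Placeholder only, so the example runs offline; not a production cipher."""
    stream = b""
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(secret + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(p ^ s for p, s in zip(plaintext, stream))


toy_decrypt = toy_encrypt  # XOR with the same keystream reverses it


def issue_jwt(secret: bytes, api_key: bytes, nonce: bytes) -> str:
    """Server side: HS256 JWT with standard claims plus the encrypted API key."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": "example-issuer",            # constructed standard claims
        "sub": "user-42",
        "nonce": b64url(nonce),
        "enc_api_key": b64url(toy_encrypt(secret, nonce, api_key)),  # custom claim
    }
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def canonical_string(jwt: str, method: str, url: str, body: bytes) -> bytes:
    # The post lists JWT, method, URL and body; the newline separator is an assumption.
    # Unambiguous separators matter: without them "/a" + "b" and "/ab" + "" collide.
    return b"\n".join([jwt.encode(), method.upper().encode(), url.encode(), body])


def sign_request(api_key: bytes, jwt: str, method: str, url: str, body: bytes) -> str:
    """Client side (the swagger-ui role): HmacSHA1 over the canonical string, hex-encoded."""
    return hmac.new(api_key, canonical_string(jwt, method, url, body), hashlib.sha1).hexdigest()


def build_header(jwt: str, signature: str) -> str:
    return f"MyAuth {jwt}:{signature}"


def verify_request(secret: bytes, header: str, method: str, url: str, body: bytes) -> bool:
    """Server side: parse the header, check the JWT, recover the API key, recompute."""
    scheme, _, credential = header.partition(" ")
    if scheme != "MyAuth" or ":" not in credential:
        return False
    jwt, _, client_sig = credential.rpartition(":")  # base64url JWT contains no ':'
    parts = jwt.split(".")
    if len(parts) != 3:
        return False
    try:
        hdr = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        nonce = b64url_decode(claims["nonce"])
        enc_key = b64url_decode(claims["enc_api_key"])
    except (ValueError, KeyError, TypeError):
        return False
    if hdr.get("alg") != "HS256":  # never let the token choose the algorithm
        return False
    expected_jwt_sig = hmac.new(secret, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_jwt_sig, b64url_decode(parts[2])):
        return False
    api_key = toy_decrypt(secret, nonce, enc_key)
    expected_sig = sign_request(api_key, jwt, method, url, body)
    return hmac.compare_digest(expected_sig, client_sig)


if __name__ == "__main__":
    token = issue_jwt(APP_SECRET, API_KEY, b"constructed-nonce")
    body = b'{"name":"example"}'
    auth = build_header(token, sign_request(API_KEY, token, "POST", "/auth/users", body))
    print(auth)
    print("valid:", verify_request(APP_SECRET, auth, "POST", "/auth/users", body))
    print("tampered body:", verify_request(APP_SECRET, auth, "POST", "/auth/users", b"{}"))
```

Because the method, URL and body are bound into the signature, a replayed header only works for the identical request; the JWT's own signature stops a client from altering the encrypted key claim, and `hmac.compare_digest` avoids leaking the comparison result through timing.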

Ron

Aug 31, 2014, 1:00:31 PM8/31/14
to swagger-sw...@googlegroups.com
Keep in mind you are limited to 3 authorization options - basic, api_key and oauth2.

What you're describing doesn't fall under any of those directly. You can emulate it by using an api key, but you won't be able to describe the expected value's structure.


--
You received this message because you are subscribed to the Google Groups "Swagger" group.
To unsubscribe from this group and stop receiving emails from it, send an email to swagger-swaggers...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
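As an added illustration of the api_key emulation Ron suggests (not from the original thread or the Swagger project), this is how the Swagger 1.2 resource listing would declare the scheme: an `apiKey` authorization passed in the `Authorization` header. The name `MyAuth` is the one from the question; the rest of the listing is omitted. As Ron notes, the spec only says that a key is sent in this header, not that its value has the `MyAuth JWT:SIGNATURE` layout or how the signature is computed, so that contract still has to be documented in prose beside the spec.

```json
{
  "swaggerVersion": "1.2",
  "apis": [
    { "path": "/auth/users", "description": "Register users and manage their accounts" }
  ],
  "authorizations": {
    "MyAuth": {
      "type": "apiKey",
      "passAs": "header",
      "keyname": "Authorization"
    }
  }
}
```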

Rameshbabu Pandiyarajan

Sep 1, 2014, 3:51:03 AM9/1/14
to swagger-sw...@googlegroups.com
Ron,

I've invoked my API call through the RestClient addon in the Mozilla browser.
Initially I invalidate the session for each request at the end of the API call.
If I give Basic authentication, it fetches the result for the API call.
If I don't provide Basic authentication, the response status code is 200 instead of 401.
How can I achieve this 401 error for incorrect authentication?

Ron

Sep 1, 2014, 3:55:02 AM9/1/14
to swagger-sw...@googlegroups.com
Rameshbabu,

In the future, please start a new thread for new topics, as it may be confusing for other users.
As for your issue, I'm not really sure how it relates to Swagger.

