It’s tricky.
From the spec - https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#securityRequirementObject:
“Each name must correspond to a security scheme which is declared in the Security Definitions. If the security scheme is of type "oauth2", then the value is a list of scope names required for the execution. For other security scheme types, the array MUST be empty.”
Meaning, the scopes are not optional…
--
You received this message because you are subscribed to the Google Groups "Swagger" group.
To unsubscribe from this group and stop receiving emails from it, send an email to swagger-swaggers...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
You received this message because you are subscribed to a topic in the Google Groups "Swagger" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/swagger-swaggersocket/XY40k5NPlHg/unsubscribe.
To unsubscribe from this group and all its topics, send an email to swagger-swaggers...@googlegroups.com.
I've confirmed that the "Authorize" Button will in fact authorize and retrieve an empty token if my yaml definition declares no scopes (in other words, all endpoints are available to authenticated users and don't require any particular scope).
Ron
From: <swagger-swaggersocket@googlegroups.com> on behalf of Ron Dagostino <rnd...@gmail.com>
Reply-To: "swagger-swaggersocket@googlegroups.com" <swagger-swaggersocket@googlegroups.com>
Date: Thursday, 22 December 2016 at 13:02
To: Swagger <swagger-swaggersocket@googlegroups.com>
Subject: Swagger-UI Authorize Button requires at least 1 scope?
Hi folks. Swagger-UI provides an "Authorize" button at the top of the page, and the resulting dialog requires at least 1 scope be enabled before the UI will attempt to get a token (at least with the application/client_credentials flow and the recently-merged password flow; I haven't tried other flows). Yet if there are endpoints that require authentication but no particular scope (i.e. they are open to any authenticated client regardless of the token scope) then it becomes necessary to authorize via the little icon that appears next to the actual endpoint further down in the UI -- the "Authorize" button won't let me get empty tokens. It seems reasonable to me that I might want to request an empty token via the "Authorize" button at the top of the UI. Does this seem reasonable to others, and should this be created as an issue, or am I missing something?
Ron
I understand that, but the spec says the scopes are required, so effectively, you have to enable them. I’d argue that the UI shouldn’t give you the choice and enable all by default.
If you want to have both options, you can use the same requirements, once with the scopes and once without.
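Added example, not part of the original thread or of any Swagger project code: a small Python linter that checks Swagger 2.0 security requirements against the rule quoted from the spec earlier in the thread, and that accepts the "once with the scopes and once without" pattern suggested in the reply above. The sample document, the scheme names `oauth` and `key`, the token URL and the function `lint_security` are all constructed for illustration; flagging scopes that are not declared on the scheme is an extra sanity check, not wording from the quoted passage.

```python
# Added example: lint Swagger/OpenAPI 2.0 security requirements against the
# rule quoted from the spec. SPEC is constructed sample data, not from the thread.
SPEC = {
    "swagger": "2.0",
    "securityDefinitions": {
        "oauth": {"type": "oauth2", "flow": "application",
                  "tokenUrl": "https://auth.example.com/token",
                  "scopes": {"read": "read access"}},
        "key": {"type": "apiKey", "name": "X-API-Key", "in": "header"},
    },
    "paths": {
        # Same scheme listed twice: once with a scope, once without.
        # Entries in a "security" array are alternatives (logical OR).
        "/reports": {"get": {"security": [{"oauth": ["read"]}, {"oauth": []}]}},
        # Any authenticated client: oauth2 with an empty scope list.
        "/whoami": {"get": {"security": [{"oauth": []}]}},
        # Violations: scopes on a non-oauth2 scheme, and an undeclared scheme.
        "/bad": {"get": {"security": [{"key": ["read"]}, {"missing": []}]}},
    },
}

METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

def lint_security(spec):
    """Return a sorted list of (location, message) findings."""
    defs = spec.get("securityDefinitions", {})
    targets = [("top-level", spec.get("security", []))]
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method in METHODS and "security" in op:
                targets.append((f"{method.upper()} {path}", op["security"]))
    findings = []
    for where, requirements in targets:
        for requirement in requirements:
            for name, scopes in requirement.items():
                scheme = defs.get(name)
                if scheme is None:
                    findings.append((where, f"'{name}' is not in securityDefinitions"))
                elif scheme.get("type") != "oauth2":
                    if scopes:  # spec: array MUST be empty for other types
                        findings.append((where, f"'{name}' is {scheme.get('type')}; array must be empty"))
                else:
                    for s in scopes:  # extra check: scope must be declared
                        if s not in scheme.get("scopes", {}):
                            findings.append((where, f"scope '{s}' not declared on '{name}'"))
    return sorted(findings)

if __name__ == "__main__":
    for where, msg in lint_security(SPEC):
        print(f"{where}: {msg}")
```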
I see, did not get that it’s what you’re experiencing.
Yes, absolutely, if the list of scopes is empty, the UI should definitely allow it to be executed regardless of other definitions.
Would you mind opening a ticket on the project?