Template paths in tokenUrl parameter of security definition #551
Comments
|
tokenUrl is type string and format uri why does format uri not support RFC 6570 URI Template ? |
|
URI Template strings themselves are not valid URIs (strictly). Some of the characters used in URI Templates are special characters in the URI specification and require being escaped. The reason the There are a number of other places in the issue tracker where tokenization of the Swagger specification is being requested so don't take my explaining "why" as us not being willing to support it. |
|
@deefactorial - the real question here is - do you just want to describe it as a templated path? If so, you can easily do so by escaping the URL according to the regular URI escaping rules. If you expect an added functionality, such that the user should be able to specify the value for the templated path, then it would be a feature request for the next version. I've never really seen before the example where an OAuth2 token URL is personalized to the user - normally there's one end point for such requests. If you could provide more details as to why you chose to implement it this way (as it seems uncommon), it would help us in assessing it for the future. Of course, it could be a very common practice which I'm not aware of, and in that case I'd ask to see some references to usage out there or references to public documentation suggesting this form of implementation. |
|
I understand that this is uncommon way of describing this particular end point. Since working with swagger to define my API I have re-factored the way I describe my end points. I find the easiest way to explain my model is to push primary key data into the path. the 'user_id' in my example is just one of those primary key data elements that needs to be known prior to posting to the API end point. without that information you can't post to the end point. It's more of a convention I use for my API. I think the best way for me to write this in my API is to escape the template path and provide a vendor extension pointer to the operation id of the oauth end point in my API. Something like this: securityDefinitions:
oauth2PasswordSecurity:
type: oauth2
flow: password
tokenUrl: 'https://example.com/V2/user/%7Buser_id%7D/oauth/token'
x-token-operation-id: oauth2tokenPostWith this I have a valid swagger definition, and if clients want more information on how to use the end point they can reference the operation id. |
|
Right, though that takes away from the ability to automate the process easily. Still doable, but just not as easy. However, there are so many design options out there... I'm not sure if it would make sense to support it in the next version, but I'll mark it up for discussion. |
|
Parent issue #585 |
|
I think doing password flow to obtain tokens this way is fairly unusual. Considering the additional complexity introduced by templating URLs, I don't think we can address this in 3.0. |
|
Btw, templates do not work in server part of relative tokenUrl either. For example resolves to token url 'https://%7Bcustomer%7D.example.com/token'. |
|
@deus-x-machina that sounds like an issue with the specific tool you're using - not the spec. |
|
We have a system with a perimeter server, which passes requests to a farm of back-end servers. Each back-end server belongs to a specific tenant, and in the API we add the tenant name to the URLs in order to know which back-end to send the request to. In this scenario, we would like to also pass the authentication request on to the correct back-end system. I.e., the URL would look like So in this scenario I don't find it odd to have a parameter in the tokenUrl. I really hope this feature will be added. |
|
This is a requirement for me for Keycloak multi-tenancy using realms. But also the keycloak server is different than the application server (we are using Kubernetes ingress host based routing). So, I need similar functionality to the OpenAPI servers section. |
Is there any way to read the template varaible in the client auth pop up window? With the swagger-ui-dist NPM module this is not reading the variable defined in the servers url and its creating trouble for us too |
|
@rupamkhaitan Swagger UI issue that you mentioned is tracked here: swagger-api/swagger-ui#4740 |
|
I posted this question on SO a while back - Good to see other people are thinking about something similar. One thing to keep in mind regarding the server templating; |
|
We have a dedicated Keycloak instance for our prod, stage and test Environment. The Server section does support this nicely using ServerVariables. So +1 for this enhancement from my side. |
Exact same case for my team as well! A vote from me as well. |
Please use the GitHub reactions functionality on the original post. We can track that, whereas positive comments we can't. |
|
What is the state on this one? I think the templateing functionality really is need for |
|
Still waiting on this feature. Would be greatly appreciated! My swagger-ui page can only be used to view my api documentation at the moment and it can't be used to interact with the api if someone has credentials. |
|
I would also appreciate this feature, because I cannot use swagger-ui to interact with my different environments, which are DEV/STAGING/PROD: servers:
tokenUrl: /o/token/ IMHO, the token endpoint should not be absolute, but relative to the selected server URL (analogous to the API endpoints), i.e. in my case: ...just because authentication/authorization can be different in each environment. |
Exact same issue in here. |
|
Same issue here. Multiples servers (per environment) that communicate with different authorization servers (also per environment). I would like to have something like this: securitySchemes:
oauth2:
type: oauth2
flows:
clientCredentials:
tokenUrl: "https://{env}.authorization-server.bla/oauth2/token"
variables:
env:
enum:
- 'dev'
- 'prod'
scopes:
my-things-api.read: read-only (get)
my-things-api.write: write-only (put, post, patch)
my-things-api.all: read-write (get, post, put, patch, and delete)
description: This API uses OAuth 2 with the client clientCredentials grant flow.The only alternative I found was to declare multiple security schemes with the same flow. What would be impossible if it was the case of a tenant. |
|
To formalize the implicit requirement appearing in @dkirrane's and @anderson-marques's comments: For parameterizing the |
|
Has this issue been resolved yet? I also am having the issue of being unable to use variables in my |
|
Same here! 😄 I'm trying to specify different environments in the TokenURL section. |
|
is there any ETA for that? |
|
Would also like to see this option in the specification. |
|
+1 |
1 similar comment
|
+1 |
This only makes sense when you are implementing yourself both the resource server and the authorisation server and they sit under the same domain. If you are putting them in different domains, or simply using a third-party authorisation server (like Auth0), the authorisation and token endpoints won't be relative to the server URLs. |
handrews
added
the
Moved to Moonwalk
|
I am fairly certain that if this is to be addressed, it will be done in OAS 4 Moonwalk under the separation of concerns principle, specifically separating API descriptions and deployments. This is a major redesign of what's currently handled with the Servers Object and various bits related to security. Since it seems pretty unlikely that such a complex change would make it into a 3.x, I'm going to mark this as "moved to Moonwalk" and encourage joining the discussion over there. |
and others
I'm running into an issue with the spec.
swagger-api/validator-badge#73
It seems that template paths are not allowed in the tokenUrl parameter of security definitions.
my use case is:
I'm not sure if it's a bug in the 2.0 spec or a feature for next version.
What would be the best way to deterministically describe template paths to clients ?
The text was updated successfully, but these errors were encountered: