
OpenAPI extension creates bad oapi export with @RolesAllowed #27373

Closed
pilhuhn opened this issue Aug 19, 2022 · 2 comments · Fixed by #31671

Comments


pilhuhn commented Aug 19, 2022

Describe the bug

Adding a @RolesAllowed annotation to a method that is to be documented with OpenAPI results in the following verification warning:

Security Requirement 'SecurityScheme' scopes must be an empty array because the referenced Security Definition not "oauth2" or "openIdConnect".
Security Requirements can be specified for basic, apiKey, or oauth. When using basic or apiKey authentication, the security requirement must NOT provide a list of scopes (the list of scopes must be empty). In other words, scopes are only valid when using OAuth 2 authentication.

The generated JSON looks like

            security:
                -
                    SecurityScheme:
                        - HullaRole

This does not match the expectation from OpenAPI https://github.com/OAI/OpenAPI-Specification/blob/3.0.1/versions/3.0.1.md#securityRequirementObject

Expected behavior

Create correct openapi

Actual behavior

No response

How to Reproduce?

Use the openapi-swagger-quickstart with the following class

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;

@Path("/bla")
public class Main {

    @GET
    @RolesAllowed({"HullaRole"})   // the role name ends up as a "scope" in the generated security requirement
    public String getBla() {
        return "Hello OpenAPI";
    }
}

Then export the openapi.json and inspect it

Output of uname -a or ver

No response

Output of java -version

No response

GraalVM version (if different from Java)

No response

Quarkus version or git rev

2.11.2.Final

Build tool (i.e. output of mvnw --version or gradlew --version)

No response

Additional information

No response

@pilhuhn pilhuhn added the kind/bug Something isn't working label Aug 19, 2022

quarkus-bot bot commented Aug 19, 2022

MikeEdgar added a commit to MikeEdgar/quarkus that referenced this issue Mar 7, 2023
- Handle method-level `@RolesAllowed` that override class-level
`@RolesAllowed` values, fixes quarkusio#30997
- Render `BaseStream<T, S>` as array of `T` in OpenAPI document,
fixes quarkusio#30248 (via smallrye-open-api 3.3.0)
- Do not place scopes in OpenAPI security requirements unless the
security scheme is OAuth2 or OIDC, fixes quarkusio#27373
- Include only OIDC discovery URL in OpenAPI when auto-security is
active, fixes quarkusio#21126

Signed-off-by: Michael Edgar <[email protected]>
MikeEdgar added a commit to MikeEdgar/quarkus that referenced this issue Mar 8, 2023
- Handle method-level `@RolesAllowed` that override class-level
`@RolesAllowed` values, fixes quarkusio#30997
- Render `BaseStream<T, S>` as array of `T` in OpenAPI document,
fixes quarkusio#30248 (via smallrye-open-api 3.3.0)
- Do not place scopes in OpenAPI security requirements unless the
security scheme is OAuth2 or OIDC, fixes quarkusio#27373
- Include only OIDC discovery URL in OpenAPI when auto-security is
active, fixes quarkusio#21126

Signed-off-by: Michael Edgar <[email protected]>
@gsmet gsmet closed this as completed in b11fae5 Mar 9, 2023
@quarkus-bot quarkus-bot bot added this to the 3.0 - main milestone Mar 9, 2023
@TheoBullat

Hi, in the newest OpenAPI spec (https://github.com/OAI/OpenAPI-Specification/blob/3.1.0/versions/3.1.0.md) it is now allowed to put scopes for types other than oauth2 or openIdConnect:

If the security scheme is of type "oauth2" or "openIdConnect", then the value is a list of scope names required for the execution, and the list MAY be empty if authorization does not require a specified scope. For other security scheme types, the array MAY contain a list of role names which are required for the execution, but are not otherwise defined or exchanged in-band.

But with the changes from this issue, it is no longer possible to add scopes with RolesAllowed. The generated JSON ends up like:

security:
    -
        SecurityScheme: []

Would it be possible to again allow scopes to be derived from the RolesAllowed annotation when the OpenAPI version used is 3.1.0 or higher?
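
As an added example (not code from the issue, Quarkus or smallrye-open-api): a small Python check that walks the security requirement objects of an OpenAPI document and flags a non-empty scope array on a scheme that is not oauth2/openIdConnect under 3.0.x, while accepting role names there once the document declares 3.1.0 or later. The sample document is constructed to mirror the output described in the report.

```python
# Added example: validate security requirement objects against the referenced
# scheme types, using the 3.0.x rule from the issue and the relaxed 3.1.0 rule.
SCOPED_TYPES = {"oauth2", "openIdConnect"}

# Constructed sample resembling the document the issue describes: a basic-auth
# scheme whose requirement on GET /bla still carries the role name as a scope.
SAMPLE_DOC = {
    "openapi": "3.0.1",
    "components": {
        "securitySchemes": {"SecurityScheme": {"type": "http", "scheme": "basic"}}
    },
    "paths": {"/bla": {"get": {"security": [{"SecurityScheme": ["HullaRole"]}]}}},
}


def _requirements(doc):
    """Yield (location, requirement list) for the root and every operation."""
    yield "(root)", doc.get("security", [])
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if isinstance(op, dict) and "security" in op:
                yield f"{method.upper()} {path}", op["security"]


def check_security_requirements(doc):
    """Return one message per requirement that violates the declared spec version."""
    schemes = doc.get("components", {}).get("securitySchemes", {})
    major, minor = (int(p) for p in doc.get("openapi", "3.0.0").split(".")[:2])
    # 3.1.0+: non-OAuth schemes may carry role names in the array; 3.0.x: it must be empty.
    roles_allowed_in_array = (major, minor) >= (3, 1)
    problems = []
    for where, reqs in _requirements(doc):
        for req in reqs:
            for name, scopes in req.items():
                scheme = schemes.get(name)
                if scheme is None:
                    problems.append(f"{where}: undefined security scheme '{name}'")
                elif scopes and not roles_allowed_in_array and scheme.get("type") not in SCOPED_TYPES:
                    problems.append(
                        f"{where}: scheme '{name}' is type '{scheme.get('type')}' "
                        f"so scopes must be empty, got {scopes}"
                    )
    return problems


if __name__ == "__main__":
    for msg in check_security_requirements(SAMPLE_DOC):
        print(msg)
```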
