Global security scheme not added to path.security section

[foarsitter]

When using the SECURITY setting, the defined security schemes are added at the global level.

This go's well when you do not have other authentication_classes defined. When you do have authentication_classes defined, the global defined security schemes are not added to the path.security section and thus not available for the endpoints.

My current solution is to override AuthSchema.get_auth and return None when settings.DEFAULT_AUTHENTICATION_CLASSES equals view.authentication_classes

class SettingSecureAutoSchema(AutoSchema):

    def get_auth(self):

        if api_settings.DEFAULT_AUTHENTICATION_CLASSES == self.view.authentication_classes:
            return None

        return super().get_auth()

An other solution is to add everything that is in SECURE to the path.security section.

Is this the direction you want to go? Are should we introduce a list in settings where we can add extra OpenApiAuthenticationExtension classes?

[tfranzel]

this was not thoroughly tested because it was more like a fallback. it should receive a fix.

OpenApiAuthenticationExtension does not have to be added anywhere. put it anywhere in your code so that the interperter comes by at least once. it autoregisters and is used automatically.

however, if you want to use it for djangorestframework-api-key, there is a fix required because it behaves slightly different.

this all should be better documented, sry

[tfranzel]

added explicit deprecation warning for SECURITY (6f2c447). OpenApiAuthenticationExtension should be the default way to go.

[tfranzel]

in case you do use djangorestframework-api-key this fix should accommodate you. security is now added everywhere if provided. OpenApiAuthenticationExtension is of course still preferred everywhere else.