security: add support for Authorization header with Bearer authentication scheme

Question

security: add support for Authorization header with Bearer authentication scheme

dolmen opened this issue 9 years ago · 43 comments

In Swagger 2.0 there is no way to tell that the apiKey can be given in the Authorization header using a given (non-Basic) authentication scheme. For example the Bearer scheme defined in RFC 6750 that is used for OAuth2 but could be used also for non-OAuth2 authentication.

Proposal: add the API Key location authorization in the Security Scheme Object:

{
    "type": "apiKey",
    "in": "authorization-header",
    "authenticationScheme": "Bearer"
}

ChrisPearce commented 9 years ago

+1

👍3

jvivs commented 9 years ago

+1

👍3

Answer 1 · 2016-02-29T16:52:37.000Z

are you saying that the apiKey scheme described here:

https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-scheme-object

is insufficient?

Answer 2 · 2016-02-29T21:09:31.000Z

Yes, of course, the security scheme of Swagger 2.0 is insufficient.

The apiKey scheme with in set to header is designed for a custom header where the api key will be the whole value of the header. For example:

{
    "type": "apiKey",
    "in": "header",
    "name": "Authorization"
}

will send this:

Authorization: <apiKey>

I need this:

Authorization: Bearer <apiKey>

Answer 3 · 2016-02-29T23:25:07.000Z

+1, I'm using JWT and I'd need the same thing

Answer 4 · 2016-02-29T23:49:12.000Z

+1 in addition to using JWT

Answer 5 · 2016-03-01T09:44:44.000Z

About authentication with JWT

Answer 6 · 2016-03-01T21:18:44.000Z

Parent issue #585

Answer 7 · 2016-04-12T06:33:07.000Z

+1 for JWT support. But I would prefer something like "type": "jwt" as this gives more info about the type of authentication.

Answer 8 · 2016-06-27T09:36:40.000Z

Here is a related approach to add JWT support into Swagger UI project swagger-api/swagger-ui#2234.

Answer 9 · 2016-06-27T13:36:24.000Z

@cbornet This issue is not just about JWT.

Answer 10 · 2016-06-27T13:56:34.000Z

Does it make sense to put in a template?
Pro: covers a wide range of possibilities
Con: We lose the descriptive value, ie: We don't know what type of authentication (JWT, oAuth, etc) this is, we just know how the tools should implement it.

Template eg:

  type: apiKey,
  in: header,
  name: Authorization
  template: "Bearer {apiKey}"

Conversely, we could just have...

  type: bearer 
  # in header, implied
  # name Authorization, implied
  # Con: a little terse

Answer 11 · 2016-06-27T14:04:24.000Z

@ponelat wrote:

Does it make sense to put in a template?

Swagger implementations have already too many security holes that allow code injection. No need to add one more vector with templated content.

Answer 12 · 2016-06-27T18:45:53.000Z

@dolmen ??? I have to assume you're not being serious

Answer 13 · 2016-08-02T18:16:57.000Z

+1 for bearer token authorization support

Answer 14 · 2016-08-11T00:52:47.000Z

+1 for bearer token authorization support

Answer 15 · 2016-08-11T18:57:42.000Z

+1 for bearer token authorization support

Answer 16 · 2016-08-12T14:13:56.000Z

Just a note, you don't have to write just a +1 comment, you can add your vote to other people's comments using the reaction button (" + 😀") on the top left of the comment.

Answer 17 · 2016-08-12T15:04:07.000Z

Kinda wish github added proper voting mechanism instead of the reaction button.

Answer 18 · 2016-09-07T19:44:09.000Z

Any update on this feature ? Any way to use "Bearer TOKEN" in the Authorization header ?

Answer 19 · 2016-09-16T20:02:26.000Z

as @lucj asked: any news ? I've just hit this barrier :(

Answer 20 · 2016-09-16T20:06:40.000Z

It is on our backlog. We haven't forgotten. It just hasn't bubbled to the top of the list yet.

Answer 21 · 2016-09-16T20:22:59.000Z

/me turns the heat to "high", hoping it bubbles more ;)

Thanks for the quick response

Answer 22 · 2016-09-16T20:24:40.000Z

@jmls :-) Unfortunately, no matter how fast we get it into the 3.0 spec, there is still the "tooling needs to start supporting 3.0" delay.

Answer 23 · 2016-09-16T20:35:09.000Z

Oddly enough, it looks like if I define oauth2 as the security, the language generator I'm wanting to use (typescript-nodejs) seems to generate the code I need ...

export class OAuth implements Authentication {
    public accessToken: string;

    applyToRequest(requestOptions: request.Options): void {
        requestOptions.headers["Authorization"] = "Bearer " + this.accessToken;
    }
}

then within each "api" I have

 protected authentications = {
        'default': <Authentication>new VoidAuth(),
        'my_auth': new OAuth(),
    }

and for each endpoint

        this.authentications.my_auth.applyToRequest(requestOptions);
        this.authentications.default.applyToRequest(requestOptions);
[snip]
        return new Promise<{ response: http.ClientResponse; body: any;  }>((resolve, reject) => {
            request(requestOptions, (error, response, body) => {

I haven't gotten round to testing just yet, but the generated code seems to solve my issues ;)

Answer 24 · 2016-10-03T02:42:25.000Z

I have attempted to address the missing support for bearer/JWT in this PR #807 Feedback encouraged. I'm not a fan of the bearerFormat field but as there is no standard for communicating this to clients, I'm not sure what the best approach is.

Answer 25 · 2016-11-18T00:35:30.000Z

+1 for Bearer 👍

Answer 26 · 2016-11-30T10:06:11.000Z

+1 for Bearer support

Answer 27 · 2016-11-30T16:42:09.000Z

+1 for Bearer support

Answer 28 · 2016-12-13T15:59:13.000Z

+1 for Bearer

Answer 29 · 2016-12-16T09:34:52.000Z

As a temporary solution that seems to work, at least to me, is to add "Bearer " prefix manually in the auth dialog of Swagger UI.

Answer 30 · 2016-12-30T11:36:19.000Z

+1 for Bearer

Answer 31 · 2017-01-12T08:53:59.000Z

+1 for JWT Bearer token

Answer 32 · 2017-01-20T20:47:18.000Z

Need. JWT. Please.

Answer 33 · 2017-01-20T20:53:59.000Z

@CollinGraves it will be supported in 3.0 through #818

Answer 34 · 2017-02-17T19:25:48.000Z

+1 for JWT Bearer

Answer 35 · 2017-02-17T19:27:45.000Z

Already added, no need to +1 here :)

Answer 36 · 2017-03-23T06:00:01.000Z

I got error, I try to install the swagger but it error about $urltoDoc,.... in views/vendor/l5-swagger.index.blade.php. Please kindly help! Thanks!

Message error: below is the error msg.

https://2.bp.blogspot.com/-wlExmpcjcjw/WNKq_J7YeZI/AAAAAAAAC5g/ftwwzC1Rr0s3Jyz6AnehJCqvXC1zoWJPQCLcB/s1600/15.PNG

Answer 37 · 2017-03-23T09:08:42.000Z

@ratanakpek please note that this repository is about the OpenAPI specification, not any specific implementation. This issue specifically is about the next version of OpenAPI, for which there are no implementations yet.
It looks like you have a problem with some tooling (not sure which one) – please open an issue there (first have a look whether there already is an issue for this.) You'll need to provide more information, though.

Answer 38 · 2018-01-22T16:41:39.000Z

Is it possible now to have the apikey using the Bearer authentication?

Authorization: Bearer <apiKey>

Answer 39 · 2018-01-22T16:49:04.000Z

Yes, in v3.0 - see this example. You can omit the bearerFormat hint if you want.

Note that apiKey and http are different types of securityScheme.

Answer 40 · 2018-10-17T12:32:15.000Z

@MikeRalphson with:

type: http
scheme: bearer
bearerFormat: JWT

I get: "User Warning: @OA\SecurityScheme() is missing key-field: "securityScheme""

Answer 41 · 2018-10-17T14:23:20.000Z

@twitnic that sounds like a problem with a specific tool, not with the specification itself.