Unable to override custom SecurityScheme settings
vbartusevicius opened this issue · 4 comments
Following https://github.com/raml-org/raml-spec/blob/master/versions/raml-10/raml-10.md/#settings, I created a custom JWT security scheme and want to apply it with some overridden parameters, as described in https://github.com/raml-org/raml-spec/blob/master/versions/raml-10/raml-10.md/#applying-security-schemes
Take this RAML as an example:
```
#%RAML 1.0
title: Secured API
securitySchemes:
  JWT:
    type: x-jwt
    describedBy:
      headers:
        Authorization:
          description: Valid Bearer jwt token
          type: string
          required: true
      responses:
        401:
          description: Bad or expired token.
        403:
          description: Access denied not valid privilage in resurces
    settings:
      issueUri: https://www.dropbox.com/1/oauth/authorize
      scope: [read, create]
/some-resource:
  get:
    securedBy:
      - JWT: { scope: [ read ] }
    description: Retrieve Some Resource
```
When parsed, it gives an error:
```
[
  {
    "code": "UNKNOWN_NODE",
    "message": "Unknown node: 'scope'",
    "path": "api.raml",
    "range": {
      "start": {
        "line": 23,
        "column": 15,
        "position": 530
      },
      "end": {
        "line": 23,
        "column": 20,
        "position": 535
      }
    },
    "isWarning": false
  }
]
```
I cannot find anything wrong with the RAML. It seems the parser contradicts the description given in the specification that it is possible to override security scheme parameters.
Hi @vbartusevicius !
In fact, the field name is `scopes`, not `scope`:
https://github.com/raml-org/raml-spec/blob/master/versions/raml-10/raml-10.md#oauth-20
Please, let us know if you still have problems with it.
Regards,
Konstantin
Sorry, @vbartusevicius
I did not notice at first that you're trying to use the scope setting within a custom security scheme.
RAML does not support settings for custom security schemes, so you have to somehow reimplement your security scheme as OAuth 2.0.
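The workaround suggested in the comment above, sketched as an added example that is not part of the original thread: the scheme is declared with the built-in `OAuth 2.0` type, whose settings define `scopes`, so the per-method override uses a key the specification defines. The scheme name `oauth_2_0` and the `auth.example.com` URIs are placeholders assumed for illustration.

```yaml
#%RAML 1.0
title: Secured API
securitySchemes:
  oauth_2_0:                      # hypothetical scheme name
    type: OAuth 2.0               # built-in type, so its settings are defined by the spec
    describedBy:
      headers:
        Authorization:
          description: Valid Bearer token
          type: string
          required: true
      responses:
        401:
          description: Bad or expired token.
        403:
          description: Access denied.
    settings:
      authorizationUri: https://auth.example.com/authorize   # placeholder URI
      accessTokenUri: https://auth.example.com/token         # placeholder URI
      authorizationGrants: [ authorization_code ]
      scopes: [ read, create ]    # plural key, as defined for OAuth 2.0 settings
/some-resource:
  get:
    securedBy:
      - oauth_2_0: { scopes: [ read ] }   # narrows this method to the read scope
    description: Retrieve Some Resource
```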
@KonstantinSviridov - I thought about it, but haven't found it clearly stated that `settings` is not supported in custom schemes - https://github.com/raml-org/raml-spec/blob/master/versions/raml-10/raml-10.md/#x-other

> x-<other> authentication methods do not have any specific settings defined, as the implementation of these methods is unknown as a standard to RAML.

It says there are no specific settings; by my understanding it means "no validation/use as you want".
If it's possible, could you explain it more clearly?
Note that raml-js-parser-2 has been deprecated, the new official parser is webapi-parser. Feel free to attempt to reproduce this issue with webapi-parser and report any issue you may have on that repository.