
oauth2 authentication vs swagger ui

Open alexholtz opened this issue 3 years ago • 4 comments

Description

Connexion's oauth2 security scheme expects a Bearer token to be passed in by the client/user. This token is passed to the method defined by the x-tokenInfoFunc parameter defined under Components: securitySchemes: in the openapi.yaml.

The ability to return a list of scopes from the x-tokenInfoFunc and use those scopes to determine access to API endpoints as defined by the security parameter in the openapi spec file is incredibly useful and highly functional.

However, the swagger UI interprets this oauth2 configuration as a more traditional oauth flow and prompts the user to enter client_id and client_secret in the "Authorize" UI widget. What is the expected way to get swagger to prompt for a Bearer token to tap into the connexion oauth process instead so that users can make use of the swagger UI?

I've tried adding an additional BearerAuth: section, and while this does cause Swagger to offer an additional Bearer token input, it also causes Connexion to throw many many errors about a missing x-bearerInfoFunc during startup.

Example openapi.yaml

security:
  - BearerAuth: []
  - okta: [read]
components:
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
    okta:
      type: oauth2
      flows:
        authorizationCode:
          authorizationUrl: none
          tokenUrl: none
          scopes:
            read: grants access to read-only endpoints
            write: grants access to write endpoints
            admin: grants full access to all endpoints
      x-tokenInfoFunc: auth.verify_token

alexholtz Jun 09 '22 22:06
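As an added example (not code from the issue or from Connexion itself), here is a minimal `auth.verify_token` implementing the x-tokenInfoFunc contract described above, together with the scope comparison Connexion performs against the `security` entry (`okta: [read]`). It assumes the Connexion 2.x convention that the function receives the raw token string and returns a dict with a `scope` entry, or `None` to signal 401; the token store is constructed for the example.

```python
# Added example, not Connexion's own code. Assumption: Connexion 2.x calls the
# x-tokenInfoFunc as verify_token(token) and treats None as "unauthenticated" (401);
# a missing required scope in the returned info yields 403.
from typing import Dict, List, Optional

# Constructed sample token store. A real deployment would introspect the token
# with the identity provider (e.g. an Okta introspection endpoint) instead.
_TOKENS: Dict[str, Dict[str, object]] = {
    "tok-reader": {"sub": "alice", "scope": ["read"]},
    "tok-admin": {"sub": "bob", "scope": ["read", "write", "admin"]},
}


def verify_token(token: str) -> Optional[dict]:
    """x-tokenInfoFunc: token info for a valid Bearer token, else None (-> 401)."""
    info = _TOKENS.get(token)
    if info is None:
        return None
    # Connexion accepts "scope" either as a list or as a space-separated string;
    # the string form is what most OAuth2 introspection responses return.
    return {"sub": info["sub"], "scope": " ".join(info["scope"])}


def has_required_scopes(token_info: dict, required: List[str]) -> bool:
    """Every scope listed in the `security` entry must be present in the token info."""
    granted = token_info.get("scope", token_info.get("scopes", []))
    if isinstance(granted, str):
        granted = granted.split()
    return set(required).issubset(set(granted))


def authorize(token: str, required: List[str]) -> int:
    """HTTP status the request would receive: 200, 401 (bad token) or 403 (missing scope)."""
    info = verify_token(token)
    if info is None:
        return 401
    if not has_required_scopes(info, required):
        return 403
    return 200
```

With `security: - okta: [read]`, a token carrying only `read` is accepted, while an endpoint requiring `write` rejects it with 403 and an unknown token gets 401.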

@Ruwann could you take a look at this?

RobbeSneyders Aug 23 '22 07:08