
Wrong error issued with OpenID Connect security schema

Open cvgaviao opened this issue 7 years ago • 6 comments

An OpenID Connect schema requires only two fields:

  securitySchemes:
    OpenIdC:  
      type: openIdConnect
      openIdConnectUrl: http://172.17.0.2:8080/.well-known/openid-configuration

Then in a Path we need to refer to a security schema using the security tag:

      security:
        - OpenIdC: 
          - admin   <------ error issued here 

But the editor is wrongly issuing an error as if the schema were oAuth2: "admin" does not match any scope name defined in the OpenIdC security scheme.

cvgaviao avatar Mar 11 '19 18:03 cvgaviao

Could any developer comment on this issue?

cvgaviao avatar Apr 08 '19 12:04 cvgaviao

@cvgaviao , sorry for the delay. I have opened an issue here to get some clarification on the spec:

  • https://github.com/OAI/OpenAPI-Specification/issues/1889

These other open issues suggest that OpenAPI may still be trying to figure out how to model the complex relationship between OIDC and OAuth, and the meaning of the scopes array in Security Requirements Object:

  • https://github.com/OAI/OpenAPI-Specification/issues/1751
  • https://github.com/OAI/OpenAPI-Specification/issues/1393
  • https://github.com/OAI/OpenAPI-Specification/issues/1731

Maybe we'll see some refinements to this in future versions of the OpenAPI spec.

In the meantime, I think the safe thing to do is to limit the validation to apply only to security requirements for oauth2-typed security schemes. We will try to get this fix into the next patch release.

tedepstein avatar Apr 08 '19 13:04 tedepstein

@tedepstein, I'm wondering here... Wouldn't it be possible for the tool just to retrieve the scopes provided by the openIdConnectUrl and validate against them? What I understood is that the OpenID discovery path "/.well-known/openid-configuration" is aimed at something like that and all OID providers expose it.

Don't you think?

cvgaviao avatar Apr 13 '19 02:04 cvgaviao

@cvgaviao , we would need to look more carefully at this. If this is required of all OID implementations, then it's possible to implement validation and/or code assist for OID scopes/roles.

For validation purposes, we generally don't rely on things outside of the OpenAPI document or the OpenAPI specification, unless it's directly referenced from the document as a $ref. So we'll be a bit cautious with this.

If you think validation and/or code assist for OID scopes would be valuable, could you please open a separate issue for it? I'd like to limit the scope of this issue to fixing the error condition.

tedepstein avatar Apr 13 '19 02:04 tedepstein

@tedepstein, for me, actually, just not throwing an error when not providing a scope is OK for now.

But as I'm moving my application to OID, I investigated many OpenID Connect standard providers and all of them use the /.well-known/openid-configuration

For example, take a look at the path provided by MS Azure: https://login.windows.net/common/.well-known/openid-configuration

and for google: https://accounts.google.com/.well-known/openid-configuration

cvgaviao avatar Apr 13 '19 14:04 cvgaviao
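The two behaviours discussed in this thread, as an added example that is not KaiZen-OpenAPI-Editor's own code: the reported bug (the scope check applied to every scheme type, so an openIdConnect scheme that declares no scopes rejects "admin"), the fix tedepstein describes (check scopes only for oauth2-typed schemes), and the optional follow-up cvgaviao suggests (checking OIDC scopes against the provider's discovery metadata). The OpenAPI fragment and the discovery document are constructed inline; the discovery metadata is passed in already retrieved rather than fetched, matching the maintainers' reluctance to reach outside the document during validation. `scopes_supported` is the field OpenID Connect Discovery 1.0 defines for advertised scopes; the function and scheme names are this example's own.

```python
"""Scope validation for OpenAPI 3 Security Requirement Objects (added example)."""
from typing import Dict, List, Optional

# Constructed OpenAPI 3 fragment mirroring the issue: an openIdConnect scheme
# referenced with the scope "admin", plus an oauth2 scheme for contrast.
OPENAPI_DOC = {
    "components": {
        "securitySchemes": {
            "OpenIdC": {
                "type": "openIdConnect",
                "openIdConnectUrl": "http://172.17.0.2:8080/.well-known/openid-configuration",
            },
            "OAuth": {
                "type": "oauth2",
                "flows": {
                    "authorizationCode": {
                        "authorizationUrl": "https://example.invalid/authorize",  # placeholder
                        "tokenUrl": "https://example.invalid/token",  # placeholder
                        "scopes": {"read": "Read access", "write": "Write access"},
                    }
                },
            },
        }
    },
    "paths": {
        "/admin": {"get": {"security": [{"OpenIdC": ["admin"]}]}},
        "/items": {"post": {"security": [{"OAuth": ["write", "delete"]}]}},
    },
}

# Constructed stand-in for what a provider serves at /.well-known/openid-configuration.
DISCOVERY_DOC = {
    "issuer": "http://172.17.0.2:8080",
    "scopes_supported": ["openid", "profile", "admin"],
}


def oauth2_scopes(scheme: dict) -> set:
    """Collect every scope name declared across an oauth2 scheme's flows."""
    return {s for flow in scheme.get("flows", {}).values() for s in flow.get("scopes", {})}


def validate_security(doc: dict, discovery: Optional[Dict[str, dict]] = None,
                      buggy: bool = False) -> List[str]:
    """Return one error string per scope that a Security Requirement Object
    names but its scheme does not define.

    buggy=True reproduces the behaviour reported in the issue: the oauth2 scope
    check runs regardless of scheme type, so any non-oauth2 scheme rejects
    every scope it is used with.
    discovery maps a scheme name to its (already retrieved) OIDC discovery
    metadata; when present, openIdConnect scopes are checked against
    scopes_supported. Without it, openIdConnect requirements are not checked.
    """
    schemes = doc.get("components", {}).get("securitySchemes", {})
    errors: List[str] = []
    for path, ops in doc.get("paths", {}).items():
        for method, op in ops.items():
            for requirement in op.get("security", []):
                for name, scopes in requirement.items():
                    scheme = schemes.get(name)
                    if scheme is None:
                        errors.append(f"{method.upper()} {path}: unknown security scheme {name!r}")
                        continue
                    stype = scheme.get("type")
                    if stype == "oauth2" or buggy:
                        allowed = oauth2_scopes(scheme)
                    elif stype == "openIdConnect" and discovery and name in discovery:
                        allowed = set(discovery[name].get("scopes_supported", []))
                    else:
                        continue  # http/apiKey, or OIDC without metadata: nothing to check
                    for scope in scopes:
                        if scope not in allowed:
                            errors.append(
                                f"{method.upper()} {path}: {scope!r} does not match any scope "
                                f"name defined in the {name} security scheme"
                            )
    return errors


if __name__ == "__main__":
    print("buggy:", validate_security(OPENAPI_DOC, buggy=True))
    print("fixed:", validate_security(OPENAPI_DOC))
    print("with discovery:", validate_security(OPENAPI_DOC, {"OpenIdC": DISCOVERY_DOC}))
```

In buggy mode the "admin" scope on the OpenIdC requirement is flagged exactly as in the report; with the fix only the genuinely undefined oauth2 scope ("delete") is reported, and the OIDC requirement is accepted unchecked. Supplying discovery metadata turns the OIDC check back on, but against the provider's advertised scopes rather than the empty oauth2 flow list.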

Thanks for that info, @cvgaviao .

tedepstein avatar Apr 15 '19 11:04 tedepstein