
[Feature Req] Init auth from OpenAPI spec

Open byted opened this issue 8 months ago • 3 comments

Started using Restish recently and while I enjoy many things about it I'm surprised that I need to manually configure auth (e.g. OAuth2 Client Credentials flow) even though it is described via security schemas in the OpenAPI spec.

Is there a reason this was not added so far beyond simply nobody asking for it? :D If not I'm open to help out here.

byted, Apr 15 '25 00:04

@byted there is some missing information in the OpenAPI so you would still need to fill things in, but I agree that this can certainly be improved.

Also take a look at https://rest.sh/#/openapi?id=autoconfiguration. A typical configuration I've used might look like this in the OpenAPI document (assuming Azure auth, but could also be Auth0 or other providers):

{
  "components": {
    "securitySchemes": {
      "oauth2": {
        "flows": {
          "authorizationCode": {
            "authorizationUrl": "https://login.microsoftonline.com/your-app-uuid/oauth2/v2.0/authorize",
            "scopes": {
              "api://your-app-uuid/.default": "API access",
              "email": "Allows access to the user's email.",
              "offline_access": "Allows access to the user's offline data.",
              "openid": "Allows access to the user's identity.",
              "profile": "Allows access to the user's profile."
            },
            "tokenUrl": "https://login.microsoftonline.com/your-app-uuid/oauth2/v2.0/token",
            "x-usePkce": "SHA-256"
          }
        },
        "type": "oauth2"
      }
    }
  },
  "x-cli-config": {
    "security": "oauth2",
    "params": {
      "client_id": "your-client-uuid",
      "scopes": "openid profile email offline_access api://your-app-uuid/.default"
    }
  }
}

Then Restish will auto-configure itself for e.g. OAuth 2 Authorization Code with PKCE for user logins and you don't have to do anything except save & quit after the restish api configure $NAME $URL command.

danielgtaylor, Apr 17 '25 16:04

Sorry for the late reply. Your suggestion solved our use-case. While not optimal - we have to add x-cli-config - it works well for our use-case.

I'd still love to see the auth picked up automatically during configure flow but that's just a nice-to-have.

Thanks, great work!

byted, May 06 '25 16:05

Another nice feature would be to exclude the authorization headers if the path is marked for no security in openapi:

/status:
  get:
    security: [] # No security

When the auth is configured in ~/.config/restish/apis.json it applies to all paths and I am not sure how to exclude it (or in my case not run the auth external-tool) for a particular path.

dcrawford1, Aug 14 '25 00:08
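The per-path behaviour asked for in the last comment follows from a general OpenAPI rule: an operation-level `security` list overrides the document-level one, and an empty list `[]` marks the operation as public. The following is an added example (not Restish's code and not from anyone in this thread) that resolves that rule over a constructed spec, so a client knows when to skip the Authorization header or the external auth tool; the spec contents, URLs and paths are assumptions.

```python
"""Decide which OpenAPI operations actually require the configured auth.

Constructed example, not Restish's implementation. Rules applied:
  - operation-level `security` (even `[]`) overrides the root `security`
  - `[]` means the operation is public: send no Authorization header
  - a `{}` alternative among the requirements makes auth optional
"""
import json

# Constructed OpenAPI document: global oauth2 requirement, /status opted out.
SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "security": [{"oauth2": ["api://your-app-uuid/.default"]}],
  "components": {"securitySchemes": {"oauth2": {"type": "oauth2", "flows": {
    "authorizationCode": {
      "authorizationUrl": "https://login.example/authorize",
      "tokenUrl": "https://login.example/token",
      "scopes": {"api://your-app-uuid/.default": "API access"},
      "x-usePkce": "SHA-256"}}}}},
  "paths": {
    "/status": {"get": {"security": []}},
    "/items": {"get": {},
               "post": {"security": [{"oauth2": ["api://your-app-uuid/.default"]}]}},
    "/search": {"get": {"security": [{}, {"oauth2": []}]}}
  }
}
""")


def effective_security(spec, path, method):
    """Return the security requirement list that applies to one operation."""
    op = spec["paths"][path][method.lower()]
    if "security" in op:          # operation-level key wins, including `[]`
        return op["security"]
    return spec.get("security", [])


def requires_auth(spec, path, method):
    """True only when every alternative requirement names at least one scheme."""
    reqs = effective_security(spec, path, method)
    return bool(reqs) and all(len(req) > 0 for req in reqs)


def scheme_for(spec, path, method):
    """Sorted scheme names the operation may use, or None for public operations."""
    reqs = effective_security(spec, path, method)
    return sorted({name for req in reqs for name in req}) or None


if __name__ == "__main__":
    for p, ops in SPEC["paths"].items():
        for m in ops:
            print(f"{m.upper():5} {p:8} required={requires_auth(SPEC, p, m)} "
                  f"schemes={scheme_for(SPEC, p, m)}")
```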