
How do we define authorization in spec?

Open SpecialYang opened this issue 1 year ago • 0 comments

According to the official documentation, the current Swagger API standards only support authentication, not authorization.

For example, with API-Key authentication, we can define authentication policy with API-Key at the API or Operation level, but we cannot specify which API-Key can access a particular operation. How should we use API-Key for authorization?

```yaml
openapi: 3.0.0
...
# 1) Define the key name and location
components:
  securitySchemes:
    ApiKeyAuth:        # arbitrary name for the security scheme
      type: apiKey
      in: header       # can be "header", "query" or "cookie"
      name: X-API-KEY  # name of the header, query parameter or cookie
# 2) Apply the API key globally to all operations
security:
  - ApiKeyAuth: []
```

Can we allow specific API keys that can access one API? From a security perspective, perhaps we can reference a secret or a configuration center in the spec for whitelisted API-Key discovery?

SpecialYang, Jul 31 '24 02:07
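The split the issue runs into is between authentication, which the OpenAPI document can declare, and authorization, which it cannot for `apiKey` schemes: a security requirement object lists scopes only for `oauth2` and `openIdConnect` schemes, so an `ApiKeyAuth` requirement is always `[]`. The per-key allow-list therefore lives in the enforcing component (gateway or middleware), backed by the kind of secret or configuration store the question mentions. The following Python is an added example, not code from swagger-core or from the issue author; the spec dictionary, the key registry, the operation IDs and the key values are all constructed for the demo. It reads the requirement from the spec (including an operation-level `security: []` override that marks an operation public), authenticates the presented `X-API-KEY` against a hashed registry, then authorizes by checking the key's allowed `operationId` set.

```python
import hashlib

# Constructed OpenAPI document (an assumption for this example): the ApiKeyAuth
# scheme from the issue, applied globally, plus a few operations to authorize.
SPEC = {
    "openapi": "3.0.0",
    "components": {
        "securitySchemes": {
            "ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-KEY"},
        }
    },
    # An apiKey requirement carries no scopes in OpenAPI 3.0; the list is always [].
    "security": [{"ApiKeyAuth": []}],
    "paths": {
        "/orders": {
            "get": {"operationId": "listOrders"},
            "post": {"operationId": "createOrder"},
        },
        "/admin/users": {"get": {"operationId": "listUsers"}},
        # Operation-level override: an empty security list makes it public.
        "/health": {"get": {"operationId": "health", "security": []}},
    },
}


def key_fingerprint(api_key: str) -> str:
    """Store only a hash of each key so a leaked registry does not leak credentials."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


# Constructed key registry (hypothetical; stands in for the secret store or
# configuration center the issue asks about). Each key maps to the operationIds
# it may call. Plaintext keys appear here only so the demo can run offline.
KEY_REGISTRY = {
    key_fingerprint("partner-key-123"): {"owner": "partner", "allowed": {"listOrders", "createOrder"}},
    key_fingerprint("readonly-key-456"): {"owner": "reporting", "allowed": {"listOrders"}},
}


def api_key_scheme(spec: dict, name: str) -> dict:
    """Look up a securityScheme and confirm it is a header-delivered apiKey."""
    scheme = spec["components"]["securitySchemes"][name]
    if scheme["type"] != "apiKey" or scheme["in"] != "header":
        raise ValueError("example only supports apiKey schemes delivered in a header")
    return scheme


def find_operation(spec: dict, method: str, path: str):
    """Return the Operation Object for method+path, or None if the spec lacks it."""
    return spec["paths"].get(path, {}).get(method.lower())


def authorize(spec: dict, registry: dict, method: str, path: str, headers: dict) -> tuple:
    """Return (http_status, reason). The spec says *that* a key is required;
    the registry says *which* key may call *which* operation."""
    op = find_operation(spec, method, path)
    if op is None:
        return 404, "unknown operation"

    # Operation-level security overrides the global list; [] means public.
    requirements = op.get("security", spec.get("security", []))
    if not requirements:
        return 200, "public operation"

    scheme_names = [name for req in requirements for name in req]
    if "ApiKeyAuth" not in scheme_names:
        return 501, "unsupported security scheme"
    header_name = api_key_scheme(spec, "ApiKeyAuth")["name"].lower()

    # Header names are case-insensitive; fail closed when the key is absent.
    presented = next((v for k, v in headers.items() if k.lower() == header_name), None)
    if not presented:
        return 401, "missing API key"

    # Authentication: the key must exist. Missing and unknown keys share a
    # status so the response does not tell the two cases apart.
    principal = registry.get(key_fingerprint(presented))
    if principal is None:
        return 401, "invalid API key"

    # Authorization: the key must be allowed to call this operationId.
    if op["operationId"] not in principal["allowed"]:
        return 403, f"{principal['owner']} may not call {op['operationId']}"
    return 200, "ok"


if __name__ == "__main__":
    for method, path, hdrs in [
        ("GET", "/orders", {"X-API-KEY": "readonly-key-456"}),
        ("POST", "/orders", {"x-api-key": "readonly-key-456"}),
        ("GET", "/admin/users", {"X-API-KEY": "partner-key-123"}),
        ("GET", "/health", {}),
    ]:
        print(method, path, authorize(SPEC, KEY_REGISTRY, method, path, hdrs))
```

The design point is that the OpenAPI document stays the single description of *where* a credential is expected, while the mapping from credential to permitted operations is data owned by the enforcement layer and can be rotated or revoked without republishing the spec. Keying the registry by `operationId` rather than by path keeps the allow-list stable if routes are renamed.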