openapi-to-postman
openapi-to-postman copied to clipboard
postmanlabs
Postman is unable to import OpenApi 3 with multiple API keys
We have an OpenApi 3 collection with multiple API keys, as described at the following link under the paragraph "multiple API keys": https://swagger.io/docs/specification/authentication/api-keys/
When importing this, it is expected that the various endpoints will have both headers (in our case, x-api-key and x-api-secret).
Feeding the same OpenApi file to ReDoc, both authentication headers are correctly recognised:
However, when importing into Postman, only x-api-key is present in the imported collection, while the header x-api-secret has to be created manually.
So it seems that the feature "Multiple API Keys" that is part of the OpenAPI 3 spec, is not implemented yet in Postman https://swagger.io/docs/specification/authentication/api-keys/
Using Postman Version 9.12.2 (9.12.2) for MacOS Arm64 On Mac OS Monterey On MacBook Air M1
(my colleagues reproduced the same issue on Monterey on Mac Intel, on Win 10 and on Win 11)
@mastazi Thank you for reaching out.
This is a known limitation and we are aware the behavior. The issue with having multiple API Key is that Postman Collection doesn't support having multiple authorization for a Request or even for the entire collection.
If things are added on the global level those are added to the collection level auth and if it is present at the path level it is added to the request. But if there are multiple we pick the first one only.
One possible workaround we could do is add the other API key in your case as a separate header but that will be a temporary fix. Would love to hear your thoughts around this and if you have any suggestions on how this can be handled?
Postman Collection doesn't support having multiple authorization
Hi @umeshp7 thank you for your response. My initial instinct (and I say that as someone who is not familiar with this codebase) is that the problem could be resolved by parsing security rather than components.securitySchemes, the reason I say that, is that according to the OpenAPI 3 specs, when we want to use multiple API keys, all keys must be under the same array element. So they are grouped into one single element not multiple ones.
The docs at https://swagger.io/docs/specification/authentication/api-keys/ even make the difference clear by saying that this is the correct form:
security:
- apiKey: []
appId: [] # <-- no leading dash (-)
while this is incorrect:
security:
- apiKey: []
- appId: []
or in case you prefer JSON, this is correct (note how the array has one element only):
"security": [
{
"apiKey": [],
"appId": []
}
]
and this is incorrect (note that the array has two elements in this incorrect version)
"security": [
"apiKey": [],
"appId": []
]
@mastazi
security:
- apiKey: []
- appId: []
Is not incorrect, it just means you as a client can choose which one you want to use. https://swagger.io/docs/specification/authentication/#multiple
@AlexKotsc yeah, I meant incorrect from the point of view of achieving an AND as opposed to an OR.
The example you made is an OR but in our case we need an AND. Thank you for clarifying.
@umeshp7 Is there any further update on support for multiple AND keys in Postman?
It's critical for a project I'm currently working on, and will have to look into different tooling if this is the case. Thanks.
We are looking to ship this improvement by the end of Feb 2023. I will keep this ticket updated 🙇♂
We are looking to ship this improvement by the end of Feb 2023. I will keep this ticket updated 🙇♂
Amazing! Thank you so much.
@md250721 we are still working on this change. The tentative timeline for this fix to land is April 2023 end. I will keep this thread update 🙇♂️
Hi @akshaydeo, I see this was being implemented earlier this year, are there any updates as it seems to still be an issue
Hi all, with a few high-priority changes, we de-prioritised this change. We will pick it up again and plan for Nov 2023 release. I will keep this thread updated. Apologies for the delay 🙇♂️