vertx-web
vertx-web copied to clipboard
vert-x3
OpenAPI 3.1
OpenAPI 3.1 is out, we need to support it https://www.openapis.org/blog/2021/02/16/migrating-from-openapi-3-0-to-3-1-0
The vertx-json-schema package already supports the latest json schema Draft 2019-09, so we need to just wire it up with vertx-web-openapi
Security wise http security may use the scope list as roles required for execution. This means we need to be able to link both authentication with authorization.
While in oauth2/oidc scopes are more or less easy to handle as they are returned as part of the token exchange, for http and bearer token authentication the scope/role may be anywhere in the token which may require custom handlers.
Probably we should issue a warning during buildRouter() when http security schema is used with scopes. In that case we log as a WARNING that it's the user's responsibility to assert that the role/scope is present.
Assertion should be trivial as the user can use the authz framework and should have the knowledge which kind of authz is needed and which provider.
This issue addresses the "scope" support for bearer authn: https://github.com/vert-x3/vertx-web/pull/1929 This issue ensures that chain will work with any combinations: https://github.com/vert-x3/vertx-web/pull/1930
@pmlopes @slinkydeveloper
Greetings
Sorry about the double ping, but this is a blocking issue at one of my pet projects. Is there any issue I could help with?
@LouizFC the required changes on jwt/oauth2 are already merged to the main development branch. I'm planning to start implementing the oidc improvement discussed in: https://github.com/vert-x3/vertx-web/issues/1858
So this will implement the required changes regarding security. After this, we still need to work the remaining changes which are more now level, like the "everything is a jsonschema now".
All security related tasks have been merged. We shall now focus on the yaml/schema changes
@pmlopes does this includes draft 2020-12 support? I think I could help with that.
Taking a brief look, vertx json schema implementation already uses a pseudo-vocabulary for OpenAPI (I took a brief look, I could be wrong), I will further investigate and see if I can help.
@LouizFC I don't think so. All json schema support is handled in another repo:
https://github.com/eclipse-vertx/vertx-json-schema
If you want to help, please checkout that code and implement a pull request for the latest spec.
Depends (maybe) on: https://github.com/eclipse-vertx/vertx-json-schema/issues/43
We now have support for openapi 3.1 in the new module vertx-web-openapi-router
this is marked to be delivered in 4.4.1 and even docs say that OpenAPI 3.1 is supported, however the class io.vertx.ext.web.openapi.impl.OpenAPIHolderImpl from vertx-web-openapi still throws following exception while trying to parse a spec file with version 3.1:
ValidationException{message='provided string should respect pattern ^3\.0\.\d(-.+)?$', keyword='pattern', input=3.1.0, schema=io.vertx.json.schema.common.SchemaImpl@5aceec94, inputScope=#/openapi}
at io.vertx.json.schema.ValidationException.create(ValidationException.java:85)
at io.vertx.json.schema.common.PatternValidatorFactory$PatternValidator.validateSync(PatternValidatorFactory.java:55)
at io.vertx.json.schema.common.SchemaImpl.runSyncValidator(SchemaImpl.java:193)
at io.vertx.json.schema.common.SchemaImpl.validateSync(SchemaImpl.java:128)
at io.vertx.json.schema.common.PropertiesValidatorFactory$PropertiesValidator.validateAsync(PropertiesValidatorFactory.java:166)
at io.vertx.json.schema.common.SchemaImpl.runAsyncValidators(SchemaImpl.java:173)
at io.vertx.json.schema.common.SchemaImpl.validateAsync(SchemaImpl.java:121)
at io.vertx.json.schema.common.SchemaImpl.validateAsync(SchemaImpl.java:48)
at io.vertx.ext.web.openapi.impl.OpenAPIHolderImpl.lambda$loadOpenAPI$2(OpenAPIHolderImpl.java:88)
at io.vertx.core.impl.future.Composition.onSuccess(Composition.java:38)
... 22 more
