security: Using Multiple Authentication Types #1298

Open
utherbit opened this issue Aug 17, 2024 · 2 comments
Labels
enhancement New feature or request openapi-features OpenAPI features support issues

Comments

@utherbit
Contributor

Description

My API needs multiple authentication keys at once. I can achieve this using middleware, but I have to create a blank SecurityHandler. It would be cool if the SecurityHandler provided me with key combinations.

Currently, SecurityHandler only supports the "or" option from the example below.

Desired result:
For the second example, you need to generate one SecurityHandler method, not two.
For the third example - two methods, not 4

References

https://swagger.io/docs/specification/authentication/
scroll to "Using Multiple Authentication Types"

Some REST APIs support several authentication types. The security section lets you combine the security requirements using logical OR and AND to achieve the desired result. security uses the following logic:

security:    # A OR B
  - A
  - B
security:    # A AND B
  - A
    B
security:    # (A AND B) OR (C AND D)
  - A
    B
  - C
    D
@tdakkota
Member

To generate a method, ogen needs a method name. What name should be used? Handle<A><B> does not sound great, especially if there are more than two security requirements and each one has a name longer than one letter.

Also, this becomes pretty complicated, since each operation in the spec may have its own set of security requirements.

> Currently, SecurityHandler only supports the "or" option from the example below.

No, ogen checks whether it is A and B or C and D. But if you want to pass some data from the security handler, you need to pass it through context.Context.

@utherbit
Contributor Author

You are right, the method name will be long. Now the signature of the security methods will go beyond the boundary, it will be even worse.

In this form it is really not an easy task.

However, I do not like the idea of passing through the context, I wrote my http middleware over ogen to not pass the authentication data through the context, because in this case it is not obvious to me at what point the information collection will end and it will be possible to start processing it, unless in the middleware that will be executed after the security handler.

Since I wrote my middleware for authorization, I will have to implement a dummy SecurityHandler, since it is mandatory.

I like the logic that currently checks authentication (with a bitmap). But I think it is enough that it checks for the presence of the required headers.

I have an idea, which is probably not the best. Maybe it would be more convenient to make one handler for all authentication methods? I see this as a ServerOption similar to WithErrorHandler or WithNotFound, e.g. WithAuthenticationHandler.

Changes to this logic will be critical in any case, so I don't expect a decision to be made anytime soon.
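
The AND-inside, OR-across evaluation that the swagger excerpt describes, and that the thread refers to as a bitmap check, written out as an added Go example. It is not ogen's generated code; the scheme bits, header names and secrets are constructed for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
)

// Scheme is a bit flag, one per security scheme; A..D mirror the issue's YAML.
type Scheme uint8
const (
	A Scheme = 1 << iota
	B
	C
	D
)

// Constructed header names and secrets (assumptions, not from the ogen project).
var keys = map[Scheme][2]string{
	A: {"X-Key-A", "a-secret"}, B: {"X-Key-B", "b-secret"},
	C: {"X-Key-C", "c-secret"}, D: {"X-Key-D", "d-secret"},
}

// Satisfied checks every scheme once and returns the bitmap of those that passed.
func Satisfied(h http.Header) (got Scheme) {
	for s, kv := range keys {
		// Constant-time comparison so the check does not leak how much matched.
		if subtle.ConstantTimeCompare([]byte(h.Get(kv[0])), []byte(kv[1])) == 1 {
			got |= s
		}
	}
	return got
}

// Authorized: each mask is one `security` entry (AND inside, OR across); empty list denies.
func Authorized(reqs []Scheme, got Scheme) bool {
	for _, need := range reqs {
		if got&need == need {
			return true
		}
	}
	return false
}

func main() {
	reqs := []Scheme{A | B, C | D} // (A AND B) OR (C AND D)
	ac := http.Header{"X-Key-A": {"a-secret"}, "X-Key-C": {"c-secret"}}
	cd := http.Header{"X-Key-C": {"c-secret"}, "X-Key-D": {"d-secret"}}
	fmt.Println(Authorized(reqs, Satisfied(ac)), Authorized(reqs, Satisfied(cd)))
}
```

Credentials for A and C together satisfy neither entry, because each entry needs both of its schemes; the request is accepted only once one entry's mask is fully covered.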
