Forum Discussion

Herry
New Member
5 years ago

Swagger 2.0 apiKey authentication and scopes

Hi community,

I use this security definition in our project:

securityDefinitions:
  JwtBearerAuth:
    type: apiKey
    name: Authorization
    in: header
    x-apikeyInfoFunc: "services.token_service.verifyToken"

with the following endpoint:

paths:
  /secret:
    get:
      security:
        - JwtBearerAuth: []
      operationId: "rest.user.secret"
      tags:
        - "User"
      summary: "Testpage for authentication"
      description: "Should only be accessible with a valid JWT token in the 'authorization' header"
      responses:
        '200':
          description: "OK"
        '401':
          description: "No or an invalid token was provided"

and I wanted to ask what the best way is to achieve a form of role management. For example, I want to add the role information to my endpoint, like roles: ["admin"]. Is this possible with this configuration?

Best Regards


1 Reply

  • Hi Herry,

    The next version of the spec, OpenAPI 3.1 (which is in the RC stage now), will support defining roles for operations secured with API keys:

    paths:
      /secret:
        get:
          security:
            - JwtBearerAuth: [admin]   # <-----

    In OpenAPI 2.0 and 3.0, you can mention these roles in the operation descriptions.
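As an added example (not code from this thread or from any project it mentions): a Python token-info function of the kind an `x-apikeyInfoFunc` entry could name, which verifies the JWT carried in the Authorization header and returns the caller's roles, plus a helper that enforces the roles an OpenAPI 2.0/3.0 apiKey scheme can only document in the description. The signing secret, the claim names (`sub`, `roles`, `exp`) and the handling of a `Bearer ` prefix are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-signing-key"  # constructed for this example; load from config in practice

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Mint an HS256 JWT; only here so the example runs without a real issuer."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(api_key: str, required_scopes=None):
    """Shape of a token-info function: return a dict describing the caller, or None.
    With an apiKey scheme the whole header value arrives, so strip 'Bearer ' (assumed)."""
    token = api_key[7:] if api_key.startswith("Bearer ") else api_key
    try:
        header, payload, sig = token.split(".")
        hdr = json.loads(_b64url_decode(header))
        if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
            return None  # pin the algorithm; never let the token choose it
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # signature mismatch: forged or tampered token
        claims = json.loads(_b64url_decode(payload))
    except ValueError:
        return None  # malformed structure, base64url or JSON
    if not isinstance(claims, dict) or claims.get("exp", 0) < time.time():
        return None  # expired, or no expiry at all
    return {"sub": claims.get("sub"), "roles": list(claims.get("roles", []))}

def has_roles(token_info: dict, required: list) -> bool:
    """Enforce the roles the 2.0 spec can only document, e.g. roles: ["admin"]."""
    return set(required) <= set(token_info.get("roles", []))
```

The role check runs inside the operation (or a decorator around it), since the spec's `security` entry cannot carry it before OpenAPI 3.1.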