Forum Discussion

Herry
New Member
5 years ago

Swagger 2.0 apiKey authentication and scopes

Hi community,

 

I use this security definition in our project:

 

securityDefinitions:
  JwtBearerAuth:
    type: apiKey
    name: Authorization
    in: header
    x-apikeyInfoFunc: "services.token_service.verifyToken"

with the following endpoint:

paths:
  /secret:
    get:
      security:
        - JwtBearerAuth: []
      operationId: "rest.user.secret"
      tags:
        - "User"
      summary: "Testpage for authentication"
      description: "Should only be accessible with a valid JWT token in the 'authorization' header"
      responses:
        '200':
          description: "OK"
        '401':
          description: "No or an invalid token was provided"

and I wanted to ask what the best way is to achieve a form of role management. For example, I want to add the role information in my endpoint, like roles: ["admin"]. Is this possible with this configuration?
 
Best Regards
 
  • HKosova
    SmartBear Alumni (Retired)

    Hi Herry,

     

    The next version of the spec, OpenAPI 3.1 (which is in the RC stage now), will support defining roles for operations secured with API keys:

    paths:
      /secret:
        get:
          security:
            - JwtBearerAuth: [admin]   # <-----

     

    In OpenAPI 2.0 and 3.0, you can mention these roles in the operation descriptions.
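Whichever spec version is used, the roles written into the document (or into its descriptions) are documentation only; the server behind `x-apikeyInfoFunc` still has to check the token and the role itself. The following is an added example, not code from Herry's project, from HKosova's reply, or from Connexion: it assumes the token is an HS256 JWT carrying a `roles` claim, uses a hypothetical `REQUIRED_ROLES` table keyed by `operationId` to play the part of the `JwtBearerAuth: [admin]` requirement, and its `verify_token`/`authorize` signatures are the example's own rather than Connexion's callback contract. The `make_token` helper and the secret are constructed so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-secret-do-not-reuse"

# Hypothetical role table keyed by operationId. It stands in for the
# `JwtBearerAuth: [admin]` requirement that Swagger 2.0 cannot express.
REQUIRED_ROLES = {
    "rest.user.secret": ["admin"],
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = SECRET, ttl_seconds: int = 60) -> str:
    """Constructed helper: issue an HS256 JWT so the example runs offline."""
    body = dict(claims)
    body.setdefault("exp", int(time.time()) + ttl_seconds)
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(body).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_token(authorization: str, secret: bytes = SECRET):
    """Hypothetical stand-in for the verifier behind x-apikeyInfoFunc.

    Returns token info (subject and roles) for a valid token, or None for a
    missing, malformed, wrongly signed or expired one. Roles are returned,
    not enforced, so the decision can be made per operation in authorize().
    """
    if not authorization or not authorization.startswith("Bearer "):
        return None
    parts = authorization[len("Bearer "):].split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm: the token must never choose it ("none", RS/HS swaps).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= int(time.time()):
        return None
    roles = claims.get("roles", [])
    if not isinstance(roles, list):
        return None
    return {"sub": claims.get("sub"), "roles": sorted(set(roles))}


def authorize(operation_id: str, authorization: str) -> int:
    """Map the outcome to the status codes of the spec above: 401 for no or
    invalid token; 403 (added here) for a valid token lacking a required role."""
    info = verify_token(authorization)
    if info is None:
        return 401
    required = set(REQUIRED_ROLES.get(operation_id, []))
    if not required.issubset(info["roles"]):
        return 403
    return 200
```

Keeping the role requirement in one table next to the verifier, rather than only in the operation description, gives a single place to audit which operations demand which roles, and the split between 401 and 403 makes "no token" and "wrong role" distinguishable in access logs.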