Add global "security" section to swagger openapi schema #255
Conversation
Hopefully enables ApiKeyAuth for all endpoints for proper usage with OpenAPI Generator.
|
CLA Assistant Lite bot All contributors have signed the CLA βοΈ β |
|
I have read the CLA Document and I hereby sign the CLA |
holgerstolzenberg
force-pushed
the
feature/openapi-global-security-definition
branch
from
652e7f1
to
688e3bd
Compare
|
@holgerstolzenberg thank you for putting this up! It's definitely welcome.
|
|
Okay so I dug around and tried to understand how your At first, here is the documentation to the Swagger Authentication stuff, it provides all information that you need: Swagger Authentication v2 So for me it looks like if the change has to go to should do the trick and should be a low hanging fruit. I could try to provide a PR but maybe you are faster to try.... One hint: Starting with OpenAPI v3, new authentication options are present, like e.g. So how do we continue @tstirrat15 ? |
|
Another cool thing would be to have the final public openapi spec to be published to a more prominent location. |
|
@holgerstolzenberg any thoughts on a good place for that? We have a postman collection, perhaps? It's also available in the SpiceDB binary if you run |
|
Good question - never thought about that. A short lookup if there is such a thing like a public OpenAPI spec registry just revealed https://apis.guru, but I never used it on my own. So here is the thing. In the end the spec should be available from a public URL that is discoverable, _rememberable, versioned, etc. - it does not matter that much, where that then actually is. The Postman collection might be a good place, but I have no clue how publication works and if you can push your spec file there. In the end, you could also publish the spec file to your own domain, e.g. https://authzed.com/api/v1.1.0/openapi.spec π€·π»ββοΈ It is nice to get the spec from an running instance, but in terms of pipeline performance I will always rather rely on an public URL then on a docker image that I need to download and start with each pipeline run. It is like with any other dependency, I just want to consume that thing from somewhere (like a Java dep from Maven Central). Also, your Technically, it is totally fine to got to Long story short - a semantically or ideologically valid public location would be really nice π€© βοΈ |
SpiceDB does not use ApiKeyAuth authentication, but Bearer authentication, where the type of bearer token is an API Key. This was reported in authzed/authzed-go#255, indicating that folks generating code out of the OpenAPI definition will have errors because the generated error did not properly provide the preshared key with the expected `Authorization: Bearer <psk>` format. See https://swagger.io/docs/specification/v3_0/authentication/api-keys/ See https://swagger.io/docs/specification/v3_0/authentication/bearer-authentication/
SpiceDB does not use ApiKeyAuth authentication, but Bearer authentication, where the type of bearer token is an API Key. However, the OpenAPI v2 Spec, which is the one supported by grpc-gateway, does not support bearer authentication: https://swagger.io/docs/specification/v2_0/authentication/authentication/ Still, the grpc-gateway maintainers indicated in grpc-ecosystem/grpc-gateway#1089 that bearer is actually supported in grpc-gateway generator. This was reported in authzed/authzed-go#255, indicating that folks generating code out of the OpenAPI definition will have errors because the generated error did not properly provide the preshared key with the expected `Authorization: Bearer <psk>` format. I'm not 100% sure if this is a legit intermediate state between v2 and v3 we can leverage, but the current generated code is clearly broken anyway. See https://swagger.io/docs/specification/v3_0/authentication/api-keys/ See https://swagger.io/docs/specification/v3_0/authentication/bearer-authentication/
|
@holgerstolzenberg I've elaborated in authzed/api#121 what the fix could look like. Unfortunately I've opened #258 with the regenerated spec, would you mind giving it a go? It would be awesome also if you could share how to generate these: I think it would be interesting to provide these generate client libraries for other folks not relying on gRPC. |
|
@tstirrat15 - I have tested your changes and it is confirmed working, see following build: https://github.com/ewerk/authzed-http-client/actions/runs/11780525757/job/32811323020 Yet your change only changed the name of the authentication method. For the user in the end it still looks like this (as ApiClient getApiClient() {
final var client = new ApiClient(restClient, objectMapper, ApiClient.createDefaultDateFormat());
client.setBasePath("http://localhost:8443");
client.setApiKey(apiKey("AlsoLetMeInAgain"));
return client;
}For me this is okay as long as it works, but is also a bit confusing. I had already opened up a PR at The project |
|
@holgerstolzenberg I think you may have confused me with @tstirrat15. I opened a PR because I missed you have opened another PR. It's surprising to me that your proposal actually works unless there is some sort of plumbing in the generated With that said, I prefer your proposal because it's actually OpenAPI v2 compliant, whereas mine isn't. I'm just surprised it works, I can spend some cycles trying to understand how that works under the hood. |
|
@vroldanbet yes you are right, I confused you both. Why should my supposal not work, in the end it is just a name π€·π»ββοΈ. BTW - as said it is confirmed working. I do not think it is necessary for you to do more round trips, especially not if we stay on v2. So I would suggest you drop your draft PR and approve mine at |
@holgerstolzenberg as much as I appreciate the contribution and that it just works, SpiceDB does not officially support As you can see in // For backwards-compatibility, pass through 'authorization' header with no prefix.
if key == "Authorization" {
pairs = append(pairs, "authorization", val)
}So this only works if you prepend Now, armed with that information, we can make an informed decision. In light of SpiceDB using a code generator that complies with OpenAPI v2, and that I'd also propose adding a Thanks! |
|
closing in favor of authzed/api#120. Once that lands, we can regenerate the all the SDK. |
|
@holgerstolzenberg the newly-generated schema is available here: https://raw.githubusercontent.com/authzed/authzed-go/refs/heads/main/proto/apidocs.swagger.json Does that have the behavior you're looking for? |
π― Goal
Hopefully enables ApiKeyAuth for all endpoints for proper usage with OpenAPI Generator.
πββοΈ Situation
We are currently looking into SpiceDB as a go to option for authorization.
As of project constraints, we cannot rely upon gRPC and have to use the HTTP API.
π§ The problem
Working with the API via "simple" clients (e.g. curl) works, but for proper integration a pre packaged client SDK would be really nice. As I could not find such a thing, I started on creating my own using OpenAPI generator tooling, leveraging
https://github.com/authzed/authzed-go/blob/main/proto/apidocs.swagger.jsonspec file.The client generation in general works, but using it always caused an authentication exception, which was very strange.
After debugging through the OpenAPI generated code (Java), I realised the
ApiKeyAuthdoes not get applied, causing noAuthorizationheader to be sent.This is caused by the OpenAPI spec file not to be "precise" enough π
π The fix
I created a quick fix to the schema that fixes the issue by setting the security to be applied to
ApiKeyAuthfor all endpoints of the schema. The generated client (Java) is now confirmed to be working.It would be cool to have that merged to the upstream, yet there might be some open points:
β Open points
securityconfiguration section?