security: add support for Authorization header with Bearer authentication scheme #583
Comments
are you saying that the is insufficient? |
Yes, of course, the security scheme of Swagger 2.0 is insufficient. The
will send this:
I need this:
|
+1, I'm using JWT and I'd need the same thing |
+1 in addition to using JWT |
Parent issue #585 |
+1 |
+1 |
+1 for JWT support. But I would prefer something like "type": "jwt" as this gives more info about the type of authentication. |
Here is a related approach to add JWT support into Swagger UI project swagger-api/swagger-ui#2234. |
@cbornet This issue is not just about JWT. |
Does it make sense to put in a template? Template eg:

    type: apiKey,
    in: header,
    name: Authorization
    template: "Bearer {apiKey}"

Conversely, we could just have...

    type: bearer
    # in header, implied
    # name Authorization, implied
    # Con: a little terse
|
@ponelat wrote:
Swagger implementations have already too many security holes that allow code injection. No need to add one more vector with templated content. |
@dolmen ??? I have to assume you're not being serious |
+1 for bearer token authorization support |
+1 for bearer token authorization support |
+1 for bearer token authorization support |
Just a note, you don't have to write just a +1 comment, you can add your vote to other people's comments using the reaction button (" + 😀") on the top left of the comment. |
Kinda wish github added proper voting mechanism instead of the reaction button. |
Any update on this feature? Any way to use "Bearer TOKEN" in the Authorization header? |
As @lucj asked: any news? I've just hit this barrier :( |
It is on our backlog. We haven't forgotten. It just hasn't bubbled to the top of the list yet. |
/me turns the heat to "high", hoping it bubbles more ;) Thanks for the quick response |
@jmls :-) Unfortunately, no matter how fast we get it into the 3.0 spec, there is still the "tooling needs to start supporting 3.0" delay. |
Oddly enough, it looks like if I define
then within each "api" I have
and for each endpoint
I haven't gotten round to testing just yet, but the generated code seems to solve my issues ;) |
I have attempted to address the missing support for bearer/JWT in this PR #807. Feedback encouraged. I'm not a fan of the |
+1 for Bearer 👍 |
+1 for Bearer support |
+1 for Bearer support |
+1 for Bearer |
+1 for Bearer |
+1 for JWT Bearer token |
Need. JWT. Please. |
@CollinGraves it will be supported in 3.0 through #818 |
+1 for JWT Bearer |
Already added, no need to +1 here :) |
I got an error. I tried to install Swagger, but it gives an error about $urltoDoc,.... in views/vendor/l5-swagger.index.blade.php. Please kindly help! Thanks! Error message: below is the error msg. |
@ratanakpek please note that this repository is about the OpenAPI specification, not any specific implementation. This issue specifically is about the next version of OpenAPI, for which there are no implementations yet. |
Is it possible now to have the apikey using the Bearer authentication?
|
Yes, in v3.0 - see this example. You can omit the Note that |
@MikeRalphson with:
I get: "User Warning: @OA\SecurityScheme() is missing key-field: "securityScheme"" |
@twitnic that sounds like a problem with a specific tool, not with the specification itself. |
In Swagger 2.0 there is no way to tell that the apiKey can be given in the Authorization header using a given (non-Basic) authentication scheme. For example the Bearer scheme defined in RFC 6750 that is used for OAuth2 but could be used also for non-OAuth2 authentication.

Proposal: add the API Key location authorization in the Security Scheme Object:
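
Added example, not part of the original issue or of the OpenAPI project's own code: a client-side sketch of the difference the thread is about, a Swagger 2.0 `apiKey` header scheme sending the credential verbatim versus an OpenAPI 3.0 `http`/`bearer` scheme adding the RFC 6750 prefix. The function name, sample definitions and token are constructed for illustration, and the character checks are an added hardening assumption rather than something the specification mandates.

```python
import re

# RFC 6750 section 2.1:
#   b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")


def authorization_header(scheme: dict, credential: str) -> dict:
    """Return the request header a client derives from a security scheme object.

    Handles the two shapes discussed in the thread (hypothetical helper):
      * Swagger 2.0  {"type": "apiKey", "in": "header", "name": ...}
      * OpenAPI 3.0  {"type": "http", "scheme": "bearer"}
    """
    kind = scheme.get("type")
    if kind == "apiKey" and scheme.get("in") == "header":
        # 2.0 has no field for an auth scheme, so the value goes out verbatim.
        # Reject control characters so a credential cannot split the header.
        if not credential or re.search(r"[\x00-\x1f\x7f]", credential):
            raise ValueError("credential contains control characters")
        return {scheme["name"]: credential}
    if kind == "http" and scheme.get("scheme", "").lower() == "bearer":
        # 3.0 names the scheme, so the client adds the prefix itself and can
        # hold the token to the b64token grammar.
        if not B64TOKEN.fullmatch(credential):
            raise ValueError("credential is not a valid RFC 6750 b64token")
        return {"Authorization": "Bearer " + credential}
    raise ValueError(f"unsupported security scheme: {scheme!r}")


# Constructed sample definitions and token (not taken from the thread).
SWAGGER_2_APIKEY = {"type": "apiKey", "in": "header", "name": "Authorization"}
OPENAPI_3_BEARER = {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"}
SAMPLE_TOKEN = "eyJhbGciOiJIUzI1NiJ9.e30.c2FtcGxl"  # placeholder, not a real JWT

if __name__ == "__main__":
    print(authorization_header(SWAGGER_2_APIKEY, SAMPLE_TOKEN))
    print(authorization_header(OPENAPI_3_BEARER, SAMPLE_TOKEN))
    # With 2.0 the prefix has to be part of the value the user supplies.
    print(authorization_header(SWAGGER_2_APIKEY, "Bearer " + SAMPLE_TOKEN))
```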