[BUG] [Authentication] OR'ing duplicate authMethods #6833

Open
5 of 6 tasks
nhomble opened this issue Jul 1, 2020 · 2 comments

@nhomble
Contributor

nhomble commented Jul 1, 2020

Bug Report Checklist

  • Have you provided a full/minimal spec to reproduce the issue?
  • Have you validated the input using an OpenAPI validator (example)?
  • What's the version of OpenAPI Generator used?
  • Have you searched for related issues/PRs?
  • What's the actual output vs expected output?
  • [Optional] Bounty to sponsor the fix (example)

Description

Based off discussion in the spec in here and the Use Multiple Authentication Types section, I should be able to reuse authMethods in the security section of my path.

openapi-generator version

Off master

OpenAPI declaration file content or url

https://github.com/nhomble/repro-multiple-authmethods

components:
  securitySchemes:
    myAuth:
      type: oauth2
      flows:
        authorizationCode:
          scopes:
            read: ability to read
            write: ability to write
            pet: ability on pet
paths:
  /pets:
    get:
      summary: get pets
      security:
        - myAuth: [ read, pet ]
        - myAuth: [ write, pet ] # if you can update we'll let you read too

Command line used for generation

The investigation has led me to the generator, but I was reproducing this off of tests in SpringCodegenTest

Steps to reproduce
  1. define oauth2 scopes in security schemes
  2. use the same securityScheme on an api (with different scopes)
  3. Eval the spring code generator
  4. notice how we lose reference in the swagger annotations

And this has caused issues for me in #6358

Suggest a fix

Debugging has brought us to the line

Map<String, SecurityScheme> authMethods = getAuthMethods(securities, securitySchemes); 

in DefaultGenerator.java

The loops blindly put auth methods into the authMethods map by name even if the key exists. Maybe we need to consider accumulating collisions in the value and then iterate later in generation.

@nhomble
Contributor Author

nhomble commented Jul 4, 2020

Would love feedback on this since I am not sure of all the consideration it takes to make a deep generator change like this. I doubt the List<CodegenSecurity> authMethods in CodegenOperation will be able to represent the ORs, and I would like to add a new field that houses the actual auth requirements on a method.
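
The name collision described in the issue, and the OR representation raised in the follow-up comment, as an added example that is not openapi-generator code. It uses a simplified model of the `security` list from the spec above; the class, the method names and the token scopes are hypothetical.

```java
import java.util.*;

// Added illustration, not openapi-generator code: a simplified model of the
// `security` list from the spec above (scheme name -> required scopes).
public class AuthMethodCollision {

    // Constructed sample: the two OR'ed requirements on GET /pets.
    static final List<Map<String, List<String>>> SECURITIES = List.of(
            Map.of("myAuth", List.of("read", "pet")),
            Map.of("myAuth", List.of("write", "pet")));

    // Models the reported behaviour: keyed by name, a later entry overwrites an earlier one.
    static Map<String, List<String>> collapseByName(List<Map<String, List<String>>> securities) {
        Map<String, List<String>> byName = new LinkedHashMap<>();
        for (Map<String, List<String>> requirement : securities) {
            byName.putAll(requirement);
        }
        return byName;
    }

    // Hypothetical alternative: keep every requirement as its own alternative.
    static Map<String, List<List<String>>> accumulate(List<Map<String, List<String>>> securities) {
        Map<String, List<List<String>>> byName = new LinkedHashMap<>();
        for (Map<String, List<String>> requirement : securities) {
            requirement.forEach((name, scopes) ->
                    byName.computeIfAbsent(name, k -> new ArrayList<>()).add(scopes));
        }
        return byName;
    }

    // OR across alternatives, AND across the scopes inside one alternative.
    static boolean permits(List<List<String>> alternatives, Set<String> granted) {
        return alternatives.stream().anyMatch(granted::containsAll);
    }

    public static void main(String[] args) {
        Set<String> readerToken = Set.of("read", "pet"); // constructed token scopes
        Map<String, List<String>> collapsed = collapseByName(SECURITIES);
        Map<String, List<List<String>>> kept = accumulate(SECURITIES);

        System.out.println("collapsed: " + collapsed);
        System.out.println("kept:      " + kept);
        System.out.println("reader allowed (collapsed): "
                + permits(List.of(collapsed.get("myAuth")), readerToken));
        System.out.println("reader allowed (kept):      "
                + permits(kept.get("myAuth"), readerToken));
    }
}
```

In this model the collapsed map retains only the last `myAuth` entry, so a token holding `read` and `pet` is refused even though the spec allows it, while the accumulated form preserves both alternatives. It needs Java 9 or later for `List.of` and `Map.of`.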

@bilak
Contributor

bilak commented Oct 16, 2020

Would you be able to work on this? I can see that you also prepared an MR for spring security so I'd be glad to help you with this if possible.
