Consider having a pluggable Security mechanism (OAuth2, Basic Auth, ..) #124
Comments
I already thought of it. This could be implemented with pkg_resources entrypoints.
@jmcs can you give an example on how to do that?
I am sorry, but I do not quite understand how I can use that in my case. I am rather new to this library and Python itself. Do you have some sort of guide to follow?
I will implement the plugin system as soon as possible. When I'm done I'll provide an example on how to create a plugin.
I don't know if it's relevant but I've added JWT as auth method for connexion, how can I share it?
@KarimJedda Do you have it in a public repo where we could take a look?
@KarimJedda, I need JWT as an auth method too. Can you share what you've done?
@jmcs, so you are suggesting that folks would write their custom security mechanism as a separate package? I will either be using or writing a JWT mechanism in the coming days, so if you have any suggestions I'm glad to think about them while working on this.
@rafaelcaricio @dfeinzeig, I put an example up here https://github.com/KarimJedda/connexion_jwt_example , improve it and hack it and let's make a plug and play thing with it 💃
@KarimJedda, thank you! Looks like the flask-jwt package assumes that the flask app is also the source of issuing JWTs. A common case is using another service to issue JWTs, and using a flask/swagger-based service that does something, but using JWTs for auth. This is my need and the path I'm headed down now. I'll keep digging in and post a PR when I have something and we can discuss it further then.
@dfeinzeig you can also check our Plan B Token Info service which validates JWTs issued by Plan B Provider and provides a "traditional" OAuth Token Info endpoint: https://github.com/zalando/planb-tokeninfo The problem with validating self-contained JWTs directly is not having any revocation mechanism; Plan B Token Info provides that (checking tokens against revocation lists).
I'll take a look at that, thanks. I believe it's fairly common to have relatively short expirations on JWTs.
On Thu, Mar 17, 2016 at 11:44 AM, Henning Jacobs notifications@github.com
For my use-case the example of @KarimJedda is perfect, in my swagger.yml I have:
however to make it work with flask-jwt, you need to customize swagger-ui/index.html
there is currently no clean way to make this customisation.
@jmcs @rafaelcaricio @hjacobs Hi colleagues, wondering what you might want to do with this open issue. Looks like the previous commenter didn't get a direct response, at least not here?
Doing this by looking at @KarimJedda's example proved super easy, even more with flask-jwt-extended which is a great library. However, the fact that I have to constantly add Bearer in the Authorize dialog, combined with the rather bad UI design, the reloading of the page, etc - means that the experience isn't very comfortable. @woutervh's hack helps a bit, but it is obviously not an option if you want to be based on the latest version of connexion and not your own fork (or even worse, editing files as part of your build process). Using JWT seems like a very common scenario, as are various non-Basic authentication schemes that use the
What do you think?
@advance512 I'll have to look at
I'll try and set up a PR.
That would be fantastic! Right now we're using it at work to expose several machine learning models. The authentication is every time a pain to set up, especially when you're dealing with token refreshes and similar stuff. The solution I proposed is rather hacky and it requires doing @woutervh's trick for the UI part.
FYI, I created pull request #390 adding support for x-authentication-scheme. |
Can we merge the PR in? |
Closing this because connexion 2.0 has support for the auth methods in the openapi3 spec, with pluggable auth/scope handler functions. Awesome work by @cziebuhr and @krise3k ! |
Connexion only supports simple OAuth 2 Bearer token lookups right now; we might consider having a more pluggable (but simple) mechanism which supports defining custom authentication/authorization functions for OpenAPI/Swagger security requirements.
Please note that users can always add custom mechanisms by decorating their handler functions (see https://github.com/zalando/connexion/blob/master/examples/basicauth/app.py), i.e. Connexion should only provide the convenience "glue" between the OpenAPI spec and their own functions.
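The issue body asks for a pluggable function that connexion glues to the spec's security requirement, and the Plan B Token Info comment above warns that a self-contained JWT has no revocation path on its own. The block below is an added example written for this page; it is not connexion's code, nor any commenter's. It is a bearer-token handler in the shape connexion 2.x calls for an OpenAPI 3 `http`/`bearer` scheme (returning token info, or `None` for a 401), verifying an HS256 JWT minted by a separate issuer and then checking a revocation list. The `x-bearerInfoFunc` extension name is taken from connexion 2.x's OpenAPI 3 documentation as I recall it and should be checked against the release in use; `SHARED_SECRET`, `ISSUER`, the in-memory revocation set and the `mint_token` helper are constructed stand-ins so the code runs offline.

```python
"""Added example (not connexion's own code): an x-bearerInfoFunc-shaped handler
that verifies an HS256 JWT from another issuer, then consults a revocation list.

Assumed OpenAPI 3 fragment (extension name as documented by connexion 2.x; verify
against your version):

components:
  securitySchemes:
    jwt:
      type: http
      scheme: bearer
      bearerFormat: JWT
      x-bearerInfoFunc: app.decode_token
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"  # assumption: HS256 key shared with the issuer
ISSUER = "https://issuer.example"                         # assumption: the service that mints tokens
REVOKED_JTI = set()                                       # stand-in for a revocation list (Plan B Token Info keeps a real one)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Build an HS256 JWT. Only here to construct input; in the scenario discussed the issuer does this."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def decode_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return token info on success, or None so connexion answers 401.

    Check order: structure, pinned algorithm, signature, issuer, expiry, revocation.
    `now` is injectable so the expiry path can be exercised deterministically.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        presented_sig = _b64url_decode(sig_b64)
    except ValueError:  # binascii.Error, JSONDecodeError and UnicodeDecodeError are all ValueErrors
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm: the token's own header must not choose it (alg=none, key confusion).
    if header.get("alg") != "HS256":
        return None
    expected_sig = hmac.new(SHARED_SECRET, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, presented_sig):
        return None
    if claims.get("iss") != ISSUER:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None
    # A short expiry bounds the damage window but is not revocation: check the list as well.
    jti = claims.get("jti")
    if not isinstance(jti, str) or jti in REVOKED_JTI:
        return None
    # connexion matches `scope` against the scopes the operation's security requirement lists.
    return {"sub": claims.get("sub"), "scope": claims.get("scope", []), "jti": jti}


def revoke(jti: str) -> None:
    """Add a token id to the revocation list (a deployment would sync this from the issuer)."""
    REVOKED_JTI.add(jti)


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = mint_token({"iss": ISSUER, "sub": "alice", "jti": "t-1", "scope": ["models:read"], "exp": t0 + 300})
    print(decode_token(tok, now=t0))        # token info
    print(decode_token(tok, now=t0 + 600))  # None: expired
    revoke("t-1")
    print(decode_token(tok, now=t0))        # None: revoked while still unexpired
```

Wiring `decode_token` in through the spec rather than a per-handler decorator is exactly the "glue" the issue body asks for: the operation declares `security: [jwt: [models:read]]`, connexion extracts the bearer token, calls the function, and enforces the scopes from the returned dict. The revocation set is where a deployment would plug in a token-info service or a synced revocation list; without it, the only lever is a short `exp`.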