This repository has been archived by the owner on Nov 16, 2023. It is now read-only.

Definition and Assignment of OAuth Scopes #221

SebastianKotstein opened this issue Sep 18, 2019 · 1 comment

@SebastianKotstein

I use the OAuth 2.0 'password' and 'client_credentials' grant types to limit access to my API. For the sake of simplification, let's say we have two operations (i.e. API endpoints), where the first operation should be assigned the scope 'read' and the second operation the scope 'write'.

As far as I understand, I have to annotate the first operation with the following security tags:

///<security type="oauth2" name="oauth">
///     <description>...</description>
///     <scheme>bearer</scheme>
///     <bearerFormat>JWT</bearerFormat>
///     <flow type="password">
///         <authorizationUrl>...</authorizationUrl>
///         <tokenUrl>...</tokenUrl>
///         <scope name="read">
///              <description>...</description>
///         </scope>
///     </flow>
///     <flow type="clientCredentials">
///         <authorizationUrl>...</authorizationUrl>
///         <tokenUrl>...</tokenUrl>
///         <scope name="read">
///              <description>...</description>
///         </scope>
///     </flow>
///</security>
public void Operation1(...){...}

and the second operation with:

///<security type="oauth2" name="oauth">
///     <description>...</description>
///     <scheme>bearer</scheme>
///     <bearerFormat>JWT</bearerFormat>
///     <flow type="password">
///         <authorizationUrl>...</authorizationUrl>
///         <tokenUrl>...</tokenUrl>
///         <scope name="write">
///              <description>...</description>
///         </scope>
///     </flow>
///     <flow type="clientCredentials">
///         <authorizationUrl>...</authorizationUrl>
///         <tokenUrl>...</tokenUrl>
///         <scope name="write">
///              <description>...</description>
///         </scope>
///     </flow>
///</security>
public void Operation2(...){...}

However, the security declaration for the second operation is completely ignored.
Therefore, I assume that the security schema with all available scopes can only be defined once (but where?) and that there is another mechanism for assigning specific scopes to operations. Unfortunately, the wiki does not provide any example explaining the assignment of multiple scopes of the same security schema to multiple operations.
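For reference, in the OpenAPI 3 document format itself the scheme and all of its scopes are declared once under `components.securitySchemes`, and each operation lists the scopes it requires in its own `security` requirement. The sketch below is an added example, not code from this issue or from the project, and it says nothing about how the annotation tool maps its XML tags; the paths, token URL, `admin` scope and the `audit` helper are constructed for illustration.

```python
# Constructed OpenAPI 3 document as a dict; paths and token URL are placeholders.
FLOW = {"tokenUrl": "https://auth.example.com/token",
        "scopes": {"read": "Read access", "write": "Write access"}}
SPEC = {
    # The scheme and every scope it offers are declared once, here.
    "components": {"securitySchemes": {"oauth": {
        "type": "oauth2",
        "flows": {"password": dict(FLOW), "clientCredentials": dict(FLOW)},
    }}},
    # Each operation then names the subset of scopes it requires.
    "paths": {
        "/operation1": {"get": {"security": [{"oauth": ["read"]}]}},
        "/operation2": {"post": {"security": [{"oauth": ["write"]}]}},
        "/operation3": {"delete": {"security": [{"oauth": ["admin"]}]}},  # undeclared scope
        "/operation4": {"get": {}},  # no requirement and no document-wide default
    },
}
METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def declared_scopes(spec, scheme):
    """Union of the scopes declared across all flows of one oauth2 scheme."""
    flows = spec["components"]["securitySchemes"][scheme].get("flows", {})
    return set().union(*(flow.get("scopes", {}) for flow in flows.values()))

def audit(spec):
    """Map each operation to its security requirements and list spec problems."""
    default = spec.get("security", [])  # document-wide fallback requirement
    schemes = spec["components"]["securitySchemes"]
    required, problems = {}, []
    for path, item in spec["paths"].items():
        for method in sorted(METHODS & item.keys()):
            op_id = f"{method.upper()} {path}"
            reqs = item[method].get("security", default)
            required[op_id] = reqs
            if not reqs:
                problems.append(f"{op_id}: no security requirement (unauthenticated)")
            for req in reqs:
                for scheme, scopes in req.items():
                    if scheme not in schemes:
                        problems.append(f"{op_id}: unknown scheme {scheme!r}")
                        continue
                    for scope in sorted(set(scopes) - declared_scopes(spec, scheme)):
                        problems.append(f"{op_id}: scope {scope!r} not declared by {scheme!r}")
    return required, problems

if __name__ == "__main__":
    for line in audit(SPEC)[1]:
        print(line)
```

Running such a check over the generated document shows directly whether an operation's scope requirement was dropped, as described for the second operation above.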

@Shwetap05
Member

@sebi91 I will investigate and get back on this.
