
security: add support for Authorization header with Bearer authentication scheme


In Swagger 2.0 there is no way to tell that the apiKey can be given in the Authorization header using a given (non-Basic) authentication scheme. For example, the Bearer scheme defined in RFC 6750 that is used for OAuth2 but could also be used for non-OAuth2 authentication.

Proposal: add the API Key location authorization in the Security Scheme Object:

{
    "type": "apiKey",
    "in": "authorization-header",
    "authenticationScheme": "Bearer"
}

Issue Analytics

  • State: closed
  • Created 8 years ago
  • Reactions: 64
  • Comments: 43 (13 by maintainers)

Top GitHub Comments

dolmen commented, Feb 29, 2016 (136 reactions)

Yes, of course, the security scheme of Swagger 2.0 is insufficient.

The apiKey scheme with in set to header is designed for a custom header where the api key will be the whole value of the header. For example:

{
    "type": "apiKey",
    "in": "header",
    "name": "Authorization"
}

will send this:

Authorization: <apiKey>

I need this:

Authorization: Bearer <apiKey>

basharov commented, Dec 16, 2016 (73 reactions)

A temporary solution that seems to work, at least for me, is to add the "Bearer " prefix manually in the auth dialog of Swagger UI.
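
The two header forms discussed in the comments above, checked against a strict RFC 6750 parser, as an added example that is not part of the issue thread or of Swagger UI's code. The helper names `buildAuthHeader` and `parseAuthorization` and the sample key are assumptions made for illustration.

```javascript
// Added illustration; buildAuthHeader and parseAuthorization are hypothetical names.

// Client side: a Swagger 2.0 apiKey scheme with "in": "header" sends the
// entered value as the entire header value, with no scheme prefix.
function buildAuthHeader(scheme, value) {
  if (scheme.type !== "apiKey" || scheme.in !== "header") {
    throw new Error("only apiKey-in-header schemes are modelled here");
  }
  return { [scheme.name]: value };
}

// Server side: strict parsing per RFC 6750 section 2.1,
//   credentials = "Bearer" 1*SP b64token
const B64TOKEN = /^[A-Za-z0-9\-._~+\/]+=*$/;

function parseAuthorization(headerValue) {
  if (typeof headerValue !== "string") {
    return { ok: false, reason: "missing header" };
  }
  const m = /^([^ ]+) +(.*)$/.exec(headerValue);
  if (!m) {
    return { ok: false, reason: "no auth-scheme before the credentials" };
  }
  const [, authScheme, token] = m;
  // Scheme names compare case-insensitively (RFC 7235).
  if (authScheme.toLowerCase() !== "bearer") {
    return { ok: false, reason: "unsupported scheme" };
  }
  if (!B64TOKEN.test(token)) {
    return { ok: false, reason: "malformed token" };
  }
  return { ok: true, token };
}

// Scheme definition from the comment above; the key is a constructed sample.
const scheme = { type: "apiKey", in: "header", name: "Authorization" };
const apiKey = "example-token-123";

function demo() {
  const bare = buildAuthHeader(scheme, apiKey).Authorization;
  // Workaround from the thread: type the prefix into the auth dialog yourself.
  const prefixed = buildAuthHeader(scheme, "Bearer " + apiKey).Authorization;
  return { bare: parseAuthorization(bare), prefixed: parseAuthorization(prefixed) };
}

console.log(demo());
```

A server that parses the header this strictly rejects the bare key and accepts the prefixed value, which is why the prefix has to be typed in by hand under the Swagger 2.0 scheme.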

