Support for scopes in scheme bearer
Hi, a JWT-based access token (bearer) can contain scopes like read_pets, write_pets etc. that could be used to authorize an API request from an app. Why doesn't the OpenAPI spec talk about scopes for scheme: bearer? Shouldn't this be described in the spec, as it is a widely used pattern for API authN & authZ?
e.g.
security:
- bearerAuth: [read:pets, write:pets]
/Vineeth
Unfortunately we can’t add examples of every combination of OAS feature. I’ll add one here when I get back to my desk.
Thanks — I think I’ve been a little confused by what I thought this was going to be.
Basically, a logged-in user has a role of contributor, editor, or admin. A logged-out user is treated as having the role of anonymous. I was hoping this would allow me to say that an API call is only available with a role of editor or admin, but it seems that the Security Requirement Object still uses AND rather than OR. I appreciate the issue tracker probably isn't the best place for asking this, but is this possible with 3.1? If not, would it be worth making a feature request?
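Both requests in this thread (scopes on a bearer scheme, and "editor or admin") come down to how a `security` list is evaluated. The following is an added example, not code from the issue or from the OpenAPI project: it applies the Security Requirement Object rules (OR across list entries, AND across the schemes inside one entry, every listed scope or role required) to constructed token data. The scheme name `bearerAuth`, the claim names and the role values are assumptions.

```python
# Added example: evaluate an OpenAPI `security` list the way the
# Security Requirement Object rules define it (OAS 3.x):
#   - the outer list is OR: any single entry authorizes the request
#   - the schemes inside one entry are AND: all must be satisfied
#   - the scopes/roles listed for a scheme must all be present
# Note: for an `http`/bearer scheme OAS 3.0 requires the array to be
# empty; OAS 3.1 allows it to carry role names that are not defined
# in-band, which is what the original question asks for.
from typing import Dict, List, Set

SecurityRequirement = Dict[str, List[str]]
# Scheme name -> scopes/roles the request actually proved. The API's
# authentication layer would fill this after validating the credential.
Presented = Dict[str, Set[str]]


def scopes_from_jwt(payload: dict) -> Set[str]:
    """Merge the space-separated OAuth2 `scope` claim with an app-level
    `roles` claim (constructed claim shapes) into one set of names."""
    names = set(payload.get("scope", "").split())
    names.update(payload.get("roles", []))
    return names


def requirement_satisfied(req: SecurityRequirement, presented: Presented) -> bool:
    """AND: every scheme in this entry must be present with all its scopes."""
    return all(
        scheme in presented and set(scopes) <= presented[scheme]
        for scheme, scopes in req.items()
    )


def authorized(security: List[SecurityRequirement], presented: Presented) -> bool:
    """OR: one satisfied entry is enough. An empty `security: []` removes
    the requirement entirely, so it authorizes any request."""
    if not security:
        return True
    return any(requirement_satisfied(req, presented) for req in security)


# The thread's wish, "editor OR admin", is two alternatives; putting both
# roles in one entry would demand the caller hold both (AND).
EDITOR_OR_ADMIN: List[SecurityRequirement] = [{"bearerAuth": ["editor"]},
                                              {"bearerAuth": ["admin"]}]
EDITOR_AND_ADMIN: List[SecurityRequirement] = [{"bearerAuth": ["editor", "admin"]}]

if __name__ == "__main__":
    token = {"scope": "read:pets", "roles": ["editor"]}  # constructed payload
    presented = {"bearerAuth": scopes_from_jwt(token)}
    print(authorized(EDITOR_OR_ADMIN, presented))   # True
    print(authorized(EDITOR_AND_ADMIN, presented))  # False
```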