Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

How to define role/permission security in Swagger?

See original GitHub issue

In my API documentation, I would like to define the security necessary for each API endpoint. The project has defined roles and permissions that determine which users can access the APIs. What is the best way in Swagger to document this information? Is there a best practice or recommendation on how to show this detail?

This what I tried out using securityDefinitions and a self-defined variable for the roles, but that information (x-role-names) didn’t get copied over into the documentation when I ran it through swagger2markup or using swagger-ui.

    "securityDefinitions": {
    "baseUserSecurity": {
          "type": "basic",
          "x-role-names": "test"
       }
    }

What’s the best way to document the role and permission information per endpoint?

Issue Analytics

State:
Created 7 years ago
Reactions:5
Comments:8 (2 by maintainers)

Top GitHub Comments

6reactions

atdiffcommented, Oct 24, 2016

@fehguy After looking over the specs, I’m still not sure how to accomplish the ability to display the user roles/permissions required for an API and have that info appear in the resulting Swagger documentation. My ideal is for each path could indicate the user role and permissions required to access it. Basically something very roughly along the lines of “api/someCall” roles: [“admin”,“specialist”] and permissions: [“view_screen”, “edit_screen”].

There are 2 avenues I’ve tried at the moment:

Description field. Just listing the roles in the description field (not ideal and in some markup only gets displayed at the security section in the bottom)

"securityDefinitions": {
        "baseUserSecurity": {
          "type": "basic",
          "description": "Roles required: Admin, Specialist",
        }
    },

Description rendered:

Scope. Providing a scope for the security object. It’s not allowed in the spec and throws an error in the editor, but swagger2markup still allows and parses it. "security": [{"baseUserSecurity": ["Admin", "MarketSpecialist"]}],

Scope rendered:

Scope seems to fit better to some degree, but it goes against the spec which doesn’t seem like a good idea overall. So I’m not sure how this would best be documented.

5reactions

akongnwi02commented, Nov 28, 2019

Hi. How did you go about this issue?

Top Results From Across the Web

How to define role/permission security in Swagger

There is no standard way to represent roles in Swagger/OpenApi against basic authentication, so you are left using vendor-extensions (which ...

Authentication and Authorization - Swagger

Step 1. Defining securitySchemes ... All security schemes used by the API must be defined in the global components/securitySchemes section. This section contains ......

How to define role/permission security in Swagger - iTecNote

In my API documentation, I would like to define the security necessary for each API endpoint. The project has defined roles and permissions...

API Security in Swagger - codeburst

In OAS3, we can describe the API protection using the following security schemes: (1) HTTP authentication schemes using the Authorization header ...

Member Roles and Permissions | SwaggerHub Documentation

Change member roles via API ... Available for organizations on Enterprise and Enterprise Trials plans and for SwaggerHub On-Premise customers. The ...