
No Security for a sub path #1278

Closed
gokulkulkarni1987 opened this issue Jul 18, 2017 · 3 comments
Labels
security: access ctrl Permissions and controls distinct from authentication security

Comments

@gokulkulkarni1987

I have the following spec,

# [START swagger]
swagger: "2.0"
info:
  description: "A simple Google Cloud Endpoints API example."
  title: "Endpoints Example"
  version: "1.0.0"
# [END swagger]
# For App Engine deployments, delete the above "host:" line and remove the "# "
# from the following line. Then change YOUR-PROJECT-ID to your project id.
host: "<Hostname>"
basePath: "/"
consumes:
- "application/json"
produces:
- "application/json"
schemes:
- "https"
paths:
  "/users/{latitude}/{longitude}":
    get:
      description: List of users
      operationId: fetchusers
      produces:
        - application/json
        - application/xml
        - text/xml
        - text/html
      parameters:
        - name: latitude
          in: path
          description: Latitude component of location.
          required: true
          type: number
          format: double

        - name: longitude
          in: path
          description: Longitude component of location.
          required: true
          type: number
          format: double

      responses:
        '200':
          description: List of nearest users
          schema:
            $ref: '#/definitions/users'
        default:
          description: unexpected error
          schema:
            $ref: '#/definitions/errorModel'
      security:
        - firebase: []

  "/users":
    get:
      description: List of users
      operationId: fetchAllusers
      produces:
        - application/json
      parameters:
      - description: "users List"
        in: body
        name: message
        required: true
        schema:
          $ref: "#/definitions/echoMessage"
      responses:
        '200':
          description: List of nearest users
          schema:
            $ref: '#/definitions/users'
        default:
          description: unexpected error
          schema:
            $ref: '#/definitions/errorModel'
      security:
        - firebase: []
  "/users/search":
    post:
      description: "Search users"
      operationId: "searchusers"
      produces:
      - "application/json"
      responses:
        '200':
          description: "users List"
          schema:
            $ref: "#/definitions/echoMessage"
      parameters:
      - description: "Search Criteria"
        in: body
        name: message
        required: true
        schema:
          $ref: "#/definitions/echoMessage"
      security:
        - firebase: []
  "/auth/info/googlejwt":
    get:
      description: "Returns the requests' authentication information."
      operationId: "auth_info_google_jwt"
      produces:
      - "application/json"
      responses:
        '200':
          description: "Authentication info."
          schema:
            $ref: "#/definitions/authInfoResponse"
      security:
      - google_jwt: []
  "/auth/info/googleidtoken":
    get:
      description: "Returns the requests' authentication information."
      operationId: "authInfoGoogleIdToken"
      produces:
      - "application/json"
      responses:
        '200':
          description: "Authentication info."
          schema:
            $ref: "#/definitions/authInfoResponse"
      security:
      - google_id_token: []
definitions:
  echoMessage:
    properties:
      message:
        type: "string"
  authInfoResponse:
    properties:
      id:
        type: "string"
      email:
        type: "string"
# This section requires all requests to any path to require an API key.
security:
- api_key: []
securityDefinitions:
  # This section configures basic authentication with an API key.
  api_key:
    type: "apiKey"
    name: "key"
    in: "header"
  # This section configures authentication using Google API Service Accounts
  # to sign a json web token. This is mostly used for server-to-server
  # communication.
  google_jwt:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    # This must match the 'iss' field in the JWT.
    x-google-issuer: "jwt-client.endpoints.sample.google.com"
    # Update this with your service account's email address.
    x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/jwk/YOUR-SERVICE-ACCOUNT-EMAIL"
    # This must match the "aud" field in the JWT. You can add multiple
    # audiences to accept JWTs from multiple clients.
    x-google-audiences: "echo.endpoints.sample.google.com"
  # This section configures authentication using Google OAuth2 ID Tokens.
  # ID Tokens can be obtained using OAuth2 clients, and can be used to access
  # your API on behalf of a particular user.
  google_id_token:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://accounts.google.com"
    x-google-jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"
    # Your OAuth2 client's Client ID must be added here. You can add
    # multiple client IDs to accept tokens from multiple clients.
    x-google-audiences: "YOUR-CLIENT-ID"
  firebase:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://securetoken.google.com/<PROJECT-ID>"
    x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/[email protected]"
    x-google-audiences: "<PROJECT-ID>"

And there will be many more services. As you can see, I have put in various security definitions. I will be using different security definitions for different paths. By default I want to enable api_key for all paths, but I want to disable this security for some paths. How can I achieve that?

@darrelmiller
Member

darrelmiller commented Jul 18, 2017

You can create a "security" array in each operation object to override the security array at the root. It does not inherit, so you will need to re-specify the api-key scheme for each operation.
https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#operation-object

@MikeRalphson
Member

See this comment for an example of overriding a default set of security requirements at the per-operation level, including a 'null' requirement {} to mean no security is required.
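The resolution rule the two replies above describe (an operation-level `security` array replaces the root-level one rather than merging with it, an empty array removes the requirement, and an empty `{}` alternative lets unauthenticated calls through) is easy to get wrong when a spec grows to many paths. The following Python script is an added example, not code from this issue or from the OpenAPI project: it applies that rule to a constructed, trimmed spec in the same shape as the one in the question and reports which operations end up reachable without credentials, plus any scheme names that are referenced but never defined under `securityDefinitions`. The sample spec, its paths and the `audit`/`undefined_schemes` function names are all assumptions made for the example.

```python
"""Audit which operations in a Swagger 2.0 spec end up with no authentication.

Added example (not from the issue). It models the rule the maintainers
describe: an operation-level `security` array overrides the root-level
one (no inheritance or merging), an empty array means no requirement,
and an empty `{}` requirement is an alternative that needs no credentials.
"""

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

# Constructed sample spec (assumed for this example), as a plain dict so the
# script has no YAML dependency. Root default: api_key on every operation.
SAMPLE_SPEC = {
    "swagger": "2.0",
    "security": [{"api_key": []}],
    "securityDefinitions": {
        "api_key": {"type": "apiKey", "name": "key", "in": "header"},
        "firebase": {"type": "oauth2", "flow": "implicit", "authorizationUrl": ""},
    },
    "paths": {
        # no `security` key at all: inherits the root api_key requirement
        "/users": {"get": {"operationId": "fetchAllusers"}},
        # override: firebase only, api_key is NOT carried over
        "/users/search": {"post": {"operationId": "searchusers",
                                   "security": [{"firebase": []}]}},
        # empty array: explicitly removes the root requirement (open endpoint)
        "/health": {"get": {"operationId": "health", "security": []}},
        # `{}` alternative: auth is optional, anonymous callers are accepted
        "/public/feed": {"get": {"operationId": "feed",
                                 "security": [{}, {"api_key": []}]}},
    },
}


def effective_security(spec, operation):
    """Return the security requirement list that applies to one operation."""
    if "security" in operation:        # present, even if empty: replaces root
        return operation["security"]
    return spec.get("security", [])


def allows_anonymous(requirements):
    """True if the requirement list lets a caller through with no credentials."""
    if not requirements:
        return True                    # []: no alternatives, nothing enforced
    return any(req == {} for req in requirements)   # {}: the 'null' alternative


def audit(spec):
    """Map 'METHOD path' -> (sorted scheme names, anonymous_allowed)."""
    report = {}
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue               # skip `parameters` and vendor extensions
            reqs = effective_security(spec, op)
            schemes = sorted({name for req in reqs for name in req})
            report[f"{method.upper()} {path}"] = (schemes, allows_anonymous(reqs))
    return report


def undefined_schemes(spec):
    """Scheme names used in any security array but missing from securityDefinitions."""
    defined = set(spec.get("securityDefinitions", {}))
    used = set()
    for item in spec.get("paths", {}).values():
        for method, op in item.items():
            if method in HTTP_METHODS:
                for req in effective_security(spec, op):
                    used.update(req)
    return sorted(used - defined)


if __name__ == "__main__":
    for key, (schemes, anon) in audit(SAMPLE_SPEC).items():
        flag = "OPEN" if anon else "auth"
        print(f"{flag:5} {key:22} {schemes or '-'}")
    print("undefined schemes:", undefined_schemes(SAMPLE_SPEC))
```

Running it lists `GET /health` and `GET /public/feed` as open and shows that `POST /users/search` accepts only `firebase`, which is the point of the replies: to keep `api_key` on an operation that also allows another scheme, the operation's own array has to name it again. To use this on a real spec, load the YAML with a parser of your choice into a dict and pass it to `audit`.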

@handrews
Member

Question answered years ago with no further replies, closing.
