quarkus.smallrye-openapi does not support SecurityScheme of type apiKey #33159

Closed
eska-muc opened this issue May 5, 2023 · 3 comments · Fixed by #33165
Labels
area/openapi area/security area/smallrye env/windows Impacts Windows machines kind/bug Something isn't working
eska-muc commented May 5, 2023

Describe the bug

For an integration with AWS API Gateway I'd like to configure the required values for the openapi.yaml respectively openapi.json as described by AWS. This requires type "apiKey" which is specified for OpenAPI 3.0.3 (see OpenAPI 3.0.3 specification)

However, when I use the property quarkus.smallrye-openapi.security-scheme, it does not support apiKey.

Therefore, I use microprofile annotations, for configuring the SecurityScheme:

```java
@Path("/hello")
@SecurityScheme(securitySchemeName = "my-security-scheme",
        type = SecuritySchemeType.APIKEY, in = SecuritySchemeIn.HEADER,
        extensions = { @Extension(name = "x-amazon-apigateway-authorizer", value = Constants.PAYLOAD, parseValue = true) })
public class GreetingResource {

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    @SecurityRequirement(name = "my-security-scheme")
    public String hello() {
        return "Hello from RESTEasy Reactive";
    }
}
```

This works quite well and produces the following openapi.yaml:

```yaml
---
openapi: 3.0.3
info:
  title: Problem Report
  description: OpenAPI Security Scheme type apiKey is not supported by quarkus.smallrye-openapi
  version: 1.0.0-SNAPSHOT
servers:
- url: http://localhost:8080
  description: Auto generated value
- url: http://0.0.0.0:8080
  description: Auto generated value
paths:
  /hello:
    get:
      tags:
      - Greeting Resource
      responses:
        "200":
          description: OK
          content:
            text/plain:
              schema:
                type: string
      security:
      - my-security-scheme: []
components:
  securitySchemes:
    my-security-scheme:
      type: apiKey
      in: header
      x-amazon-apigateway-authorizer:
        payloadFormatVersion: "1.0"
        connectionId: ARN
    SecurityScheme:
      type: http
      description: Authentication
      scheme: basic
```

The problem here is: There is an additional security scheme with the default name "SecurityScheme" and the default scheme "basic" added.

I could not find a way to suppress the generation of the default scheme "SecurityScheme".

Expected behavior

quarkus.smallrye-openapi.security-scheme should support type "apiKey" as specified in OpenAPI 3.0.3 specification

AND

When using the Annotation org.eclipse.microprofile.openapi.annotations.security.SecurityScheme no default security scheme "SecurityScheme" should be generated in the openapi.yaml

Actual behavior

With the properties (using config-yaml extension) like this:

```yaml
quarkus:
  smallrye-openapi:
    info-title: Problem Report
    info-description: OpenAPI Security Scheme type apiKey is not supported by quarkus.smallrye-openapi
    security-scheme: apiKey
    store-schema-directory: target/generated
```

the build fails:

```
[ERROR] Failed to execute goal io.quarkus.platform:quarkus-maven-plugin:3.0.2.Final:build (default) on project openapi-issue: Failed to build quarkus application: SRCFG00039: The config property quarkus.smallrye-openapi.security-scheme with the config value "apiKey" threw an Exception whilst being converted Cannot convert apiKey to enum class io.quarkus.smallrye.openapi.common.deployment.SmallRyeOpenApiConfig$SecurityScheme -> [Help 1]
```

With the workaround (as described above) an unwanted default security scheme is created.

How to Reproduce?

Problem 1 (apiKey not supported)

  • Create a new quarkus project
  • Add extensions:
    • smallrye-openapi
    • config-yaml (optional)
  • add property: quarkus.smallrye-openapi.security-scheme=apiKey

Build (mvn package -DskipTests) will fail

Problem 2 (additional unwanted default security scheme):

  • Create a new quarkus project
  • Add extensions:
    • smallrye-openapi
  • Add annotations to GreetingsResource:
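
```java
// Imports for Quarkus 3.x (jakarta namespace); Quarkus 2.x uses javax.ws.rs instead.
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;
import org.eclipse.microprofile.openapi.annotations.enums.SecuritySchemeIn;
import org.eclipse.microprofile.openapi.annotations.enums.SecuritySchemeType;
import org.eclipse.microprofile.openapi.annotations.extensions.Extension;
import org.eclipse.microprofile.openapi.annotations.security.SecurityRequirement;
import org.eclipse.microprofile.openapi.annotations.security.SecurityScheme;

@Path("/hello")
@SecurityScheme(securitySchemeName = "my-security-scheme",
        type = SecuritySchemeType.APIKEY, in = SecuritySchemeIn.HEADER,
        extensions = { @Extension(name = "x-amazon-apigateway-authorizer", value = Constants.PAYLOAD, parseValue = true) })
public class GreetingResource {

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    @SecurityRequirement(name = "my-security-scheme")
    public String hello() {
        return "Hello from RESTEasy Reactive";
    }
}
```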

Class Constants.java:

```java
package org.acme;

public class Constants {
    public final static String PAYLOAD = "{\"payloadFormatVersion\":\"1.0\",\"connectionId\":\"ARN\"}";
}
```

Result: openapi.yaml created with additional security scheme
openapi-issue.tar.gz

Output of uname -a or ver

Linux HOSTNAME 5.4.0-148-generic #165-Ubuntu SMP Tue Apr 18 08:53:12 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Output of java -version

openjdk version "17.0.6" 2023-01-17

GraalVM version (if different from Java)

No response

Quarkus version or git rev

3.0.2.Final

Build tool (ie. output of mvnw --version or gradlew --version)

Apache Maven 3.8.8

Additional information

Same behavior with Quarkus 2.16.6.Final and Java 11 in Windows 10

@eska-muc eska-muc added the kind/bug Something isn't working label May 5, 2023
quarkus-bot bot commented May 5, 2023

/cc @EricWittmann (openapi), @Ladicek (smallrye), @MikeEdgar (openapi), @jmartisk (smallrye), @phillip-kruger (openapi,smallrye), @radcortez (smallrye), @sberyozkin (security)

@MikeEdgar
Contributor

Thank you for the detailed report. I'll take a look at this.

@MikeEdgar
Contributor

Note that with the linked PR, you would still need to set quarkus.smallrye-openapi.auto-add-security=false in the case where only annotations are being used.

@quarkus-bot quarkus-bot bot added this to the 3.1 - main milestone May 9, 2023
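
A build-time check for the symptom reported in this issue, as an added example that is not part of the original thread or of Quarkus/SmallRye: it reads the generated OpenAPI document in JSON form and reports security schemes that are declared but never referenced, requirement names with no declaration, and `apiKey` schemes missing the `name` or `in` field that OpenAPI 3.0.3 requires. The function names and the embedded sample (a trimmed JSON rendering of the openapi.yaml above) are constructed for illustration.

```python
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample: trimmed JSON form of the openapi.yaml from the issue.
SAMPLE = json.loads("""
{"openapi": "3.0.3",
 "paths": {"/hello": {"get": {
     "responses": {"200": {"description": "OK"}},
     "security": [{"my-security-scheme": []}]}}},
 "components": {"securitySchemes": {
     "my-security-scheme": {"type": "apiKey", "in": "header"},
     "SecurityScheme": {"type": "http", "scheme": "basic"}}}}
""")


def referenced_schemes(doc):
    """Names used by the global and per-operation `security` requirement lists."""
    requirement_lists = [doc.get("security") or []]
    for path_item in (doc.get("paths") or {}).values():
        for method, operation in path_item.items():
            if method in HTTP_METHODS and isinstance(operation, dict):
                requirement_lists.append(operation.get("security") or [])
    names = set()
    for requirements in requirement_lists:
        for requirement in requirements:
            names.update(requirement)  # keys of each requirement object
    return names


def audit_security_schemes(doc):
    """Return findings (hypothetical helper, not a Quarkus or SmallRye API)."""
    declared = (doc.get("components") or {}).get("securitySchemes") or {}
    used = referenced_schemes(doc)
    incomplete = [
        name for name, scheme in declared.items()
        if scheme.get("type") == "apiKey"
        and not (scheme.get("name") and scheme.get("in"))
    ]
    return {
        "unreferenced": sorted(set(declared) - used),  # e.g. an auto-added default
        "undeclared": sorted(used - set(declared)),
        "apikey_incomplete": sorted(incomplete),
    }


if __name__ == "__main__":
    for finding, names in audit_security_schemes(SAMPLE).items():
        print(f"{finding}: {names}")
```

Failing the build on a non-empty `unreferenced` list catches a stray default scheme before the document is handed to a gateway or published to API consumers.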