
show only endpoint relevant oauth scopes in authorization window #8219

Closed
kai-morich opened this issue Oct 7, 2022 · 1 comment

Comments

@kai-morich
Contributor

Is your feature request related to a problem?

With the upper lock symbol, all possible authorizations are shown. That's ok.
With the lower lock symbol, the authorizations are already filtered to the types supported by an endpoint, but for oauth, still all scopes are shown.


Describe the solution you'd like

Should be reduced to the scopes specified at the endpoint (for the example below, it should be admin only for the POST endpoint).

Additional context

minimalistic example:

```yaml
openapi: 3.0.3
info:
  title: scope test
  version: 0.1.0
servers:
  - url: http://testserver.com
paths:
  /pet/:
    get:
      responses:
        '200':
          description: Successful Response
      security:
        - BasicAuth: []
        - OAuth2: [read]
    post:
      responses:
        '200':
          description: Successful Response
      security:
        - OAuth2: [admin]
components:
  securitySchemes:
    BasicAuth:
      type: http
      scheme: basic
    OAuth2:
      type: oauth2
      flows:
        clientCredentials:
          tokenUrl: https://api.testserver.com/oauth2/token/
          scopes:
            admin: modify pets in your account
            read: read your pets
```
@kai-morich
Contributor Author

There is a getDefinitionsByNames function that looks like it does filtering on oauth scopes.

```js
export const getDefinitionsByNames = ( state, securities ) => ( { specSelectors } ) => {
```

It was disabled with #3870, but that PR does not mention a concrete issue.
@shockey, @webron do you remember why?
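The filtering the issue asks for, as an added example that is not swagger-ui's code and does not reuse its `getDefinitionsByNames` selector: given the issue's spec (constructed here as an already-parsed object) and one operation, it returns only the security schemes that operation requires and trims each OAuth2 flow's `scopes` to the ones the operation's `security` requirements name, so the GET endpoint yields only `read` and the POST endpoint only `admin`. The function name `schemesForOperation` is hypothetical.

```javascript
// Added example (not swagger-ui's code): the issue's YAML as a parsed object.
const spec = {
  paths: {
    "/pet/": {
      get: { security: [{ BasicAuth: [] }, { OAuth2: ["read"] }] },
      post: { security: [{ OAuth2: ["admin"] }] },
    },
  },
  components: {
    securitySchemes: {
      BasicAuth: { type: "http", scheme: "basic" },
      OAuth2: {
        type: "oauth2",
        flows: { clientCredentials: {
          tokenUrl: "https://api.testserver.com/oauth2/token/",
          scopes: { admin: "modify pets in your account", read: "read your pets" },
        } },
      },
    },
  },
};

// Returns { schemeName: definition } for one operation: only the schemes its
// `security` requirements name; oauth2 schemes get a copy of each flow whose
// `scopes` keeps only requested scopes the scheme defines (least privilege).
function schemesForOperation(doc, path, method) {
  const op = doc.paths?.[path]?.[method];
  const schemes = doc.components?.securitySchemes ?? {};
  const requirements = op?.security ?? doc.security ?? []; // op-level overrides global
  // Union the requested scopes per scheme over all alternative requirements.
  const requested = new Map();
  for (const req of requirements) {
    for (const [name, scopes] of Object.entries(req)) {
      if (!schemes[name]) continue; // requirement names an undefined scheme
      const set = requested.get(name) ?? new Set();
      scopes.forEach((s) => set.add(s));
      requested.set(name, set);
    }
  }
  const result = {};
  for (const [name, wanted] of requested) {
    const def = schemes[name];
    if (def.type !== "oauth2") { result[name] = def; continue; }
    const flows = Object.fromEntries(Object.entries(def.flows ?? {}).map(
      ([flowName, flow]) => [flowName, { ...flow, scopes: Object.fromEntries(
        Object.entries(flow.scopes ?? {}).filter(([s]) => wanted.has(s))) }]));
    result[name] = { ...def, flows };
  }
  return result;
}
```

The original scheme definitions are left untouched; the popup-facing copy is what gets the reduced scope list.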

tim-lai added a commit that referenced this issue Oct 24, 2022
* 'available authorization' popup: only show oauth2 scopes relevant for current endpoint (issue #8219)

* unit tests for oauth2 scope filter

Co-authored-by: Kai Morich <[email protected]>
Co-authored-by: Tim Lai <[email protected]>