How do I hide the authorization security indicators for just one endpoint?
gdec31 opened this issue · comments
Hello,
I have a public API which is not subject to any authorization type.
**Step to reproduce **
- Select a public endpoint (You can found an extract of the schema below)
**Actual behavior **
- On the top right of endpoint page I have this :
**Expected behavior **
- Should display nothing
An extract of the schema : (there is no security part)
"/saml" : {
"get" : {
"tags" : [ "Server" ],
"summary" : "Get the SP metadata",
"description" : "Get the service provider metadata.",
"operationId" : "getSpMetadata",
"responses" : {
"200" : {
"description" : "Successful Operation",
},
"204" : {
"description" : "No content."
}, "500" : {
"description" : "Internal server error."
}
}
}
},``` 
I'm struggling to reproduce this, we'll need a full minimal reproduction spec in order to validate this. Can you share that?
Below a simple schema to reproduce the case.
I reproduce on https://authress-engineering.github.io/openapi-explorer/
{
"openapi" : "3.0.1",
"info" : {
"title" : "The REST API",
"description" : "Descr.",
"version" : "2",
"x-locale" : "en_US"
},
"servers" : [ {
"url" : "/api/"
} ],
"security" : [ {
"bearerAuth" : [ ]
}, {
"basicAuth" : [ ]
} ],
"tags" : [ {
"name" : "Server",
"description" : "The server API"
}],
"paths" : {
"/saml" : {
"get" : {
"tags" : [ "Server" ],
"summary" : "Get the SP metadata",
"description" : "Get the service provider metadata",
"operationId" : "getSpMetadata",
"responses" : {
"200" : {
"description" : "Successful Operation",
"content" : {
"application/xml" : { }
}
},
"204" : {
"description" : "No content."
},
"500" : {
"description" : "Internal server error."
}
}
}
}
},
"components" : {
"securitySchemes" : {
"bearer" : {
"type" : "http",
"scheme" : "bearer"
},
"basic" : {
"type" : "http",
"scheme" : "basic"
}
}
}
}Your spec doesn't make sense to me. You've defined two security schemes for your API:
bearerandbasic
"securitySchemes" : {
"bearer" : {
"type" : "http",
"scheme" : "bearer"
},
"basic" : {
"type" : "http",
"scheme" : "basic"
}
}But then you set your security for whole API to be two schemes that don't exist in your spec:
"security" : [ {
"bearerAuth" : [ ]
}, {
"basicAuth" : [ ]
} ],Of course the API would show that there are two schemes, and not know what to show there.
So you have two problems here.
1. First you want to fix your specified security for the whole api to be:
"security" : [ {
"bearer" : [ ]
}, {
"basic" : [ ]
} ],So that they match your schemes.
2. You want to remove the schemes for your API
To do that according to the OpenAPI specification, you can remove them by adding security: [] to the endpoints in question:
"paths" : {
"/saml" : {
"get" : {
"security" : [ ],
"tags" : [ "Server" ],
"summary" : "Get the SP metadata",
"description" : "Get the service provider metadata",
"operationId" : "getSpMetadata",
"responses" : {
"200" : {
"description" : "Successful Operation",
"content" : {
"application/xml" : { }
}
},
"204" : {
"description" : "No content."
},
"500" : {
"description" : "Internal server error."
}
}
}
}
},I simplify the schema and remove the others endpoints (100+).
But I have :
- one endpoint that use basic authentication
- one public endpoint (the previous example)
- the others use bearer authentication
But seems ok to just add "security" : [ ] like you describe.
Thanks !
I'm not following what the issue is honestly. In the first endpoint, set it to basic, in the second endpoint, set it an empty array, and at the top level set it to be an array with just the bearer type. That is the guidance from the Open API Initiative specification for how to implement your scenario.
The problem was on my side, I didn't have an empty array for the security field.
Sorry for the inconvenience.
no problem at all. Cheers.