How to define role/permission security in Swagger

swagger swagger-ui swagger-2.0
14,578

If your API uses oAuth authentication, you can use scopes for this. There is no standard way to represent roles in Swagger/OpenApi against basic authentication, so you are left using vendor-extensions (which the tools such as Swagger-UI or swagger2markup have no way of interpreting, as you have found), or including the information as text in summary or description properties.

You could define multiple securityDefinitions all of type basic and use one per role but this is a bit of a hack.

See also this issue https://github.com/OAI/OpenAPI-Specification/issues/1366 for a proposal to widen the use of scopes to other security schemes.

Share:
14,578

Related videos on Youtube

whatsTheDiff
Author by

whatsTheDiff

Updated on September 15, 2022

Comments

  • whatsTheDiff
    whatsTheDiff over 1 year

    In my API documentation, I would like to define the security necessary for each API endpoint. The project has defined roles and permissions that determine which users can access the APIs. What is the best way in Swagger to document this information? Is there a best practice or recommendation on how to show this detail?

    This what I tried out using securityDefinitions and a self-defined variable for the roles, but that information (x-role-names) didn't get copied over into the documentation when I ran it through swagger2markup or using swagger-ui.

        "securityDefinitions": {
    "baseUserSecurity": {
          "type": "basic",
          "x-role-names": "test"
       }
    }

    What's the best way to document the role and permission information per endpoint?

  • whatsTheDiff
    whatsTheDiff over 7 years
    I see description in the spec but don't see synopsis. Which version is it available in? Either way, unfortunately, those only seem to get displayed in the generic Security block and not with each API call which would be more ideal. It looks like defining the scope with basic is allowed with swagger2markup but is against the spec, so I can "hack" that to get it to be more like I would hope - but still not ideal.
  • MikeRalphson
    MikeRalphson over 7 years
    Sorry, I was thinking of 'summary' not 'synopsis', this would be at the operation level though, not securityDefinition.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to document OData endpoints (swagger, swashbuckle, other)?
Following swagger specifications, how can I define json of nested objects to yaml?
Multi-level (nested) tagging in Swagger UI
Swagger UI does not list any of the controller/end points though I am able to see the json under v2/api-docs endpoint
How do you define an array of different examples in a Swagger spec?
How to provide example value to a Response Body of content-type: text/html in Swagger (to test with dredd)
configure swagger-ui with maven
@ApiResponses and @ApiResponses in swagger
CORS issue on Swagger UI
How to change Swagger-ui URL prefix?