Skip to content
This repository has been archived by the owner on Feb 12, 2022. It is now read-only.

Unable to override custon SecurityScheme settings #816

Open
vbartusevicius opened this issue Apr 1, 2018 · 4 comments
Open

Unable to override custon SecurityScheme settings #816

vbartusevicius opened this issue Apr 1, 2018 · 4 comments
Labels
question waiting-for-response

Comments

@vbartusevicius
Copy link

vbartusevicius commented Apr 1, 2018
edited
Loading

Followed by https://github.com/raml-org/raml-spec/blob/master/versions/raml-10/raml-10.md/#settings I created custom JWT security scheme and want to apply it with some overridden parameters as described in https://github.com/raml-org/raml-spec/blob/master/versions/raml-10/raml-10.md/#applying-security-schemes

Take this RAML as example:

#%RAML 1.0
title: Secured API
securitySchemes:
  JWT:
    type: x-jwt
    describedBy:
      headers:
        Authorization:
          description: Valid Bearer jwt token
          type: string
          required: true
      responses:
        401:
          description: Bad or expired token.
        403:
          description: Access denied not valid privilage in resurces
    settings:
      issueUri: https://www.dropbox.com/1/oauth/authorize
      scope: [read, create]

/some-resource:
  get:
    securedBy:
      - JWT: { scope: [ read ] }
    description: Retrieve Some Resource

When parsed, it gives error:

[
  {
    "code": "UNKNOWN_NODE",
    "message": "Unknown node: 'scope'",
    "path": "api.raml",
    "range": {
      "start": {
        "line": 23,
        "column": 15,
        "position": 530
      },
      "end": {
        "line": 23,
        "column": 20,
        "position": 535
      }
    },
    "isWarning": false
  }
]

Cannot find anything wrong with RAML, it seems parser contradicts description given in specification that it is possible to override security scheme parameter.
@KonstantinSviridov
Copy link
Contributor

Hi @vbartusevicius !

In fact, the field name is scopes, not scope
https://github.com/raml-org/raml-spec/blob/master/versions/raml-10/raml-10.md#oauth-20

Please, let us know if you still have problems with it.

Regards,
Konstantin

@KonstantinSviridov
Copy link
Contributor

Sorry, @vbartusevicius

I have not noticed at first, that you're trying to use scope setting within a custom security scheme.
Raml does not support settings for custom security schemes, so, you have to somehow reimplement your security scheme as Oauth 2.0.

@vbartusevicius
Copy link
Author

@KonstantinSviridov - I thought about it, but haven't found it clearly stated that settings is not supported in custom scheme - https://github.com/raml-org/raml-spec/blob/master/versions/raml-10/raml-10.md/#x-other

x- authentication methods do not have any specific settings defined, as the implementation of these methods is unknown as a standard to RAML.

It says there is no specific settings, by my understanding it means "no validation/use as you want".
If it's possible, could you explain it more clearly?

@postatum
Copy link
Contributor

Note that raml-js-parser-2 has been deprecated, the new official parser is webapi-parser. Feel free to attempt to reproduce this issue with webapi-parser and report any issue you may have on that repository.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
question waiting-for-response
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@postatum @KonstantinSviridov @vbartusevicius