Connexion: openapi3/jwt Example broken

Created on 28 Jun 2019 · 7 comments · Source: zalando/connexion

Description

The openapi3/jwt example seems to be broken: https://github.com/zalando/connexion/blob/master/examples/openapi3/jwt/openapi.yaml

When I authenticate with the returned token, I'm still getting a 401 "No authorization token provided".

In addition I really wonder what the 'secret' portion here means

security:
  - jwt: ['secret']

https://github.com/zalando/connexion/blob/master/examples/openapi3/jwt/openapi.yaml#L37

Expected behaviour

I can call the /secret API

Actual behaviour

401 "No authorization token provided".

Steps to reproduce

follow example README

Additional info:

Output of the commands:

  • python --version: Python 3.6.7
  • pip show connexion | grep "^Version\:": Version: 2018.0.dev1 (from github)

All 7 comments

Did you call the "/auth/{user_id}" endpoint in order to acquire your jwt token first?

e.g. on localhost: http://127.0.0.1:8080/auth/12

(Hint: If you install swagger-ui support for connexion with _pip install connexion[swagger-ui]_ you can use http://127.0.0.1:8080/ui/ as described in the readme of the example.)

yes, I followed the instruction in the README.rst [1] using the swagger-ui

  • Now open your browser and go to http://localhost:8080/ui/ to see the Swagger UI.
  • Use endpoint /auth to generate JWT token, copy it,
  • then click Authorize button and paste the token.
  • Now you can use endpoint /secret to check authentication.

Is it working for you? If so, please share the userid you have used.

I used the userid "12" (int) from the example [1]. Anyhow I wonder how it should work out. The secret API is configured with this auth information

security:
  - jwt: ['secret']

How does the userid map to the "secret"? I also changed the userid to be a string and provided "secret" as username, but that didn't do the trick either. Maybe I'm misunderstanding the concept of the jwt integration in connexion but unfortunately the docs don't tell me more. So any help is appreciated.

Thanks!

[1] https://github.com/zalando/connexion/blob/master/examples/openapi3/jwt/README.rst

With version 2.2.0 and 2.3.0 of connexion it is working fine.

When trying to reproduce your problem I recognized that "connexion>=2.0.0rc3" from the requirements.txt of the example installs version "2018.0.dev1" instead of the newest one. The name convention got broken by this pre-release. Replace the line in the requirements.txt with e.g. "connexion=2.3.0" and you should be fine.

edit: Seems like the main problem is that in the example a release candidate instead of a regular release is used. Normally pre-releases are excluded according to: https://www.python.org/dev/peps/pep-0440/#handling-of-pre-releases

Hi, thanks! Yes with version 2.2.0 it's working - I should have realized the weird version number... sorry for that. I think updating the requirements file will fix the issue.

But can you tell me what the "secret" in this definition does?

security:
  - jwt: ['secret']

I changed it to "foo" and later to "[]" but still everything worked. Is there a way to use scoped JWTs? E.g. only JWTs that contain a certain "secret" are allowed to use that particular API.

I checked it out, but it seems that the scope is not checked in any way. It does not matter what you put into your JWT payload "scope".

Is there any way in which we can get the scopes ("secret" in this case) inside an endpoint? My idea is based on the scope defined in the swagger file I need to change the behavior of my end point logic.

Stumbled upon this issue needing to use scopes with the JWT scheme for RBAC permissions using Auth0 as an authz provider. A way to configure scopes per endpoint _even for JWT_ would be helpful. Right now, I have a scope validation function within every controller endpoint.
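Since the thread finds that the scope list on the JWT scheme is not checked, the check has to live in the controller, as the last comment describes. The following is an added example, not code from the connexion project or its jwt example: a stdlib-only token-info function (the kind connexion's x-bearerInfoFunc points at) that verifies an HS256 token and exposes its scope claim, plus a decorator that enforces the spec's scopes inside the handler. The secret value, the space-separated "scope" claim format and all helper names are assumptions.

```python
import base64, hashlib, hmac, json, time
from functools import wraps

JWT_SECRET = "constructed-example-secret"  # placeholder only; load from config in a real app

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> bytes:
    return hmac.new(JWT_SECRET.encode(), signing_input.encode(), hashlib.sha256).digest()

def generate_token(user_id, scopes, lifetime=600):  # HS256 JWT with a space-separated 'scope' claim
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": str(user_id), "exp": int(time.time()) + lifetime,
                                  "scope": " ".join(scopes)}).encode())
    return f"{header}.{payload}.{_b64url(_sign(header + '.' + payload))}"

def decode_token(token):
    """Token-info function for the bearer scheme: verified claims, or None so connexion answers 401."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if (json.loads(_b64url_decode(header_b64)).get("alg") != "HS256"
                or not hmac.compare_digest(_sign(header_b64 + "." + payload_b64), _b64url_decode(sig_b64))):
            return None  # wrong algorithm (e.g. 'none') or signature mismatch: tampered or foreign token
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, AttributeError):  # malformed segments, base64, JSON or non-object header
        return None
    if claims.get("exp", 0) < time.time():
        return None  # expired
    claims["scopes"] = claims.get("scope", "").split()  # the list the controller checks against
    return claims

def require_scopes(*needed):  # controller decorator: 403 unless token_info carries every listed scope
    def decorator(fn):
        @wraps(fn)
        def wrapper(*args, token_info=None, **kwargs):
            # connexion only reaches the handler after decode_token accepted the token,
            # and passes its return value as token_info
            missing = sorted(set(needed) - set(token_info.get("scopes", [])))
            if missing:
                return {"detail": f"Token lacks required scope(s): {missing}"}, 403
            return fn(*args, token_info=token_info, **kwargs)
        return wrapper
    return decorator

@require_scopes("secret")  # mirrors `security: - jwt: ['secret']` on /secret in the example spec
def get_secret(token_info=None):
    return f"You are user {token_info['sub']} with scopes {token_info['scopes']}"
```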
