I've used connexion for a few years now, and back then you didn't have support for JWT, so I've implemented my own authenticator.
The problem now is that I was trying to upgrade connexion and it fails because by default you don't allow the request to go through if there are invalid parameters in the security definitions like missing the x-tokenInfoFunc, etc.
I can see a hacky way of doing this, just provide a function that returns True.
But I was wondering if there isn't a way to simply disable the auth done by connexion, as I'm doing it myself leveraging the before_request in flask.
You should be able to add empty security definitions to any paths that you want to have no security for. You can just include that in your API Spec. See here
Yeah, but the thing is I need the definitions to be there because my plugin leverages them.
I was wondering if there isn't a flag to just turn off security in connexion.
I was going through the code and it seems there is such a thing.
Options passed to the connexion App seemed a good place to put this in.
I really don't want to have code in my application that mocks stuff in the connexion code, it's way too hacky.
Let me just add that I don't seem to be able to use the JWT addition on connexion as it seems to be only supported by OpenAPI 3.
I'm still on swagger 2, so I really need to use my custom plugin.
Actually, scratch that. It seems there is support for JWT using swagger 2.0 as well, via vendor extensions.
Oh, I see, I misunderstood your original question. My bad!
@gustavooferreira I don't think there's a way to disable security that you've explicitly enabled in the spec.
Can you change your before_request decorator to be called as the x-tokenInfoFunc?
I could potentially do that but after having a look at how connexion implements JWT tokens, it won't help me much, because my auth method is actually based off OAuth and I use the JWT token to pass the auth info around (as most people do).
I'm still on swagger 2.0 and the way connexion implements this for that version is by specifying an AppKey which is not what I'm doing, so if I were to set it up like that I would lose the information (from the spec) about what is the OAuth server URL (more specifically the TokenURL) and also the scope list.
I'll try to monkey patch the function that does the auth in connexion with my own and try to nullify the auth parsing bit, quite a bit too hacky, but it seems I have no other options, unfortunately.
Yes, an option to disable security and still have the openapi security definitions in place would be awesome.
There are just too many options to handle security (and even allow multiple security methods), that would be feasible to cover within connexion.
Maybe connexion security could be just a built-in option, and if not wanted you are free to use your own without sacrificing the openapi definitions.
I would like to see this option too. I need to implement a security system not supported by Connexion (API key consisting of two headers, API-KEY and API-SECRET, see https://github.com/zalando/connexion/issues/586) for my application. Right now I can't specify this in my API definition, as Connexion won't start due to an 'Error in security definitions'.
My use case for wanting this as well: authentication is handled before the request even touches the app. I don't want proper security implementation to be the responsibility of the API itself, I want that to be a security control in front of the entire app stack.
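When enforcement lives outside connexion, as several comments above describe, the external authenticator still has to derive each operation's requirements from the Swagger 2.0 spec, including the empty `security: []` override mentioned earlier in the thread. The following is an added example, not code from connexion or from any participant; the `SPEC` fragment, its token URL and the function names are constructed for illustration.

```python
# Added example: resolve effective Swagger 2.0 security per operation so an
# external authenticator can enforce it. SPEC is constructed sample data.
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

SPEC = {  # constructed Swagger 2.0 fragment
    "swagger": "2.0",
    "securityDefinitions": {
        "oauth2": {
            "type": "oauth2",
            "flow": "password",
            "tokenUrl": "https://auth.example.com/token",
            "scopes": {"read": "read items", "write": "modify items"},
        }
    },
    "security": [{"oauth2": ["read"]}],  # global default
    "paths": {
        "/items": {
            "get": {"responses": {"200": {"description": "ok"}}},
            "post": {"security": [{"oauth2": ["read", "write"]}],
                     "responses": {"201": {"description": "created"}}},
        },
        "/health": {  # explicit opt-out via an empty requirement list
            "get": {"security": [], "responses": {"200": {"description": "ok"}}},
        },
    },
}

def effective_security(spec):
    """Map (METHOD, path) -> list of alternatives; each alternative maps a
    scheme name to its required scopes. An empty list means no auth."""
    defs = spec.get("securityDefinitions", {})
    default = spec.get("security", [])
    result = {}
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip "parameters", "$ref", vendor extensions
            # Operation-level "security" replaces the global one, even if [].
            reqs = op["security"] if "security" in op else default
            for alt in reqs:
                unknown = sorted(set(alt) - set(defs))
                if unknown:  # fail closed on a scheme the spec never defines
                    raise ValueError(f"{method.upper()} {path}: undefined {unknown}")
            result[(method.upper(), path)] = reqs
    return result

def unauthenticated_operations(spec):
    """Operations an external enforcer would admit without credentials."""
    return sorted(k for k, v in effective_security(spec).items() if not v)
```

Reviewing the output of `unauthenticated_operations` at deploy time makes every `security: []` opt-out an explicit, auditable decision rather than something discovered later.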