Today the scopes field on a security definition is only allowed on type=oauth.
What is the reason to not allow scopes to be defined at an api key level?
For a good example of APIs that allow auth tokens to have scopes, see GitHub's personal access tokens (https://github.com/settings/tokens/new).
Why can't I define an API and describe what scopes each endpoint needs/allows?
Is there a better place to file an issue so as to get some traction on this?
I don't see any reason why it couldn't be added to api key also. /cc @OAI/tdc
Please see https://github.com/OAI/OpenAPI-Specification/issues/1393#issuecomment-388711195 (feel free to comment on either issue).
Any feedback on potential confusion in reusing the term scopes gratefully accepted...
Any news here? I just spent a decent amount of time figuring out that there was no way to do this for anything but OAuth, which I don't use.
See PR #1764 linked to above. We hope this will be included in OAS 3.1.0.
@MikeRalphson Just wanted to check in on the status of roles/scopes being added to non-OAuth security schemas. I see in the PR you referenced above that the roles/scopes change was omitted: https://github.com/OAI/OpenAPI-Specification/pull/1764#issuecomment-460964363
However, in the big list of possibilities for 3.1, I see that the scopes on non-OAuth security schemes is checked off. Here is the PR for the change: https://github.com/OAI/OpenAPI-Specification/pull/1829
Does this mean that the concept is approved for 3.1 but just needs refinement or is it potentially on the chopping block?
This is included in the imminent 3.1 release.
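The version difference discussed in this thread, as an added example that is not part of the original issue or of any OAI tooling: a small check that walks an OpenAPI document and reports security requirements whose array is non-empty on a non-OAuth scheme. It assumes OAS 3.0.x requires that array to be empty for such schemes while 3.1 permits role names there; the sample document, its `ApiKeyAuth` scheme and the `repo:write` role are constructed for illustration.

```python
# Added example: flags non-empty scope/role lists on non-OAuth schemes,
# which OAS 3.0.x rejects and OAS 3.1 accepts as role names (assumption
# stated in the lead-in).
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
SCOPED_TYPES = {"oauth2", "openIdConnect"}  # types whose arrays carry scopes

def iter_requirements(doc):
    """Yield (location, requirement) for root-level and per-operation security."""
    for req in doc.get("security", []):
        yield "root", req
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS and isinstance(op, dict):
                for req in op.get("security", []):
                    yield f"{method.upper()} {path}", req

def check_security_requirements(doc):
    """Return findings for requirement arrays the declared OAS version rejects."""
    is_31 = str(doc.get("openapi", "")).startswith("3.1")
    schemes = doc.get("components", {}).get("securitySchemes", {})
    findings = []
    for where, req in iter_requirements(doc):
        for name, values in req.items():
            scheme = schemes.get(name)
            if scheme is None:
                # A requirement naming an undeclared scheme protects nothing.
                findings.append((where, name, "undefined security scheme"))
            elif values and scheme.get("type") not in SCOPED_TYPES and not is_31:
                findings.append((where, name, "non-empty array on non-OAuth scheme"))
    return findings

# Constructed sample document (hypothetical API, scheme and role names).
SAMPLE = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {
        "ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
    }},
    "paths": {
        "/repos": {
            "get": {"security": [{"ApiKeyAuth": []}]},
            "post": {"security": [{"ApiKeyAuth": ["repo:write"]}]},
        },
    },
}

if __name__ == "__main__":
    for finding in check_security_requirements(SAMPLE):
        print(finding)
```

Even where the document validates under 3.1, the listed roles are only documentation: the server still has to enforce them against the presented key.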