[BUG] OpenAPI UI doesn't apply Authorization header present in the spec about openapi3 HOT 4 CLOSED

It's "bug" in the openapi spec: https://spec.openapis.org/oas/v3.1.0.html#fixed-fields-9

If in is "header" and the name field is "Accept", "Content-Type" or "Authorization", the parameter definition SHALL be ignored.

For authentication you should use security section instead

from openapi3.

oh, thanks for pointing at the spec section! Let me verify that it works as intended once I add it, and then I'll close the issue.

from openapi3.

Hi,

Thanks for the report. As @stevladimir mentioned, Authorization should be handled through corresponding mechanism in OpenAPI, not with per-path headers. Look for "security schemes" and "security requirements" in the spec and in this package.

I will close this as there is nothing I can do on the library's part. If you run into problems with defining security schemes, please open a new issue.

from openapi3.

@maksbotan Hi!

I'd like to clarify whether defining security schemes for OpenAPI values is just enought to enable authorization headers in UI requests to respective endpoints, or is it also a requirement to remove existing "Authorization" headers from endpoint definitions?

I've got this security schema applied:

openApiSpec :: OpenApi
openApiSpec =
    -- Combine 'Public' spec
    toOpenApi publicSpec
    <>
    -- with JWT 'Protected' spec so that
    (toOpenApi protectedSpec
            -- there's a common components section that defines 'myJWT' security scheme under "jwtToken" name
            & components . securitySchemes . at "jwtToken" ?~ myJWT
            -- and all operations in this part of the spec are required to use "jwtToken" security scheme
            & allOperations . security .~ [SecurityRequirement $ mempty & at "jwtToken" ?~ []]
            -- and that implies that the endpoints could return 401 alongside normal responses defined elsewhere
            & canReturn401Response
    ) where
        myJWT                = SecurityScheme (SecuritySchemeHttp . HttpSchemeBearer . Just $ "jwt")
                                              (Just "jwt token")
        canReturn401Response = setResponse 401 (pure $ mempty & description .~ "Authorization failed")

I can see that the corresponding OpenAPI spec has properly associated the common securitySchemes section with endpoints' security sections, yet the interactive UI is still not sending the Authorization header when I fill it with a Bearer <token> value.

Is that because my endpoints are still using Servant's Header "Authorization" JwtValue combinators alongside OpenApi security definitions?

from openapi3.