Uploaded image for project: 'Red Hat 3scale API Management'
  1. Red Hat 3scale API Management
  2. THREESCALE-3370

Provide OpenAPI 2.0 security definitions in ActiveDocs

XMLWordPrintable

    • Icon: Enhancement Enhancement
    • Resolution: Obsolete
    • Icon: Major Major
    • None
    • 2.2 CR2
    • System
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Not Started

      Currently the OpenAPI (Swagger) document published via ActiveDocs does not include securityDefinitions section and in order for the exposed API to used in Fuse Online as Custom API client connector that information needs to be present otherwise no authentication will be provided to the APIcast and access will be denied.

      We need support for securityDefinitions for the following cases.

      API Key authentication

      I've noticed that by default HTTP parameters are used for API Key authentication and that the OpenAPI document in ActiveDocs declares the API Key parameter as one of the request parameters of an operation. Whereas in Fuse Online we rely on securityDefinitions to distinguish between operation parameters that are available in the integration editor and the Atlasmap and connection parameters that are defined outside integration.

      Here are examples of API Key authentication securityDefinitions:

      1. API Key authentication provided in user-key HTTP header: 
        securityDefinitions:
  user-key:
    type: apiKey
    name: user-key
    in: header
      2. API Key authentication provided in user_key query parameter: 
        securityDefinitions:
  user-key:
    type: apiKey
    name: user_key
    in: query

      OAuth authentication

      In testing OAuth token wasn’t accepted by 3scale (I got HTTP/1.1 403 Forbidden with Authentication failed in the body), further testing is required to make sure the OAuth client in Fuse Online and 3scale OAuth authentication (configured with RH SSO 7.2) perform correctly.

      In the securityDefinitions of the OpenAPI 2.0 document we need the following:

      securityDefinitions:
  oauth2:
    type: oauth2
    flow: accessCode
    authorizationUrl: 'https://rhsso-hostname/auth/realms/master/protocol/openid-connect/auth'
    tokenUrl: 'https://rhsso-hostname/auth/realms/master/protocol/openid-connect/token'
    scopes: {...}

      The URLs are to the best of my knowledge correct for the OAuth usage with RH SSO and 3scale.

      By default Fuse Online will request all OAuth scopes listed in the security definition in the OAuth exchange.

      HTTP Basic authentication

      Not supported by 3scale to the best of my knowledge, it is supported in Fuse Online. To specify HTTP Basic authentication is used to protect the service following securtyDefinitions can be provided:

      securityDefinitions:
  username_password:
    type: "basic"

              Unassigned Unassigned
              zregvart@redhat.com Zoran Regvart (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: