Authorization & securitySchemes¶

OAS allows to specify authorization policies in the spec, under components.securitySchemes.

Between supported security schemes we have:

  • oauth and oidc
  • basic auth
  • JWT
  • mutualTLS ( in OAS 3.1 )

When passing credentials in HTTP headers or payload you MUST use TLS

connexion can reference a python function via x-basicInfoFunc. Authenticated operations gets user informations via the user parameter.

OAS3: basic auth¶

Here we are defining the myBasicAuth security scheme.

components:
 securitySchemes:
   myBasicAuth:
     type: http
     scheme: basic
     x-basicInfoFunc: security.my_auth

We can then reference myBasicAuth in one or more paths

paths:
  /echo
    get:
      security:
      - myBasicAuth: []
      ...
      operationId: api.get_echo
      ...

OAS3 Exercise: add securitySchemes¶

Modify the OAS3 spec in ex-06-01-auth.yaml and:

  • add a myBasicAuth security schemes like the above;
  • reference myBasicAuth in get /echo path;
  • validate the spec in your swagger editor and check what changed in the swagger-ui

Implement my_auth¶

Implement the my_auth function in security.py so that:

  • when username == password the user is authenticated

Use the cell below to implement it,

In [ ]:
# Test here the my_auth implementation.
def my_auth(username, password,required_scopes=None):
    """An dummy authentication function.
       :params: username, the username
       :params: password, the password
       :params: scopes, the scope
       :returns: `{"sub": username, "scope": ""}` on success,
                 None on failure
    """
    raise NotImplementedError

Add user support in get_echo¶

Operations like get_echo gets user informations via the user param.

Modify get_echo in api.py such that:

  • unauthenticated replies returns a 401 http status
  • the authenticated reply contains user informations {"timestamp": "2019-01-01T21:04:00Z", "user": "jon"}
In [ ]:
def get_echo(tz, user=None):
    """
        :param: tz, the timezone
        :param: user, the authenticated user passed by `connexion`
    """
    raise NotImplementedError

Test the my_auth implementation¶

Run the spec in the terminal with the usual

In [ ]:
connexion run /code/notebooks/oas3/ex-06-01-auth-ok.yaml
In [ ]:
render_markdown(
f'''

Play a bit with
[Swagger UI]({api_server_url("ui")})

''')
In [ ]:
# Try to curl some requests!
!curl http://localhost:5000/datetime/v1/echo -kv

Bearer token & JWT Security¶

Bearer tokens are supported:

  • in OAS via the scheme: bearer
  • in connexion via the x-bearerInfoFunc
components:
  securitySchemes:
    jwt:
      type: http
      scheme: bearer
      bearerFormat: JWT
      x-bearerInfoFunc: security.decode_token

Once you send the header

Authorization: Bearer token

the token string will be passed to a function like the following

NOTE: the bearerFormat is a free identifier of the token format and the associated syntax may not be enforced by the spec.

In [ ]:
def decode_token(token):
    """
        :param: token, a generic token
        :return: a json object compliant with RFC7662 OAUTH2
    """

    if token_is_valid:
        return {
             'iss': 'http://api.example.com',
             'iat': 1561296569,
             'exp': 1561296571,
             'sub': 'ioggstream',
             'scope': ['local']
            }

You can learn more on Connexion Security on:

  • https://github.com/zalando/connexion/blob/master/docs/security.rst

A complete JWT example is here