Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

thoughts about auth strategies #32

Open
calfzhou opened this issue Mar 5, 2015 · 16 comments
Open

thoughts about auth strategies #32

calfzhou opened this issue Mar 5, 2015 · 16 comments

Comments

@calfzhou
Copy link
Contributor

calfzhou commented Mar 5, 2015

Current strategies (default, protected, and swagger) are not very handy to use. I guess that swagger could be an additional configuration, injecting swagger specific syntax. And for the protected, maybe there could be a class method such as oauth_all (see the guard! and guard_all! in this demo app) which could protect the entire class.
@antek-drzewiecki
Copy link
Owner

Good thinking. This would be a great improvement. This is actually what the protected strategy is doing.
The reason why strategies were introduced is because it was quite difficult to protect an entire class and inject swagger syntax on class loading. I'll be happy to accept PR's that lead into simplifying protection of the API.

@sunnyrjuneja
Copy link
Contributor

I'm in agreeance here. I'm happy to send a PR that moves swagger as a configuration option but I'm having a hard time understanding what the difference is between the swagger and default strategy. Do you mind explaining how the swagger strategy works @antek-drzewiecki?

@sunnyrjuneja
Copy link
Contributor

Also, @calfzhou, right now, the protected strategy automatically protects all endpoints (similar to guard_all! is doing now). Protecting an entire class is interesting idea. Maybe we can add that as a method on the default strategy.

@calfzhou
Copy link
Contributor Author

@whatasunnyday , agree with you.

The only problem for class level protection (guard_all!) is as @antek-drzewiecki mentioned, that you still need add an oauth2 SCOPES to each endpoint to inject swagger doc.

@sunnyrjuneja
Copy link
Contributor

@antek-drzewiecki sorry to ping you again but what is the difference between swagger strategy and default?

@antek-drzewiecki
Copy link
Owner

@whatasunnyday no problem. The difference is that the swagger strategy inject an authentication hash in the endpoint description that is compliant with grape-swagger. Grape-swagger will generate valid Swagger-UI json with the authentication options. Finally Swagger UI can parse the output and set authentication toggles. WineBouncer then uses this authentication hash to authenticate the scopes. Injecting the authentication hashes in the grape endpoints is the main purpose of the strategy. Currently the injection of the authentication hashes and and the authentication process are intertwined, but this could become separate methods.

To summarize, the swagger strategy is default strategy + authentication hash injection.

I hope you understand the goal of the swagger strategy now.

Here are some link to the spec link and the actual endpoint spec. Since the spec is hard to read. Ill give you an example how the hash should look like:

authorizations: {
  oauth2: [
    { 
     scope: "required_scope"
    }
  ]
}

Here are some more resources.
Swagger UI example: https://grape-doorkeeper.herokuapp.com/documentation
Raw output of the example as generated by swagger: https://grape-doorkeeper.herokuapp.com/api/v1/swagger_doc/me
Sample app on github: https://github.com/sethherr/grape-doorkeeper

@penso
Copy link
Contributor

penso commented Dec 24, 2015

@antek-drzewiecki Am I wrong thinking the documentation link should show the oauth calls in swagger? That's the reason I wanna use wine_bouncer and using the :swagger auth strategies I see none.

@antek-drzewiecki
Copy link
Owner

You are not wrong @penso. It should, but it relies on the grape-swagger gem to get the the authentication buttons in swagger. Adding the grape-swagger gem should fix it for you.

@penso
Copy link
Contributor

penso commented Dec 24, 2015

@antek-drzewiecki I actually have gem 'grape-swagger' but I still don't see it. I'll dig further then.

@antek-drzewiecki
Copy link
Owner

@penso is your endpoint also tagged with scopes like: oauth2 'public', 'write' ?
Then the endpoint json should really include the authorizations tag.

@penso
Copy link
Contributor

penso commented Dec 25, 2015

@antek-drzewiecki Sorry I meant I don't see any documentation about the /oauth/token endpoints to tell my users which endpoint they should be using for the oauth part. I wasn't talking about the authorization tag (which being honest, I haven't looked at yet). But I do see something on the right side of the API documentation listing my scope so I guess that part is working.

@antek-drzewiecki
Copy link
Owner

Merry Christmas! swagger-ui doesn't give much information regarding the OAuth end points to be honest. You will be probably ending writing your own documentation for that part. As far as I know swagger ui only documents your endpoints.

The scope part is indeed working then!

If I'm delayed while writing back I am on a small holiday ;)

Op 25 dec. 2015 om 13:19 heeft Fabien Penso [email protected] het volgende geschreven:

@antek-drzewiecki Sorry I meant I don't see any documentation about the /oauth/token endpoints to tell my users which endpoint they should be using for the oauth part. I wasn't talking about the authorization tag (which being honest, I haven't looked at yet). But I do see something on the right side of the API documentation listing my scope so I guess that part is working.


Reply to this email directly or view it on GitHub.

@penso
Copy link
Contributor

penso commented Dec 25, 2015

@antek-drzewiecki Don't you think wine_bouncer should generate the endpoint documentation so they appear in swagger? The only way for me to include those right now would probably to fake methods in Grape, as detailed in http://stackoverflow.com/questions/27661166/how-i-can-add-an-external-api-documentation-into-swagger-using-grape-swagger

@antek-drzewiecki
Copy link
Owner

Hi @penso , its a good idea though. Do you mean it should generate an separate swagger (json) documentation for the authentication endpoints?

Otherwise I still see some issues. Having a look at the OAuth2 spec the spec talks about an resource and an authentication server. The resource and authentication server can have different base urls. The resource can be api.website.xx and the authentication can be auth.website.xx. This will be really confusing when they are under one documentation scheme.

@penso
Copy link
Contributor

penso commented Dec 25, 2015

I think on many projects you actually have the same base url, so you probably would like to be able to do either (two swagger files, or one) depending on your usage. Having all within the same swagger is nice when you have the same base url.

@nlsrchtr nlsrchtr mentioned this issue Feb 20, 2018
Open
@echan00
Copy link

echan00 commented Apr 27, 2020

@penso did you find a solution? I'm also hoping for the oauth endpoints to be in swagger documentation.

If you've manually described them in your project, it would be great if you could share.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@penso @antek-drzewiecki @sunnyrjuneja @calfzhou @echan00