OpenAPI Spec using JWT Bearer authentication is re...

ztibbitts · 05-14-2019 09:34 AM

I have described the requirement of a Authorization header with a Bearer Token, and inside of the editor, in the live preview, I can click the Authorize button and I get this dialog, as I would expect:

However, in the Developer Portal, it tries to use Http Basic Auth:

How can I get the Developer Portal to allow the user to input a Bearer token for their Authorization?

cjking

Unfortunately this is a known issue.

The best workaround available is to use the API key option in the Authentication header, and manually add the "Bearer" text to the front. The OpenAPI spec setup required for this is:

components:
  securitySchemes:
    AuthHeader:        
      type: apiKey
      in: header       
      name: Authorization

sandr

This approach doesn't work, actually. If you see the generated curl or HTTP example in SmartDocs (dev portal), you'll see that the token isn't added to the "Authorization" header.

The OpenAPI specification specifically says that the apiKey type is added to the request URL. Example: https://some-api.com/endpoint?apiKey=laksjdfklasjlfkjdsla

The only valid (OpenAPI-compatible) way to add JWT as "Bearer {token}" is by using the following configuration (which Apigee's Dev Portal doesn't support, unfortunately):

paths:
  /path:
    security:
      - bearerAuth: []

components:
  bearerAuth:
    type: http
    scheme: bearer
    bearerFormat: JWT

OpenAPI Spec using JWT Bearer authentication is reflected in Editor, but Developer Portal shows UI for HTTP Basic Auth