How to add an Authorize security scheme to the spec for passing x-api-key along with client id and secret in the request to get an access token

jincyv

Hi,

I want to add Authorize security scheme on spec for passing x-api-key along with client id and secret in the request to get Access Token.

I am using oauth2 and am passing client credentials under flows and token url. I want to pass an additional parameter, say x-api-key, for the authorize button to generate an access token from my proxy.

I am using this spec for creating authorize button in dev portal (Integrated portal) for try api.

Please provide me with a solution asap.

3 REPLIES

I'm not an expert on OpenAPI Spec, but I can refer to the specification. According to my understanding of OpenAPI Spec 3.0, there are 4 security schemes: "apiKey", "http", "oauth2", "openIdConnect".

Also in the spec it says the security requirement for an API can stipulate one or more schemes. That means you could require apikey and http, for example.

There is no scheme for "client id and secret", but http basic ought to suffice. So it's a matter of using apikey and http, and then documenting that the apikey header must be x-api-key and that the http basic header must encode the client id and secret.

One note: In Apigee the apikey is normally the same as the client id. Those are two different terms for the same data item; they're used at different times to indicate different purposes. So ... not sure but you should check this.

Please provide me with a solution asap.

Ha. Very funny.
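The combination described in the reply above, written out as an OpenAPI 3.0 fragment. This is an added example, not part of the original thread or an Apigee sample; the host, the `/oauth/token` path and the scheme names `ApiKeyHeader` and `ClientBasic` are assumptions.

```yaml
openapi: 3.0.3
info:
  title: Token endpoint (constructed example)
  version: "1.0"
servers:
  - url: https://api.example.com   # placeholder host
components:
  securitySchemes:
    ApiKeyHeader:                  # hypothetical scheme name
      type: apiKey
      in: header
      name: x-api-key
    ClientBasic:                   # hypothetical scheme name
      type: http
      scheme: basic
      description: Username is the client id, password is the client secret.
paths:
  /oauth/token:                    # hypothetical path
    post:
      summary: Obtain an access token
      security:
        # One requirement object naming both schemes: both must be sent (AND).
        # Two separate list items would instead be alternatives (OR).
        - ApiKeyHeader: []
          ClientBasic: []
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required: [grant_type]
              properties:
                grant_type:
                  type: string
                  enum: [client_credentials]
      responses:
        "200":
          description: Access token issued
        "401":
          description: Missing or invalid x-api-key or client credentials
```

Each scheme is declared separately under `components.securitySchemes`; the single `security` entry is what makes the API key and the basic credentials jointly required.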

Hi,

Thanks for the response. I tried clubbing 2 schemes as you have suggested. I tried using apiKey and http. I am attaching the screenshot of the authorize form here.

9634-authorise-screen.png

I want one single authorize button in the form. I didn't understand how this will work with 2 authorize options. Please guide me if I am making any mistake.

Hi,

I did not have a solution till this date. I checked in the OpenAPI Spec 3 forum for a solution.

I want to use oauth2 as the security policy for many reasons. The api key (the app key) verification policy will fail when I try to authorize from the Integrated Portal using the security schema oauth in the spec.

I am using client_credentials as grant_type and want to pass the key in a header along with the client credentials (which is nothing but key+secret).

Any help will be appreciated as this is a critical issue and is impacting our business requirements.