role based token authentication with apikey security in openapi swagger connexion


Describing the problem

I was struggling the last few days to figure out how to use apikey security in openapi, swagger, connexion for role based token authentication. The following OpenAPI 3.0 endpoint definition:

/lab/samples/list:
    get:
      tags:
      - lab
      summary: get a list of all registered samples
      operationId: list_samples
      responses:
        "200":
          description: successfully returned all available samples and their notification status
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Sample-For-Lab'
                x-content-type: application/json
        "400":
          description: invalid request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/inline_response'
      security:
      - bearerAuth: ['labuser']

with the corresponding security definition

securitySchemes:
    bearerAuth:
      type: apiKey
      name: Authorization
      in: header
      x-apikeyInfoFunc: swagger_server.controllers.authorization_controller.check_bearerAuth

So far so good. I built the corresponding server stubs using swagger-codegen, which follow the connexion security model and provide two fields: api_key, i.e. the bearer token, and required_scopes, which should contain 'labuser'. When accessing the endpoint, the controller function is called:

def check_adminuserAuth(api_key, required_scopes):
    # returns token info; the closing quote was missing in the original
    return {'sample_key': 'sample_value'}

While the bearer token is properly passed, required_scopes is None. So there's no way of actually validating whether the credentials and permissions shown in the provided token match the endpoint's required scope of labuser in the authorization controller. I thought about handling validation in the called endpoint list_systemusers(), but the token is not passed on by connexion.

Not supported in OpenAPI 3.0

After doing some digging, I found out that OpenAPI 3.0 provides apiKey validation on a global API level (i.e. authenticated or not), but does not offer support for individual scopes per endpoint. If you want individual scopes, you need to switch to OAuth security. However, support for security scopes through apiKey security is coming in OpenAPI 3.1.


Workaround

So for now the only way of making bearer token security with individual scopes work is to actually define a security scheme for every scope, e.g.

securitySchemes:
    adminuserAuth:
      type: apiKey
      description: Provide your bearer token in the format **Bearer <token>**
      name: Authorization
      in: header
      x-apikeyInfoFunc: swagger_server.controllers.authorization_controller.check_adminuserAuth
    statsuserAuth:
      type: apiKey
      description: Provide your bearer token in the format **Bearer <token>**
      name: Authorization
      in: header
      x-apikeyInfoFunc: swagger_server.controllers.authorization_controller.check_statsuserAuth
    labuserAuth:
      type: apiKey
      description: Provide your bearer token in the format **Bearer <token>** 
      name: Authorization
      in: header
      x-apikeyInfoFunc: swagger_server.controllers.authorization_controller.check_labuserAuth

and on the path definition then add your required security authentication schemes:

security:
- labuserAuth: []
- adminuserAuth: []
x-openapi-router-controller: swagger_server.controllers.lab_controller

Now I know, by which authorization controller method is called, the required scope a user needs to show, and can therefore validate it against the ones shown in the token.
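The authorization controller side of this workaround, as an added example that is not code from the question, the answer, or the connexion project: one x-apikeyInfoFunc per security scheme, each bound to the single role its scheme stands for. Connexion calls the function as f(api_key, required_scopes) with the raw Authorization header value, treats a None return as "not authenticated" (401), and passes a returned dict to the endpoint as token_info. The token table, the token values, and the helper names (parse_bearer, make_role_checker) are assumptions made for this example.

```python
"""Per-role apikeyInfoFunc implementations for the per-scope securitySchemes
workaround (added example; token store and names are constructed)."""

from typing import Callable, Dict, List, Optional

# Constructed sample data for the example: opaque bearer tokens and the
# roles they carry. Placeholder values, not real credentials. A real service
# would verify a signed token or look the token up in its own store.
TOKEN_ROLES: Dict[str, List[str]] = {
    "tok-alice": ["labuser"],
    "tok-bob": ["adminuser", "statsuser"],
    "tok-carol": [],
}


def parse_bearer(header_value: Optional[str]) -> Optional[str]:
    """Return the token from an 'Authorization: Bearer <token>' header value,
    or None if the header is absent or not in that format."""
    if not header_value:
        return None
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def make_role_checker(role: str) -> Callable[[str, Optional[List[str]]], Optional[dict]]:
    """Build an apikeyInfoFunc that accepts only tokens carrying `role`.

    OpenAPI 3.0 apiKey schemes carry no scopes, so required_scopes arrives
    as None and is ignored; the role is fixed by which scheme (and therefore
    which function) connexion invoked for the endpoint.
    """

    def check(api_key: str, required_scopes: Optional[List[str]] = None) -> Optional[dict]:
        token = parse_bearer(api_key)
        if token is None:
            return None  # malformed or missing header -> connexion answers 401
        roles = TOKEN_ROLES.get(token)
        if roles is None:
            return None  # unknown token -> 401
        if role not in roles:
            return None  # valid token, but it lacks this scheme's role -> 401
        # Returned dict reaches the endpoint as the `token_info` kwarg.
        return {"sub": token, "roles": roles, "scope": [role]}

    return check


# One function per scheme, mirroring the securitySchemes in the answer.
check_labuserAuth = make_role_checker("labuser")
check_adminuserAuth = make_role_checker("adminuser")
check_statsuserAuth = make_role_checker("statsuser")
```

Two points worth keeping in mind when wiring this up. A path-level `security` list with several entries (as in the answer, `labuserAuth` and `adminuserAuth`) is a set of alternatives: connexion grants access as soon as one scheme's function returns a dict, so listing two schemes means "either role", while requiring both roles at once would need them in the same list item. And because the role check happens inside the apikeyInfoFunc, a token that is valid but lacks the role is rejected with the same 401 as an unknown token; if a 403 is wanted for that case, the endpoint itself has to inspect `token_info["roles"]`.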