Akwatype allows to declare the security schemes as they are defined in Open API 3.0 (OAS 3.0)

The following security schemes are supported

  • HTTP authentication
    • basic
    • bearer
    • other
  • API keys
  • OAuth 2
  • OpenID

 

Security Schemes

SecuritySchemes are declared in the service description files.

A unique name is associated to each SecurityScheme to be able to reference it in the security requirement.

The following are examples of the declaration of the different security schemes :

securityScheme BasicAuthenticationSample {
    type: http
    scheme"basic"
}

securityScheme BearerSample {     type: http     scheme"bearer"     bearerFormat"JWT" }
securityScheme ApiKeySample {     type: apiKey     name"api_key"     in: header }
securityScheme OpenIdConnectSample {     type: openIdConnect     openIdConnectUrl"https://example.com/.well-known/openid-configuration" }
securityScheme ImplicitOAuth2Sample {     type: oauth2     flows {         implicit {             authorizationUrl"https://example.com/api/oauth/dialog"             scopes: [                 "write:persons""modify persons",                 "read:persons""read persons"             ]         }     } }
securityScheme MultiAuth2Sample {     type: oauth2     flows {         implicit {             authorizationUrl"https://example.com/api/oauth/dialog"             scopes: [                 "write:persons""modify persons",                 "read:persons""read persons"             ]         }         authorizationCode {             authorizationUrl"https://example.com/api/oauth/dialog"             tokenUrl"https://example.com/api/oauth/token",             scopes: [                 "write:persons""modify persons",                 "read:persons""read persons"             ]         }         password {             tokenUrl"https://example.com/api/oauth/token"             scopes: [                 "write:persons""modify persons",                 "read:persons""read persons"             ]         }         clientCredentials {             tokenUrl"https://example.com/api/oauth/token"             scopes: [                 "write:persons""modify persons",                 "read:persons""read persons"             ]         }     } }

We advise you to refer to the specification of the security schemes for more explanation on security scheme 

 

Security Requirement

 

The security requirement lists the required security schemes to execute an operation

A security requirement is composed of a security scheme or a list of security schemes, each of which may have a list of scopes if necessary.

security {
    MultiAuth2Sample:["read:persons","write:persons"]
}

 

As some REST APIs support multiple authentication types, the security statement allows you to combine multiple security schemes using logical OR and AND.

 

security { A, B }                           # A AND B
security { A | B }                          # A OR B

security { A, B | C, D }                    # (A AND B) OR (C AND D)

 

Applying the security requirements

Security requirements can be applied at the service, resource or route level.

The security requirements are propagated to the lower levels service -> resource -> route if no security has already been defined at these levels.

 

Example of service level security definition

The security defined at the service level applies to routes. :

  • person, persons and other
service ServiceWithSecuritySample{
    security {
        BasicAuthenticationSample |
        MultiAuth2Sample:["read:persons","write:persons"]
    }
    url:"MyService"
    expose Persons {
        url:"persons"
        route person{
            url:"id:String"
            response: PersonDTO
        }
        route persons{
            url:"id:String"
            response: [PersonDTO]
        }
    }
     expose OtherResources{
        route other{
            url:"id:String"
            response: [OtherResource] 
        }
    }
}

Note: If we do not want to secure a lower level (a route for example) while a security has been defined at a higher level (a service for example) it is possible to declare an empty security in order not to recover the security defined at the higher level

        route person{
            security { }
            url:"id:String"
            response: PersonDTO
        }

 

Example of resource level security definition

In this this example, security defined at the resource level applies to routes. :

  • person and persons

but not to the other route. 

service ServiceWithSecuritySample2{
    url:"MyService"
    expose Persons {
        security {
            BasicAuthenticationSample |
            MultiAuth2Sample:["read:persons","write:persons"]
        }
        url:"persons"
        route person{
            url:"id:String"
            response: PersonDTO
        }
        route persons{
            url:"id:String"
            response: [PersonDTO]
        }
    }
    expose OtherResources{
        route other{
            url:"id:String"
            response: [OtherResource] 
        }
    }
}

 

Example of route level security definition

In this example, the security defined at the route level only applies to routes. :

  • person

 

service ServiceWithSecuritySample3{
    url:"MyService"
    expose Persons {
        url:"persons"
        route person{
            security {
                BasicAuthenticationSample |
                MultiAuth2Sample:["read:persons","write:persons"]
            }
            url:"id:String"
            response: PersonDTO
        }
        route persons{
            url:"id:String"
            response: [PersonDTO]
        }
    }
    expose OtherResources{
        route otherResource{
            url:"id:String"
            response: [OtherResource] 
        }
    }
}