AllowAnonymousAttribute Should Set Security To Optional If AuthorizationAttribute also present #245

Open
EmperorArthur opened this issue May 6, 2024 · 1 comment
@EmperorArthur

First Issue to this repo, so I hope I have included the needed information for my proposal. I am unsure of corporate policy for contributing to libraries like this, or I would send a PR.

Issue

The OpenAPI V3 spec supports optional authentication. Meaning that authentication can happen, but is not required. Unfortunately, there is no "out of the box" implementation of this feature.

Related Issue

A custom class cannot be created and fed to SecurityRequirementsOperationFilter<T> if the endpoint has an "AllowAnonymousAttribute", since that stops all further processing.

Ideal Proposal

If a class has both and "AllowAnonymousAttribute":

  • Add the security scheme as currently done.
  • Add an empty security scheme.
  • If includeUnauthorizedAndForbiddenResponses is true, only add the "Forbidden" response.

Alternate Proposal

Use a constructor parameter to determine if the "AllowAnonymousAttribute" check runs. Same as how includeUnauthorizedAndForbiddenResponses works now.
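
The behaviour listed under "Ideal Proposal" above, sketched as a standalone Swashbuckle `IOperationFilter`. This is an added example, not code from the issue or from the library; the class name `OptionalAuthOperationFilter`, the scheme id passed to it, and the Microsoft.OpenApi 1.x object model are assumptions.

```csharp
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Authorization;
using Microsoft.OpenApi.Models;
using Swashbuckle.AspNetCore.SwaggerGen;

// Hypothetical filter (not part of the library): documents endpoints that
// carry both [Authorize] and [AllowAnonymous] as optionally authenticated.
public class OptionalAuthOperationFilter : IOperationFilter
{
    private readonly string _schemeName; // id of a scheme registered via AddSecurityDefinition (assumed)
    private readonly bool _includeForbiddenResponse;

    public OptionalAuthOperationFilter(string schemeName, bool includeForbiddenResponse)
    {
        _schemeName = schemeName;
        _includeForbiddenResponse = includeForbiddenResponse;
    }

    public void Apply(OpenApiOperation operation, OperationFilterContext context)
    {
        // Collect attributes from the action method and its controller.
        var attributes = context.MethodInfo.GetCustomAttributes(true)
            .Concat(context.MethodInfo.DeclaringType?.GetCustomAttributes(true) ?? new object[0])
            .ToList();

        bool hasAuthorize = attributes.OfType<AuthorizeAttribute>().Any();
        bool hasAllowAnonymous = attributes.OfType<AllowAnonymousAttribute>().Any();
        if (!(hasAuthorize && hasAllowAnonymous))
            return; // every other endpoint is left to the regular security filter

        var scheme = new OpenApiSecurityScheme
        {
            Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = _schemeName }
        };

        operation.Security = new List<OpenApiSecurityRequirement>
        {
            new OpenApiSecurityRequirement { [scheme] = new List<string>() }, // call made with credentials
            new OpenApiSecurityRequirement()                                   // empty requirement: anonymous call allowed
        };

        // An anonymous caller is never challenged, so no 401 is documented; a caller
        // who does authenticate can still lack permission, so 403 remains possible.
        if (_includeForbiddenResponse && !operation.Responses.ContainsKey("403"))
            operation.Responses.Add("403", new OpenApiResponse { Description = "Forbidden" });
    }
}
```

Registered with `c.OperationFilter<OptionalAuthOperationFilter>("oauth2", true)` inside `AddSwaggerGen`, where `"oauth2"` stands for whatever scheme id the application defines.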

@mattfrear mattfrear self-assigned this May 7, 2024
@mattfrear
Owner

Hello
Sorry for the slow reply. I wouldn't want to change the existing behaviour, so your alternate proposal to supply a constructor parameter sounds like the correct approach. It should be a small change.
