Allow for scopes when using ApiKeyAuth to support AWS API Gateway & Cognito #5181

Open · thegagne opened this issue Nov 24, 2024 · 1 comment
Labels: design:needed (A design request has been raised that needs a proposal), lib:http, needs-area, triaged:core

Comments

Clear and concise description of the problem

Goal: Create a way to use AWS API Gateway with Cognito as an authorizer, and define scopes.

I believe this is currently not possible, as you cannot pass in scopes with ApiKeyAuth, which is what AWS expects.

Something like:

```typespec
// Proposed sketch: a reusable auth model that takes scopes and carries the
// API Gateway extension data for a Cognito user-pool authorizer.
@extension("x-amazon-apigateway-authtype", "cognito_user_pools")
@extension("x-amazon-apigateway-authorizer", {
  type: "cognito_user_pools",
  providerARNs: ["arn:<redacted>"],
})
model CognitoAuth<Scopes> is ApiKeyAuth<ApiKeyLocation.header, "Authorization", Scopes>;

// An operation that binds the scopes it requires to that auth model.
@post
@extension("x-amazon-apigateway-integration", {
  type: "http_proxy",
  httpMethod: "post",
  uri: "http://<redacted>",
  connectionId: vpcLinkId,
  connectionType: "VPC_LINK",
})
@useAuth(CognitoAuth<Scopes>)
op post<CreateUser, User, VpcLinkId, ["user/:write"]>(CreateUser): {
  @statusCode statusCode: 201;
  @body _: User;
};
```

Example output:

```yaml
    post:
      ...
      security:
      - CognitoAuth:
        - "users/:write"
      x-amazon-apigateway-integration:
        connectionId: "<redacted>"
        httpMethod: "GET"
        uri: "<redacted>"
        responses:
          default:
            statusCode: "201"
        connectionType: "VPC_LINK"
  ...
  securitySchemes:
    CognitoAuth:
      type: "apiKey"
      name: "Authorization"
      in: "header"
      x-amazon-apigateway-authtype: "cognito_user_pools"
      x-amazon-apigateway-authorizer:
        providerARNs:
        - "arn:<redacted>"
        type: "cognito_user_pools"
```

See https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html

Checklist

  • Follow our Code of Conduct
  • Read the docs.
  • Check that there isn't already an issue that requests the same feature, to avoid creating a duplicate.
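A post-emit check for the failure mode this issue describes, added here as an example and not code from the issue or the TypeSpec project: it walks an OpenAPI document destined for API Gateway and flags any operation whose Cognito user-pool authorizer requirement was emitted with an empty scope list, plus references to undeclared security schemes. The sample document is constructed to match the shape of the expected output above; `SAMPLE_SPEC`, `check_cognito_scopes` and `cognito_schemes` are names chosen for this example.

```python
# Added example, not code from the issue or the TypeSpec project: a post-emit
# check over an OpenAPI document bound for API Gateway. It flags operations whose
# Cognito authorizer requirement carries no scopes (the symptom described above).
COGNITO_AUTHTYPE = "cognito_user_pools"
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "trace"}


def security_schemes(spec):
    return spec.get("components", {}).get("securitySchemes", {})


def cognito_schemes(spec):
    """Names of apiKey schemes marked as Cognito user-pool authorizers."""
    return {
        name for name, scheme in security_schemes(spec).items()
        if scheme.get("type") == "apiKey"
        and scheme.get("x-amazon-apigateway-authtype") == COGNITO_AUTHTYPE
    }


def check_cognito_scopes(spec):
    """Return (method, path, message) findings; an empty list means all clear."""
    findings = []
    cognito = cognito_schemes(spec)
    declared = set(security_schemes(spec))
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level keys such as "parameters"
            # Operation-level security overrides the document-level list.
            for requirement in op.get("security", spec.get("security", [])):
                for scheme, scopes in requirement.items():
                    if scheme not in declared:
                        findings.append((method, path, f"undeclared scheme {scheme}"))
                    elif scheme in cognito and not scopes:
                        findings.append((method, path, f"{scheme}: no scopes emitted"))
    return findings


# Constructed sample in the shape of the issue's expected output (no real ARNs).
SAMPLE_SPEC = {
    "paths": {"/users": {
        "post": {"security": [{"CognitoAuth": ["users/:write"]}]},
        "get": {"security": [{"CognitoAuth": []}]},  # scopes were dropped
        "delete": {"security": [{"AdminAuth": ["users/:delete"]}]},  # undeclared
    }},
    "components": {"securitySchemes": {"CognitoAuth": {
        "type": "apiKey", "name": "Authorization", "in": "header",
        "x-amazon-apigateway-authtype": COGNITO_AUTHTYPE}}},
}
```

Running `check_cognito_scopes(SAMPLE_SPEC)` reports the `get` operation (empty scopes) and the `delete` operation (undeclared scheme) and is silent for the `post` operation whose scopes survived emission.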
@markcowl markcowl added the design:needed A design request has been raised that needs a proposal label Nov 25, 2024
@markcowl markcowl added this to the Backlog milestone Nov 25, 2024
thegagne commented Nov 26, 2024

I got it somewhat working with the following changes:

@typespec/http/dist/src/types.d.ts
23c23
< export type HttpAuth = BasicAuth | BearerAuth | ApiKeyAuth<ApiKeyLocation, string> | Oauth2Auth<OAuth2Flow[]> | OpenIDConnectAuth | NoAuth;
---
> export type HttpAuth = BasicAuth | BearerAuth | ApiKeyAuth<ApiKeyLocation, string, string[]> | Oauth2Auth<OAuth2Flow[]> | OpenIDConnectAuth | NoAuth;
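Review bot: this hunk edits the compiled `@typespec/http/dist/src/types.d.ts`, so the change is lost on the next build and cannot be carried into a pull request as-is; it belongs in the library's source counterpart of this file. The third type argument `string[]` given to `ApiKeyAuth` here should also agree with the element type of the scopes property added to the same file in the next hunk, which uses `OAuth2Scope[]`.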
84a85
>     scopes: OAuth2Scope[];
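Review bot: the property is added under the name `scopes`, but the `auth.tsp` change below declares `defaultScopes` and the emitter change reads `httpAuthRef.auth.defaultScopes`; use one name in all three places (`defaultScopes`, given the other two), otherwise the TypeScript type never describes the value the emitter actually reads. Its element type `OAuth2Scope[]` also differs from the `string[]` used for the `ApiKeyAuth` argument in the `HttpAuth` union above and from the `Scopes extends string[]` constraint in `auth.tsp`.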
@typespec/openapi3/dist/src/openapi.js
1251a1252
>                 console.log(httpAuthRef);
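Review bot: `console.log(httpAuthRef);` is a leftover debug print that writes every auth reference to stdout on each emit; remove it before this is proposed as a change.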
1257a1259,1263
>                         continue;
>                     case "any":
>                         if (httpAuthRef.auth.type === "apiKey") {
>                             securityOption[httpAuthRef.auth.id] = httpAuthRef.auth.defaultScopes;
>                         }
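Review bot: the new `case "any":` branch has no terminating `continue;` or `break;` after its `if`, unlike the `continue;` added just before it to close the preceding case, so unless it is the last case in the switch, control falls through into the case that follows; end the branch with `continue;` to match. The branch also only handles `httpAuthRef.auth.type === "apiKey"` and copies the scheme-level `defaultScopes`, so per-operation scopes only work when each operation instantiates its own `CognitoAuth<Scopes>`, as the proposal above does.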
@typespec/http/lib/auth.tsp
92c92
< model ApiKeyAuth<Location extends ApiKeyLocation, Name extends string> {
---
> model ApiKeyAuth<Location extends ApiKeyLocation, Name extends string, Scopes extends string[] = []> {
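Review bot: the `= []` default on the new `Scopes` parameter is what keeps existing two-argument `ApiKeyAuth<Location, Name>` usages compiling; since the comment below says that compatibility was not verified beyond compiling, a test that instantiates `ApiKeyAuth` without the third argument and checks the emitted `securitySchemes` entry is unchanged would settle it.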
100a101,103
> 
>   @doc("Scopes of every flow. Overridden by scope definitions in specific flows")
>   defaultScopes: Scopes;
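Review bot: the doc string "Scopes of every flow. Overridden by scope definitions in specific flows" is carried over from the OAuth2 model; `ApiKeyAuth` has no flows, so it should describe what the property means for an API key scheme, namely the scopes listed in the operation's security requirement.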

I did not check that this didn't break existing usage of ApiKeyAuth or anything beyond just compiling, visually checking it, and trying to use the import feature on API Gateway, which seemed to work.

Leaving this here in case someone else picks it up.
