fixes OpenAPI spec security definitions
SpiceDB does not use ApiKeyAuth authentication, but Bearer authentication, where
the type of bearer token is an API Key.

However, the OpenAPI v2 Spec, which is the one supported by grpc-gateway,
does not support bearer authentication:
https://swagger.io/docs/specification/v2_0/authentication/authentication/

Still, the grpc-gateway maintainers indicated in
grpc-ecosystem/grpc-gateway#1089
that bearer is actually supported in grpc-gateway generator.

This was reported in authzed/authzed-go#255,
indicating that folks generating code out of the OpenAPI definition
will have errors because the generated error did not properly provide
the preshared key with the expected `Authorization: Bearer <psk>`
format.

I'm not 100% sure if this is a legit intermediate state
between v2 and v3 we can leverage, but the current generated
code is clearly broken anyway.

See https://swagger.io/docs/specification/v3_0/authentication/api-keys/
See https://swagger.io/docs/specification/v3_0/authentication/bearer-authentication/
vroldanbet committed Nov 11, 2024
1 parent 8a6892e commit d7c3c64
Showing 1 changed file with 7 additions and 2 deletions.
9 changes: 7 additions & 2 deletions authzed/api/v1/openapi.proto
@@ -32,13 +32,18 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
produces: "application/json";
security_definitions: {
security: {
key: "ApiKeyAuth";
key: "bearer";
value: {
type: TYPE_API_KEY;
in: IN_HEADER;
name: "Authorization";
description: "SpiceDB preshared-key, prefixed by Bearer: Bearer <preshared-key>"
}
}
}
security: {
security_requirement: {
key: "bearer"
}
}
};
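Review bot: the renamed definition still declares `type: TYPE_API_KEY; in: IN_HEADER; name: "Authorization"`, so in the emitted OpenAPI v2 document this remains an apiKey scheme and generated clients will place the caller-supplied value verbatim in the `Authorization` header; the `Bearer ` prefix only appears if the caller types it, as the `description` line asks. Since the commit message relies on grpc-ecosystem/grpc-gateway#1089 for the generator treating a definition keyed `bearer` specially, it would help to state in the description (or the PR text) whether callers must still set the key to `Bearer <preshared-key>` themselves or whether the generator adds the prefix, and to verify this against the regenerated client before merging. The new top-level `security: { security_requirement: { key: "bearer" } }` block applies the requirement to every operation in the spec, which is the correct default here; any operation intended to be reachable without a token would now need an explicit per-operation override.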
