While setting up a Docket for Swagger, I ran into a problem (or a misunderstanding) with using AuthorizationScope in a SecurityReference.
I expected the AuthorizationScope in the SecurityScheme to be enforced through the SecurityReference, but in fact it is ignored, which means there is no problem calling my API from the documentation that uses the SecurityScheme and SecurityReference posted below:
- SecurityScheme scope = openid
- SecurityReference scope = whatever
Docket

```java
import java.time.Instant;
import java.time.LocalDate;
import java.time.LocalDateTime;
import java.time.LocalTime;
import java.time.OffsetDateTime;
import java.time.OffsetTime;
import java.time.ZonedDateTime;
import java.util.Collections;

import com.fasterxml.classmate.TypeResolver;
import org.springframework.http.HttpMethod;
import org.springframework.web.context.request.async.DeferredResult;
import springfox.documentation.builders.PathSelectors;
import springfox.documentation.builders.RequestHandlerSelectors;
import springfox.documentation.service.ApiInfo;
import springfox.documentation.spi.DocumentationType;
import springfox.documentation.spring.web.plugins.Docket;

// ErrorInfo and getDefaultResponses() are application-specific helpers that are not shown here.
public static Docket createOauth2Docket(final ApiInfo apiInfo, final String groupName, final String basePackage, final String urlPrefix,
                                        final TypeResolver typeResolver) {
    return new Docket(DocumentationType.OAS_30)
            .apiInfo(apiInfo)
            // security context: binds the SecurityReference (scope "whatever") to the documented operations
            .securityContexts(Collections.singletonList(oauth2SecurityContext()))
            // security scheme: declares the OAuth2 password flow with scope "openid"
            .securitySchemes(Collections.singletonList(oauth2SecurityScheme()))
            .groupName(groupName)
            .useDefaultResponseMessages(false)
            .globalResponses(HttpMethod.GET, getDefaultResponses())
            .globalResponses(HttpMethod.POST, getDefaultResponses())
            .globalResponses(HttpMethod.PUT, getDefaultResponses())
            .globalResponses(HttpMethod.PATCH, getDefaultResponses())
            .globalResponses(HttpMethod.DELETE, getDefaultResponses())
            // render java.time types as plain strings in the generated models
            .directModelSubstitute(LocalDate.class, String.class)
            .directModelSubstitute(LocalTime.class, String.class)
            .directModelSubstitute(LocalDateTime.class, String.class)
            .directModelSubstitute(Instant.class, String.class)
            .directModelSubstitute(OffsetTime.class, String.class)
            .directModelSubstitute(OffsetDateTime.class, String.class)
            .directModelSubstitute(ZonedDateTime.class, String.class)
            .additionalModels(typeResolver.resolve(ErrorInfo.class))
            .genericModelSubstitutes(DeferredResult.class)
            .select()
            .apis(RequestHandlerSelectors.basePackage(basePackage))
            .paths(PathSelectors.ant(urlPrefix + "/**"))
            .build();
}
```
Security setup for the Docket

```java
import java.util.Collections;

import springfox.documentation.builders.AuthorizationScopeBuilder;
import springfox.documentation.service.AuthorizationScope;
import springfox.documentation.service.OAuth2Scheme;
import springfox.documentation.service.SecurityReference;
import springfox.documentation.service.SecurityScheme;
import springfox.documentation.spi.service.contexts.SecurityContext;

// OAuth2 password flow; the only scope declared on the scheme is "openid"
private static SecurityScheme oauth2SecurityScheme() {
    return OAuth2Scheme.OAUTH2_PASSWORD_FLOW_BUILDER
            .tokenUrl("https://****/protocol/openid-connect/token")
            .name("OAUTH2")
            .scopes(Collections.singletonList(new AuthorizationScope("openid", "accessEverything")))
            .build();
}

private static SecurityContext oauth2SecurityContext() {
    return SecurityContext.builder().securityReferences(Collections.singletonList(oauth2SecurityReference())).build();
}

// the reference points at the "OAUTH2" scheme by name but requests a different scope, "whatever"
private static SecurityReference oauth2SecurityReference() {
    AuthorizationScope[] authScopes = new AuthorizationScope[1];
    authScopes[0] = new AuthorizationScopeBuilder()
            .scope("whatever")
            .description("accessEverything")
            .build();
    return SecurityReference.builder()
            .reference("OAUTH2")
            .scopes(authScopes)
            .build();
}
```
Everything in Swagger looks fine. I can select the scope and obtain a token from the SSO by clicking the Authorize button; it is correctly sent in the Authorization header with the Bearer prefix, and the API returns 200. Since the scope values differ, I expected some 40X unauthorized response.
Could you suggest why this behavior happens, or what is wrong with my expectation?
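The scopes in a springfox SecurityScheme and SecurityReference only describe the API and drive the Authorize dialog in Swagger UI; nothing in the generated documentation checks the token that comes back. Whether a call with a token lacking the expected scope is rejected is decided by the resource server. The following is an added example, not code from the question or from springfox, of a Spring Security resource-server configuration that actually enforces the `openid` scope on the API paths. It assumes Spring Boot 2.x with Spring Security 5.4 or later (the `SecurityFilterChain` bean and lambda DSL), that `spring.security.oauth2.resourceserver.jwt.issuer-uri` is configured for the same SSO that issues the tokens, and that the API lives under `/api/**`; the class and path names are illustrative.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical resource-server configuration (added example, not from the question).
// Spring Security's default JwtGrantedAuthoritiesConverter turns each entry of the token's
// "scope" (or "scp") claim into an authority named "SCOPE_<value>", so the scope that was
// actually granted by the SSO, not the one typed into Swagger UI, is what gets checked here.
@Configuration
public class ResourceServerScopeConfig {

    @Bean
    public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(auth -> auth
                // documentation endpoints stay reachable without a token
                .antMatchers("/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html").permitAll()
                // API calls need a valid JWT whose scope claim contains "openid";
                // a token carrying only "whatever" gets 403, a missing/invalid token gets 401
                .antMatchers("/api/**").hasAuthority("SCOPE_openid")
                .anyRequest().authenticated())
            // validate the bearer token as a JWT against the configured issuer-uri
            .oauth2ResourceServer(oauth2 -> oauth2.jwt());
        return http.build();
    }
}
```

With this in place, the Docket's SecurityReference can keep listing `whatever` for documentation purposes and the outcome of a call is still determined by the scope the SSO put into the token; a quick check is to decode the token obtained through the Authorize button and compare its `scope` claim with the authority required above.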