github.com/circl-dev/go-swagger@v0.31.0/examples/composed-auth/swagger.yml (about) 1 --- 2 3 swagger: '2.0' 4 info: 5 title: Composing authorizations 6 description: | 7 This sample API demonstrates how to compose several authentication schemes 8 and configure complex security requirements for your operations. 9 10 This API simulates a very simple market place with customers and resellers 11 of items. 12 13 Personas: 14 - as a first time user, I want to see all items on sales 15 - as a registered customer, I want to post orders for items and 16 consult my past orders 17 - as a registered reseller, I want to see all pending orders on the items 18 I am selling on the market place 19 - as a reseller managing my own inventories, I want to post replenishment orders for the items I provide 20 - as a register user, I want to consult my personal account infos 21 22 The situation we defined on the authentication side is as follows: 23 - every known user is authenticated using a basic token 24 - resellers are authenticated using API keys - we let the option to authenticate using a header or query param 25 - any registered user (customer or reseller) will add a signed JWT to access more API endpoints 26 27 Obviously, there are several ways to achieve the same result. We just wanted to demonstrate here how 28 security requirements may compose several schemes. 29 30 Note that we used the "OAuth2" declaration here but don't implement a real 31 OAuth2 workflow: our intend here is just to be able to extract scopes from a passed JWT token (the 32 only way to manipulate scoped authorizers with Swagger 2.0 is to declare them with type "oauth2"). 33 34 version: '0.0.1' 35 consumes: 36 - application/json 37 produces: 38 - application/json 39 schemes: 40 - http # https in a normal setup 41 basePath: /api 42 securityDefinitions: 43 isRegistered: 44 # This scheme uses the header: "Authorization: Basic {base64 encoded string defined by username:password}" 45 # Scopes are not supported with this type of authorization. 46 type: basic 47 isReseller: 48 # This scheme uses the header: "X-Custom-Key: {base64 encoded string}" 49 # Scopes are not supported with this type of authorization. 50 type: apiKey 51 in: header 52 name: X-Custom-Key 53 isResellerQuery: 54 # This scheme uses the query parameter "CustomKeyAsQuery" 55 # Scopes are not supported with this type of authorization. 56 type: apiKey 57 in: query 58 name: CustomKeyAsQuery 59 hasRole: 60 # This scheme uses the header: "Authorization: Bearer {base64 encoded string representing a JWT}" 61 # Alternatively, the query param: "access_token" may be used. 62 # 63 # In our scenario, we must use the query param version in order to avoid 64 # passing several headers with key 'Authorization' 65 type: oauth2 66 # The flow and URLs in spec are for documentary purpose: go-swagger does not implement OAuth workflows 67 flow: accessCode 68 authorizationUrl: 'https://dummy.oauth.net/auth' 69 tokenUrl: 'https://dumy.oauth.net/token' 70 # Required scopes are passed by the runtime to the authorizer 71 scopes: 72 customer: scope of registered customers 73 inventoryManager: scope of resellers acting as inventory managers 74 75 # Default Security requirements for all operations 76 security: 77 - isRegistered: [] 78 79 paths: 80 /items: 81 get: 82 summary: items on sale 83 operationId: GetItems 84 description: | 85 Everybody should be able to access this operation 86 security: [] 87 responses: &multipleOrdersResponse 88 '200': 89 $ref: "#/responses/multipleItems" 90 default: 91 $ref: "#/responses/otherError" 92 93 /account: 94 get: 95 summary: registered user account 96 operationId: GetAccount 97 description: | 98 Every registered user should be able to access this operation 99 security: 100 - isRegistered: [] 101 responses: 102 '200': 103 description: registered user personal account infos 104 schema: 105 type: object 106 additionalProperties: true 107 '401': 108 $ref: "#/responses/unauthorized" 109 default: 110 $ref: "#/responses/otherError" 111 112 /order/{orderID}: 113 get: 114 summary: retrieves an order 115 operationId: GetOrder 116 description: | 117 Only registered customers should be able to retrieve orders 118 security: 119 - isRegistered: [] 120 hasRole: [ customer ] 121 parameters: &singleOrderParam 122 - name: orderID 123 in: path 124 type: string 125 required: true 126 responses: &singleOrderResponse 127 '200': 128 $ref: "#/responses/singleOrder" 129 '401': 130 $ref: "#/responses/unauthorized" 131 '403': 132 $ref: "#/responses/forbidden" 133 default: 134 $ref: "#/responses/otherError" 135 /order/add: 136 post: 137 summary: post a new order 138 operationId: AddOrder 139 description: | 140 Registered customers should be able to add purchase orders. 141 Registered inventory managers should be able to add replenishment orders. 142 143 security: 144 - isRegistered: [] 145 hasRole: [ customer ] 146 - isReseller: [] 147 hasRole: [ inventoryManager ] 148 - isResellerQuery: [] 149 hasRole: [ inventoryManager ] 150 parameters: 151 - name: order 152 in: body 153 schema: 154 $ref: "#/definitions/Order" 155 required: true 156 responses: 157 '200': 158 description: empty response 159 '401': 160 $ref: "#/responses/unauthorized" 161 '403': 162 $ref: "#/responses/forbidden" 163 default: 164 $ref: "#/responses/otherError" 165 166 /orders/{itemID}: 167 get: 168 summary: retrieves all orders for an item 169 operationId: GetOrdersForItem 170 description: | 171 Only registered resellers should be able to search orders for an item 172 security: 173 - isReseller: [] 174 - isResellerQuery: [] 175 parameters: &singleItemParam 176 - name: itemID 177 in: path 178 type: string 179 required: true 180 responses: &multipleOrdersResponse 181 '200': 182 $ref: "#/responses/multipleOrders" 183 '401': 184 $ref: "#/responses/unauthorized" 185 '403': 186 $ref: "#/responses/forbidden" 187 default: 188 $ref: "#/responses/otherError" 189 190 definitions: 191 Order: 192 type: object 193 required: [ orderID ] 194 properties: 195 orderID: 196 type: string 197 orderLines: 198 type: array 199 items: 200 x-go-name: orderLine 201 type: object 202 required: [quantity, purchasedItem] 203 properties: 204 quantity: 205 type: integer 206 format: int32 207 minimum: 1 208 purchasedItem: 209 $ref: "#/definitions/Item" 210 211 Item: 212 type: string 213 214 Error: 215 type: object 216 required: 217 - message 218 properties: 219 code: 220 type: integer 221 format: int64 222 message: 223 type: string 224 225 principal: 226 type: object 227 properties: 228 name: 229 type: string 230 roles: 231 type: array 232 items: 233 type: string 234 235 responses: 236 unauthorized: 237 description: unauthorized access for a lack of authentication 238 forbidden: 239 description: forbidden access for a lack of sufficient privileges 240 otherError: 241 description: other error response 242 schema: 243 $ref: "#/definitions/Error" 244 singleOrder: 245 description: content of an order 246 schema: 247 $ref: "#/definitions/Order" 248 multipleOrders: 249 description: multiple orders 250 schema: 251 type: array 252 items: 253 $ref: "#/definitions/Order" 254 singleItem: 255 description: single item 256 schema: 257 type: string 258 multipleItems: 259 description: multiple items 260 schema: 261 type: array 262 items: 263 $ref: "#/definitions/Item" 264