java - OAuth2 SecurityReference AuhtorizationScope ignored in Swagger Docket configuration using SpringFox

Question

I'm facing problem or misunderstanding of using AuthorizationScope in Security Reference while setting up docket for Swagger.

I expect AuthorizationScope from SecurityScheme would be enforced by SecurityReference, but it is actually ignored - meaning there is no problem of calling my API from docket which uses SecurityScheme and SecurityReference posted below despite:

• SecurityScheme scope=openid
• SecurityReference scope=whatever

Docket

public static Docket createOauth2Docket(final ApiInfo apiInfo, final String groupName, final String basePackage, final String urlPrefix,
    final TypeResolver typeResolver) {
    return new Docket(DocumentationType.OAS_30)
        .apiInfo(apiInfo)
        .securityContexts(Collections.singletonList(oauth2SecurityContext()))
        .securitySchemes(Collections.singletonList(oauth2SecurityScheme()))
        .groupName(groupName)
        .useDefaultResponseMessages(false)
        .globalResponses(HttpMethod.GET, getDefaultResponses())
        .globalResponses(HttpMethod.POST, getDefaultResponses())
        .globalResponses(HttpMethod.PUT, getDefaultResponses())
        .globalResponses(HttpMethod.PATCH, getDefaultResponses())
        .globalResponses(HttpMethod.DELETE, getDefaultResponses())
        .directModelSubstitute(LocalDate.class, String.class)
        .directModelSubstitute(LocalTime.class, String.class)
        .directModelSubstitute(LocalDateTime.class, String.class)
        .directModelSubstitute(Instant.class, String.class)
        .directModelSubstitute(OffsetTime.class, String.class)
        .directModelSubstitute(OffsetDateTime.class, String.class)
        .directModelSubstitute(ZonedDateTime.class, String.class)
        .additionalModels(typeResolver.resolve(ErrorInfo.class))
        .genericModelSubstitutes(DeferredResult.class)
        .select()
        .apis(RequestHandlerSelectors.basePackage(basePackage))
        .paths(PathSelectors.ant(urlPrefix + "/**"))
        .build();
}

Security settings for docket

private static SecurityScheme oauth2SecurityScheme() {
    return OAuth2Scheme.OAUTH2_PASSWORD_FLOW_BUILDER
        .tokenUrl("https://****/protocol/openid-connect/token")
        .name("OAUTH2")
        .scopes(Collections.singletonList(new AuthorizationScope("openid", "accessEverything")))
        .build();
}

private static SecurityContext oauth2SecurityContext() {
    return SecurityContext.builder().securityReferences(Collections.singletonList(oauth2SecurityReference())).build();
}

private static SecurityReference oauth2SecurityReference() {
    AuthorizationScope[] authScopes = new AuthorizationScope[1];
    authScopes[0] = new AuthorizationScopeBuilder()
        .scope("whatever")
        .description("accessEverything")
        .build();
    return SecurityReference.builder()
        .reference("OAUTH2")
        .scopes(authScopes)
        .build();
}

In swagger everything looks fine. Scope can be selected and by clicking on Authorize button token is obtained from SSO and sent to Authorization object in header correctly with prefix Bearer and API returns 200. I expect some 40X unauthorized response because of different scope values.

My swagger showcase

Would you please suggest why this behavior occurs or what is wrong with my expectations?

question from:https://stackoverflow.com/questions/65941873/oauth2-securityreference-auhtorizationscope-ignored-in-swagger-docket-configurat

Answer 1

Waitting for answers