Support security OAuth2 scopes on operations #283

Closed
jimmyjames opened this issue Jun 14, 2017 · 16 comments

@jimmyjames

Operations may define the required OAuth2 scope. For example, in the example PetStore spec, to POST to the /pet endpoint to create a new Pet, it is required that the token have read and write permissions:

security:
  - petstore_auth:
      - 'write:pets'
      - 'read:pets'

You can see from the demo that the required auth scopes are not shown for the operation.

Is it on the near-term roadmap to support rendering the required auth scopes for an operation? We are loving ReDoc, but this is a pretty big deal as users need to know the required auth scope.
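How the per-operation scopes requested above can be read out of a spec, as an added example that is not part of the original thread or ReDoc's own code. The sample spec (including the `api_key` scheme, the `/health` path and the authorization URL) is constructed for illustration, and `operationScopes` is a hypothetical helper name.

```javascript
// Added example: resolve which OAuth2 scopes each operation requires.
// `spec` is a constructed sample modelled on the PetStore snippet in the issue.
const spec = {
  swagger: '2.0',
  securityDefinitions: {
    petstore_auth: { type: 'oauth2', flow: 'implicit',
      authorizationUrl: 'https://auth.example.test/authorize',
      scopes: { 'write:pets': 'modify pets', 'read:pets': 'read pets' } },
    api_key: { type: 'apiKey', name: 'api_key', in: 'header' },
  },
  security: [{ api_key: [] }],            // default for operations without their own
  paths: {
    '/pet': {
      post: { security: [{ petstore_auth: ['write:pets', 'read:pets'] }] },
      get: {},                              // inherits the top-level default
    },
    '/health': { get: { security: [] } },   // explicit empty list: no auth at all
  },
};
const METHODS = ['get', 'put', 'post', 'delete', 'options', 'head', 'patch'];

// Returns one row per operation. Entries of a `security` array are
// alternatives (OR); schemes and scopes inside one entry must all hold (AND).
function operationScopes(doc) {
  const schemes = doc.securityDefinitions ||
    (doc.components && doc.components.securitySchemes) || {};
  const rows = [];
  for (const [path, item] of Object.entries(doc.paths || {})) {
    for (const method of METHODS) {
      const op = item[method];
      if (!op) continue;
      // Operation-level `security` replaces the top-level one, even when empty.
      const reqs = op.security !== undefined ? op.security : (doc.security || []);
      const alternatives = [];
      for (const req of reqs) {
        const oauth = Object.entries(req)
          .filter(([name]) => schemes[name] && schemes[name].type === 'oauth2')
          .map(([name, scopes]) => ({ scheme: name, scopes: [...scopes] }));
        if (oauth.length) alternatives.push(oauth);
      }
      rows.push({ operation: `${method.toUpperCase()} ${path}`,
        unauthenticated: reqs.length === 0, alternatives });
    }
  }
  return rows;
}
console.log(JSON.stringify(operationScopes(spec), null, 2));
```

Rows with `unauthenticated: true` are worth reviewing separately, since an empty `security` list on an operation silently removes the spec-wide default.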

@jimmyjames
Author

If this is something that is agreed-upon as a good feature, I'm willing to help with a PR to get this in.

@jimmyjames
Author

I have this working by showing any OAuth2 scopes beneath the responses for each operation (won't display if there are no oauth2 scopes for an operation):

image

There are other UX possibilities of course, like adding the security info all in a tip (for example with a little padlock icon that shows the security scopes when hovering over, next to the operation description).

I'll follow with a PR for what I've done if this looks like a good first step. Thanks!

@Schandlich

@jimmyjames I would love to see it be associated with the request vs. the response personally.

@jimmyjames
Author

Yeah @Schandlich I kind of agree. What about something like this, where there's a tooltip hint floated right of the operation (similar to Swagger UI):

image

@Schandlich

@jimmyjames I think the location is right. I would use a different icon though. Excited for this!

@RomanHotsiy
Member

@jimmyjames sorry for the long reply!

This looks awesome. Proceed with PR please!

@jimmyjames
Author

@RomanGotsiy will do, need to move it from proof-of-concept to PR-worthy (me no Angular so well 😄 ). I used a ! since I didn't find any imgs in the project, wasn't sure if that was just because there hasn't been a need yet, or due to a design/performance consideration. I can either stick with that or try and find some type of padlock icon to use instead...

@RomanHotsiy
Member

Start with ! and then we will figure out how to add padlock icon in PR comments :)

@bandantonio

Having OAuth2 scopes for API calls is a highly requested feature for us too.
I would love to see the scopes somewhere above call parameters listing, as this seems to be the best place for them:
security

I'm ready to contribute to make ReDoc even better. I really love this tool!

@jonyw4

jonyw4 commented Aug 8, 2017

+1 this feature will be awesome! I can help too

@theholiday

theholiday commented Nov 21, 2017

+1 would really like this.

@serafimpinto

+1 for sure!

@robdefeo

robdefeo commented Jan 9, 2018

What is the status of this feature? Currently there is no way to see security at an operation level.

@theholiday

theholiday commented Jan 10, 2018

I think it's being worked on in version 2.

@RomanHotsiy
Member

As @theholiday mentioned, this is being worked on in version 2. Here is the screenshot of the current implementation:

image

If anyone has a better idea of how to visualize this, please share here!

@RomanHotsiy
Member

I just noticed it's a dup of #7. Let's track this there.
Closing this issue.
