[FEATURE REQUEST] security scope #418

Closed
cappelaere opened this issue Aug 1, 2020 · 13 comments

@cappelaere

cappelaere commented Aug 1, 2020

Is your feature request related to a problem? Please describe.
Current security scopes are at the full API level. Given the granularity available, it would be great to have it at the message level.

Can't it be tackled using specification extensions?
Since scopes are already defined at security scheme level, they ought to be used at the message level and used for code generation as well.

Describe the solution you'd like
I would like to have the ability to define an array of scopes at the message level that would be necessary for a user to have in order to publish or subscribe. The array would allow any one of the scopes to be acceptable.

Example:

```yaml
smartylighting/streetlights/1/0/action/{streetlightId}/turn/on:
    parameters:
      streetlightId:
        $ref: '#/components/parameters/streetlightId'
    publish:
      operationId: turnOn
      traits:
        - $ref: '#/components/operationTraits/kafka'
      message:
        $ref: '#/components/messages/turnOn'
      security:
        - supportedOauthFlows:
            - streetlights:turnOn
```
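
An added example (not part of the issue and not AsyncAPI project code) of how a broker-side check could consume the operation-level `security` proposed above: it lints that every referenced scope is declared by its scheme, then enforces the any-one-of rule the request describes (OpenAPI 3.0 itself treats the scopes listed in one requirement as all required). The scheme definition, the `streetlights:admin` scope, the token URL and the function names are assumptions made for illustration.

```javascript
// Constructed sample; operation-level `security` is the syntax proposed in the issue.
const CHANNEL = 'smartylighting/streetlights/1/0/action/{streetlightId}/turn/on';
const doc = {
  components: { securitySchemes: { supportedOauthFlows: {
    type: 'oauth2',
    flows: { clientCredentials: {
      tokenUrl: 'https://auth.example.test/token', // placeholder URL
      scopes: { 'streetlights:turnOn': 'turn a light on', 'streetlights:admin': 'full control' },
    } },
  } } },
  channels: { [CHANNEL]: { publish: {
    operationId: 'turnOn',
    security: [{ supportedOauthFlows: ['streetlights:turnOn', 'streetlights:admin'] }],
  } } },
};

// All scope names a scheme declares across its flows, or null if the scheme is missing.
function declaredScopes(spec, schemeName) {
  const scheme = spec.components?.securitySchemes?.[schemeName];
  if (!scheme) return null;
  return new Set(Object.values(scheme.flows ?? {}).flatMap((f) => Object.keys(f.scopes ?? {})));
}

// Lint: a scope referenced on an operation but never declared can never be granted.
function lintOperationScopes(spec) {
  const problems = [];
  for (const [channel, item] of Object.entries(spec.channels ?? {})) {
    for (const action of ['publish', 'subscribe']) {
      for (const req of item[action]?.security ?? []) {
        for (const [schemeName, scopes] of Object.entries(req)) {
          const known = declaredScopes(spec, schemeName);
          if (!known) { problems.push(`${channel} ${action}: unknown scheme ${schemeName}`); continue; }
          for (const s of scopes) if (!known.has(s)) problems.push(`${channel} ${action}: undeclared scope ${s}`);
        }
      }
    }
  }
  return problems;
}

// Enforce with the issue's any-one-of semantics; an unknown channel or action is denied.
// Assumption: an operation with no `security` entry is covered by the API-level check only.
function isAllowed(spec, channel, action, tokenScopes) {
  const op = spec.channels?.[channel]?.[action];
  if (!op) return false;
  if (!op.security) return true;
  const granted = new Set(tokenScopes);
  return op.security.some((req) => Object.values(req).some((scopes) => scopes.some((s) => granted.has(s))));
}
```

Running the lint at spec-load time catches a misspelled scope before it silently locks every client out of the operation.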
@github-actions

github-actions bot commented Aug 1, 2020

Welcome to AsyncAPI. Thanks a lot for reporting your first issue.

Keep in mind there are also other channels you can use to interact with AsyncAPI community. For more details check out this issue.

@derberg
Member

derberg commented Aug 3, 2020

Hi @cappelaere, could you please format the code sample with markdown so it is easier to read? Thanks

@cappelaere
Author

Updated the example to follow OpenAPI 3.0 to apply security scopes at the message level.

@github-actions

github-actions bot commented Oct 3, 2020

This issue has been automatically marked as stale because it has not had recent activity 😴
It will be closed in 30 days if no further activity occurs. To unstale this issue, add a comment with detailed explanation.
Thank you for your contributions ❤️

@github-actions github-actions bot added the stale label Oct 3, 2020
@derberg derberg removed the stale label Oct 5, 2020
@github-actions

github-actions bot commented Dec 5, 2020

This issue has been automatically marked as stale because it has not had recent activity 😴
It will be closed in 30 days if no further activity occurs. To unstale this issue, add a comment with detailed explanation.
Thank you for your contributions ❤️

@github-actions github-actions bot added the stale label Dec 5, 2020
@derberg derberg removed the stale label Dec 7, 2020
@Neverbolt

Neverbolt commented Jan 6, 2021

I too would very much like this feature to be included in the base specification, since as of now the authorization constructs are not very advanced and being able to specify scopes at an Operation level would allow a much more fine-grained control and documentation as well as code generation.

Is there any way to support this feature, e.g. would a pull request be considered?

@fmvilas fmvilas added this to the AsyncAPI specification 2.1.0 milestone Jan 31, 2021
@fmvilas fmvilas removed this from the Next specification version milestone May 12, 2021
@github-actions

This issue has been automatically marked as stale because it has not had recent activity 😴
It will be closed in 60 days if no further activity occurs. To unstale this issue, add a comment with detailed explanation.
Thank you for your contributions ❤️

@derberg
Member

derberg commented Jul 27, 2021

@Neverbolt contribution is always welcome, have a look at our contribution guide that explains how to contribute changes to the spec. The most important thing before a PR is to discuss the solution first. Would love to see how you imagine it fixed in the spec.

@derberg derberg removed the stale label Jul 27, 2021
@derberg
Member

derberg commented Jul 27, 2021

@cappelaere @Neverbolt you should definitely have a look at #584

@github-actions

This issue has been automatically marked as stale because it has not had recent activity 😴
It will be closed in 60 days if no further activity occurs. To unstale this issue, add a comment with detailed explanation.
Thank you for your contributions ❤️

@github-actions github-actions bot added the stale label Sep 26, 2021
@derberg
Member

derberg commented Sep 27, 2021

@cappelaere @Neverbolt did you have a chance to look at #584?

@derberg derberg removed the stale label Sep 27, 2021
@github-actions

This issue has been automatically marked as stale because it has not had recent activity 😴

It will be closed in 120 days if no further activity occurs. To unstale this issue, add a comment with a detailed explanation.

There can be many reasons why some specific issue has no activity. The most probable cause is lack of time, not lack of interest. AsyncAPI Initiative is a Linux Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under open governance model.

Let us figure out together how to push this issue forward. Connect with us through one of many communication channels we established here.

Thank you for your patience ❤️

@github-actions github-actions bot added the stale label Jan 26, 2022
@derberg
Member

derberg commented Jan 27, 2022

I'm closing this one as there are no responses.
@cappelaere @Neverbolt please join discussion #584. Every single voice from the community helps in adding the feature, especially since we have a champion there who drives the topic.

@derberg derberg closed this as completed Jan 27, 2022
@derberg derberg removed the stale label Jan 27, 2022