Add support for all OAuth2 flows in securitySchemes configuration

[danielsharvey]

Description

I received this error:

❗️ SDK warning: unsupported security scheme. Please open an issue if you'd like it added https://github.com/hey-api/openapi-ts/issues
{
  "type": "oauth2",
  "flows": {
    "authorizationCode": {
      "authorizationUrl": "/login",
      "tokenUrl": "/oauth/token",
      "scopes": {}
    }
  }
}

I can see that only password is supported presently:

openapi-ts/packages/openapi-ts/src/plugins/@hey-api/sdk/plugin.ts

Lines 130 to 140 in 7eebbef

	if (securitySchemeObject.type === 'oauth2') {
	// TODO: parser - handle more/multiple oauth2 flows
	if (securitySchemeObject.flows.password) {
	return {
	scheme: 'bearer',
	type: 'http',
	};
	}
	return;
	}

This remains true even in the new feat/security-basic branch:

openapi-ts/packages/openapi-ts/src/plugins/@hey-api/sdk/plugin.ts

Lines 190 to 197 in 646064d

	if (securitySchemeObject.type === 'oauth2') {
	if (securitySchemeObject.flows.password) {
	security.push({
	fn: 'accessToken',
	in: 'header',
	name: 'Authorization',
	});
	}

From docs OAuth 2.0 | Swagger Docs the following are valid:

• authorizationCode – Authorization Code flow (previously called accessCode in OpenAPI 2.0)
• implicit – Implicit flow
• password – Resource Owner Password flow
• clientCredentials – Client Credentials flow (previously called application in OpenAPI 2.0)

Generally, these all use a bearer token for making requests so the implementation (new and old) would apply for each of these. For me, my current workaround is simply to using the password flow when generating.

Can we update (both) branches to accept all of theses flows?

Of note, the main branch includes support for the bearer scheme but this appears to have been remove from the new feat/security-basic branch. It should probably be supported in the same manner as OAuth2?

openapi-ts/packages/openapi-ts/src/plugins/@hey-api/sdk/plugin.ts

Lines 162 to 174 in 7eebbef

	if (securitySchemeObject.type === 'http') {
	if (
	securitySchemeObject.scheme === 'bearer' ||
	securitySchemeObject.scheme === 'basic'
	) {
	return {
	scheme: securitySchemeObject.scheme,
	type: 'http',
	};
	}
	return;
	}

[mrlubos]

Yep! Although I am not sure how you came across the feat/security-basic branch, it's not an active branch so disregard anything there, that should be outdated

[Rigel772]

I am getting similar warning after recent package upgrade:

❗ SDK warning: unsupported security scheme. Please open an issue if you'd like it added https://github.com/hey-api/openapi-ts/issues
{
  "type": "oauth2",
  "flows": {
    "authorizationCode": {
      "scopes": {},
      "authorizationUrl": "https://auth.info/realms/biostrefa/protocol/openid-connect/auth",
      "tokenUrl": "https://auth.info/realms/biostrefa/protocol/openid-connect/token"
    }
  }
}

Does it mean I will not be able to use Keycloak auth?

[mrlubos]

@Rigel772 Perhaps that warning message should be clearer. This just wasn't being shown before the recent release, nothing has changed in the runtime behaviour. What it means is the automatic auth won't work with your scheme. You could try to make it work with an interceptor in the meantime, but yes, the correct fix will be to add support to this package

[danielsharvey]

Yep! Although I am not sure how you came across the feat/security-basic branch, it's not an active branch so disregard anything there, that should be outdated

Thanks. Ah sorry re branch mistake, I did not review the history closely enough.

[danielsharvey]

I am getting similar warning after recent package upgrade:

<snip>

Does it mean I will not be able to use Keycloak auth?

For me, I manually updated the flow to “password” in my source OpenAPI. This means that the I can use the auth: () => '<my_token>' config. Otherwise, you can set the header yourself.

See https://heyapi.dev/openapi-ts/clients/fetch#auth

[jgerigmeyer]

Perhaps that warning message should be clearer. This just wasn't being shown before the recent release, nothing has changed in the runtime behaviour. What it means is the automatic auth won't work with your scheme. You could try to make it work with an interceptor in the meantime, but yes, the correct fix will be to add support to this package

@mrlubos Would you be open to something that allows users to silence the warning in certain cases? We're using cookie auth, and it seems like a lot of extra noise to now get the repeated warning on every build.

❗️ SDK warning: unsupported security scheme. Please open an issue if you'd like it added https://github.com/hey-api/openapi-ts/issues
{
  "type": "apiKey",
  "in": "cookie",
  "name": "fastapiusersauth"
}

[mrlubos]

@jgerigmeyer there's already a logging option, so it would be a matter of hooking this warning up and then if you choose silent level it wouldn't print anything. Though in this case the idea is people would come here to complain and I'll know which auth should be added next. In this case, cookies 😀