Skip to content

Add helper to describe API-key authentication in OpenAPI spec#763

Open
ushahid88 wants to merge 2 commits intoKaliumhexacyanoferrat:mainfrom
ushahid88:feature/openapi-authentication
Open

Add helper to describe API-key authentication in OpenAPI spec#763
ushahid88 wants to merge 2 commits intoKaliumhexacyanoferrat:mainfrom
ushahid88:feature/openapi-authentication

Conversation

@ushahid88
Copy link

@ushahid88 ushahid88 commented Dec 1, 2025

This PR addresses issue #685 by adding a helper to describe API-key based authentication in the generated OpenAPI document.

  • Adds OpenApiConcernBuilder.WithApiKeyAuthentication(...), which:
  • Registers an apiKey security scheme for a configurable header.
  • Adds a security requirement referencing that scheme to matching paths.
  • Ensures a 401 Unauthorized response is documented for those operations.
  • Adds TestApiKeyAuthenticationIsReflected to verify the behavior.

Tests pass for .net8.0 and .net10.0 locally.

@Kaliumhexacyanoferrat
Copy link
Owner

Kaliumhexacyanoferrat commented Dec 1, 2025

Thank you very much for your contribution - will give a review the next few days!

@ushahid88
Copy link
Author

ushahid88 commented Dec 1, 2025

Thank you very much for your contribution - will give a review the next few days!

Thank you for taking the time to look at it, please let me know if further changes are required, I’ll be happy to update the PR.

@Kaliumhexacyanoferrat
Copy link
Owner

Kaliumhexacyanoferrat commented Dec 2, 2025

Thanks - while the changes suggested work, the users will typically expect the framework to automatically pick up the authentication and to adjust the generated OpenAPI document accordingly.

For this to work, we can:

  1. Add a new IApiExplorer that will detect the api key authentication
  2. Extend the discovery mechanism (ApiDiscoveryRegistry.ExploreAsync() and IApiExplorer) to somehow propagate the authentication information down to where the operation is created (MethodHandlerExplorer). This could either be a Stack or a single object or even better a delegate that will do the modifications
  3. Adjust the newly created api key explorer to fill this information
  4. Update the MethodHandlerExplorer to apply the security related adjustments

It is fine for this to work only with API keys for now (in constract to JWT, basic auth, mTLS, ...), nevertheless the logic needs to be generic (so no api key in the wording of the concepts and functions).

I hope this can give you a picture how this feature is intended to work - if you would like, you can adjust this PR accordingly, otherwise I will give it a try later this month.

Kaliumhexacyanoferrat

This comment was marked as off-topic.

Sign in to view

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Kaliumhexacyanoferrat Kaliumhexacyanoferrat Kaliumhexacyanoferrat requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ushahid88 @Kaliumhexacyanoferrat @umairshahid88