How to remove Top level document security

[dbartumeu]

I'm adding JWT authorization to the document:

 document.AddSecurity("JWT", 
    Enumerable.Empty<string>(),
    new OpenApiSecurityScheme {
    Type = OpenApiSecuritySchemeType.ApiKey,
    Name = "Authorization",
    In = OpenApiSecurityApiKeyLocation.Header,
    Description = "Type into the textbox: Bearer {your JWT token}."
});

document.OperationProcessors.Add(
    new AspNetCoreOperationSecurityScopeProcessor("JWT")
        //new OperationSecurityScopeProcessor("JWT")
);

and for some reason in the swagger.json it appends the security to the whole document. Ex:

...
"security": [
    {
      "JWT": []
    }
  ]

is there a way to remove that section?

[RicoSuter]

I think that this "security" section is always needed if "securitySchemes" are defined, no?

[dbartumeu]

I just want to put some context:
Values Endpoints don't need authorization at all. As you can see I have a security schemes definition and those endpoints remains without security.

If I add the security section it affects the entire doc. As you can see in the image.

The only way to remove the security icon is append securtity: [] in all endpoints definition. I dont know if there is a way to specify that, because i tried with [AllowAnonymous] and didn't work;

[RicoSuter]

Did you add AspNetCoreOperationSecurityScopeProcessor?

[RicoSuter]

https://github.com/RicoSuter/NSwag/wiki/AspNetCore-Middleware#add-oauth2-authorization-openapi-3

[RicoSuter]

I think you can also add the appender instead of AddSecurity without scopeNames

NSwag/src/NSwag.AspNetCore/Extensions/NSwagSwaggerGeneratorSettingsExtensions.cs

Line 29 in 85ae862

settings.DocumentProcessors.Add(new SecurityDefinitionAppender(name, scopeNames, swaggerSecurityScheme));

[dbartumeu]

I changed the code to:

document.DocumentProcessors.Add(
    new SecurityDefinitionAppender("JWT", Enumerable.Empty<string>(),
        new OpenApiSecurityScheme
    {
        Type = OpenApiSecuritySchemeType.ApiKey,
        Name = "Authorization",
        In = OpenApiSecurityApiKeyLocation.Header,
        Description = "Type into the textbox: Bearer {your JWT token}."
}));

and still getting the same issue.

[RicoSuter]

Remove the second enumerable parameter

[dbartumeu]

you mean like this?

document.DocumentProcessors.Add(
    new SecurityDefinitionAppender("JWT",
    new OpenApiSecurityScheme
    {
        Type = OpenApiSecuritySchemeType.ApiKey,
        Name = "Authorization",
        In = OpenApiSecurityApiKeyLocation.Header,
        Description = "Type into the textbox: Bearer {your JWT token}."
    })
);

[RicoSuter]

Yep, this way “security” should not be generated (not sure if this is correct though)

[dbartumeu]

Yes you are right but now is not generating security for controllers that require authentication

[dbartumeu]

And now i got it. Here is the final code:

document.OperationProcessors.Add(new AspNetCoreOperationSecurityScopeProcessor("JWT"));

document.DocumentProcessors.Add(
  new SecurityDefinitionAppender("JWT",
	new OpenApiSecurityScheme
	{
	  Type = OpenApiSecuritySchemeType.ApiKey,
	  Name = "Authorization",
	  In = OpenApiSecurityApiKeyLocation.Header,
	  Description = "Type into the textbox: Bearer {your JWT token}."
	})
);

[RicoSuter]

And this works as expected?

[dbartumeu]

yes, but i have a warning because the overload is obsolete.

[RicoSuter]

Ok, then both overloads are valid and obsolete has to be removed, right?

[RicoSuter]

Will create a pr for review tomorrow

[dbartumeu]

yes that's right. thank you so much for your help.

[RicoSuter]

Created PR: #2305
What do you think?