How to validate a JWT in a server generated using openapi-generator

I have written an OpenAPI specification for an API in a YAML file. The operations require authentication using a JWT that is sent as a bearer token. When I generate a server that uses e.g. Java Spring (or any other framework/language), there seems to be no place in the code where the JWT is validated, i.e. checked whether the JWT is actually valid.

I haven’t been able to find any explanation for this. I’d imagine there would be an interface, which could be implemented, that would provide a way to check if a JWT grants access to the resource. If the JWT were invalid, an error could be returned to the client. Are all requests accepted, regardless of what the contents of the JWT actually are?

Here is an example OpenAPI spec:

openapi: 3.0.0
info:
  version: 1.0.0
  title: JWT-test
  description: An API for testing JWT authentication.
components:
  securitySchemes:
    bearerAuth:
      description: Authentication with a JWT.
      type: http
      scheme: bearer
      bearerFormat: JWT

  responses:
    Unauthorized:
      description: The JWT is either missing or is invalid
security:
  - bearerAuth: []
servers:
  - url: "http://localhost/test"
paths:
  /hello:
    get:
      responses:
        '200':
          description: Successful response

The operation GET /hello is secured using a JWT, but the JWT is not validated anywhere in the generated server, nor is there any interface which would allow implementing such functionality.

And it is generated using java -jar ~/openapi-generator-cli.jar generate -g spring -i spec.yaml -o output.

  • Do you mean that auth is done via OAuth 2 or OpenID Connect (OIDC)? Just the keyword “JWT” for auth is not enough information to really help you any further. But JWT is a popular method used in the aforementioned auth specs.

  • @cyberbrain The JWT is used as a bearer token, sent as a header in requests. The token proves the identity of the client. I’m not trying to use OAuth 2.0. Sorry, I didn’t make it clear enough that I’m using a bearer token. The same server gives these JWTs to the clients, using a custom API.
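One way to add the check the question is missing, as an added example that is not part of the question, of openapi-generator's output, or of any library's documentation: a servlet filter that runs in front of the generated controllers, verifies the bearer JWT, and answers 401 otherwise. It assumes Spring Boot 2.x (javax.servlet packages), the jjwt 0.11.x library on the classpath, that the token-issuing API mentioned in the comments signs tokens with an HS256 shared secret known to this server, that tokens carry an iss claim equal to the server URL from the spec, and that the issuing endpoint lives at a hypothetical path /token that must stay reachable without a token. The secret, the issuer value and the exempt path are placeholders chosen for the example.

```java
package com.example.jwt;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.crypto.SecretKey;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

// Registered automatically by Spring Boot because it is a @Component that is a Filter.
@Component
public class JwtBearerFilter extends OncePerRequestFilter {

    // Assumption: the same server issued the token and signed it with this HS256 secret.
    // Placeholder value; in a real deployment load it from configuration or a secret store.
    private static final SecretKey SIGNING_KEY = Keys.hmacShaKeyFor(
            "replace-with-a-random-secret-of-at-least-32-bytes!!".getBytes(StandardCharsets.UTF_8));

    // Assumption: tokens carry an iss claim equal to the server URL from the spec.
    private static final String EXPECTED_ISSUER = "http://localhost/test";

    // Tolerance for clock drift between issuer and this server when checking exp/nbf.
    private static final long CLOCK_SKEW_SECONDS = 30;

    // Hypothetical path of the custom API that hands out tokens; it cannot require one.
    private static final String TOKEN_ENDPOINT = "/token";

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        return TOKEN_ENDPOINT.equals(request.getServletPath());
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        // RFC 6750: the scheme name "Bearer" is case-insensitive, the token follows a space.
        if (header == null || !header.regionMatches(true, 0, "Bearer ", 0, 7)) {
            reject(response, "missing bearer token");
            return;
        }
        String token = header.substring(7).trim();
        try {
            Claims claims = Jwts.parserBuilder()
                    .setSigningKey(SIGNING_KEY)               // HMAC verification key; unsigned tokens are rejected
                    .requireIssuer(EXPECTED_ISSUER)           // fails if iss is absent or differs
                    .setAllowedClockSkewSeconds(CLOCK_SKEW_SECONDS)
                    .build()
                    .parseClaimsJws(token)                    // verifies the signature and exp/nbf
                    .getBody();
            // Hand the verified identity to the generated controller without re-parsing the token.
            request.setAttribute("jwt.subject", claims.getSubject());
            chain.doFilter(request, response);
        } catch (JwtException | IllegalArgumentException e) {
            // Expired, tampered, malformed, wrong issuer, wrong algorithm, or empty token.
            reject(response, "invalid token");
        }
    }

    private static void reject(HttpServletResponse response, String reason) throws IOException {
        response.setHeader("WWW-Authenticate", "Bearer error=\"invalid_token\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, reason);
    }
}
```

The filter answers the question's last sentence: until something like this is added to the application, every request reaches the generated controller regardless of what the token contains. Keeping the verification key separate from the signing logic of the token-issuing API matters only if the keys differ; with the shared HS256 secret assumed here, anyone who can read the secret can mint tokens, so it must not be shipped in the spec or the generated code. Should the tokens ever come from a separate issuer with a published key set instead, Spring Security's oauth2ResourceServer().jwt() support is the better route than a hand-written filter.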
