Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: added content for securing operations #2172

Closed
wants to merge 14 commits into from
Closed

docs: added content for securing operations #2172

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
158f16e
added securing-operations
BhaswatiRoy Sep 26, 2023
c2e2fa9
Update pages/docs/concepts/asyncapi-document/_section.md
BhaswatiRoy Oct 3, 2023
fa01502
Update pages/docs/concepts/asyncapi-document/_section.md
BhaswatiRoy Oct 3, 2023
cd1f009
Update pages/docs/concepts/asyncapi-document/securing-operations.md
BhaswatiRoy Oct 3, 2023
d33fcff
Update pages/docs/concepts/asyncapi-document/securing-operations.md
BhaswatiRoy Oct 3, 2023
70de11f
Update pages/docs/concepts/asyncapi-document/securing-operations.md
BhaswatiRoy Oct 3, 2023
31efa94
Update pages/docs/concepts/asyncapi-document/securing-operations.md
BhaswatiRoy Oct 3, 2023
2efe7b5
Update pages/docs/concepts/asyncapi-document/securing-operations.md
BhaswatiRoy Oct 3, 2023
3f067e3
Update pages/docs/concepts/asyncapi-document/securing-operations.md
BhaswatiRoy Oct 3, 2023
77b8e96
added description on both ways to add security to operations
BhaswatiRoy Nov 23, 2023
ad97189
shortened header as per suggestions
BhaswatiRoy Nov 23, 2023
9635743
replaced v2 examples with v3 ones
BhaswatiRoy Nov 23, 2023
5593586
added objects under security in v3
BhaswatiRoy Nov 23, 2023
13ae5ac
removed enforce/override statement
BhaswatiRoy Nov 24, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions pages/docs/concepts/asyncapi-document/_section.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
---
title: Securing Operations
BhaswatiRoy marked this conversation as resolved.
Show resolved Hide resolved
weight: 150
BhaswatiRoy marked this conversation as resolved.
Show resolved Hide resolved
---
49 changes: 49 additions & 0 deletions pages/docs/concepts/asyncapi-document/securing-operations.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
In an AsyncAPI document, the concept of server security implies that the security measures defined at the server level apply to all operations within all channels by default.
BhaswatiRoy marked this conversation as resolved.
Show resolved Hide resolved

## Features of Security in AsyncAPI Documents
BhaswatiRoy marked this conversation as resolved.
Show resolved Hide resolved

- The security requirements specified at the server level are enforced consistently across the entire API.
BhaswatiRoy marked this conversation as resolved.
Show resolved Hide resolved

- There may be situations where certain operations within specific channels require different security measures than the default server-level settings.

- To accommodate such scenarios, AsyncAPI allows you to use the security property at the operation level.

- By using the security property at the operation level, you can override the default server-level security and define unique security requirements for individual operations.

- Gives the flexibility to tailor the security measures to the specific needs of each operation, even if they differ from the broader server-level settings.

- When you include the security property at the operation level, it takes precedence over the server-level security settings for that particular operation.

- The security measures specified at the operation level will be applied instead of the default server-level security.
BhaswatiRoy marked this conversation as resolved.
Show resolved Hide resolved

## Specifying Security Requirement

To specify different security requirements for a specific operation, you can include the security property within the operation's definition.
BhaswatiRoy marked this conversation as resolved.
Show resolved Hide resolved
The security property is an array where you can define one or more security requirement objects.

For example, let's say you have an AsyncAPI document with a channel called users and two operations within that channel: createUser and getUser.
BhaswatiRoy marked this conversation as resolved.
Show resolved Hide resolved
The server-level security is set to use API key authentication for all operations within all channels.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you cannot enforce as it is not about overriding,

it is like providing alternative for what is already in the server. Of course you can do a server without security, then have different operations and channels on the same server, each operation with different security - still, it is not overriding/enforcing if you know what I mean

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am unable to understand how to improve the content as per your suggestions.
could you please attach some examples or maybe give me a bit more info about the same?

Copy link
Collaborator Author

@BhaswatiRoy BhaswatiRoy Nov 24, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you cannot enforce as it is not about overriding,

it is like providing alternative for what is already in the server. Of course you can do a server without security, then have different operations and channels on the same server, each operation with different security - still, it is not overriding/enforcing if you know what I mean

I have removed the line that stated about enforcing/overriding, though not sure if I still was able to resolved the suggestion.

However, you want to enforce OAuth2 authentication specifically for the getUser operation.

You can achieve this by including the security property at the operation level, as shown in the following example:

```
BhaswatiRoy marked this conversation as resolved.
Show resolved Hide resolved
channels:
users:
publish:
summary: Creates a user
operationId: createUser
message:
...
subscribe:
summary: Retrieves user information
operationId: getUser
message:
...
security:
- OAuth2: []
```

In this example, the security property is added under the getUser operation, indicating that the OAuth2 security requirement should be applied to that specific operation within the user's channel. The empty array [] signifies that no additional configuration is needed for the OAuth2 security mechanism.
BhaswatiRoy marked this conversation as resolved.
Show resolved Hide resolved

Utilizing the security property at the operation level allows you to deviate from the server-level security settings and define unique security requirements for individual operations within your AsyncAPI document. The capability ensures that you can adequately secure your API operations, even if they require different security measures.
Loading