Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: added content for securing operations #2404

Merged
merged 6 commits into from
Dec 16, 2023
Merged

docs: added content for securing operations #2404

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
796683b
adding content about securing operations
BhaswatiRoy Dec 7, 2023
da08304
Merge branch 'master' into securing-operations
derberg Dec 14, 2023
89de001
Update securing-operations.md
derberg Dec 14, 2023
b4623a6
Merge branch 'master' into securing-operations
quetzalliwrites Dec 16, 2023
7db8062
tw editorial fixes
quetzalliwrites Dec 16, 2023
e1d33c8
Merge branch 'master' into securing-operations
quetzalliwrites Dec 16, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
83 changes: 83 additions & 0 deletions pages/docs/concepts/asyncapi-document/securing-operations.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
---
title: 'Operation security'
weight: 120
---

The server security concept in AsyncAPI means that the security settings specified at the server level automatically apply to all operations across all channels. If you want to modify these default security settings for a particular operation, you need to specify the security details directly on that operation.

## Add security

To accommodate such scenarios, the AsyncAPI document allows you to use the `security` field at the `operation` level. You can have multiple security schemes, but only one must be satisfied to authorize such an operation.

The diagram below describes how to implement reusable security schemes:

```mermaid
graph LR
C[components]
F[address]
I[messages]
A[components]
B[securitySchemes]
D[security]
C --> F
C --> I
C --> D
D --> |$ref| B
A --> B

style C fill:#47BCEE,stroke:#000;
style D fill:#47BCEE,stroke:#000;
```

## Operation section

Security information for an operation is defined using a [Security Scheme](/docs/reference/specification/v3.0.0#securitySchemeObject) at the operation level. You can reference a scheme from another location, such as `components.securitySchemes`, using the `$ref` keyword.

```yaml
operations:
sendAuthRevoke:
action: send
channel:
$ref: '#/channels/authRevoke'
security:
- type: oauth2
description: The oauth security descriptions
flows:
clientCredentials:
tokenUrl: 'https://example.com/api/oauth/dialog'
availableScopes:
'subscribe:auth_revocations': Scope required for authorization revocation topic
scopes:
- 'subscribe:auth_revocations'
```

The previous example, featuring the `sendAuthRevoke` operation in an AsyncAPI document, demonstrates the capabilities of a client application with an existing notification service. If a server has its own security requirements, this operation must also comply with those.

## `securitySchemes` section

To reuse security schemes between operations, place them in `components.securitySchemes` and reference them via the `$ref` keyword in your operation:

```yaml
operations:
sendAuthRevoke:
action: send
channel:
$ref: '#/channels/authRevoke'
security:
- $ref: '#/components/securitySchemes/oauth'

components:
securitySchemes:
oauth:
type: oauth2
description: The oauth security descriptions
flows:
clientCredentials:
tokenUrl: 'https://example.com/api/oauth/dialog'
availableScopes:
'subscribe:auth_revocations': Scope required for authorization revocation topic
scopes:
- 'subscribe:auth_revocations'
```

The previous code snippet shows the approach for reusing schema within multiple operations, even across multiple AsyncAPI documents.