[Plugin generation] Kiota should throw error when api contains OAuth with implicit flow #5403
Comments
The original issue for checking the authentication type #5070 was underspecified. TTK really only supports oauth2 with authcode flow when looking into https://github.com/OfficeDev/teams-toolkit/blob/7422a1dffb7d54ca5e926e025fcdc72ae0380e17/packages/spec-parser/src/manifestUpdater.ts#L115. @sebastienlevert, @darrelmiller, please confirm Sydney does not support OAuth with implicit flow for GA.
Implicit OAuth2 flow is not supported by Copilot. However, just because an OpenAPI does not say the API supports OAuth2 AuthCode does not mean the API doesn't support it. We should not fail to generate a Plugin because of this. There are many OpenAPI descriptions that do not describe the security capabilities of an API. In fact only 25% of OpenAPI descriptions contain security information. Security information is often conveyed out-of-band.
Thanks @darrelmiller, so closing as WON'T DO for GA now. We can come back later and revisit if needed.
@darrelmiller, I think you're right. If a user doesn't specify security in their API spec, it doesn't imply the API has no authentication. However, if the API spec includes authentication, we should assume it only supports the specified auth schemes. We could either throw an error or warn the user if an unsupported auth scheme is used, to prevent errors when their plugin runs in Copilot. Currently, Kiota generates an auth code flow auth property in the ai-plugin.json file when encountering an implicit OAuth flow in the OpenAPI spec without throwing an error or warning message, potentially causing unexpected behavior when running in Copilot. If we want to avoid blocking the user from generating the plugin file, it's advisable to display a warning message and generate the ai-plugin file without authentication. This allows the user to add the authentication details themselves later.
I agree with @SLdragon. We shouldn't fail on OpenAPI descriptions that don't specify security, but if the security is specified, we should check and only create plugins when the authentication flow is supported.
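The behaviour proposed in the comments above, as an added example that is not Kiota's or Teams Toolkit's own code: an OpenAPI description that declares no OAuth2 scheme passes through untouched (security may be conveyed out-of-band), one whose OAuth2 schemes only declare unsupported flows such as `implicit` produces a warning and a manifest auth block without OAuth, and one with an `authorizationCode` flow keeps OAuth. The type names, the function names and the shape of the plugin-manifest auth block are assumptions made for the illustration, and the sample documents are constructed inline rather than taken from the linked `oauth-implicit.yaml`.

```typescript
// Added example, not Kiota's or Teams Toolkit's own code. Type and function
// names and the auth-block shape are assumptions made for this illustration.

type OAuthFlowName = "implicit" | "password" | "clientCredentials" | "authorizationCode";
type OAuthFlows = Partial<Record<OAuthFlowName, Record<string, unknown>>>;

type SecurityScheme =
  | { type: "oauth2"; flows: OAuthFlows }
  | { type: "apiKey" | "http" | "openIdConnect"; description?: string };

type OpenApiDoc = {
  openapi: string;
  components?: { securitySchemes?: Record<string, SecurityScheme> };
};

// Per the issue discussion: Copilot supports only the OAuth2 authorization code flow.
const SUPPORTED_OAUTH2_FLOWS: ReadonlySet<string> = new Set(["authorizationCode"]);

type AuthCheck = {
  // "unspecified": no OAuth2 scheme declared at all
  // "supported":   at least one OAuth2 scheme carries an authorizationCode flow
  // "unsupported": OAuth2 is declared, but only with flows Copilot cannot use
  status: "unspecified" | "supported" | "unsupported";
  warnings: string[];
};

function checkOAuth2Flows(doc: OpenApiDoc): AuthCheck {
  const schemes = doc.components?.securitySchemes ?? {};
  const warnings: string[] = [];
  let sawOAuth2 = false;
  let sawSupported = false;

  for (const [name, scheme] of Object.entries(schemes)) {
    if (scheme.type !== "oauth2") continue; // non-OAuth2 schemes are out of scope here
    sawOAuth2 = true;
    for (const flow of Object.keys(scheme.flows)) {
      if (SUPPORTED_OAUTH2_FLOWS.has(flow)) {
        sawSupported = true;
      } else {
        warnings.push(
          `securityScheme '${name}' declares the OAuth2 '${flow}' flow, which Copilot does not support (only authorizationCode is)`,
        );
      }
    }
  }

  if (!sawOAuth2) return { status: "unspecified", warnings };
  return { status: sawSupported ? "supported" : "unsupported", warnings };
}

// Illustrative plugin-manifest auth block (shape assumed, not Kiota's real output).
type PluginAuth = { type: "None" } | { type: "OAuthPluginVault" };

function pluginAuthFor(doc: OpenApiDoc): { auth: PluginAuth; warnings: string[] } {
  const check = checkOAuth2Flows(doc);
  // Emit OAuth only when a supported flow exists. Otherwise emit no auth and
  // surface the warnings, instead of silently writing auth-code settings for
  // an API that only declared an implicit flow.
  const auth: PluginAuth =
    check.status === "supported" ? { type: "OAuthPluginVault" } : { type: "None" };
  return { auth, warnings: check.warnings };
}

// Constructed sample documents (not the linked oauth-implicit.yaml).
const implicitOnlyDoc: OpenApiDoc = {
  openapi: "3.0.0",
  components: {
    securitySchemes: {
      exampleOAuth: {
        type: "oauth2",
        flows: { implicit: { authorizationUrl: "https://auth.example.test/authorize", scopes: {} } },
      },
    },
  },
};

const authCodeDoc: OpenApiDoc = {
  openapi: "3.0.0",
  components: {
    securitySchemes: {
      exampleOAuth: {
        type: "oauth2",
        flows: {
          authorizationCode: {
            authorizationUrl: "https://auth.example.test/authorize",
            tokenUrl: "https://auth.example.test/token",
            scopes: {},
          },
        },
      },
    },
  },
};

const noSecurityDoc: OpenApiDoc = { openapi: "3.0.0" };

const samples: Array<[string, OpenApiDoc]> = [
  ["implicit only", implicitOnlyDoc],
  ["auth code", authCodeDoc],
  ["no security", noSecurityDoc],
];
for (const [label, doc] of samples) {
  console.log(label, JSON.stringify(pluginAuthFor(doc)));
}
```

The check deliberately distinguishes "no OAuth2 declared" from "OAuth2 declared with an unsupported flow": the first case is left alone, as @darrelmiller argued, while the second gets a warning and no auth block so the user can fill in the details by hand, as @SLdragon proposed.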
What are you generating using Kiota, clients or plugins?
Kiota plugin
In what context or format are you using Kiota?
Windows executable
Client library/SDK language
None
Describe the bug
Copilot does not support OAuth with the implicit flow; currently it only supports OAuth with the auth code flow. Kiota should throw an error if the API the user selected contains OAuth with the implicit flow.
Sample schema:
https://raw.githubusercontent.com/SLdragon/example-openapi-spec/main/oauth-implicit.yaml
Related bug:
#5288
#5070
#5162
Expected behavior
Kiota should throw error
How to reproduce
Open sample schema: https://raw.githubusercontent.com/SLdragon/example-openapi-spec/main/oauth-implicit.yaml -> click generate plugin
Open API description file
No response
Kiota Version
v1.18.100000002
Latest Kiota version known to work for scenario above? (Not required)
No response
Known Workarounds
No response
Configuration
No response
Debug output