Add configurable SecuritySchemes for OpenAPI auth

Introduce SignalROpenApiOptions.SecuritySchemes to allow custom authentication schemes in OpenAPI docs. Remove hardcoded Bearer scheme; generator now uses user-configured schemes. Update README and Program.cs with JWT Bearer examples. Expand tests to verify scheme inclusion and security requirements. Enables flexible, explicit authentication configuration.

Author: icnocop

README.md

@@ -82,6 +82,16 @@ builder.Services.AddSignalROpenApi(options =>
     // Each entry appears as an apiKey security scheme (in: header) so users
     // can enter a value at runtime before invoking hub methods.
     options.ApiKeyHeaders["X-Custom-Header"] = "A custom header sent with every hub connection.";
+
+    // Security schemes applied to operations with [Authorize].
+    // Define the authentication methods that SwaggerUI exposes in the Authorize dialog.
+    options.SecuritySchemes["Bearer"] = new Microsoft.OpenApi.Models.OpenApiSecurityScheme
+    {
+        Type = Microsoft.OpenApi.Models.SecuritySchemeType.Http,
+        Scheme = "bearer",
+        BearerFormat = "JWT",
+        Description = "JWT Bearer token for SignalR hub authentication.",
+    };
 });
 
 builder.Services.AddSignalRSwaggerUi(options =>

samples/SignalR.OpenApi.Sample/Program.cs

@@ -1,6 +1,7 @@
 // Copyright (c) SignalR.OpenApi Contributors. Licensed under the MIT License.
 
 using FluentValidation;
+using Microsoft.OpenApi.Models;
 using SignalR.OpenApi.Extensions;
 using SignalR.OpenApi.Sample.Hubs;
 
@@ -33,6 +34,16 @@
     // Each entry appears as an apiKey security scheme (in: header) so users
     // can enter a value at runtime before invoking hub methods.
     options.ApiKeyHeaders["X-Custom-Header"] = "A custom header sent with every hub connection.";
+
+    // Security schemes applied to operations with [Authorize].
+    // Define the authentication methods that SwaggerUI exposes in the Authorize dialog.
+    options.SecuritySchemes["Bearer"] = new OpenApiSecurityScheme
+    {
+        Type = SecuritySchemeType.Http,
+        Scheme = "bearer",
+        BearerFormat = "JWT",
+        Description = "JWT Bearer token for SignalR hub authentication. The token is passed via the SignalR connection's accessTokenFactory.",
+    };
 });
 builder.Services.AddSignalRFluentValidation();
 builder.Services.AddSignalRSwaggerUi(options =>

src/SignalR.OpenApi/Generation/SignalROpenApiDocumentGenerator.cs

@@ -76,7 +76,7 @@ public OpenApiDocument GenerateDocument(IReadOnlyList<SignalRHubInfo> hubs)
 
         if (requiresAuth)
         {
-            AddSecuritySchemes(document);
+            this.AddConfiguredSecuritySchemes(document);
         }
 
         this.AddApiKeyHeaderSchemes(document);
@@ -138,19 +138,6 @@ private static void AddSignalRExtension(
         operation.Extensions["x-signalr"] = extension;
     }
 
-    private static void AddSecuritySchemes(OpenApiDocument document)
-    {
-        document.Components.SecuritySchemes ??= new Dictionary<string, OpenApiSecurityScheme>();
-
-        document.Components.SecuritySchemes["Bearer"] = new OpenApiSecurityScheme
-        {
-            Type = SecuritySchemeType.Http,
-            Scheme = "bearer",
-            BearerFormat = "JWT",
-            Description = "JWT Bearer token for SignalR hub authentication. The token is passed via the SignalR connection's accessTokenFactory.",
-        };
-    }
-
     private static void ApplyDataAnnotations(OpenApiSchema schema, ICustomAttributeProvider member)
     {
         var stringLength = GetAttribute<StringLengthAttribute>(member);
@@ -380,6 +367,25 @@ private static Microsoft.OpenApi.Any.OpenApiArray ConvertJsonArray(JsonElement e
         return arr;
     }
 
+    /// <summary>
+    /// Adds the user-configured security schemes from
+    /// <see cref="SignalROpenApiOptions.SecuritySchemes"/> to the document.
+    /// </summary>
+    private void AddConfiguredSecuritySchemes(OpenApiDocument document)
+    {
+        if (this.options.SecuritySchemes.Count == 0)
+        {
+            return;
+        }
+
+        document.Components.SecuritySchemes ??= new Dictionary<string, OpenApiSecurityScheme>();
+
+        foreach (var scheme in this.options.SecuritySchemes)
+        {
+            document.Components.SecuritySchemes[scheme.Key] = scheme.Value;
+        }
+    }
+
     /// <summary>
     /// Adds <c>apiKey</c> security schemes for each configured
     /// <see cref="SignalROpenApiOptions.ApiKeyHeaders"/> entry.
@@ -1151,24 +1157,26 @@ private OpenApiOperation CreateOperation(SignalRHubInfo hub, SignalRMethodInfo m
             };
         }
 
-        // Security
-        if (method.RequiresAuthorization || (hub.RequiresAuthorization && !method.AllowAnonymous))
+        // Security — reference every configured scheme so the lock icon
+        // and Authorize dialog cover all authentication methods.
+        if ((method.RequiresAuthorization || (hub.RequiresAuthorization && !method.AllowAnonymous))
+            && this.options.SecuritySchemes.Count > 0)
         {
-            operation.Security =
-            [
-                new OpenApiSecurityRequirement
+            var requirement = new OpenApiSecurityRequirement();
+            foreach (var schemeId in this.options.SecuritySchemes.Keys)
+            {
+                var schemeRef = new OpenApiSecurityScheme
                 {
-                    [new OpenApiSecurityScheme
+                    Reference = new OpenApiReference
                     {
-                        Reference = new OpenApiReference
-                        {
-                            Type = ReferenceType.SecurityScheme,
-                            Id = "Bearer",
-                        },
-                    }
-                    ] = [],
-                },
-            ];
+                        Type = ReferenceType.SecurityScheme,
+                        Id = schemeId,
+                    },
+                };
+                requirement[schemeRef] = [];
+            }
+
+            operation.Security = [requirement];
         }
 
         var isFlattened = method.Parameters.Count == 1

src/SignalR.OpenApi/SignalROpenApiOptions.cs

@@ -2,6 +2,7 @@
 
 using System.Reflection;
 using System.Text.Json;
+using Microsoft.OpenApi.Models;
 
 namespace SignalR.OpenApi;
 
@@ -104,4 +105,23 @@ public sealed class SignalROpenApiOptions
     /// </code>
     /// </example>
     public IDictionary<string, string> ApiKeyHeaders { get; } = new Dictionary<string, string>(StringComparer.Ordinal);
+
+    /// <summary>
+    /// Gets the security schemes to include in the OpenAPI document when hubs
+    /// require authorization. Each entry is added to <c>components/securitySchemes</c>
+    /// and referenced in the <c>security</c> section of operations with
+    /// <c>[Authorize]</c>. When empty, no authentication scheme is emitted.
+    /// </summary>
+    /// <example>
+    /// <code>
+    /// options.SecuritySchemes["Bearer"] = new OpenApiSecurityScheme
+    /// {
+    ///     Type = SecuritySchemeType.Http,
+    ///     Scheme = "bearer",
+    ///     BearerFormat = "JWT",
+    ///     Description = "JWT Bearer token for SignalR hub authentication.",
+    /// };
+    /// </code>
+    /// </example>
+    public IDictionary<string, OpenApiSecurityScheme> SecuritySchemes { get; } = new Dictionary<string, OpenApiSecurityScheme>(StringComparer.Ordinal);
 }

test/SignalR.OpenApi.Tests/SignalROpenApiDocumentGeneratorTests.cs

@@ -172,17 +172,50 @@ public void GenerateDocument_ClientEvent_IncludesEventDiscriminators()
     }
 
     /// <summary>
-    /// Verifies security schemes are added when authorized hubs exist.
+    /// Verifies security schemes are added when authorized hubs exist and schemes are configured.
     /// </summary>
     [TestMethod]
-    public void GenerateDocument_AddsSecuritySchemes_WhenAuthorizedHubExists()
+    public void GenerateDocument_AddsSecuritySchemes_WhenAuthorizedHubExistsAndSchemesConfigured()
     {
-        var (discoverer, generator) = CreateServices();
+        var (discoverer, generator) = CreateServices(o =>
+        {
+            o.SecuritySchemes["Bearer"] = new OpenApiSecurityScheme
+            {
+                Type = SecuritySchemeType.Http,
+                Scheme = "bearer",
+                BearerFormat = "JWT",
+                Description = "JWT Bearer token.",
+            };
+        });
+
         var hubs = discoverer.DiscoverHubs();
         var doc = generator.GenerateDocument(hubs);
 
         Assert.IsNotNull(doc.Components.SecuritySchemes);
         Assert.IsTrue(doc.Components.SecuritySchemes.ContainsKey("Bearer"));
+        Assert.AreEqual(SecuritySchemeType.Http, doc.Components.SecuritySchemes["Bearer"].Type);
+    }
+
+    /// <summary>
+    /// Verifies no security schemes are added when authorized hubs exist but no schemes are configured.
+    /// </summary>
+    [TestMethod]
+    public void GenerateDocument_NoSecuritySchemes_WhenNoneConfigured()
+    {
+        var (discoverer, generator) = CreateServices();
+        var hubs = discoverer.DiscoverHubs();
+        var doc = generator.GenerateDocument(hubs);
+
+        if (doc.Components.SecuritySchemes is not null)
+        {
+            foreach (var scheme in doc.Components.SecuritySchemes.Values)
+            {
+                Assert.AreNotEqual(
+                    SecuritySchemeType.Http,
+                    scheme.Type,
+                    "Should not have HTTP auth schemes when SecuritySchemes is empty.");
+            }
+        }
     }
 
     /// <summary>
@@ -247,7 +280,15 @@ public void GenerateDocument_GeneratesResponseSchema()
     [TestMethod]
     public void GenerateDocument_SetsSecurityOnAuthorizedMethods()
     {
-        var (discoverer, generator) = CreateServices();
+        var (discoverer, generator) = CreateServices(o =>
+        {
+            o.SecuritySchemes["Bearer"] = new OpenApiSecurityScheme
+            {
+                Type = SecuritySchemeType.Http,
+                Scheme = "bearer",
+            };
+        });
+
         var hubs = discoverer.DiscoverHubs();
         var doc = generator.GenerateDocument(hubs);