security: Using Multiple Authentication Types

[utherbit]

Description

My API needs multiple authentication keys at once. I can achieve this using middleware, but I have to create a blank SecurityHandler. It would be cool if the SecurityHandler provided me with key combinations.

Currently, SecurityHandler only supports the "or" option from the example below.

Desired result:
For the second example, you need to generate one SecurityHandler method, not two.
For the third example - two methods, not 4

References

https://swagger.io/docs/specification/authentication/
scroll to "Using Multiple Authentication Types"

Some REST APIs support several authentication types. The security section lets you combine the security requirements using logical OR and AND to achieve the desired result. security uses the following logic

security:    # A OR B
  - A
  - B

security:    # A AND B
  - A
    B

security:    # (A AND B) OR (C AND D)
  - A
    B
  - C
    D

[tdakkota]

To generate a method, ogen needs a method name. What name should be used? Handle<A><B> does not sound great, especially if there is more than two security requirements and each one have name longer than one letter.

Also, this is become pretty complicated, since each operation in the spec may have its own set of security requirements.

Currently, SecurityHandler only supports the "or" option from the example below.

No, ogen checks whether if it is A and B or C and D. But if you want to pass some data from security handler, you need to pass it through context.Context .

[utherbit]

You are right, the method name will be long. Now the signature of the security methods will go beyond the boundary, it will be even worse.

In this form it is really not an easy task.

However, I do not like the idea of ​​passing through the context, I wrote my http middleware over ogen to not pass the authentication data through the context, because in this case it is not obvious to me at what point the information collection will end and it will be possible to start processing it, unless in the middleware that will be executed after the security handler.

Since I wrote my middleware for authorization, I will have to implement a dummy SecurityHandler, since it is mandatory.

I like the logic that currently checks authentication (with a bitmap). But I think it is enough that it checks for the presence of the required headers.

I have an idea, which is probably not the best. Maybe it would be more convenient to make one handler for all authentication methods? I see this as a ServerOption similar to WithErrorHandler or WithNotFound eg WithAuthenticationHandler

Changes to this logic will be critical in any case, so I don't expect a decision to be made anytime soon.