jsonschema - 开放 API 规范 JWT - 子路径没有安全性

标签 jsonschema swagger-2.0

我有以下规范,

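# [START swagger]
swagger: "2.0"
info:
  description: "A simple Google Cloud Endpoints API example."
  title: "Endpoints Example"
  version: "1.0.0"
# [END swagger]
# `host` must be the hostname the API is actually served from; replace the
# placeholder before deploying. (The template comment this was copied from
# referred to an "above host: line" that does not exist in this file.)
host: "<Hostname>"
basePath: "/"
consumes:
  - "application/json"
produces:
  - "application/json"
schemes:
  - "https"

# Security semantics in OpenAPI 2.0: the top-level `security` section (at the
# bottom of this file) is the default for every operation that does NOT
# declare its own `security`. An operation-level `security` REPLACES that
# default rather than adding to it, so the operations below that list only
# `firebase` do not require the API key. To require both on one operation,
# put both schemes in a single requirement object; to require nothing, use
# `security: []`.
paths:
  "/users/{latitude}/{longitude}":
    get:
      description: List of users
      operationId: fetchusers
      produces:
        - application/json
        - application/xml
        - text/xml
        - text/html
      parameters:
        - name: latitude
          in: path
          description: Latitude component of location.
          required: true
          type: number
          format: double

        - name: longitude
          in: path
          description: Longitude component of location.
          required: true
          type: number
          format: double

      responses:
        '200':
          description: List of nearest users
          schema:
            $ref: '#/definitions/users'
        default:
          description: unexpected error
          schema:
            $ref: '#/definitions/errorModel'
      # Firebase token only; the global api_key default does not apply here.
      security:
        - firebase: []

  "/users":
    get:
      description: List of users
      operationId: fetchAllusers
      produces:
        - application/json
      # NOTE(review): a body parameter on a GET is syntactically allowed by
      # Swagger 2.0 but GET bodies are dropped by many clients and proxies;
      # confirm this is intended or move the criteria to query parameters.
      parameters:
        - description: "users List"
          in: body
          name: message
          required: true
          schema:
            $ref: "#/definitions/echoMessage"
      responses:
        '200':
          description: List of nearest users
          schema:
            $ref: '#/definitions/users'
        default:
          description: unexpected error
          schema:
            $ref: '#/definitions/errorModel'
      # Firebase token only; the global api_key default does not apply here.
      security:
        - firebase: []
  "/users/search":
    post:
      description: "Search users"
      operationId: "searchusers"
      produces:
        - "application/json"
      responses:
        # Response codes must be strings in Swagger 2.0; an unquoted 200 is
        # parsed as an integer key by generic YAML loaders.
        '200':
          description: "users List"
          schema:
            $ref: "#/definitions/echoMessage"
      parameters:
        - description: "Search Criteria"
          in: body
          name: message
          required: true
          schema:
            $ref: "#/definitions/echoMessage"
      # Firebase token only; the global api_key default does not apply here.
      security:
        - firebase: []
  "/auth/info/googlejwt":
    get:
      description: "Returns the requests' authentication information."
      operationId: "auth_info_google_jwt"
      produces:
        - "application/json"
      responses:
        '200':
          description: "Authenication info."
          schema:
            $ref: "#/definitions/authInfoResponse"
      # Service-account JWT only; the global api_key default does not apply.
      security:
        - google_jwt: []
  "/auth/info/googleidtoken":
    get:
      description: "Returns the requests' authentication information."
      operationId: "authInfoGoogleIdToken"
      produces:
        - "application/json"
      responses:
        '200':
          description: "Authenication info."
          schema:
            $ref: "#/definitions/authInfoResponse"
      # Google ID token only; the global api_key default does not apply.
      security:
        - google_id_token: []
definitions:
  echoMessage:
    properties:
      message:
        type: "string"
  authInfoResponse:
    properties:
      id:
        type: "string"
      email:
        type: "string"
  # `users` and `errorModel` are referenced by the /users responses above but
  # were not defined, which makes every `$ref` to them dangling. The two
  # schemas below are minimal constructed placeholders — replace them with
  # the real response shapes.
  users:
    type: "array"
    items:
      type: "object"
  errorModel:
    properties:
      message:
        type: "string"
# Default requirement for every operation that has no `security` of its own.
# Operations above that declare `security` replace this default (they are NOT
# additionally required to send the API key); an operation with
# `security: []` requires nothing.
security:
  - api_key: []
securityDefinitions:
  # This section configures basic authentication with an API key.
  api_key:
    type: "apiKey"
    name: "key"
    in: "header"
  # This section configures authentication using Google API Service Accounts
  # to sign a json web token. This is mostly used for server-to-server
  # communication.
  google_jwt:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    # This must match the 'iss' field in the JWT.
    x-google-issuer: "jwt-client.endpoints.sample.google.com"
    # Update this with your service account's email address.
    x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/jwk/YOUR-SERVICE-ACCOUNT-EMAIL"
    # This must match the "aud" field in the JWT. You can add multiple
    # audiences to accept JWTs from multiple clients.
    x-google-audiences: "echo.endpoints.sample.google.com"
  # This section configures authentication using Google OAuth2 ID Tokens.
  # ID Tokens can be obtained using OAuth2 clients, and can be used to access
  # your API on behalf of a particular user.
  google_id_token:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://accounts.google.com"
    x-google-jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"
    # Your OAuth2 client's Client ID must be added here. You can add
    # multiple client IDs to accept tokens from multiple clients.
    x-google-audiences: "YOUR-CLIENT-ID"
  firebase:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    # Issuer and audience must both carry the same Firebase project ID;
    # a mismatch rejects every token.
    x-google-issuer: "https://securetoken.google.com/<PROJECT-ID>"
    # The key-set URL was mangled by the page's e-mail obfuscation; the
    # address is the fixed Firebase signer account.
    x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
    x-google-audiences: "<PROJECT-ID>"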

而且还会有更多服务。正如你所看到的,我已经给出了各种安全定义。我将为不同的路径使用不同的安全定义。默认情况下,我想为所有路径启用 api_key,但我想为某些路径禁用此安全性,如何实现这一点?

最佳答案

我认为您应该按照以下步骤关闭特定方法的 API key 验证,即使您限制了 API 访问

  1. 在文本编辑器中打开项目的 openapi.yaml 文件。
  2. 在该方法（operation）的定义中添加一个空的 security 指令。方法级别的 security 会覆盖顶层的默认 security，空列表表示该方法不要求任何认证方案：
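paths:
  "/echo":
    post:
      description: "Echo back a given message."
      operationId: "echo"
      # An empty list overrides the top-level `security` default for this
      # operation only, so no API key (or any other scheme) is required here.
      security: []
      produces:
        # … rest of the operation unchanged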

引用:https://cloud.google.com/endpoints/docs/openapi/restricting-api-access-with-api-keys

关于jsonschema - 开放 API 规范 JWT - 子路径没有安全性,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/45162453/
