Security
Basic Authentication
With Connexion, the API security definition must include an x-basicInfoFunc entry, or the BASICINFO_FUNC env var must be set. It uses the same semantics as x-tokenInfoFunc, but the function accepts three parameters: username, password and required_scopes.
You can find a minimal Basic Auth example application in Connexion's "examples" folder.
ApiKey Authentication
With Connexion, the API security definition must include an x-apikeyInfoFunc entry, or the APIKEYINFO_FUNC env var must be set. It uses the same semantics as x-basicInfoFunc, but the function accepts two parameters: apikey and required_scopes.
You can find a minimal API Key example application in Connexion's "examples" folder.
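The two handlers described above, written as an added example rather than code from Connexion or its examples folder. The functions follow the parameter lists the text gives (username, password, required_scopes for Basic; apikey, required_scopes for API keys) and return a token_info dict on success or None to reject. The credential store, salt, users and API key values are constructed for the example; the password hashing (salted PBKDF2-HMAC-SHA256), the digest-only storage of API keys and the constant-time comparison are choices of this example, and the example itself rejects principals whose granted scopes do not cover required_scopes.

```python
import hashlib
import hmac
from typing import Optional

# Constructed credential store for this example; a real deployment reads it from a
# database or secret manager. Passwords are kept only as salted PBKDF2-HMAC-SHA256 hashes.
_PBKDF2_ITERATIONS = 100_000
_DEMO_SALT = b"constructed-per-user-salt"  # hypothetical; use os.urandom(16) per user in practice


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _PBKDF2_ITERATIONS)


USERS = {
    "admin": {"salt": _DEMO_SALT, "hash": _hash_password("secret", _DEMO_SALT), "scopes": ["read", "write"]},
    "reader": {"salt": _DEMO_SALT, "hash": _hash_password("letmein", _DEMO_SALT), "scopes": ["read"]},
}

# API keys are stored as SHA-256 digests so a leaked table does not expose usable keys.
API_KEYS = {
    hashlib.sha256(b"key-reader-123").hexdigest(): {"sub": "reader", "scopes": ["read"]},
}


def _token_info(subject: str, granted: list, required_scopes) -> Optional[dict]:
    # This example enforces the operation's required scopes itself and reports the
    # granted scopes as a space-separated "scope" string in token_info.
    if required_scopes and not set(required_scopes).issubset(granted):
        return None
    return {"sub": subject, "scope": " ".join(granted)}


def basic_auth(username: str, password: str, required_scopes=None) -> Optional[dict]:
    """x-basicInfoFunc handler: token_info dict on success, None to reject."""
    record = USERS.get(username)
    # Hash even for unknown users so response time does not reveal which usernames exist.
    salt = record["salt"] if record else _DEMO_SALT
    candidate = _hash_password(password, salt)
    if record is None or not hmac.compare_digest(candidate, record["hash"]):
        return None
    return _token_info(username, record["scopes"], required_scopes)


def apikey_auth(apikey: str, required_scopes=None) -> Optional[dict]:
    """x-apikeyInfoFunc handler: same return contract as basic_auth."""
    record = API_KEYS.get(hashlib.sha256(apikey.encode("utf-8")).hexdigest())
    if record is None:
        return None
    return _token_info(record["sub"], record["scopes"], required_scopes)
```

Point x-basicInfoFunc at basic_auth and x-apikeyInfoFunc at apikey_auth (or set the corresponding env vars) and Connexion calls them with the credentials it extracts from the request; a None return produces the authentication failure response.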
Bearer Authentication (JWT)
With Connexion, the API security definition must include an x-bearerInfoFunc entry, or the BEARERINFO_FUNC env var must be set. It uses the same semantics as x-tokenInfoFunc, but the function accepts one parameter: token.
You can find a minimal JWT example application in Connexion's "examples" folder.
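An x-bearerInfoFunc handler that verifies an HS256 JWT with only the standard library, added here as an example; it is not Connexion's code or its JWT example application. The signing key and the claims are constructed for the demonstration, make_token exists only so the example has tokens to check, and the extra keyword arguments on bearer_auth (key, now) have defaults so Connexion can still call it with the single token parameter the text describes. The handler pins the algorithm to HS256 before looking at the signature, so a token whose header claims "none" or another algorithm is rejected, and it verifies the signature before it parses or trusts any claim.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed signing key for this example only (hypothetical; load from secret storage in practice).
SECRET = b"constructed-demo-hs256-key"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = SECRET) -> str:
    """Mint an HS256 JWT for the demonstration; a real issuer lives elsewhere."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def bearer_auth(token: str, key: bytes = SECRET, now: Optional[int] = None) -> Optional[dict]:
    """x-bearerInfoFunc handler: token_info dict for a valid token, None to reject."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return None
    # Pin the algorithm: the header never gets to choose it ("none", or RS256 verified with the HMAC key).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None
    # Only a signed payload is worth parsing.
    try:
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(claims, dict) or "sub" not in claims:
            return None
        if "exp" in claims and now >= int(claims["exp"]):
            return None
        if "nbf" in claims and now < int(claims["nbf"]):
            return None
    except (ValueError, TypeError):
        return None
    return {"sub": claims["sub"], "scope": claims.get("scope", "")}
```

Tokens are often issued by a separate authorization server; in that case the verification key (or the issuer's public key and a corresponding signature check) replaces SECRET, and the algorithm pin changes to whatever that issuer actually uses, but it must still be fixed by the verifier rather than read from the token.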
Multiple Authentication Schemes
With Connexion, it is also possible to combine multiple authentication schemes as described in the OpenAPI specification. When multiple authentication schemes are combined using logical AND, the token_info argument will consist of a dictionary mapping the names of the security schemes to their corresponding token_info.
Multiple OAuth2 security schemes in AND fashion are not supported.
Deploying Authentication
Some production hosting environments, such as Apache with mod_wsgi, do not by default pass authentication headers to WSGI applications. Therefore, to allow Connexion to handle authentication, you will need to enable passthrough.
Instructions for enabling authentication passthrough in mod_wsgi are available as part of the mod_wsgi documentation.
HTTPS Support
When specifying HTTPS as the scheme in the API YAML file, all the URIs in the served Swagger UI are HTTPS endpoints. The problem: the default server that runs is a "normal" HTTP server. This means that the Swagger UI cannot be used to play with the API. What is the correct way to start an HTTPS server when using Connexion?
One way, described by Flask, looks like this:
from flask import Flask  # added so the snippet runs on its own
from OpenSSL import SSL

app = Flask(__name__)
# pyOpenSSL context loaded with the server's private key and certificate
context = SSL.Context(SSL.SSLv23_METHOD)
context.use_privatekey_file('yourserver.key')
context.use_certificate_file('yourserver.crt')
# port must be an int; keep debug=False on anything reachable by others
app.run(host='127.0.0.1', port=12344,
        debug=False, ssl_context=context)
However, Connexion doesn't provide an ssl_context parameter. This is because Flask doesn't either, but it uses **kwargs to send the parameters to the underlying werkzeug server.
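A standard-library alternative to the pyOpenSSL context shown above, added as an example that is not from Connexion or Flask. Current werkzeug releases accept an ssl.SSLContext for ssl_context, and building it with the stdlib lets you refuse the old protocol versions that an SSLv23-method context would otherwise negotiate. The file names are the page's placeholders; the app.run call in the comment assumes, as the text states for Flask, that keyword arguments beyond Connexion's own are forwarded to the underlying server, which is not verified here.

```python
import ssl


def make_tls_context(certfile=None, keyfile=None, min_version=ssl.TLSVersion.TLSv1_2):
    """Server-side TLS context that refuses SSLv3 and TLS 1.0/1.1 handshakes.

    certfile/keyfile are optional only so the context can be built and inspected
    without certificate files on disk; a real server must load its chain.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)  # server-side defaults
    ctx.minimum_version = min_version
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS compression is an attack surface; keep it off
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Plain-value view of the settings that matter, handy for a startup log line."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }


if __name__ == "__main__":
    # Assumed usage, not verified here:
    # app.run(host='127.0.0.1', port=12344,
    #         ssl_context=make_tls_context('yourserver.crt', 'yourserver.key'))
    print(context_summary(make_tls_context()))
```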