Skip to content

Model REST auth in OpenAPI as bearer security instead of an Authorization header parameter#3707

Draft
JerryNixon with Copilot wants to merge 3 commits into
mainfrom
copilot/fix-openapi-specification-error
Draft

Model REST auth in OpenAPI as bearer security instead of an Authorization header parameter#3707
JerryNixon with Copilot wants to merge 3 commits into
mainfrom
copilot/fix-openapi-specification-error

Conversation

Copilot AI commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Why make this change?

  • Swagger UI ignores operation-level Authorization header parameters, so DAB's generated OpenAPI showed an auth field that was not sent on Try it out.
  • The current document shape also omitted components.securitySchemes, which prevents Swagger UI from using the standard Authorize flow for bearer tokens. The issue reproduces with Azure AD + authenticated REST entities and appears in the generated Swagger UI as shown in the attached screenshot.

What is this change?

  • OpenAPI auth model

    • Stop emitting Authorization as an operation header parameter.
    • Emit a document-level bearer auth scheme when the auth provider is not Unauthenticated.
    • Add a document-level security requirement so Swagger UI uses the standard bearer token flow.
  • Operation parameters

    • Keep X-MS-API-ROLE as a normal operation header parameter.
    • Leave non-auth operation/query/path parameter generation unchanged.
  • Coverage

    • Update OpenAPI parameter assertions to verify Authorization is absent from operation headers.
    • Add focused tests for:
      • authenticated providers -> bearer security scheme present
      • unauthenticated provider -> no bearer security scheme
      • null auth config -> no bearer security scheme
      • X-MS-API-ROLE remains available as a header parameter
{
  "components": {
    "securitySchemes": {
      "BearerAuth": {
        "type": "http",
        "scheme": "bearer",
        "bearerFormat": "JWT"
      }
    }
  },
  "security": [
    { "BearerAuth": [] }
  ]
}

How was this tested?

  • Integration Tests
  • Unit Tests

Sample Request(s)

  • Swagger UI now uses Authorize for bearer tokens instead of rendering Authorization as an operation header parameter.
  • Example OpenAPI effect:
components:
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
security:
  - BearerAuth: []
  • Example request after authorizing in Swagger UI:
GET /api/BooksTable HTTP/1.1
Authorization: ******
X-MS-API-ROLE: authenticated

Copilot AI changed the title [WIP] Fix incorrect OpenAPI specification causing error in Swagger Model REST auth in OpenAPI as bearer security instead of an Authorization header parameter Jul 8, 2026
Copilot AI requested a review from JerryNixon July 8, 2026 00:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug]: Incorrect OpenAPI Specifiaction causes error in Swagger

2 participants