@jdegoes would you like to add some requirements?

I prefer to split the generic Authorization header codec into specific ones.

/bounty $100

💎 $100 bounty • ZIO

Steps to solve:

1. Start working: Comment /attempt #2592 with your implementation plan
2. Submit work: Create a pull request including /claim #2592 in the PR body to claim the bounty
3. Receive payment: 100% of the bounty is received 2-5 days post-reward. Make sure you are eligible for payouts

Thank you for contributing to zio/zio-http!

Add a bounty • Share on socials

OpenAPI 3.1 allows for using scopes even on Non-OAuth2-Security Schemes (example).

It would be great if zio-http allowed declaration of scopes on any Authorization type, and generation of matching OpenAPI-specs. Declaring permissions as types or values and expressing that one of potentially multiple allowed ones is required for an Endpoint would be very useful, and could allow for thorough authorization-testing of APIs.

While authorization would typically be handled by middleware, OpenAPI-generation probably can't be modified by that. I think having a way to (optionally) express authorization requirements on header inputs that can be retrieved both for API specs but also e.g. tests, with middleware being responsible for augmenting "raw" header inputs with appropriate permissions (by reading OAuth-scopes from a bearer token, matching Basic Auth-Information against a database, ...), would be an awesome way to encode security requirements in a zio-http-API. Security should be a first-class citizen of an API, like any other input like a path or request body.

@hanneshauer I like that idea. 👍

/attempt #2592

💡 @mobley-trent submitted a pull request that claims the bounty. You can visit your bounty board to reward.