authorSafia Abdalla <safia@microsoft.com>2022-07-13 18:09:51 +0300
committerGitHub <noreply@github.com>2022-07-13 18:09:51 +0300
commit59bfcb1994409ad1e65eb6361ab26a380952c507 (patch)
tree01e7083875e46aa9c37936f9868ea0ad1cc18a66
parent69c7a87cd8f05da9c05c373edfc0337c9e864d9e (diff)
Set OpenApiSecurityRequirement for JWT-bearer scenarioscs/openapi-spec-requirement
-rw-r--r--src/OpenApi/src/Microsoft.AspNetCore.OpenApi.csproj3
-rw-r--r--src/OpenApi/src/OpenApiGenerator.cs37
2 files changed, 38 insertions, 2 deletions
diff --git a/src/OpenApi/src/Microsoft.AspNetCore.OpenApi.csproj b/src/OpenApi/src/Microsoft.AspNetCore.OpenApi.csproj
index 34a81cb704..d7fcd23d3b 100644
--- a/src/OpenApi/src/Microsoft.AspNetCore.OpenApi.csproj
+++ b/src/OpenApi/src/Microsoft.AspNetCore.OpenApi.csproj
@@ -9,6 +9,7 @@
<ItemGroup>
<Reference Include="Microsoft.OpenApi" />
+ <Reference Include="Microsoft.AspNetCore.Authentication.JwtBearer" />
<Reference Include="Microsoft.AspNetCore.Http.Abstractions" />
<Reference Include="Microsoft.AspNetCore.Routing" />
<Reference Include="Microsoft.AspNetCore.Mvc.Core" />
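Review bot: The new `Microsoft.AspNetCore.Authentication.JwtBearer` reference appears to be needed only for the `JwtBearerDefaults.AuthenticationScheme` constant used in OpenApiGenerator.cs, as far as the visible hunks show. That couples the OpenApi assembly to the JWT handler package and its transitive dependencies for the sake of one string. Consider dropping the reference and declaring a local constant instead, e.g. `private const string BearerScheme = "Bearer";`, with a comment noting that it must match `JwtBearerDefaults.AuthenticationScheme`.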
@@ -26,4 +27,4 @@
<InternalsVisibleTo Include="Microsoft.AspNetCore.OpenApi.Tests" />
</ItemGroup>
-</Project> \ No newline at end of file
+</Project>
diff --git a/src/OpenApi/src/OpenApiGenerator.cs b/src/OpenApi/src/OpenApiGenerator.cs
index 454f3718ff..a8f77fe46c 100644
--- a/src/OpenApi/src/OpenApiGenerator.cs
+++ b/src/OpenApi/src/OpenApiGenerator.cs
@@ -6,6 +6,8 @@ using System.Linq;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Security.Claims;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Metadata;
using Microsoft.AspNetCore.Mvc;
@@ -78,7 +80,8 @@ internal sealed class OpenApiGenerator
Tags = GetOperationTags(methodInfo, metadata),
Parameters = GetOpenApiParameters(methodInfo, metadata, pattern, disableInferredBody),
RequestBody = GetOpenApiRequestBody(methodInfo, metadata, pattern),
- Responses = GetOpenApiResponses(methodInfo, metadata)
+ Responses = GetOpenApiResponses(methodInfo, metadata),
+ Security = GetOpenApiSecurityRequirement(metadata)
};
static bool ShouldDisableInferredBody(string method)
@@ -93,6 +96,38 @@ internal sealed class OpenApiGenerator
}
}
+ private static IList<OpenApiSecurityRequirement> GetOpenApiSecurityRequirement(EndpointMetadataCollection metadata)
+ {
+ var authorizationMetadata = metadata.OfType<IAuthorizeData>();
+ var securityRequirements = new List<OpenApiSecurityRequirement>();
+ OpenApiSecurityScheme? scheme = null;
+ List<string> roles = new();
+ foreach (var authorizationItem in authorizationMetadata)
+ {
+ var applicableSchemes = authorizationItem.AuthenticationSchemes?.Split(",");
+ if (applicableSchemes?.Length > 0 && applicableSchemes.Contains(JwtBearerDefaults.AuthenticationScheme))
+ {
+ scheme = new OpenApiSecurityScheme()
+ {
+ Reference = new()
+ {
+ Type = ReferenceType.SecurityScheme,
+ Id = JwtBearerDefaults.AuthenticationScheme
+ }
+ };
+ }
+ roles.AddRange(authorizationItem.Roles?.Split(','));
+ }
+ if (scheme is not null)
+ {
+ securityRequirements.Add(new() {
+ { scheme, roles }
+ });
+ }
+
+ return securityRequirements;
+ }
+
private static OpenApiResponses GetOpenApiResponses(MethodInfo method, EndpointMetadataCollection metadata)
{
var responses = new OpenApiResponses();
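Review bot: `roles.AddRange(authorizationItem.Roles?.Split(','))` in GetOpenApiSecurityRequirement passes null to `AddRange` whenever an `IAuthorizeData` item has no `Roles`, which throws `ArgumentNullException`; a plain `[Authorize(AuthenticationSchemes = "Bearer")]` would hit this. Guard it, e.g. `if (authorizationItem.Roles is { } roleList) { roles.AddRange(roleList.Split(',', StringSplitOptions.TrimEntries | StringSplitOptions.RemoveEmptyEntries)); }`. Split `AuthenticationSchemes` with the same options, because an untrimmed entry such as " Bearer" in "Cookies, Bearer" will not match `JwtBearerDefaults.AuthenticationScheme`, and the endpoint would then be documented with no security requirement even though it is protected. Roles are also collected from every authorization item, including ones that do not name the Bearer scheme, and are emitted in the list OpenAPI uses for scopes; either add a comment stating that this is intended or restrict collection to items that matched the scheme.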