Feature request from openapi 3: Allow apiKey in cookie

[t1bb4r]

The enum In from https://github.com/grpc-ecosystem/grpc-gateway/blob/master/protoc-gen-swagger/options/openapiv2.proto#L283 does not allow for an IN_COOKIE option:

  enum In {
    IN_INVALID = 0;
    IN_QUERY = 1;
    IN_HEADER = 2;
  }

It looks like they added it in openAPI 3: OAI/OpenAPI-Specification#1200

from the docs
'REQUIRED. The location of the API key. Valid values are "query", "header" or "cookie"'

I'd really love this feature as my current work around is to load in the generated swagger.json and then modify it with javascript

[johanbrandhorst]

Sounds reasonable to backport, though would we potentially break OpenAPI v2 parsers by allowing this option?

[t1bb4r]

This actually looks a lot more difficult than I initially thought, because the security structure changed in openapi 3.

What grpc-gateway currently produces is for openapi version 2:

{
  "securityDefinitions": {
    "cookie_session": {
      "type": "apiKey",
      "name": "session",
      "in": "query" // I thought it would be as easy as to change this to "cookie"
    }
  }
}

What openapi 3 expects is:

{
  "components": {
    "securitySchemes": {
      "cookie_session": {
        "type": "apiKey",
        "name": "session",
        "in": "cookie"
      }
    }
  }
}

Reference:
v2: https://swagger.io/docs/specification/2-0/authentication/api-keys/
v3: https://swagger.io/docs/specification/authentication/api-keys/

Warning: first time working with an openapi spec is with grpc-gateway so take everything I saw with a grain of salt.

[johanbrandhorst]

I don't think we can do this without full OpenAPI 3 support, so I'm closing this in favour of #441.