why openapi specification yaml generation forced to include basic security scheme ?

[shreeram09]

I was trying to generate a resource endpoint with bearer security scheme but the openapi specification yaml file generated with both basic and bearer schemes, it appears that basic security scheme is forced by default

environment specifications

• OS: windows 10 pro
• arch: x64
• JDK: 11
• Quarkus: 3.2.12.Final
• quarkus-smallrye-openapi

@Path("/api/v1/")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@SecurityScheme(scheme = "bearer",securitySchemeName = "bearerScheme",type = SecuritySchemeType.HTTP)
public class GreetingResource {
    @GET
    @Path("hello")
    @SecurityRequirement(name = "bearerScheme")
    public String hello() {
        return "Hello from RESTEasy Reactive";
    }
 }

openapi generated

---
openapi: 3.0.3
info:
  title: openapi-demo API
  version: 1.0.0-SNAPSHOT
paths:
  /api/v1/hello:
    get:
      responses:
        "200":
          description: OK
          content:
            application/json:
              schema:
                type: string
      security:
      - bearerScheme: []
components:
  securitySchemes:
    SecurityScheme:
      type: http
      description: Authentication
      scheme: basic
    bearerScheme:
      type: http
      scheme: bearer

is this the expected behaviour? is there any workaround to have only a specific single security scheme ? or any way to not have any security scheme?

[phillip-kruger]

I think this was a know issue, and has been fixed. Please try with a later version of Quarkus

[shreeram09]

@phillip-kruger thanks for replying, I tried searching the relative fix in changelog/release/issue page but couldn't find one could you please share that issue id please , there is one microservice developed with above configuration and need some evidence to migrate same

[phillip-kruger]

You will find it somewhere in the Quarkus or SmallRye PR's. Can you confirm that upgrading to a later version fix your issue ?

[shreeram09]

found a workaround with properties based approach

1. disabled default basic security scheme with following property quarkus.smallrye-openapi.auto-add-security=false
2. set the following properties for bearer scheme

• quarkus.smallrye-openapi.security-scheme-name=bearerAuth
• quarkus.smallrye-openapi.security-scheme=jwt

this worked with

• Quarkus v3.2.12.Final & JDK(11,21)
• Quarkus v3.8.6 & JDK21
• Quarkus v3.14.1 & JDK21