Reputation: 939
I have the following security schemes defined for a method in my swagger file:
...
  get:
    ...
    security:
      - api_key: []
      - firebase: []
securityDefinitions:
  api_key:
    in: query
    name: key
    type: apiKey
  firebase:
    authorizationUrl: ''
    flow: implicit
    type: oauth2
    x-google-audiences: project-id
    x-google-issuer: https://securetoken.google.com/project-id
    x-google-jwks_uri: https://www.googleapis.com/service_accounts/v1/metadata/x509/[email protected]
However, it will not work if I try to send a request using an api key, but it will if I use a firebase token (even if I do not provide the api key).
The response:
{
  "code": 16,
  "message": "JWT validation failed: Missing or invalid credentials",
  "details": [
    {
      "@type": "type.googleapis.com/google.rpc.DebugInfo",
      "stackEntries": [],
      "detail": "auth"
    }
  ]
}
If I remove firebase from the security definition, then it will work using the api key.
Is it a known issue that an api key security scheme will not work if there is also an oauth2 for the same method?
Upvotes: 1
Views: 537
Reputation: 1392
What happens is that "OR" security requirements are not supported when one of the alternatives is an API key. Therefore, you are experiencing the right behavior.
If you provide both alternatives the API key will be ignored, but if OAuth2 is removed and it only accepts the API key, it works.
According to the same documentation that I attached, you could require both authentication methods using an "AND" condition. Something like this:
...
security:
  - api_key: []
    firebase: []
....
Upvotes: 2
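As an added example (not part of either post and not Google's tooling), this Python check flags operations in an OpenAPI 2.0 document whose `security` list ORs an API key with another scheme, the combination the answer describes as unsupported. The spec dictionaries and the `/items` path are constructed sample input.

```python
# Added example: flag OpenAPI 2.0 operations whose `security` list offers an
# API key as one of several OR alternatives.
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

def find_or_with_api_key(spec):
    """Return (path, method, alternatives) for every operation whose security
    list has 2+ alternatives (OR) and at least one of them uses an apiKey scheme."""
    defs = spec.get("securityDefinitions", {})
    api_key_schemes = {name for name, d in defs.items() if d.get("type") == "apiKey"}
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS or not isinstance(op, dict):
                continue
            # Operation-level `security` overrides the document-level default.
            reqs = op.get("security", spec.get("security", []))
            if len(reqs) < 2:
                continue  # one requirement object: single scheme or AND
            if any(api_key_schemes & set(req) for req in reqs):
                findings.append((path, method, [sorted(req) for req in reqs]))
    return findings

# Constructed sample input; "/items" is a hypothetical path.
SECURITY_DEFINITIONS = {
    "api_key": {"type": "apiKey", "in": "query", "name": "key"},
    "firebase": {"type": "oauth2", "flow": "implicit", "authorizationUrl": ""},
}

def make_spec(security):
    return {"swagger": "2.0", "securityDefinitions": SECURITY_DEFINITIONS,
            "paths": {"/items": {"get": {"security": security}}}}

OR_SPEC = make_spec([{"api_key": []}, {"firebase": []}])   # as in the question
AND_SPEC = make_spec([{"api_key": [], "firebase": []}])    # as in the answer

if __name__ == "__main__":
    for label, spec in (("OR", OR_SPEC), ("AND", AND_SPEC)):
        hits = find_or_with_api_key(spec)
        print(label, "->", hits if hits else "no OR-with-API-key requirement")
```

Running it over a spec before deployment surfaces the case from the question, where the API key alternative is silently ignored and only the JWT path is accepted.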