[REQ][Python] Python client Cookie authentication should be transparent
Created by: tomghyselinck
Is your feature request related to a problem? Please describe.
In summary: Cookie authentication is currently not "transparent" to the API user. We need to set the cookie ourselves once authenticated to the server.
- We use cookie authentication in an OpenAPI 3.0 spec.
- We generate a Python client.
- Perform a "login" operation on the REST API (using the openapi_client.DefaultApi.login_post() call).
- The REST server responds with a Set-Cookie HTTP header.
- For successful authentication, the API user must now set the value of openapi_client.ApiClient.cookie with the value obtained from the "HTTP headers" returned by the openapi_client.DefaultApi.login_post_with_http_info() call.
See also an example in #2075 (closed) or in attachment: python-cookie-auth.zip
Generate Python client code using:
./python-cookie-auth.sh
Describe the solution you'd like
When the REST API server returns a Set-Cookie HTTP header, the ApiClient should handle it properly:
- E.g. 'Set-Cookie': 'FULL_ACCESS_TOKEN=123; HttpOnly; Path=/; SameSite=Strict' should set the FULL_ACCESS_TOKEN cookie
- E.g. 'Set-Cookie': 'FULL_ACCESS_TOKEN=; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/' should unset the FULL_ACCESS_TOKEN cookie
I suppose the openapi_client.ApiClient.__call_api (or any function it calls) should handle incoming Set-Cookie headers and update openapi_client.ApiClient.cookie value accordingly.
Considerations
When multiple cookie authentications are defined in the OpenAPI (3.0) description file, you should consider extending the support to multiple cookies.
For example make openapi_client.ApiClient.cookie a dict of cookie names to values.
Secondly, the API server can also send cookies which are not used for authentication.
Those can either be filtered out if not useful or also added to the cookie dict and used just as is.
Describe alternatives you've considered
At this moment we set the openapi_client.ApiClient.cookie value once we have received it.
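A sketch of the Set-Cookie handling requested above, as an added example that is not part of the original issue or of the generated openapi_client code. CookieStore and its methods are hypothetical names; it assumes Python 3.8+ and a client that talks to a single API host, so the Domain and Path attributes are not evaluated. The optional allow-list keeps only the cookie names the spec declares for authentication.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import CookieError, SimpleCookie


class CookieStore:
    """Hypothetical helper (not part of openapi_client): name -> value map."""

    def __init__(self, allowed=None):
        # allowed: cookie-auth names from the spec; None keeps every cookie.
        self.allowed = None if allowed is None else set(allowed)
        self.cookies = {}

    @staticmethod
    def _expired(morsel, now):
        if morsel["max-age"] != "":  # Max-Age wins over Expires (RFC 6265)
            try:
                return int(morsel["max-age"]) <= 0
            except ValueError:
                pass  # malformed Max-Age: fall back to Expires
        if morsel["expires"]:
            try:
                when = parsedate_to_datetime(morsel["expires"])
            except (TypeError, ValueError):
                return False  # unparsable date: treat as a session cookie
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            return when <= now
        return False

    def update(self, set_cookie_headers, now=None):
        now = now or datetime.now(timezone.utc)
        for header in set_cookie_headers:  # one Set-Cookie value per item
            jar = SimpleCookie()
            try:
                jar.load(header)
            except CookieError:
                continue  # skip headers with illegal cookie names
            for name, morsel in jar.items():
                if self.allowed is not None and name not in self.allowed:
                    continue  # ignore cookies that are not used for auth
                if self._expired(morsel, now):
                    self.cookies.pop(name, None)  # server unset the cookie
                else:
                    self.cookies[name] = morsel.value

    def header_value(self):
        # Value for the Cookie request header (empty when logged out).
        return "; ".join(f"{k}={v}" for k, v in self.cookies.items())
```

Passing `allowed` covers the "cookies which are not used for authentication" consideration: anything outside the allow-list is never stored or replayed.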