NSwag's AspNetCoreOperationSecurityScopeProcessor marks all endpoints as requiring Authorization

Question

I have custom authorization scheme set up like this:

services.AddAuthentication("ClientApp")
                .AddScheme<ClientAppAuthenticationOptions, ClientAppAuthenticationHandler>("ClientApp", null);

Then I have the following NSwag OpenAPI document config:

services.AddOpenApiDocument((settings, provider) =>
            {
                settings.DocumentName = "openapi";
                settings.AddSecurity("ClientApp", Enumerable.Empty<string>(), new OpenApiSecurityScheme
                {
                    Type = OpenApiSecuritySchemeType.ApiKey,
                    Description = "Authentications used for client apps, such as Mmcc.Stats.TpsMonitor",
                    Name = "X-Auth-Token",
                    In = OpenApiSecurityApiKeyLocation.Header
                });

                settings.OperationProcessors.Add(
                    new AspNetCoreOperationSecurityScopeProcessor("ClientApp")
                );
                // ...
            }

I've decorated actions in my controllers with [AllowAnonymous] and [Authorize(AuthenticationSchemes = "ClientApp")], however NSwag marks all of my endpoints as requring the ClientApp authorization in the ReDoc UI with no regard for the decorators. Why?

Answer 1

I've fixed it by changing my code to this:

settings.DocumentProcessors.Add(
                    new SecurityDefinitionAppender("ClientApp",
                        new OpenApiSecurityScheme
                        {
                            Type = OpenApiSecuritySchemeType.ApiKey,
                            Description = "Authentications used for client apps, such as Mmcc.Stats.TpsMonitor",
                            Name = "X-Auth-Token",
                            In = OpenApiSecurityApiKeyLocation.Header
                        }));
                settings.OperationProcessors.Add(new AspNetCoreOperationSecurityScopeProcessor("ClientApp"));