[BUG][JAVA][JERSEY][CLIENT] (Auth parameter) API key is no longer added to query after version 4.3.1 (5.x+)

[DisasterMo]

Bug Report Checklist

• Have you provided a full/minimal spec to reproduce the issue?
• Have you validated the input using an OpenAPI validator (example)?
• Have you tested with the latest master to confirm the issue still exists?
• Have you searched for related issues/PRs?
• What's the actual output vs expected output?
• [Optional] Sponsorship to speed up the bug fix or feature request (example)

Description

I am trying to upgrade my project and its dependencies (from JDK 8 to JDK 21). However, when upgrading the openapi-generator-maven-plugin (currently 4.0.0) to any version 5 and above, the authentication with my web service fails.

I have tracked the issue down to the ApiClient's invokeApi method, which used to run updateParamsForAuth to update the parameter lists as its first statement, but in newer versions it runs after queryParams and cookieParams have already been processed and thus any new values added to those lists are ignored. So the API key, which my WS expects to receive in the query, is not added.

How does one use apiKey auth parameters in query now?

openapi-generator version

5.0.0 and higher

OpenAPI declaration file content or url

I hope this is enough of an example.

{
  "openapi": "3.0.1",
  "info": {
    "title": "MyWS",
    "version": "v1"
  },
  "servers": [
    {
      "url": "https://mine.site.my/myWS"
    }
  ],
  "components": {
    "schemas": {
      "Value": {
        "type": "object",
        "required": [
          "target",
          "type",
          "value"
        ],
        "properties": {
          "target": {
            "type": "string",
            "description": "ID of target"
          },
          "type": {
            "type": "string",
            "description": "what to update"
          },
          "value": {
            "type": "string",
            "description": "new value"
          }
        },
        "additionalProperties": false,
        "description": "Model for an update value"
      }
    },
    "securitySchemes": {
      "api_key": {
        "type": "apiKey",
        "name": "api_key",
        "in": "query"
      }
    }
  },
  "paths": {
    "/update": {
      "put": {
        "tags": [
          "Update"
        ],
        "operationId": "Update",
        "requestBody": {
          "description": "",
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/Value"
              }
            }
          }
        },
        "responses": {
          "204": {
            "description": "the update was successfull"
          }
        },
        "security": [
          {
            "api_key": [
              "ApiKeyPls"
            ]
          }
        ]
      }
    }
  }
}

Generation Details

My openapi-generator-maven-plugin configuration:

<plugin>
    <groupId>org.openapitools</groupId>
    <artifactId>openapi-generator-maven-plugin</artifactId>
    <version>7.8.0</version>
    <executions>
        <execution>
            <goals>
                <goal>generate</goal>
            </goals>
            <configuration>
                <inputSpec>${project.basedir}/src/swagger/update.json</inputSpec>
                <generatorName>java</generatorName>
                <modelPackage>my.updatews</modelPackage>
                <apiPackage>my.updatews</apiPackage>
                <invokerPackage>my.updatews</invokerPackage>
                <generateApiDocumentation>false</generateApiDocumentation>
                <generateModelDocumentation>false</generateModelDocumentation>
                <generateApiTests>false</generateApiTests>
                <generateModelTests>false</generateModelTests>
                <configOptions>
                    <sourceFolder>.</sourceFolder>
                    <dateLibrary>java8</dateLibrary>
                    <useJakartaEe>true</useJakartaEe>
                </configOptions>
                <library>jersey3</library>
            </configuration>
        </execution>
    </executions>
</plugin>

This should be (largely) equivalent to:

java -jar .\openapi-generator.jar -g java --library jersey3 -i update.json

Steps to reproduce

Well, code wise:

ApiClient client = new ApiClient();
client.setApiKey(myCredentials.getApiKey());
client.setBasePath(wsBasepath);
UpdateApi api = new UpdateApi(client);
ApiResponse<Void> response = api.updateWithHttpInfo(new Value().target(theTarget).type(theType).value(theValue));

Where UpdateApi.updateWithHttpInfo is generated as:

public ApiResponse<Void> updateWithHttpInfo(Value value) throws ApiException {
  String localVarAccept = apiClient.selectHeaderAccept();
  String localVarContentType = apiClient.selectHeaderContentType("application/json");
  String[] localVarAuthNames = new String[] {"api_key"};
  return apiClient.invokeAPI("UpdateApi.update", "/update", "PUT", new ArrayList<>(), value,
                             new LinkedHashMap<>(), new LinkedHashMap<>(), new LinkedHashMap<>(), localVarAccept, localVarContentType,
                             localVarAuthNames, null, false);
}

Before 5.0.0, apiClient.invokeAPI would create the correct query https://mine.site.my/myWS/update?api_key={myKey} before invoking it. From version 5.0.0 onwards, the issue described above occurs: the queryParams are processed, before being updated.

Related issues/PRs

Don't know, I couldn't find any.

Suggest a fix

I don't even know if this is a bug, or intended, since it apparently has been like this for some time now.

[jbrugge]

I'm noticing this same thing with the okhttp-gson library, and the git history of its ApiClient.mustache looks like this change happened as part of #10858 which was part of the 5.3.1 release. And what is strange is that the rationale for that change was said to be the need to have more parameters to be able to pass to Authentication.applyToParams, and yet there isn't evidence in that PR that the extra parameters (payload, method, uri) are ever used by any implementation of Authentication.

[wing328]

@jbrugge thanks for providing more details.

can you please share your spec to start with? we will then take another look at the issue

[jbrugge]

@wing328 Sure, here is the Swagger 2 spec set of files,
BookshareSpec.zip

As some context, we are moving from using swagger-codegen for a Java API client to openapi-generator as a first step before converting the spec to OpenAPI 3. At the moment I'm trying to get parity in the client with what we've gotten from swagger-codegen, and this issue is the latest hurdle.

[wing328]

thanks for the info.

I assume you've tried the latest version v7.9.0 and it still doesn't work for you, right?

if you're using jersey2/3, can you please also try okhttp-gson library as well?

[jbrugge]

I had been using 7.8.0 with the okhttp-gson library but perhaps I had some other configuration off. I tried it again with the 7.9.0 release, and this does appear to have been fixed by #19334. Thanks!

[wing328]

thanks for confirming.

closing this. happy to reopen if needed