Is your feature request related to a problem?
OAuth2BearerTokenAuthentication and JWTCookieAuthentication are in the global DEFAULT_AUTHENTICATION_CLASSES, so every authenticated endpoint accepts an OAuth2 bearer token and a JWT session cookie. Neither appears in the generated OpenAPI schema.
The reason is that drf-spectacular can only render an authenticator it has an OpenApiAuthenticationExtension for. We register extensions for the environment key and master API key, and the built-in token/basic auth resolve on their own, but there is none for OAuth2BearerTokenAuthentication or JWTCookieAuthentication. drf-spectacular warns and drops them at generation time:
Warning [WebhookViewSet]: could not resolve authenticator
<class 'oauth2_metadata.authentication.OAuth2BearerTokenAuthentication'>.
There was no OpenApiAuthenticationExtension registered for that class. Ignoring for now.
So the committed openapi.yaml under-documents auth: consumers can't see that OAuth2 auth is accepted, and the generation logs are noisy.
Describe the solution you'd like.
Register an OpenApiAuthenticationExtension for OAuth2BearerTokenAuthentication (emitting an oauth2 scheme with the authorisation-code flow — authorisation/token URLs and scopes derived from settings) and one for JWTCookieAuthentication, mirroring the existing EnvironmentKeyAuthenticationExtension / MasterAPIKeyAuthenticationExtension. The schema then documents these globally-accepted methods and the resolution warnings disappear.
Describe alternatives you've considered
Leaving it as-is: the schema stays incomplete for OAuth2/cookie auth and the warnings persist. Documenting the schemes by hand risks drift from the real authenticator configuration.
Additional context
N/A
Is your feature request related to a problem?
OAuth2BearerTokenAuthenticationandJWTCookieAuthenticationare in the globalDEFAULT_AUTHENTICATION_CLASSES, so every authenticated endpoint accepts an OAuth2 bearer token and a JWT session cookie. Neither appears in the generated OpenAPI schema.The reason is that drf-spectacular can only render an authenticator it has an
OpenApiAuthenticationExtensionfor. We register extensions for the environment key and master API key, and the built-in token/basic auth resolve on their own, but there is none forOAuth2BearerTokenAuthenticationorJWTCookieAuthentication. drf-spectacular warns and drops them at generation time:So the committed
openapi.yamlunder-documents auth: consumers can't see that OAuth2 auth is accepted, and the generation logs are noisy.Describe the solution you'd like.
Register an
OpenApiAuthenticationExtensionforOAuth2BearerTokenAuthentication(emitting anoauth2scheme with the authorisation-code flow — authorisation/token URLs and scopes derived from settings) and one forJWTCookieAuthentication, mirroring the existingEnvironmentKeyAuthenticationExtension/MasterAPIKeyAuthenticationExtension. The schema then documents these globally-accepted methods and the resolution warnings disappear.Describe alternatives you've considered
Leaving it as-is: the schema stays incomplete for OAuth2/cookie auth and the warnings persist. Documenting the schemes by hand risks drift from the real authenticator configuration.
Additional context
N/A