ogen-go · schnell18 · Dec 25, 2025 · Dec 25, 2025
diff --git a/examples/ex_k8s/oas_security_gen.go b/examples/ex_k8s/oas_security_gen.go
diff --git a/examples/ex_oauth2/oas_security_gen.go b/examples/ex_oauth2/oas_security_gen.go
diff --git a/examples/ex_oauth2_scopes_and_or/oas_security_gen.go b/examples/ex_oauth2_scopes_and_or/oas_security_gen.go
diff --git a/examples/ex_oauth2_with_client_editors/oas_security_gen.go b/examples/ex_oauth2_with_client_editors/oas_security_gen.go
diff --git a/examples/ex_tinkoff/oas_security_gen.go b/examples/ex_tinkoff/oas_security_gen.go
diff --git a/gen/_template/security.tmpl b/gen/_template/security.tmpl
@@ -142,6 +142,72 @@ type SecuritySource interface {
 {{- end }}
 }
 
+{{ range $s := $.Securities }}
+
+{{- if not $.PathsServerEnabled }}
+{{if $s.Format.IsOAuth2Security}}
+// oauth2Scopes{{ $s.Type.Name }} is a private map storing OAuth2 scopes per operation.
+var oauth2Scopes{{ $s.Type.Name }} = map[string][]string {
+{{- else}}
+// operationRoles{{ $s.Type.Name }} is a private map storing roles per operation.
+var operationRoles{{ $s.Type.Name }} = map[string][]string {
+{{- end}}
+{{- range $operationName, $scopes := $s.Scopes }}
+	{{ $operationName }}Operation: []string{
+		{{- range $scope := $scopes }}
+			{{ quote $scope }},
+		{{- end}}
+	},
+{{- end }}
+}
+{{- end }}
+
+{{if $s.Format.IsOAuth2Security}}
+// GetOAuth2ScopesFor{{ $s.Type.Name }} returns the required OAuth2 scopes for the given operation.
+//
+// This is useful for token exchange scenarios where you need to know which scopes
+// to request when obtaining a token for a downstream API call.
+//
+// Example:
+//
+//	requiredScopes := GetOAuth2ScopesFor{{ $s.Type.Name }}(AddPetOperation)
+//	token := exchangeTokenWithScopes(requiredScopes, "https://api.example.com")
+//
+// Returns nil if the operation has no scope requirements or if the operation is unknown.
+func GetOAuth2ScopesFor{{ $s.Type.Name }}(operation string) []string {
+	scopes, ok := oauth2Scopes{{ $s.Type.Name }}[operation]
+	if !ok {
+		return nil
+	}
+	// Return a copy to prevent external modification
+	result := make([]string, len(scopes))
+	copy(result, scopes)
+	return result
+}
+{{- else}}
+// GetRolesFor{{ $s.Type.Name }} returns the required roles for the given operation.
+//
+// This is useful for authorization scenarios where you need to know which roles
+// are required for an operation.
+//
+// Example:
+//
+//	requiredRoles := GetRolesFor{{ $s.Type.Name }}(AddPetOperation)
+//
+// Returns nil if the operation has no role requirements or if the operation is unknown.
+func GetRolesFor{{ $s.Type.Name }}(operation string) []string {
+	roles, ok := operationRoles{{ $s.Type.Name }}[operation]
+	if !ok {
+		return nil
+	}
+	// Return a copy to prevent external modification
+	result := make([]string, len(roles))
+	copy(result, roles)
+	return result
+}
+{{- end}}
+{{- end }}
+
 {{- range $s := $.Securities }}
 func (s *Client) security{{ $s.Type.Name }}(ctx context.Context, operationName OperationName, req *http.Request) error {
 	{{- if $s.Format.IsCustomSecurity }}

diff --git a/internal/integration/sample_api/oas_security_gen.go b/internal/integration/sample_api/oas_security_gen.go
diff --git a/internal/integration/sample_api_no_otel/oas_security_gen.go b/internal/integration/sample_api_no_otel/oas_security_gen.go
diff --git a/internal/integration/sample_api_ns/oas_security_gen.go b/internal/integration/sample_api_ns/oas_security_gen.go
diff --git a/internal/integration/sample_api_nsnc/oas_interfaces_gen.go b/internal/integration/sample_api_nsnc/oas_interfaces_gen.go