Scopes, Roles and Permissions

Is there a way to document the OAuth2 scopes each operation requires in OpenApi?

In other words, can we reflect in the swagger what [RequiresAnyRole("ascope")] defines on the operation?

The easiest way is to add them to the description of the Service. Otherwise, there’s a security collection on OpenApiOperation you could populate using one of the OpenApiFeature filters, which is how Open API suggests populating them, along with a custom security definition you can populate on OpenApiFeature.SecurityDefinitions.

OK, thanks
Understood what is needed by OpenAPI.
Also, understand that we can use the OpenApiFeature.OperationFilter to populate the OpenApiOperation.Security collection with our scopes/roles/permissions for each operation.

The piece I am now missing is how to read the information from attributes like [RequiresAnyRole], [RequiresAnyPermission] on each operation, and populate the OpenApiOperation in a repeatable way.

Can you see a way that I can write code in the OpenApiFeature.OperationFilter that can read/reflect over the attributes like [RequiresAnyPermission] from the specific service operation?
(I think what I am missing is some way to get to the DTO or the Operation from within the OpenApiOperation.Security filter.)

You get the metadata on Services from HostContext.Metadata, e.g. you can retrieve each operation from HostContext.Metadata.Operations where each Operation contains the following metadata about each Service:

If you need to, you can look up the operation by Request Type:

var op = Metadata.GetOperation(requestDtoType);
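
One way to write the filter discussed in this thread, as an added example that is not code from the thread or from ServiceStack. It assumes the Operation metadata exposes RequiredRoles, RequiresAnyRole, RequiredPermissions and RequiresAnyPermission lists, that OpenApiOperation.RequestType holds the request DTO name, and that "oauth2" is a scheme name you have registered in OpenApiFeature.SecurityDefinitions; check these member names against your ServiceStack version.

```csharp
using System.Collections.Generic;
using System.Linq;
using ServiceStack;
using ServiceStack.Api.OpenApi;
using ServiceStack.Api.OpenApi.Specification;
using ServiceStack.Host;

public static class OpenApiSecurityDocs
{
    // Assumed name: must match a key registered in OpenApiFeature.SecurityDefinitions.
    const string SchemeName = "oauth2";

    // OpenAPI semantics: entries in the outer list are alternatives (OR);
    // the scopes inside one entry are all required (AND).
    public static List<Dictionary<string, List<string>>> ToSecurity(Operation op)
    {
        // "Required" roles and permissions must all be held, so they go in every entry.
        var all = (op.RequiredRoles ?? new List<string>())
            .Concat(op.RequiredPermissions ?? new List<string>()).ToList();
        // "Any" lists become alternatives; an empty list contributes one empty choice.
        var anyRoles = Choices(op.RequiresAnyRole);
        var anyPerms = Choices(op.RequiresAnyPermission);

        var security = new List<Dictionary<string, List<string>>>();
        foreach (var role in anyRoles)
        foreach (var perm in anyPerms)
        {
            var scopes = all.Concat(new[] { role, perm })
                .Where(s => s != null).Distinct().ToList();
            if (scopes.Count > 0)
                security.Add(new Dictionary<string, List<string>> { [SchemeName] = scopes });
        }
        return security;
    }

    static List<string> Choices(List<string> any) =>
        any == null || any.Count == 0 ? new List<string> { null } : any;

    public static OpenApiFeature CreateFeature() => new OpenApiFeature
    {
        OperationFilter = (verb, apiOp) =>
        {
            // Map the OpenAPI operation back to the ServiceStack operation metadata.
            var op = HostContext.Metadata.Operations
                .FirstOrDefault(x => x.Name == apiOp.RequestType);
            if (op == null) return;
            var security = ToSecurity(op);
            if (security.Count > 0) apiOp.Security = security;
        }
    };
}
```

Operations that require authentication but declare no roles or permissions are left without a security entry here, so the generated document only reflects role and permission requirements.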