I'm currently in a discussion with a product vendor on the correct interpretation of the security requirement element in Swagger v2.
What's the correct interpretation of this security requirement defined globally?

    "security": [{"petstore_auth": ["write:pets", "read:pets"]}]

"petstore_auth" is of type oauth2. According to the specification, I would say both scopes are required (logical AND) to invoke any resources in the API.

https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#securityRequirementObject

*If the security scheme is of type "oauth2", then the value is a list of scope names required for the execution. For other security scheme types, the array MUST be empty.*

"*list of scope names required for the execution*" is to be interpreted as *all* scopes required for the execution, correct?

Imagine we would globally like to define that any of the scopes are required (we can always refine the scopes on resource level). I suppose the correct configuration in that case must be:

    "security": [{"petstore_auth": ["write:pets"]}, {"petstore_auth": ["read:pets"]}]

This is what I understand from the specification of "security":

*A declaration of which security schemes are applied for the API as a whole. The list of values describes alternative security schemes that can be used (that is, there is a logical OR between the security requirements). Individual operations can override this definition.*

Thanks for your clarifications
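The AND/OR semantics the post asks about can be made concrete with a small evaluator. The following is an added example, not code from the original post or from the Swagger/OpenAPI project: it models the OpenAPI 2.0 rule that every scheme (and, for oauth2, every scope) inside one requirement object must be satisfied, while the outer `security` array is a list of alternatives. The `SECURITY_DEFINITIONS` table, the `granted` mapping shape and the two sample configurations are constructed for the example.

```python
"""Evaluate an OpenAPI 2.0 `security` requirement list against granted scopes.

Semantics (OpenAPI 2.0, Security Requirement Object):
- The `security` array lists alternative requirement objects (logical OR).
- Inside one requirement object every named scheme must be satisfied, and
  for an oauth2 scheme every listed scope is required (logical AND).
- For non-oauth2 schemes the scope list MUST be empty.
"""
from typing import Mapping, Sequence, Set

SecurityRequirement = Mapping[str, Sequence[str]]

# Constructed sample of a document's securityDefinitions (scheme -> type).
SECURITY_DEFINITIONS = {
    "petstore_auth": {"type": "oauth2"},
    "api_key": {"type": "apiKey"},
}


def requirement_satisfied(requirement: SecurityRequirement,
                          granted: Mapping[str, Set[str]]) -> bool:
    """True if the caller satisfies every scheme in ONE requirement object.

    `granted` maps scheme name -> set of scopes the caller actually holds.
    A non-oauth2 scheme counts as satisfied when the caller presented it
    (it appears as a key in `granted`), since scopes do not apply to it.
    """
    for scheme, scopes in requirement.items():
        if scheme not in granted:
            return False  # caller did not authenticate with this scheme
        definition = SECURITY_DEFINITIONS.get(scheme)
        if definition is None:
            raise ValueError(f"unknown security scheme: {scheme}")
        if definition["type"] == "oauth2":
            # AND across scopes: every listed scope must be held.
            if not set(scopes).issubset(granted[scheme]):
                return False
        elif scopes:
            raise ValueError(f"{scheme}: scope list must be empty for non-oauth2")
    return True


def access_allowed(security: Sequence[SecurityRequirement],
                   granted: Mapping[str, Set[str]]) -> bool:
    """OR across the array: satisfying any one requirement object is enough."""
    if not security:
        return True  # an empty security array declares the operation open
    return any(requirement_satisfied(req, granted) for req in security)


# The two configurations discussed in the post.
BOTH_SCOPES_REQUIRED = [{"petstore_auth": ["write:pets", "read:pets"]}]
EITHER_SCOPE_SUFFICES = [{"petstore_auth": ["write:pets"]},
                         {"petstore_auth": ["read:pets"]}]
# Two schemes in one object: both the token AND the API key are required.
TOKEN_AND_KEY = [{"petstore_auth": ["read:pets"], "api_key": []}]

if __name__ == "__main__":
    reader = {"petstore_auth": {"read:pets"}}
    print(access_allowed(BOTH_SCOPES_REQUIRED, reader))   # False
    print(access_allowed(EITHER_SCOPE_SUFFICES, reader))  # True
```

With a caller holding only `read:pets`, the single-object form rejects the request and the two-object form accepts it, which is exactly the difference between the two configurations in the post. The `TOKEN_AND_KEY` form shows the other direction: multiple schemes inside one object are all required.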