I'm currently in a discussion with a product vendor on the correct 
interpretation of the security requirement element in Swagger v2. 

What's the correct interpretation of this security requirement defined 
globally? 


"security": [{"petstore_auth": ["write:pets","read:pets"]}]


"petstore_auth" is of type oauth2. According to the specification, I would 
say both scopes are required (logical AND) to invoke any resources in the 
API.

https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#securityRequirementObject
*If the security scheme is of type "oauth2", then the value is a list of 
scope names required for the execution. For other security scheme types, 
the array MUST be empty.*

"*list of scope names required for the execution*" is to be interpreted as 
*all* scopes required for the execution, correct?


Imagine we would like to define globally that any one of the scopes is 
required (we can always refine the scopes at resource level). I suppose the 
correct configuration in that case must be:


"security": [
  {"petstore_auth": ["write:pets"]},
  {"petstore_auth": ["read:pets"]}
]

This is what I understand from the specification of "security": *A 
declaration of which security schemes are applied for the API as a whole. 
The list of values describes alternative security schemes that can be used 
(that is, there is a logical OR between the security requirements). 
Individual operations can override this definition.*


Thanks for your clarifications
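The two readings discussed in this post, the AND within one requirement object and the OR across the objects in the security list, written out as an added evaluator (example code, not from the Swagger project or the original message; the "api_key" scheme name and the presented-credential shape are constructed for the example):

```python
"""Evaluate Swagger 2.0 security requirement semantics.

Within one requirement object every listed scheme must be satisfied and,
for oauth2 schemes, every listed scope must have been granted (logical AND).
Across the objects in the ``security`` list, any one satisfied object is
enough (logical OR). The definitions below are constructed for the example.
"""
from typing import Dict, List, Optional, Set

# A request's presented credentials: scheme name -> scopes granted to the
# token. Non-oauth2 schemes (apiKey, basic) carry an empty set, which just
# means "credential present"; the spec requires their scope array to be empty.
Credentials = Dict[str, Set[str]]
SecurityList = List[Dict[str, List[str]]]


def requirement_satisfied(requirement: Dict[str, List[str]], creds: Credentials) -> bool:
    """AND across the schemes in one object, AND across the scopes of one scheme."""
    return all(
        scheme in creds and set(scopes) <= creds[scheme]
        for scheme, scopes in requirement.items()
    )


def access_allowed(security: SecurityList, creds: Credentials) -> bool:
    """OR across the requirement objects; an empty list means no security at all."""
    if not security:
        return True
    return any(requirement_satisfied(req, creds) for req in security)


def effective_security(global_security: SecurityList,
                       operation_security: Optional[SecurityList]) -> SecurityList:
    """An operation-level 'security' replaces the global one; [] removes it entirely."""
    return global_security if operation_security is None else operation_security


# The two declarations from the post: both scopes needed vs. either scope enough.
BOTH_SCOPES = [{"petstore_auth": ["write:pets", "read:pets"]}]
EITHER_SCOPE = [{"petstore_auth": ["write:pets"]}, {"petstore_auth": ["read:pets"]}]

if __name__ == "__main__":
    read_only = {"petstore_auth": {"read:pets"}}
    print(access_allowed(BOTH_SCOPES, read_only))   # False
    print(access_allowed(EITHER_SCOPE, read_only))  # True
```

A token carrying only read:pets is rejected by the single-object form and accepted by the two-object form, which is exactly the difference the post is asking about.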
