Yup, it’d be a logical AND.

From: <swagger-swaggersocket@googlegroups.com> on behalf of Willem Salembier 
<willem.salemb...@gmail.com>
Reply-To: "swagger-swaggersocket@googlegroups.com" 
<swagger-swaggersocket@googlegroups.com>
Date: Thursday, February 15, 2018 at 02:00
To: Swagger <swagger-swaggersocket@googlegroups.com>
Subject: Swagger v2: Security requirement interpretation: AND vs OR

I'm currently in a discussion with a product vendor on the correct 
interpretation of the security requirement element in Swagger v2. 

What's the correct interpretation of this security requirement defined 
globally? 

"security": [{"petstore_auth": ["write:pets","read:pets"]}]

"petstore_auth" is of type oauth2. According to the specification, I would say 
both scopes are required (logical AND) to invoke any resources in the API.

https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#securityRequirementObject

If the security scheme is of type "oauth2", then the value is a list of scope 
names required for the execution. For other security scheme types, the array 
MUST be empty.

"list of scope names required for the execution" is to be interpreted as *all* 
scopes required for the execution, correct?

Imagine we would globally like to define that any of the scopes are required 
(we can always refine the scopes on resource level). I suppose the correct 
configuration in that case must be:

"security": [
  {"petstore_auth": ["write:pets"]},
  {"petstore_auth": ["read:pets"]}
]

This is what I understand from the specification of "security": A declaration 
of which security schemes are applied for the API as a whole. The list of 
values describes alternative security schemes that can be used (that is, there 
is a logical OR between the security requirements). Individual operations can 
override this definition.

Thanks for your clarifications

-- 
You received this message because you are subscribed to the Google Groups 
"Swagger" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to swagger-swaggersocket+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
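The AND/OR semantics discussed in this thread, written out as a small authorization check. This is an added example, not code from the thread or from any Swagger tooling; the function names (`requirement_satisfied`, `is_authorized`, `effective_security`), the sample `securityDefinitions` and the presented-credential mapping are constructed here for illustration. It assumes credentials have already been authenticated upstream and only evaluates whether the scopes they carry satisfy the OpenAPI 2.0 `security` list: alternatives between requirement objects (OR), every scheme inside one object (AND), and for `oauth2` every listed scope (AND).

```python
"""Evaluate OpenAPI 2.0 `security` requirement lists against presented credentials.

Rules implemented (OpenAPI 2.0 Security Requirement Object):
  - `security` is a list of requirement objects; satisfying any one is enough (OR).
  - Inside one object every named scheme must be satisfied (AND).
  - For an oauth2 scheme every listed scope must be present on the token (AND).
  - For non-oauth2 schemes the scope array MUST be empty; a non-empty array is
    treated as a specification error and fails closed.
  - An unknown scheme name fails closed.
"""

from typing import Dict, List, Mapping, Sequence

SecurityRequirement = Mapping[str, Sequence[str]]

# Constructed sample securityDefinitions (hypothetical, for illustration).
SCHEMES: Dict[str, dict] = {
    "petstore_auth": {"type": "oauth2", "flow": "implicit",
                      "scopes": {"read:pets": "read", "write:pets": "write"}},
    "api_key": {"type": "apiKey", "name": "X-API-Key", "in": "header"},
}

# The two global declarations compared in the thread.
GLOBAL_AND: List[SecurityRequirement] = [{"petstore_auth": ["write:pets", "read:pets"]}]
GLOBAL_OR: List[SecurityRequirement] = [
    {"petstore_auth": ["write:pets"]},
    {"petstore_auth": ["read:pets"]},
]


def requirement_satisfied(requirement: SecurityRequirement,
                          schemes: Mapping[str, dict],
                          presented: Mapping[str, Sequence[str]]) -> bool:
    """True if every scheme in one requirement object is satisfied (logical AND).

    `presented` maps scheme name -> scopes granted to the caller; a scheme that
    was not presented at all is simply absent from the mapping.
    """
    for scheme_name, required_scopes in requirement.items():
        scheme = schemes.get(scheme_name)
        if scheme is None or scheme_name not in presented:
            return False  # undeclared scheme or credential not presented
        if scheme.get("type") == "oauth2":
            # All listed scopes are required, not any of them.
            if not set(required_scopes) <= set(presented[scheme_name]):
                return False
        elif required_scopes:
            return False  # spec: array MUST be empty for non-oauth2 schemes
    return True


def is_authorized(security: Sequence[SecurityRequirement],
                  schemes: Mapping[str, dict],
                  presented: Mapping[str, Sequence[str]]) -> bool:
    """True if any requirement object in the list is satisfied (logical OR).

    An empty `security` list declares no requirement, so the call is allowed.
    """
    if not security:
        return True
    return any(requirement_satisfied(r, schemes, presented) for r in security)


def effective_security(global_security: Sequence[SecurityRequirement],
                       operation: Mapping[str, object]) -> Sequence[SecurityRequirement]:
    """Operation-level `security` replaces the global list entirely when present."""
    if "security" in operation:
        return operation["security"]  # type: ignore[return-value]
    return global_security


if __name__ == "__main__":
    token_read_only = {"petstore_auth": ["read:pets"]}
    print("AND form, read-only token:", is_authorized(GLOBAL_AND, SCHEMES, token_read_only))
    print("OR form,  read-only token:", is_authorized(GLOBAL_OR, SCHEMES, token_read_only))
```

Run it and the read-only token is rejected under the single-object form and accepted under the two-object form, which is the difference the thread is about. A practitioner reviewing a vendor's gateway can feed its observed decisions through the same function to see which interpretation it actually implements.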

