Clarification about the meaning of an empty security array

[MathieuVeber]

Hi, while I was trying to implement the specification, I ran into some existential questions about security requirements!

It's unclear to me if an empty security array ([]) is equivalent to a security array with an empty object ([{}])... The spec doesn't even mention if it would be valid to have an empty security array at the OpenApi Object level and what would that mean...

• OpenAPI Object

A declaration of which security mechanisms can be used across the API. The list of values includes alternative security requirement objects that can be used. Only one of the security requirement objects need to be satisfied to authorize a request. Individual operations can override this definition. To make security optional, an empty security requirement ({}) can be included in the array.

• Operation Object

A declaration of which security mechanisms can be used for this operation. The list of values includes alternative security requirement objects that can be used. Only one of the security requirement objects need to be satisfied to authorize a request. To make security optional, an empty security requirement ({}) can be included in the array. This definition overrides any declared top-level security. To remove a top-level security declaration, an empty array can be used.

[handrews]

The empty object here is just a normal Security Requirement Object that doesn't have any entries. And therefore does not require any security requirements to be fulfilled. It does not have any special behavior - it is just the natural outcome of how the Security Requirement Object works that an empty object allows everything.

Since the OpenAPI Object and the Operation Object take arrays of Security Requirement Objects which are logically OR'd, an empty requirement list also allows everything.

You can stuff as many empty Security Requirement Objects into the array as you want, they still all get evaluated the same way, which means that [], [{}], and [{}, {}, {}, {}, {}] all behave the same. It's like adding multiple trues to an OR. true OR true OR true is still true.

[MathieuVeber]

Thanks for your explanation 💡

We thought for a moment that an empty security array [ ] meant that nothing is allowed whereas an empty security requirement object [{}] allowed everything 😅

@rvedotrc here is your answer

[rvedotrc]

Since the OpenAPI Object and the Operation Object take arrays of Security Requirement Objects which are logically OR'd, an empty requirement list also allows everything.

So you're saying logical-OR is defined for zero operands, and the result of that is "true", right?

I'm just checking because it seems like a fairly commonly accepted thing that if one defines "AND" or "OR" for zero operands, then the result is the opposite of what you just said.

For example, in Ruby, where "all" / "any" are analagous to "AND" / "OR":

irb(main):001:0> [].all?
=> true
irb(main):002:0> [].any?
=> false

or indeed in Javascript:

❯ node
Welcome to Node.js v22.5.1.
Type ".help" for more information.
> [].every(Boolean)
true
> [].some(Boolean)
false
>

If one is going to define AND/OR for zero operands, then conventionally one defines AND-of-nothing to be true, and OR-of-nothing to be false.

So, I'm just checking, because at the moment, it sounds like [] is a special case, rather than following the logic one might expect. Thoughts?

[handrews]

There seems to be a fair amount of debate on this in #3995, so let's not consider this resolved just yet.

[rafalkrupinski]

It's not about what's allowed, it's about what's required
'[]' - no security requirement
'[{}]' - a single 'allow anyone' security requirement

[rvedotrc]

The list [ ... ] is about what's allowed.

The object { ... } is about what's required.

[rafalkrupinski]

Isn't English funny?

The list [ ... ] is about what's allowed.

This way [] would mean nothing is allowed, which is not the case. It means that nothing is required.
One could say, it's a list of gate keepers. You can go thru either one, and if there's not gate keeper, you're free to enter, while [{}] is a gatekeeper with no requirement and witch lets anyone.

So yes, [] would be an equivalent of [{}]