versions/3.0.4.md
Lines changed: 19 additions & 3 deletions
@@ -249,12 +249,28 @@ This is the root object of the [OpenAPI document](#openapi-description).
249
249
| <aname="oas-servers"></a>servers |[[Server Object](#server-object)]| An array of Server Objects, which provide connectivity information to a target server. If the `servers` field is not provided, or is an empty array, the default value would be a [Server Object](#server-object) with a [url](#server-url) value of `/`. |
250
250
| <aname="oas-paths"></a>paths |[Paths Object](#paths-object)|**REQUIRED**. The available paths and operations for the API. |
251
251
| <aname="oas-components"></a>components |[Components Object](#components-object)| An element to hold various schemas for the document. |
252
-
| <aname="oas-security"></a>security |[[Security Requirement Object](#security-requirement-object)]| A declaration of which security mechanisms can be used across the API. The list of values includes alternative Security Requirement Objects that can be used. Only one of the Security Requirement Objects need to be satisfied to authorize a request. Individual operations can override this definition. To make security optional, an empty security requirement (`{}`) can be included in the array.|
252
+
| <aname="oas-security"></a>security |[[Security Requirement Object](#security-requirement-object)]| A declaration of which security mechanisms can be used across the API. See [The `security` Field](#the-security-field). |
253
253
| <aname="oas-tags"></a>tags |[[Tag Object](#tag-object)]| A list of tags used by the document with additional metadata. The order of the tags can be used to reflect on their order by the parsing tools. Not all tags that are used by the [Operation Object](#operation-object) must be declared. The tags that are not declared MAY be organized randomly or based on the tools' logic. Each tag name in the list MUST be unique. |
This object MAY be extended with [Specification Extensions](#specification-extensions).
257
257
258
+
###### The `security` Field
259
+
260
+
The `security` field describes which authentication mechanisms may be expected to be relevant for this API. This field, however, does not _define_ how authentication / authorization works for this API. Think of it more as _setting expectations_.
261
+
262
+
`security` may be specified at the [OpenAPI Object](#openapi-object) level, or at the [Operation Object](#operation-object) level, or neither, or both. The effective value of `security` for a given operation is given by the first available of:
263
+
264
+
1. the `security` value given at the Operation level (if specified);
265
+
2. the `security` value given at the OpenAPI Object level (if specified);
266
+
3. the empty array (`[]`).
267
+
268
+
If the effective value of `security` is the empty array (`[]`), then nothing should be inferred about authentication / authorization for this API. Maybe credentials are required, maybe not; we just don't know.
269
+
270
+
Otherwise, `security` is a non-empty array of [Security Requirement Objects](#security-requirement-object), and it should be inferred that at least one of these needs to be satisfied for the request to be accepted.
271
+
272
+
Because the empty Security Requirement Object `{}` will always be satisfied, any `security` list that includes the empty object (`{}`) may be inferred to allow all requests. In particular, `security: [{}]` is the RECOMMENDED way of saying "this API (or operation) does not require authentication".
273
+
258
274
#### Info Object
259
275
260
276
The object provides metadata about the API.
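Review bot: Step 1 of the new effective-value rule in "The `security` Field" should say explicitly that an operation-level `security: []` counts as "specified", because that is what makes an empty operation-level array override a non-empty top-level list, and the old Operation Object wording that conveyed this ("To remove a top-level security declaration, an empty array can be used") is removed in this same commit. Together with the paragraph "If the effective value of `security` is the empty array (`[]`), then nothing should be inferred about authentication / authorization", this changes what `security: []` means from "no security required" to "not stated", so tooling that today reads an operation-level `[]` as an open endpoint will interpret these documents differently; one sentence next to the `security: [{}]` RECOMMENDED line would make the contrast explicit, e.g. "`security: []` leaves authentication unspecified, whereas `security: [{}]` declares that no authentication is required." Minor: "Maybe credentials are required, maybe not; we just don't know." is more informal than the surrounding specification text; "the document does not say" reads better.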
@@ -897,7 +913,7 @@ Describes a single API operation on a path.
897
913
| <a name="operation-responses"></a>responses | [Responses Object](#responses-object) | **REQUIRED**. The list of possible responses as they are returned from executing this operation. |
898
914
| <a name="operation-callbacks"></a>callbacks | Map[`string`, [Callback Object](#callback-object) \| [Reference Object](#reference-object)] | A map of possible out-of band callbacks related to the parent operation. The key is a unique identifier for the Callback Object. Each value in the map is a [Callback Object](#callback-object) that describes a request that may be initiated by the API provider and the expected responses. |
899
915
| <a name="operation-deprecated"></a>deprecated | `boolean` | Declares this operation to be deprecated. Consumers SHOULD refrain from usage of the declared operation. Default value is `false`. |
900
-
| <a name="operation-security"></a>security | [[Security Requirement Object](#security-requirement-object)] | A declaration of which security mechanisms can be used for this operation. The list of values includes alternative Security Requirement Objects that can be used. Only one of the Security Requirement Objects need to be satisfied to authorize a request. To make security optional, an empty security requirement (`{}`) can be included in the array. This definition overrides any declared top-level [`security`](#oas-security). To remove a top-level security declaration, an empty array can be used. |
916
+
| <a name="operation-security"></a>security | [[Security Requirement Object](#security-requirement-object)] | A declaration of which security mechanisms can be used for this operation. If present, then this overrides any `security` field specified at the [OpenAPI Object](#oas-security) level. See the [definition of that field](#the-security-field) for details. |
901
917
| <a name="operation-servers"></a>servers | [[Server Object](#server-object)] | An alternative `servers` array to service this operation. If a `servers` array is specified at the [Path Item Object](#path-item-servers) or [OpenAPI Object](#oas-servers) level, it will be overridden by this value. |
902
918
903
919
This object MAY be extended with [Specification Extensions](#specification-extensions).
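Review bot: The replacement `operation-security` row drops "To remove a top-level security declaration, an empty array can be used" without a substitute, and the new "If present, then this overrides any `security` field" does not on its own tell a reader that an explicitly empty array counts as present. Since the row now defers to the new section for everything else, keep one clause such as "including an empty array, which overrides a non-empty top-level list" so the override-to-empty case stays discoverable from the Operation Object table itself. The links `#oas-security` and `#the-security-field` do correspond to the `<a name="oas-security">` row and the `###### The `security` Field` heading added in the first hunk.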
@@ -3717,7 +3733,7 @@ The name used for each property MUST correspond to a security scheme declared in
3717
3733
Security Requirement Objects that contain multiple schemes require that all schemes MUST be satisfied for a request to be authorized.
3718
3734
This enables support for scenarios where multiple query parameters or HTTP headers are required to convey security information.
3719
3735
3720
-
When a list of Security Requirement Objects is defined on the [OpenAPI Object](#openapi-object) or [Operation Object](#operation-object), only one of the Security Requirement Objects in the list needs to be satisfied to authorize the request.
3736
+
When a non-empty list of Security Requirement Objects is defined on the [OpenAPI Object](#openapi-object) or [Operation Object](#operation-object), at least one of the Security Requirement Objects in the list needs to be satisfied for the request to be authorized; see [The `security` Field](#the-security-field).
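Review bot: The new sentence uses "needs to be satisfied" while the context line two lines above uses the RFC 2119 form "all schemes MUST be satisfied"; for consistency within this section write "at least one of the Security Requirement Objects in the list MUST be satisfied". Also, now that the sentence is qualified with "non-empty list", this section still says nothing about the zero-scheme case: it covers the multiple-schemes case, but the rule that the empty object `{}` is always satisfied lives only in the new "The `security` Field" section. A one-line note here, for example "An empty Security Requirement Object (`{}`) contains no schemes and is therefore always satisfied", would keep the Security Requirement Object section self-contained.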