versions/3.1.1.md
Lines changed: 5 additions & 5 deletions
@@ -322,11 +322,13 @@ This object MAY be extended with [Specification Extensions](#specification-exten
322
322
323
323
###### <a name="oas-security-field"></a>The `security` field
324
324
325
-
The `security` field describes how requests are authorized. If omitted, then requests are always authorized; otherwise, it is an array of security requirement objects, only one of which needs to be satisfied for the request to be authorized.
325
+
The `security` field describes how requests are authorized:
326
326
327
-
Because the empty [security requirement object](#security-requirement-object) `{}` will always authorize the request, it follows that `security: [{}]` means the same as omitting `security` entirely: namely, all requests are authorized.
327
+
- If omitted, then nothing can be inferred about the authorization requirements; the behaviour is implementation-defined.
328
+
- If present but empty (`security: []`), then the behaviour is undefined.
329
+
- Otherwise, it is an array of security requirement objects, only one of which needs to be satisfied for the request to be authorized.
328
330
329
-
If `security` is specified and empty (i.e. `security: []`), then the behaviour is undefined.
331
+
Because the empty [security requirement object](#security-requirement-object) `{}` will always be satisfied, any `security` list of Security Requirement Objects that includes `{}` will allow all requests. In particular, `security: [{}]` means that no security schemes are in use (also known as "no security").
330
332
331
333
Individual operations [can override this field](#operation-security).
332
334
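Review bot: The new first bullet changes what an omitted `security` field means, from "requests are always authorized" to "nothing can be inferred ... the behaviour is implementation-defined", and the text gives no guidance for documents written against the old wording. Since the removed paragraph equated omission with `security: [{}]`, it would help to say in the closing paragraph that authors who intend unauthenticated access should state it explicitly as `security: [{}]` rather than rely on omission. The first two bullets also use "implementation-defined" for the omitted case and "undefined" for `security: []` without saying how a tool should treat the two differently. Either define the distinction or use one term for both, so that an implementation does not read an empty list as permission to skip authorization.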
@@ -3917,8 +3919,6 @@ This enables support for scenarios where multiple query parameters or HTTP heade
3917
3919
3918
3920
When a non-empty list of Security Requirement Objects is defined on the [OpenAPI Object](#openapi-object) or [Operation Object](#operation-object), only one of the Security Requirement Objects in the list needs to be satisfied to authorize the request; see [the `security` field](#oas-security-field).
3919
3921
3920
-
The empty Security Requirement Object (`{}`) will always be satisifed, therefore any `security` list of Security Requirement Objects that includes `{}` will authorize all requests.
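Review bot: With the `{}` sentence removed, the Security Requirement Object section no longer says what an empty object means, and the surviving context line only covers "a non-empty list", so a reader who lands here has to infer that the link to the `security` field is where the `{}`, empty-list and omitted cases are defined. Consider widening the cross-reference on that line, for example "for the meaning of `{}`, an empty list, or an omitted field, see the `security` field", so the always-satisfied behaviour of `{}` stays discoverable from this section.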