From 9c0d2d5c9ff6cf2d132e831c43f27cd921a563a4 Mon Sep 17 00:00:00 2001
From: "Henry H. Andrews" <andrews_henry@yahoo.com>
Date: Sun, 19 May 2024 10:52:38 -0700
Subject: [PATCH] Allow URI-references for Security Requiements (3.2.0)

This allows Security Requirement Objects to reference
Security Scheme Objects by URI instead of implicit component name.
Without this ability, it is difficult to share Security Schemes
in a way that is consistent with re-usable component documents.

This approach provides parity with how the Discriminator Object's
`mapping` field works.
---
 versions/3.2.0.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/versions/3.2.0.md b/versions/3.2.0.md
index db139aa143..9b42539958 100644
--- a/versions/3.2.0.md
+++ b/versions/3.2.0.md
@@ -3558,7 +3558,9 @@ flows:
 #### <a name="securityRequirementObject"></a>Security Requirement Object
 
 Lists the required security schemes to execute this operation.
-The name used for each property MUST correspond to a security scheme declared in the [Security Schemes](#componentsSecuritySchemes) under the [Components Object](#componentsObject).
+The name used for each property MUST either correspond to a security scheme declared in the [Security Schemes](#componentsSecuritySchemes) under the [Components Object](#componentsObject), or be the URI of a Security Scheme Object.
+Property names that match the syntax of a component name under the Components Object MUST be treated as a component name.
+To reference a Security Scheme with a single-segment relative URI reference (e.g. `foo`), use the `.` path segment (e.g. `./foo`).
 
 Security Requirement Objects that contain multiple schemes require that all schemes MUST be satisfied for a request to be authorized.
 This enables support for scenarios where multiple query parameters or HTTP headers are required to convey security information.
@@ -3569,7 +3571,7 @@ When a list of Security Requirement Objects is defined on the [OpenAPI Object](#
 
 Field Pattern | Type | Description
 ---|:---:|---
-<a name="securityRequirementsName"></a>{name} | [`string`] | Each name MUST correspond to a security scheme which is declared in the [Security Schemes](#componentsSecuritySchemes) under the [Components Object](#componentsObject). If the security scheme is of type `"oauth2"` or `"openIdConnect"`, then the value is a list of scope names required for the execution, and the list MAY be empty if authorization does not require a specified scope. For other security scheme types, the array MAY contain a list of role names which are required for the execution, but are not otherwise defined or exchanged in-band.
+<a name="securityRequirementsName"></a>{name} | [`string`] | Each name MUST correspond to a security scheme name or be a URI, as described above. If the security scheme is of type `"oauth2"` or `"openIdConnect"`, then the value is a list of scope names required for the execution, and the list MAY be empty if authorization does not require a specified scope. For other security scheme types, the array MAY contain a list of role names which are required for the execution, but are not otherwise defined or exchanged in-band.
 
 ##### Security Requirement Object Examples