Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

remove "Optional OAuth2 security" examples #3777

Open
AxelNennker opened this issue May 3, 2024 · 2 comments
Open

remove "Optional OAuth2 security" examples #3777

AxelNennker opened this issue May 3, 2024 · 2 comments
Labels
examples requests for more or better examples in the specification security

Comments

@AxelNennker
Copy link
Contributor

I wonder why these "Optional OAuth2 security" examples were created in the first place.

I agree that an API can have several options how the API client authenticates but having oauth2 security or alternatively none seems not a good security practice.

e.g. here https://github.com/OAI/OpenAPI-Specification/blob/v3.2.0-dev/versions/3.0.3.md#optional-oauth2-security

If the example was intended to show multiple alternative security requirements or the combination of an oauth2 security object with another non-oauth2 security object, then the second one should not be empty.
Maybe the API is migrating from apiKey to oauth2 and is deprecating api_key.

{
  "security": [
    {
      "api_key": []
    },
    {
      "petstore_auth": [
        "write:pets",
        "read:pets"
      ]
    }
  ]
}
@handrews handrews added security examples requests for more or better examples in the specification labels May 3, 2024
@miqui
Copy link
Contributor

miqui commented May 3, 2024

If the example was intended to show multiple alternative security requirements or combining an oauth2 security object with another non-oauth2 security object, then the second one should not be empty.
Maybe the API is migrating from apiKey to oauth2 and is deprecating api_key.

I can understand your interpretation of this example. However, while I do not recall the nature of the example what it wanted to convey originally, what if it the intent was to say "hey, the entire (or some resource of the ) API had no security, and now we can secure it with oauth2" and thus the two entries? I think really this example is not intended to convey an overall good practice but simply that you have a list of choices you can apply to all or some surfaces of the API. More mechanical than overall good security.

@AxelNennker
Copy link
Contributor Author

I can understand your interpretation of this example. However, while I do not recall the nature of the example what it wanted to convey originally, what if it the intent was to say "hey, the entire (or some resource of the ) API had no security, and now we can secure it with oauth2" and thus the two entries? I think really this example is not intended to convey an overall good practice but simply that you have a list of choices you can apply to all or some surfaces of the API. More mechanical than overall good security.

So, you are agreeing that "no security" is not a good choice when we want to show multiple security options, right?!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
examples requests for more or better examples in the specification security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@AxelNennker @handrews @miqui