Open johakoch opened 3 years ago
Can you clarify if this is a question or a feature request? If the former, no it's not currently possible. If the latter, do you have an actual API which uses an API key in a request body?
The question: Are there reasons against such a feature?
Regarding an actual API:
The OAuth2 token endpoint requires the client to authenticate via `client_id:client_secret`, OR `client_id` AND `client_secret` parameters in the POST request. This could be specified as
```yaml
components:
  securitySchemes:
    BasicAuth:
      type: http
      scheme: basic
    ClientIdPost:
      type: apiKey
      in: ???          # no existing value of `in` covers a form-body parameter
      name: client_id
    ClientSecretPost:
      type: apiKey
      in: ???
      name: client_secret   # fixed: the posted snippet repeated client_id here
paths:
  "/token":
    post:
      security:
        - BasicAuth: []                 # alternative 1: HTTP Basic
        - ClientIdPost: []              # alternative 2: both body parameters
          ClientSecretPost: []
```
There is already an `oauth2` securityScheme type which encapsulates this logic, it's not necessary to use `apiKey` types for this.
I understand the type `oauth2` securityScheme to indicate that an API user has to get an access token from the OAuth2 server as specified by the type `oauth2` securityScheme.
But this does not help if you want to describe the API of the OAuth2 server itself using OpenAPI.
Though OAuth2 operates over HTTP and can be said to have an API, I wonder whether it is itself an "HTTP API" within the meaning of the phrase used by the OpenAPI Specification, and therefore whether it is in scope here.
The OAuth2 token endpoint was just an example. There could, of course, be more (and maybe more appropriate ones).
Now, why can I specify a security scheme for a query parameter, but not a parameter in an `application/x-www-form-urlencoded` body?
My question, again: Are there reasons against such a feature? Is the answer to the question, that this security scheme would only apply to methods with defined message bodies, which would violate some (to me currently unknown) design principle for OpenAPI?
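To make the semantics behind the `/token` example above concrete, here is an added example (my own code, not part of this issue or of the OpenAPI-Specification project). It evaluates an operation's Security Requirement Objects against a sample request: each entry in the `security` list is an alternative (OR), and every scheme named inside one entry must be satisfied (AND). The `query`, `header` and `cookie` locations follow the specification; the `body` location is the hypothetical extension this issue asks for and is assumed here to mean a field of an `application/x-www-form-urlencoded` body. The spec fragment and the requests are constructed for the example.

```python
"""Evaluate OpenAPI security requirements against a sample request (added example).

`in: body` is NOT part of the OpenAPI Specification; it is the hypothetical value
discussed in this issue, assumed here to mean a form-urlencoded body field.
"""
import base64
from urllib.parse import parse_qs

# Constructed OpenAPI fragment with the same shape as the thread's /token example.
SPEC = {
    "components": {
        "securitySchemes": {
            "BasicAuth": {"type": "http", "scheme": "basic"},
            "ClientIdPost": {"type": "apiKey", "in": "body", "name": "client_id"},
            "ClientSecretPost": {"type": "apiKey", "in": "body", "name": "client_secret"},
        }
    },
    "paths": {
        "/token": {
            "post": {
                "security": [
                    {"BasicAuth": []},                            # OR ...
                    {"ClientIdPost": [], "ClientSecretPost": []},  # ... both of these
                ]
            }
        }
    },
}


def _scheme_present(scheme: dict, request: dict) -> bool:
    """True if the request carries the credential the scheme describes (presence only)."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    if scheme["type"] == "http" and scheme.get("scheme") == "basic":
        auth = headers.get("authorization", "")
        if not auth.startswith("Basic "):
            return False
        try:
            user_pass = base64.b64decode(auth[6:], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return False  # malformed credentials never count as present
        return ":" in user_pass and user_pass.split(":", 1)[0] != ""
    if scheme["type"] == "apiKey":
        location, name = scheme["in"], scheme["name"]
        if location == "header":
            return bool(headers.get(name.lower()))
        if location == "query":
            return bool(parse_qs(request.get("query", "")).get(name))
        if location == "cookie":
            return bool(request.get("cookies", {}).get(name))
        if location == "body":  # hypothetical value proposed in this issue
            ctype = headers.get("content-type", "")
            if not ctype.startswith("application/x-www-form-urlencoded"):
                return False
            return bool(parse_qs(request.get("body", "")).get(name))
    return False


def satisfied_alternatives(spec: dict, path: str, method: str, request: dict) -> list:
    """Names of the security alternatives the request satisfies, in spec order.

    An alternative is satisfied only when every scheme it lists is present (AND);
    the operation is authorized if any alternative is satisfied (OR).
    """
    schemes = spec["components"]["securitySchemes"]
    requirements = spec["paths"][path][method].get("security", [])
    result = []
    for alternative in requirements:
        if all(_scheme_present(schemes[name], request) for name in alternative):
            result.append(" AND ".join(alternative))
    return result


def is_authorized(spec: dict, path: str, method: str, request: dict) -> bool:
    return bool(satisfied_alternatives(spec, path, method, request))


# Constructed sample requests (credentials are placeholders).
BASIC_REQ = {
    "headers": {"Authorization": "Basic " + base64.b64encode(b"my-client:s3cr3t").decode(),
                "Content-Type": "application/x-www-form-urlencoded"},
    "body": "grant_type=client_credentials",
}
FORM_REQ = {
    "headers": {"Content-Type": "application/x-www-form-urlencoded"},
    "body": "grant_type=client_credentials&client_id=my-client&client_secret=s3cr3t",
}
HALF_FORM_REQ = {  # only client_id: the AND requirement is not met
    "headers": {"Content-Type": "application/x-www-form-urlencoded"},
    "body": "grant_type=client_credentials&client_id=my-client",
}

if __name__ == "__main__":
    for label, req in [("basic", BASIC_REQ), ("form", FORM_REQ), ("half", HALF_FORM_REQ)]:
        print(label, satisfied_alternatives(SPEC, "/token", "post", req))
```

The checker only tests whether a credential is present where the document says it should be, which is exactly what a security scheme describes; validating the credential's value is the server's job. The `body` branch also refuses to look into the body unless the content type is form-urlencoded, which is the assumption the issue raises about what such an `in` value would mean.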
I would find this feature helpful. Mandrill is one example that expects the API key in a body parameter:
https://mandrillapp.com/api/docs/messages.curl.html#sts=/messages/search.json
@dylantack wrote: I would find this feature helpful. Mandrill is one example that expects the API key in a body parameter:
https://mandrillapp.com/api/docs/messages.curl.html#sts=/messages/search.json
My question was about an API key in an `application/x-www-form-urlencoded` body. But, of course, it can be extended to other content-types, like `application/json` as in the Mandrill example.
This seems related/necessary for https://github.com/OAI/OpenAPI-Specification/issues/1875? Specifically, the client authentication method using `client_assertion` and `client_assertion_type` sends them as parameters in the body using `application/x-www-form-urlencoded`.
To clarify, does this boil down to adding a new value for `in` in the Security Scheme Object to indicate that the API Key is in the body? Which is assumed to be ...form-urlencoded?
It is possible to define a security scheme as
corresponding to
while the first approach adds the notion that the required parameter is related to security.
However, there seems to be no way to define a security scheme about a required parameter in an `application/x-www-form-urlencoded` body adding the same security notion.