maisarissi
commented
10 hours ago It seems to me those two statements are contradicting each other. Let's take an example if we have security schemes A and B defined the the component section. And an Operation that references both.
Does the request need to satisfy A AND B (first statement) or A OR B (second statement) ?
I would say, depends on how the OpenAPI was specified. My understand was:
- A AND B
paths: /example: get: summary: Example endpoint description: This endpoint demonstrates the use of multiple OAuth2 flows. responses: '200': description: Successful response content: application/json: schema: type: object properties: message: type: string example: Hello, world! security: - OAuth2: - read ApiKeyAuth: []
A OR B:
paths:
/example:
get:
summary: Example endpoint
description: This endpoint demonstrates the use of multiple OAuth2 flows.
responses:
'200':
description: Successful response
content:
application/json:
schema:
type: object
properties:
message:
type: string
example: Hello, world!
security:
- OAuth2:
- read
- ApiKeyAuth: [] ##here is the differencePer what I could understand, the latter is saying we can use OAuth2 OR ApiKey, as opposite to the former, which requires both.
darrelmiller
baywet
Hi everyone,
Recently re-read the security requirements part of the spec which currently has this text:
It seems to me those two statements are contradicting each other. Let's take an example if we have security schemes A and B defined the the component section. And an Operation that references both.
Does the request need to satisfy A AND B (first statement) or A OR B (second statement) ?
4082 doesn't seem to change anything with that as of this writing.
And it seems we've had many questions about that in the past: #3236 #1216 #771 and many more.
From reading other issues I believe what's meant here is that "first level entries are OR, nested entries are AND", for lack of better wording.
I thought that since we're close to a patch release, we might take the chance to clean this one up as well.