Redocly / museum-openapi-example

An example OpenAPI description for an imaginary Museum API.
https://redocly.com/docs/resources/learning-openapi/
MIT License

Consider `oauth2` or `openIdConnect` authentication over HTTP `basic` auth #9

Open DavidBiesack opened 8 months ago

DavidBiesack commented 8 months ago

Thank you for offering a new example for OpenAPI!

It is widely understood that APIs should avoid HTTP Basic Auth, which is inherently insecure. I recommend revising the Museum OpenAPI example to use a more secure security scheme.

  1. use oauth2 security scheme (with authorizationCode flow and with specific read and write scopes -- scope names left to implementors) or openIdConnect security scheme
  2. change the default security requirement to be a reference to that security scheme (not basic auth) and use a read scope
  3. operations that require write access should not use the default security, but use an explicit operation-level security requirement with write or other scope.
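
The three steps above as an OpenAPI fragment, added here for illustration and not taken from the museum-openapi-example repository; the scheme name, scope names, paths and authorization-server URLs are constructed placeholders, and the basic-auth scheme is left commented out to show what the issue proposes replacing.

```yaml
openapi: 3.1.0
info:
  title: Museum API (security excerpt)
  version: 1.0.0
# Step 2: the default requirement references the oauth2 scheme with the read scope,
# so every operation that does not override it needs a token carrying museum:read.
security:
  - MuseumOAuth2:
      - museum:read
paths:
  /museum-hours:
    get:
      summary: List museum opening hours
      # No operation-level security: inherits the default read-scope requirement.
      responses:
        "200":
          description: Opening hours
  /special-events:
    post:
      summary: Create a special event
      # Step 3: a write operation overrides the default with an explicit
      # operation-level requirement for the write scope.
      security:
        - MuseumOAuth2:
            - museum:write
      responses:
        "201":
          description: Event created
components:
  securitySchemes:
    # The scheme the issue recommends dropping: credentials travel on every request.
    # MuseumBasicAuth:
    #   type: http
    #   scheme: basic
    # Step 1: oauth2 with the authorizationCode flow and distinct read/write scopes.
    MuseumOAuth2:
      type: oauth2
      flows:
        authorizationCode:
          # Placeholder URLs; the real authorization server is left to implementors.
          authorizationUrl: https://auth.example.com/authorize
          tokenUrl: https://auth.example.com/token
          scopes:
            museum:read: Read museum data
            museum:write: Create or modify museum data
```

Because `security` at the top level is replaced, not merged, by an operation-level `security`, the POST above accepts only tokens carrying museum:write; a read-only token that satisfies the default would be rejected there.
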
adamaltman commented 7 months ago

It would be nice if we mocked this too.