SMILEY4 / ktor-swagger-ui

Kotlin Ktor plugin to generate OpenAPI and provide Swagger UI
Apache License 2.0

`securitySchemeName` not working for applications with external authentication #50

Closed SHildebrandt closed 1 year ago

SHildebrandt commented 1 year ago

It seems that the securitySchemeName on a specific route is only applied when the route is authenticated in Ktor. However, in our context the Ktor application itself is unauthenticated, but is behind a gateway which performs the authentication (this may even be route-specific, so some routes may be authenticated, others may be unauthenticated).

I see that you're also using RouteMeta.isProtected for deciding whether to add the defaultUnauthorizedResponse -- that might be a similarly problematic case.

Maybe it would be possible to give a hint that the route is protected externally? I'm open to implementing it myself and creating a PR, but I'm not sure where the preferred place would be to put that information. The OpenApiRoute might be a good place, but so far it only contains stuff which is really OpenAPI-specific and does not have such "meta-information".

SMILEY4 commented 1 year ago

I think adding some flag to overwrite the default behaviour regarding protected routes would be a great idea. IMHO, adding it to OpenApiRoute isn't an issue and is probably the best place to put it - I think it even contains some meta-information already and I'm not trying to model the exact structure of the openapi-spec anyway.
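
Added example, not part of the thread and not code from ktor-swagger-ui: a check that compares a generated OpenAPI document with the list of routes an external gateway authenticates, and reports operations that lack the security requirement or a 401 response, the two symptoms described in the issue. The scheme name `GatewayAuth`, the sample spec and the route list are constructed for illustration.

```python
# Added example: audit a generated OpenAPI document against gateway-protected routes.
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

def audit_spec(spec, gateway_protected, scheme_name):
    """Return sorted (METHOD, path, problem) tuples for gateway-protected routes
    whose generated documentation does not reflect the external authentication."""
    findings, seen = [], set()
    if scheme_name not in spec.get("components", {}).get("securitySchemes", {}):
        findings.append(("*", "*", "scheme-not-declared"))
    global_security = spec.get("security", [])
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            key = (method.upper(), path)
            if method not in HTTP_METHODS or key not in gateway_protected:
                continue  # path-level keys ("parameters") or unprotected routes
            seen.add(key)
            # Operation-level "security" overrides the top-level one; [] means none.
            effective = op.get("security", global_security)
            if not any(scheme_name in req for req in effective):
                findings.append(key + ("missing-security",))
            if "401" not in op.get("responses", {}):
                findings.append(key + ("missing-401",))
    # Routes the gateway protects but the spec does not document at all.
    findings += [key + ("not-in-spec",) for key in gateway_protected - seen]
    return sorted(findings)

# Constructed sample: what the plugin emits when Ktor itself has no authentication.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {"GatewayAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/health": {"get": {"responses": {"200": {"description": "OK"}}}},
        "/orders": {
            "get": {"responses": {"200": {"description": "OK"}}},
            "post": {"security": [{"GatewayAuth": []}],
                     "responses": {"201": {"description": "Created"},
                                   "401": {"description": "Unauthorized"}}},
        },
    },
}
# Constructed list of routes the gateway authenticates.
SAMPLE_PROTECTED = {("GET", "/orders"), ("POST", "/orders"), ("DELETE", "/orders/{id}")}

if __name__ == "__main__":
    for finding in audit_spec(SAMPLE_SPEC, SAMPLE_PROTECTED, "GatewayAuth"):
        print(*finding)
```
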