Open HavenDV opened 2 days ago
I am assuming you mean the In
property rather than Location
as there is no Location property.
However, the In
property is only applicable to type
equal to apiKey
. It has no impact on type
equal to http
. When using the type
http
, the credentials are always sent in the Authorization
header. This is stated explicitly in the description of the scheme
field here https://spec.openapis.org/oas/v3.1.0.html#fixed-fields-22
Describe the bug When defining an OpenApiSecurityScheme of type http with the scheme bearer, the default value for In is set to Query instead of Header. According to the OpenAPI Specification, header should be the implied default when the type is http and the scheme is bearer.
OpenApi File To Reproduce
Expected behavior The default value for OpenApiSecurityScheme.In should be Header when the type is http and the scheme is bearer, aligning with the OpenAPI Specification’s default behavior.
Additional context This issue causes incorrect behavior when generating clients or code based on the OpenAPI definition, as the security token is expected to be sent as a query parameter instead of the Authorization header.