microsoft / OpenAPI.NET

The OpenAPI.NET SDK contains a useful object model for OpenAPI documents in .NET along with common serializers to extract raw OpenAPI JSON and YAML documents from the model.
MIT License

Incorrect default value for OpenApiSecurityScheme.In when using "http" type with "bearer" scheme #1843

Open HavenDV opened 2 days ago

HavenDV commented 2 days ago

Describe the bug

When defining an OpenApiSecurityScheme of type http with the scheme bearer, the default value for In is set to Query instead of Header. According to the OpenAPI Specification, header should be the implied default when the type is http and the scheme is bearer.

OpenApi File To Reproduce

openapi: 3.0.0
info:
  title: Minimal API
  version: 1.0.0
paths:
  /example:
    get:
      summary: Example endpoint
      security:
        - Bearer: []
      responses:
        '200':
          description: Successful response
components:
  securitySchemes:
    Bearer:
      type: http
      scheme: bearer

Expected behavior

The default value for OpenApiSecurityScheme.In should be Header when the type is http and the scheme is bearer, aligning with the OpenAPI Specification's default behavior.

Additional context

This issue causes incorrect behavior when generating clients or code based on the OpenAPI definition, as the security token is expected to be sent as a query parameter instead of the Authorization header.

darrelmiller commented 12 hours ago

I am assuming you mean the In property rather than Location as there is no Location property.

However, the In property is only applicable to type equal to apiKey. It has no impact on type equal to http. When using the type http, the credentials are always sent in the Authorization header. This is stated explicitly in the description of the scheme field here: https://spec.openapis.org/oas/v3.1.0.html#fixed-fields-22
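The rule darrelmiller cites is the one a client generator has to encode, and it is also where the risk in the original report lives: a generator that consults In for an http scheme would emit the bearer token as a query parameter, where it ends up in access logs, browser history and Referer headers. The following is an added Python example, not code from this issue or from the OpenAPI.NET project. It re-expresses the issue's YAML as a dict (the JSON form of the same document) with two constructed extra schemes, and the function names `placement_for`, `build_request_parts` and `lint_schemes` are hypothetical. It resolves where each scheme's credential belongs, ignoring `in` on http schemes exactly as the spec says, and flags documents whose authoring suggests the misreading.

```python
"""Resolve where a client must send credentials for OAS 3.x security schemes.

Rule (OAS 3.x, Security Scheme Object): `in` is only a field of type
`apiKey`. For type `http` the credential always goes in the Authorization
request header, regardless of any `in` value that happens to be present.
"""
from dataclasses import dataclass

# Constructed sample document: the issue's YAML as a dict, plus a basic-auth
# scheme, an apiKey scheme, and an http scheme wrongly carrying `in: query`.
SAMPLE_DOC = {
    "openapi": "3.0.0",
    "components": {
        "securitySchemes": {
            "Bearer": {"type": "http", "scheme": "bearer"},
            "BasicAuth": {"type": "http", "scheme": "basic"},
            "ApiKeyQuery": {"type": "apiKey", "name": "api_key", "in": "query"},
            "BearerWithStrayIn": {"type": "http", "scheme": "bearer", "in": "query"},
        }
    },
}


@dataclass(frozen=True)
class Placement:
    location: str      # "header", "query" or "cookie"
    name: str          # header, query-parameter or cookie name
    value_format: str  # rendering of the secret; "{token}" is the placeholder


def placement_for(scheme):
    """Map one Security Scheme Object to the place the credential is sent."""
    kind = scheme.get("type")
    if kind == "http":
        # `in` is not a field of http schemes: deliberately never read it here.
        http_scheme = str(scheme.get("scheme", "")).lower()
        if http_scheme == "bearer":
            return Placement("header", "Authorization", "Bearer {token}")
        if http_scheme == "basic":
            # token is expected to be base64(user:password), prepared by the caller
            return Placement("header", "Authorization", "Basic {token}")
        raise ValueError(f"unsupported http scheme: {http_scheme!r}")
    if kind == "apiKey":
        location = scheme.get("in")
        if location not in ("header", "query", "cookie"):
            raise ValueError(f"apiKey needs in=header|query|cookie, got {location!r}")
        return Placement(location, scheme["name"], "{token}")
    raise ValueError(f"unsupported security scheme type: {kind!r}")


def build_request_parts(scheme, token):
    """Return the headers / query / cookies a request needs for this scheme."""
    placement = placement_for(scheme)
    parts = {"headers": {}, "query": {}, "cookies": {}}
    bucket = {"header": "headers", "query": "query", "cookie": "cookies"}[placement.location]
    parts[bucket][placement.name] = placement.value_format.replace("{token}", token)
    return parts


def lint_schemes(doc):
    """Per-scheme warnings: a stray `in` on an http scheme (it will be ignored,
    which may surprise the author), and apiKey secrets carried in the query string."""
    findings = {}
    schemes = doc.get("components", {}).get("securitySchemes", {})
    for name, scheme in schemes.items():
        notes = []
        if scheme.get("type") == "http" and "in" in scheme:
            notes.append("`in` is ignored for type http; credential goes in the Authorization header")
        if scheme.get("type") == "apiKey" and scheme.get("in") == "query":
            notes.append("apiKey in query string: secret will appear in URLs, server logs and Referer headers")
        if notes:
            findings[name] = notes
    return findings


if __name__ == "__main__":
    for name, scheme in SAMPLE_DOC["components"]["securitySchemes"].items():
        print(name, build_request_parts(scheme, "t0k3n"))
    for name, notes in lint_schemes(SAMPLE_DOC).items():
        print("WARN", name, notes)
```

Note that `BearerWithStrayIn` resolves to the Authorization header even though the document says `in: query`; the linter reports the stray field so the document author can remove it rather than relying on readers to ignore it.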