AbstractCompositeAuthenticationProvider filtering requests with all defined security schemas (only one should be enough)

[hbelmiro]

Discussed in https://github.com/quarkiverse/quarkus-openapi-generator/discussions/415

^{Originally posted by **ayhanap** July 21, 2023} Given an openapi spec with two security schemas and an operation with a security requirment object of those two schemas, quarkus-openapi-generator generates an `AbstractCompositeAuthenticationProvider`. The problem here is `AbstractCompositeAuthenticationProvider` tries to filter requests with all of these security schemas but all of these security schemas are not required, only one is enough. https://spec.openapis.org/oas/v3.1.0#security-requirement-object How can we specify which security schema to use? For instance, I want to use basicAuth but the request filter fails because it cannot find OIDC configs. I couldn't find an answer going through this repository. Here is a spec as an example. With security schema definitions below. ``` "securitySchemes": { "OAuth2": { "type": "oauth2", "description": "OAuth2 scopes for Jira", "flows": { "authorizationCode": { "authorizationUrl": "https://auth.atlassian.com/authorize", "tokenUrl": "https://auth.atlassian.com/oauth/token", "scopes": { .... } } } }, "basicAuth": { "type": "http", "description": "You can access this resource via basic auth.", "scheme": "basic" } } ``` And an operation with the below required security requirement object. ``` "/rest/api/3/dashboard/gadgets": { "get": { "tags": [ "Dashboards" ], "summary": "Get available gadgets", "description": "Gets a list of all available gadgets that can be added to all dashboards.\n\n**[Permissions](#permissions) required:** None.", "operationId": "getAllAvailableDashboardGadgets", "parameters": [], "responses": { ....} "deprecated": false, "security": [ { "basicAuth": [] }, { "OAuth2": [ "read:jira-work" ] } ], ```

[github-actions[bot]]

@ricardozanini @hbelmiro This is being labeled as Stale.