Open egekorkan opened 3 years ago
I agree, but it needs to be more than an editor's note, since it needs to appear in the final version of the specification. Since it relates to protocol, @egekorkan would you be willing to propose some suitable phrases? I need to look again at systems that I think use this to confirm we're doing the right thing here...
Sure, I would thus propose a new paragraph at section 8.1 that has the following text:
Some security schemes allow specifying `body` in the `in` parameter. When `body` is specified, all the TD forms that use this security scheme MUST support a communication protocol and its associated method that can use a body payload. E.g. an HTTP POST request can supply a payload and thus be used in a security scheme whose credentials are supplied in the body.
For the #1058, there needs to be an editor's note explaining that if a body (containing security) needs to be supplied for all requests, then the protocol being used has to support this, i.e. supplying a payload for all requests. In the case of HTTP, this would mean using POST requests even for reading properties or breaking best practices by forcing GET requests to have payloads.
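One way to check the constraint discussed in this thread, as an added example that is not part of the thread or of the specification: a linter that flags HTTP forms whose active security scheme has `in` set to `body` while the form's method carries no payload. The function names, the `NO_BODY_METHODS` policy and the sample TD are assumptions of this example; only HTTP forms are considered and `combo` schemes are not resolved.

```python
# Added example: lint a WoT Thing Description (dict parsed from JSON), see lead-in.

# Default HTTP methods per operation (WoT HTTP default values).
DEFAULT_METHOD = {
    "readproperty": "GET", "writeproperty": "PUT", "invokeaction": "POST",
    "readallproperties": "GET", "writeallproperties": "PUT",
    "readmultipleproperties": "GET", "writemultipleproperties": "PUT",
}
NO_BODY_METHODS = {"GET", "HEAD"}  # assumption: this example's policy

def as_list(value):
    return value if isinstance(value, list) else [value]

def default_ops(kind, affordance):
    """Operations a form stands for when it has no explicit "op"."""
    if kind == "actions":
        return ["invokeaction"]
    if kind == "properties":
        ops = [] if affordance.get("writeOnly") else ["readproperty"]
        return ops if affordance.get("readOnly") else ops + ["writeproperty"]
    return []  # events: no default method assumed, so nothing to check

def body_security_violations(td):
    """Return (form path, op, method, scheme name) for each offending form."""
    defs, findings = td.get("securityDefinitions", {}), []
    for kind in ("properties", "actions", "events"):
        for name, aff in td.get(kind, {}).items():
            for i, form in enumerate(aff.get("forms", [])):
                # Form-level "security" overrides the Thing-level one.
                active = as_list(form.get("security", td.get("security", [])))
                in_body = [s for s in active if defs.get(s, {}).get("in") == "body"]
                if not in_body:
                    continue
                for op in as_list(form.get("op", default_ops(kind, aff))):
                    method = form.get("htv:methodName", DEFAULT_METHOD.get(op))
                    if method and method.upper() in NO_BODY_METHODS:
                        findings.append((f"{kind}/{name}/forms/{i}", op, method.upper(), in_body[0]))
    return findings

# Constructed sample TD (hypothetical device and URLs).
SAMPLE_TD = {
    "securityDefinitions": {"key_in_body": {"scheme": "apikey", "in": "body"}},
    "security": "key_in_body",
    "properties": {
        "status": {"forms": [{"href": "https://lamp.example/status"}]},
        "level": {"readOnly": True, "forms": [
            {"href": "https://lamp.example/level", "htv:methodName": "POST"}]},
    },
    "actions": {"toggle": {"forms": [{"href": "https://lamp.example/toggle"}]}},
}
```

On the sample, only the `status` property is reported: its form has no explicit method, so reading it defaults to GET, which is the case the issue describes.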