Openapi-specification: Multiple security requirements at once, or neither

Created on 25 Aug 2016 · 2 Comments · Source: OAI/OpenAPI-Specification

Say you have two types of authorization: oauth2 and apiKey. But when using apiKey authorization, you require two headers to be present. So you need to specify something like (A OR (B AND C)) in your security requirements. Is this possible?

The comments in #14 make reference to this, but I don't see a way to do it. This is needed, for example, if you want to support 3Scale's "Application Identifier and Key pairs" and "OAuth 2.0" patterns at the same time.

All 2 comments

Yup, you can do that. Say you have 3 security requirements defined A for oauth2, B for apiKey 1, C for apiKey 2 (it's a header, let's face it), then your security would be defined as:

security: [
  { "A": [] },
  { "B": [], "C": [] }
]

Didn't add scopes for oauth2, but that's the general idea.

Thanks, that's very helpful.
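
Added example, not part of the original thread: a minimal Python check of how the `security` array above is evaluated, with OR across the list entries and AND across the schemes inside one entry. The scheme names A, B and C follow the comment; the header names `X-App-Id` and `X-App-Key`, the function names, and the `token_scopes` parameter are hypothetical, and the sketch assumes a non-empty `security` list and that key and token validation happen elsewhere.

```python
# Scheme names A, B, C follow the thread; header names are hypothetical.
SECURITY_DEFINITIONS = {
    "A": {"type": "oauth2"},
    "B": {"type": "apiKey", "in": "header", "name": "X-App-Id"},
    "C": {"type": "apiKey", "in": "header", "name": "X-App-Key"},
}
# The requirement from the thread: A OR (B AND C).
SECURITY = [{"A": []}, {"B": [], "C": []}]


def presented_schemes(headers, definitions, token_scopes=None):
    """Map each scheme the request carries credentials for to its granted scopes.

    token_scopes is the scope list of an already validated OAuth2 token
    (None when there is no valid token). Checking that an API key value is
    actually valid is assumed to happen elsewhere; only presence is tested.
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    found = {}
    for name, scheme in definitions.items():
        if scheme["type"] == "oauth2" and token_scopes is not None:
            found[name] = set(token_scopes)
        elif scheme["type"] == "apiKey" and scheme.get("in") == "header":
            if lowered.get(scheme["name"].lower()):
                found[name] = set()  # apiKey schemes carry no scopes
    return found


def is_authorized(security, presented):
    """True if at least one entry of `security` is fully satisfied.

    Every scheme named in an entry must be presented, and every scope the
    entry lists for that scheme must have been granted.
    """
    for requirement in security:
        if all(
            name in presented and set(scopes) <= presented[name]
            for name, scopes in requirement.items()
        ):
            return True
    return False
```

A request carrying only one of the two API key headers is rejected, which is the case a flat list of three single-scheme entries would wrongly accept.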
