| Q | A
| ----------------------------------- | -------
| Bug or feature request? | Bug
| Which Swagger/OpenAPI version? | 2.0
| Which Swagger-Editor version? | 3.2.4/g865148f1-dirty
| How did you install Swagger-Editor? | No, testing on https://editor.swagger.io/
| Which browser & version? | Google Chrome 63.0.3239.132 64-bit
| Which operating system? | Windows 10

Sample test YAML is derived from the uber sample from OAI.
The only difference is I moved the list of "security" values out into a custom "x-common-scopes".
Syntax should be able to resolve the reference.

The editor flags this as an error and reports

```yaml
security: { $ref: '#/x-common-scopes/scope-read' }
```

with error:

```
Schema error at paths['/products'].get.security
should be array
Jump to line 42
```

Due to the large permutations of paths and operations in our actual swagger, we opted to group common scopes so that security properties can just reference existing scope groups instead of having to repeatedly define the same scopes manually in every security property.

`security` and `securityDefinitions` do not support `$ref`. There is a corresponding feature request in the OpenAPI Specification repository.

I should have searched there first. Thanks for pointing me in the right direction.

@radj A possible workaround is to use YAML anchors, but whether this will work depends on whether the tools processing your spec support YAML anchors. It works in Swagger Editor/UI, but I don't know about other tools.
Note that `&anchors` must be defined _before_ they are `*`-referenced.
```yaml
swagger: '2.0'
info:
  version: 0.0.0
  title: test
securityDefinitions:
  oauth2:
    type: oauth2
    flow: accessCode
    authorizationUrl: https://auth.example.com/oauth/authorize
    tokenUrl: https://auth.example.com/oauth/token
    scopes:
      read: read access
      write: write access
      admin: admin access
x-common-scopes:
  read-write: &SCOPES_READ_WRITE   # <----------------
    - read
    - write
  all: &SCOPES_ALL   # <----------------
    - read
    - write
    - admin
paths:
  /foo:
    get:
      security:
        - oauth2: *SCOPES_READ_WRITE   # <----------------
      responses:
        200:
          description: OK
  /bar:
    get:
      security:
        - oauth2: *SCOPES_ALL   # <----------------
      responses:
        200:
          description: OK
```

Looks like what we need for now. Thank you so much for the suggestion!
It seems to even work at the security level. See AUTH_WITH_SCOPE.
```yaml
swagger: '2.0'
info:
  version: 0.0.0
  title: test
securityDefinitions:
  oauth2:
    type: oauth2
    flow: accessCode
    authorizationUrl: https://auth.example.com/oauth/authorize
    tokenUrl: https://auth.example.com/oauth/token
    scopes:
      read: read access
      write: write access
      admin: admin access
x-common-scopes:
  auth_and_scope: &AUTH_WITH_SCOPE
    - oauth2:
        - read
  read-write: &SCOPES_READ_WRITE   # <----------------
    - read
    - write
  all: &SCOPES_ALL   # <----------------
    - read
    - write
    - admin
paths:
  /foo:
    get:
      security:
        - oauth2: *SCOPES_READ_WRITE   # <----------------
      responses:
        200:
          description: OK
  /bar:
    get:
      security: *AUTH_WITH_SCOPE
      responses:
        200:
          description: OK
```
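
With one anchored scope list feeding many operations, it is worth checking what each operation actually requires once the parser has expanded the aliases. The following is an added example, not part of the original thread or of Swagger Editor: it audits an already-parsed Swagger 2.0 document, and `audit_security`, `SAMPLE`, the `/baz` and `/qux` paths and the `delete` scope are constructed for illustration.

```python
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

def audit_security(spec):
    """Return (effective scopes per operation, list of findings)."""
    definitions = spec.get("securityDefinitions", {})
    effective, problems = {}, []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            name = f"{method.upper()} {path}"
            # Operation-level security overrides the top-level default.
            security = op.get("security", spec.get("security"))
            if security is None:
                problems.append(f"{name}: no security requirement")
                continue
            if not isinstance(security, list):
                # e.g. an unresolved {"$ref": ...} object, as in the report above
                problems.append(f"{name}: security should be array")
                continue
            effective[name] = {}
            for requirement in security:
                for scheme, scopes in requirement.items():
                    if scheme not in definitions:
                        problems.append(f"{name}: unknown scheme {scheme!r}")
                    defined = definitions.get(scheme, {}).get("scopes", {})
                    for scope in scopes:
                        if scope not in defined:
                            problems.append(
                                f"{name}: undefined scope {scope!r} for {scheme}")
                    effective[name][scheme] = list(scopes)
    return effective, problems

# Constructed sample: the thread's spec as a YAML parser hands it over, each
# alias expanded to its anchored list. /baz and /qux are hypothetical additions.
READ_WRITE = ["read", "write"]        # stands in for *SCOPES_READ_WRITE
AUTH_WITH_SCOPE = [{"oauth2": ["read"]}]  # stands in for *AUTH_WITH_SCOPE
SAMPLE = {
    "securityDefinitions": {"oauth2": {"type": "oauth2", "scopes": {
        "read": "read access", "write": "write access", "admin": "admin access"}}},
    "paths": {
        "/foo": {"get": {"security": [{"oauth2": READ_WRITE}]}},
        "/bar": {"get": {"security": AUTH_WITH_SCOPE}},
        "/baz": {"get": {"security": {"$ref": "#/x-common-scopes/scope-read"}}},
        "/qux": {"get": {"security": [{"oauth2": ["read", "delete"]}]}},
    },
}
```

Feed it the output of whichever YAML loader your toolchain uses; a loader that does not expand aliases will show up here as missing or malformed `security` values.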