Use URI references for Security Requirements in 3.2 #3776

Open
handrews opened this issue May 2, 2024 · 0 comments
Labels: enhancement; re-use: ref/id resolution (how $ref, operationId, or anything else is resolved); re-use: ref-everywhere (Requests to support referencing in more / all places); security: config (The mechanics of servers and structure of security-related objects)

handrews (Contributor) commented May 2, 2024

Resolving component names used in referenced (as opposed to entry) documents is ambiguous, particularly in 3.1 where we advertise the ability to have a components-only document to use as a shared component library. Historically, component names were resolved from the entry document, as reference targets were extracted from the document in which they were found without regard for the contents of the rest of the document.

In 3.1, whole-document parsing is required to properly implement the Schema Object, and there is a reasonable intuition that component names should be resolved within the document in which they appear. This is at odds with the historical behavior, and one could argue that for Security Schemes in particular, it makes sense to treat them as part of the "deployment" aspect of things, which is arguably more relevant to the entry document.

For the Discriminator Object, the ambiguity can be avoided by using the mapping keyword with unambiguous URI-references (meaning URI-references that are not syntactically valid as component names). There is no similar workaround for the Security Requirement Object.

Adding a URI-reference mechanism for Security Requirements, whether by allowing $ref somewhere, or just allowing URI-references as keys in place of the current component names, will make it possible to write unambiguous security requirements.

@handrews handrews added the labels enhancement; review; re-use: ref-everywhere (Requests to support referencing in more / all places); re-use: ref/id resolution (how $ref, operationId, or anything else is resolved); security: config (The mechanics of servers and structure of security-related objects) on May 2, 2024
@handrews handrews added this to the v3.2.0 milestone May 2, 2024
@handrews handrews self-assigned this May 2, 2024
@handrews handrews removed the review label May 19, 2024
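
The ambiguity described in the issue, as an added example that is not part of the issue or of the OpenAPI Specification: a bare Security Requirement key found in a referenced document resolves to a different Security Scheme depending on which document a tool looks in, while a URI-reference key resolves the same way under either strategy. The document URLs, the scheme name `auth` and the `resolve` helper are hypothetical, and treating non-component-name keys as URI-references is the proposal under discussion, assumed here.

```python
import re
from urllib.parse import urljoin, urldefrag

# Constructed sample documents (not from the issue): an entry document and a
# shared component library that both define a Security Scheme named "auth".
ENTRY = "https://example.com/api/openapi.json"
LIB = "https://example.com/shared/lib.json"
DOCS = {
    ENTRY: {"components": {"securitySchemes": {
        "auth": {"type": "http", "scheme": "bearer"}}}},
    LIB: {"components": {"securitySchemes": {
        "auth": {"type": "apiKey", "in": "header", "name": "X-Key"}}}},
}

# Key syntax the Components Object requires for component names.
COMPONENT_NAME = re.compile(r"^[a-zA-Z0-9.\-_]+$")


def pointer(doc, fragment):
    """Evaluate a JSON Pointer fragment such as /components/securitySchemes/auth."""
    node = doc
    for token in fragment.lstrip("/").split("/"):
        node = node[token.replace("~1", "/").replace("~0", "~")]
    return node


def resolve(key, current_doc, strategy):
    """Resolve one Security Requirement key that appears in current_doc.

    strategy: "entry" looks a bare component name up in the entry document
    (historical behaviour); "local" looks it up in the document where the
    requirement appears. A key that is not a syntactically valid component
    name is treated as a URI-reference relative to current_doc (assumed
    behaviour, per the proposal), so strategy no longer matters.
    """
    if COMPONENT_NAME.match(key):
        base = ENTRY if strategy == "entry" else current_doc
        return DOCS[base]["components"]["securitySchemes"][key]
    url, fragment = urldefrag(urljoin(current_doc, key))
    return pointer(DOCS[url], fragment)


if __name__ == "__main__":
    for key in ("auth", "#/components/securitySchemes/auth"):
        for strategy in ("entry", "local"):
            print(key, strategy, resolve(key, LIB, strategy)["type"])
```

With the bare name, the two strategies select different schemes for the same requirement; a linter can flag such keys in referenced documents whenever the entry document defines a scheme with the same name.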