Allow optional anonymous access #1684

Open
cmheazel opened this issue Sep 6, 2018 · 3 comments
Labels
security: access ctrl Permissions and controls distinct from authentication security

Comments

@cmheazel
Contributor

cmheazel commented Sep 6, 2018

#14
Issue 14 was closed with the understanding that the spec would be fixed to allow a null Security Requirement (indicating that anonymous is allowed). However, 3.0.1 still says that "Each name MUST correspond to a security scheme which is declared in the Security Schemes" which I take to mean that null is not allowed. I have a developer who needs this feature. I'm willing to make this fix in 3.1. Any objections?

@MikeRalphson
Member

MikeRalphson commented Sep 21, 2018

@cmheazel an empty security requirement object doesn't have any names, so none of the names violate this constraint.

It looks like this:

security: [
  {},
  ...
]

not like this:

security: [
  null,
  ...
]

What we need is clearer text or a specific example demonstrating this usage. As this is a clarification, not a change, it could go into a patch release, and there is still time to get it into 3.0.2 3.0.3.

@LasneF
Member

LasneF commented Aug 5, 2024

Given https://spec.openapis.org/oas/latest.html#optional-oauth2-security, there is a sample mentioning
"Optional OAuth2 security as would be defined "
with the sample

{ "security": [ {}, { "petstore_auth": [ "write:pets", "read:pets" ] } ] }

with the mention of

" To make security optional, an empty security requirement ({}) can be included in the array."

I wonder if it would not be a better idea to add a dedicated security scheme type called "anonymous", or "public", that would avoid this {} and make it clearer?

So either close it or move it to 3.2 (or maybe 3.3) or 4.0 (or 4.1).
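
An added example, not part of the thread or the OpenAPI project's code: a small audit that reports which operations in an OpenAPI document accept anonymous callers through an empty security requirement `{}`, and flags `null` entries and undeclared scheme names as invalid. It goes beyond the thread by also applying the spec's rules that an operation-level `security` overrides the top-level one and that an empty array removes it; the sample document and the function names `classify` and `audit` are constructed for illustration.

```python
import json

# Constructed sample, not from the issue; "api_key" is deliberately left undeclared.
SAMPLE = json.loads("""
{
  "components": {"securitySchemes": {"petstore_auth": {"type": "oauth2"}}},
  "security": [{"petstore_auth": ["read:pets"]}],
  "paths": {"/pets": {
    "get":    {"security": [{}, {"petstore_auth": ["write:pets", "read:pets"]}]},
    "post":   {},
    "put":    {"security": []},
    "delete": {"security": [null, {"petstore_auth": ["write:pets"]}]},
    "patch":  {"security": [{"api_key": []}]}
  }}
}
""")

METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def classify(security, declared):
    """Return 'anonymous', 'authenticated' or 'invalid: <reason>' for one security array."""
    if not isinstance(security, list):
        return "invalid: security is not an array"
    for req in security:
        if not isinstance(req, dict):  # JSON null becomes None: not a requirement object
            return "invalid: entry is not an object"
        for name in req:
            if name not in declared:  # "Each name MUST correspond to a security scheme"
                return "invalid: undeclared scheme " + name
    # An empty array declares no requirement; {} is a requirement that names no scheme.
    if not security or any(not req for req in security):
        return "anonymous"
    return "authenticated"

def audit(doc):
    """Map 'METHOD /path' to the verdict for that operation's effective security."""
    declared = doc.get("components", {}).get("securitySchemes", {})
    top = doc.get("security", [])
    report = {}
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method in METHODS:
                effective = op["security"] if "security" in op else top
                report[method.upper() + " " + path] = classify(effective, declared)
    return report

if __name__ == "__main__":
    for operation, verdict in audit(SAMPLE).items():
        print(operation, "->", verdict)
```

Running the audit in CI against the published API description makes every operation reachable without credentials an explicit, reviewable list.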
