-
Notifications
You must be signed in to change notification settings - Fork 9.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Explicitly state what security: []
means
#3995
Explicitly state what security: []
means
#3995
Conversation
As @rvedotrc correctly points out
This would indicate that an empty array is not a synonym for an array containing an empty object, but rather "no way to authenticate here". On the other hand 3.1.0 states
I'd rather remove/undefine/nullify a top-level security declaration with |
Additional observations: https://spec.openapis.org/oas/latest.html#schema "In the following description, if a field is not explicitly REQUIRED or described with a MUST or SHALL, it can be considered OPTIONAL." In https://spec.openapis.org/oas/latest.html#fixed-fields , |
My guess: if |
@ralfhandl if it's this confusing, we might need to clarify in 3.0.4/3.1.1 (or at least acknowledge that the behavior is undefined). To me, this part:
means that empty arrays == there are no conditions to meet == there are no security checks. Why else would you remove existing checks entirely? And a |
AFAICT, the word and/or perhaps Also, if present-but-null is allowed, then is that different from being absent? How about in the I detect a can of worms. :-/ |
To summarise what we've got so far, from my point of view: Optionality:
The
|
I fully agree with @rvedotrc that this looks like a can of worms 🪱 😢. Current text for
|
So ... should I update the PR contents so as to explain that |
In my humble opinion: yes. Let's wait for others to state their opinion, here or in one of the next TDC calls. @rvedotrc do you want to dial in? The discussion is open for everyone. |
1600 UTC, right? Sure :-) |
Correct, 18:00-19:00 CEST 😁 |
For what its worth:
and its override use cases at both the root or operation level. My humble interpretation of I rather not go down the nullish rabbit hole unless we feel IT IS ABSOLUTELY necessary for both humans and code. |
We have three cases to consider:
Only the third case is explicitly mentioned in the specs:
I would not assume that 1 and 2 are synonyms of 3. |
Things we do agree on (from TDC):
The correct behaviour for an empty array is unclear. We think it is widely used to mean that there's no security applied ("allow all") - but logically it means that there are no security rules that can be fulfilled to permit access. We do need to update wording to explain that the empty security array is ambiguous in the current spec versions. |
I did some digging, and found that @webron added the "To remove a top-level security declaration, an empty array can be used." in this Swagger/OAS 2.0 commit. I have not been able to find any further information on whether "remove" meant "default back to deny-all" or "default back to allow-all". Since this is 2.0, which was initially developed within Swagger, I checked their site but was unable to find any further information on Arguably, since this language was added pre-OpenAPI, it would be valid to look at how Swagger handles an empty array for insight into the original intent. I normally dislike using Swagger as a reference point as OpenAPI is long since a distinct entity, but this has not changed since it was added for 2.0. I do think that the fact that |
Changed to draft: needs to be merged after #4035 as it changes contents of table cells and will conflict with our markdown cleanup. |
In today's TDC we agreed to re-try this based on @mikekistler 's "open world" view, so closing these three attempts. @rvedotrc thank you for your contributions here- it is far from the first topic where we've had to go through multiple approaches, attempts, and PRs. Regardless of who writes the final PR, this has helped us immensely in figuring the problem out. |
It's currently not clear from the spec what
security: []
means. It's stated that it's allowed, but it doesn't say what it does. Obvious guesses are that it either authorizes everything, or that it authorizes nothing; but it's not stated which.As per #3938, I'm told that the answer is "authorize everything"; so this PR seeks to make that explicit.
On the other hand, if that answer is incorrect, please let me know what
[]
in fact means, and I'll see if I can update this PR accordingly.See also: #3994