Template paths in security schemas

[pavelkornev]

There is a long standing issue — OAI/OpenAPI-Specification#551 (duplicates: https://github.com/OAI/OpenAPI-Specification/issues/1339, OAI/OpenAPI-Specification#2322)

99% of APIs at SAP, which use OAS to document APIs, have to parametrize security URLs like tokenUrl or authorizationUrl. According the the issue above, we are not a single organization who would benefit of this.

The original proposal from the community would work seamlessly for us and seems to be reasonable:

  securitySchemes:
    keycloak:
      type: oauth2
      description: This API uses OAuth 2
      flows:
        clientCredentials:
          tokenUrl: {protocol}://{server}:{port}/auth/realms/{realm}/protocol/openid-connect/token
          variables:
            protocol:
              enum:
                - 'http'
                - 'https'
              default: 'http'
            server:
              default: 'keycloak.company.com'
            port:
              enum:
                - '80'
                - '443'
              default: '80'
            realm:
              default: 'myTenant'              
          scopes: {}

Currently, we use some workarounds to define such URL fragments (variables), it would be great to get rid of them in favor of standardization. Would it be possible to consider extending the OpenAPI Specification v4 in this direction?

[MikeRalphson]

Possibly we could replace the server and tokenUrl / authorizationUrl variables with a schema (as per the suggestion for parameters) and I guess we would allow full URI templates in these URLs.