
Allow optional anonymous access

Open cmheazel opened this issue 7 years ago • 3 comments

Issue #14 was closed with the understanding that the spec would be fixed to allow a null Security Requirement (indicating that anonymous is allowed). However, 3.0.1 still says that "Each name MUST correspond to a security scheme which is declared in the Security Schemes" which I take to mean that null is not allowed. I have a developer who needs this feature. I'm willing to make this fix in 3.1. Any objections?

cmheazel, Sep 06 '18 17:09

@cmheazel an empty security requirement object doesn't have any names, so none of the names violate this constraint.

It looks like this

security: [
  {},
  ...
]

not like this:

security: [
  null,
  ...
]

What we need is clearer text or a specific example demonstrating this usage. As this is a clarification, not a change, it could go into a patch release, and there is still time to get it into ~~3.0.2~~ 3.0.3.

MikeRalphson, Sep 21 '18 17:09
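The distinction drawn in the comment above, as an added example that is not part of the thread or of the OpenAPI project's own code: a small audit helper that reports whether a `security` array permits unauthenticated access and whether every name refers to a declared scheme. The function name `check_security` and the sample arrays are assumptions constructed for illustration; the empty-array case reflects the spec's rule that `[]` removes a top-level requirement.

```python
"""Audit an OpenAPI `security` array against the declared security schemes."""


def check_security(security, declared_schemes):
    """Return (allows_anonymous, errors) for one `security` array.

    security         -- list of Security Requirement Objects (dicts)
    declared_schemes -- names declared under components.securitySchemes
    """
    if not isinstance(security, list):
        return False, ["security must be an array"]
    if not security:
        # An empty array removes any top-level requirement: no credentials needed.
        return True, []
    errors = []
    allows_anonymous = False
    for index, requirement in enumerate(security):
        # null is not a Security Requirement Object; only {} is accepted.
        if not isinstance(requirement, dict):
            errors.append(f"security[{index}]: expected an object, got {requirement!r}")
            continue
        if not requirement:
            # No names at all, so the "each name MUST correspond" rule has
            # nothing to violate; this alternative means "no credentials".
            allows_anonymous = True
            continue
        for name, scopes in requirement.items():
            if name not in declared_schemes:
                errors.append(f"security[{index}]: undeclared scheme {name!r}")
            if not isinstance(scopes, list):
                errors.append(f"security[{index}].{name}: scopes must be an array")
    return allows_anonymous, errors


# Constructed sample inputs for illustration.
SCHEMES = {"petstore_auth"}
OPTIONAL_AUTH = [{}, {"petstore_auth": ["write:pets", "read:pets"]}]
REQUIRED_AUTH = [{"petstore_auth": ["read:pets"]}]
NULL_ENTRY = [None, {"petstore_auth": ["read:pets"]}]
UNDECLARED = [{"api_key": []}]

if __name__ == "__main__":
    for label, sec in [("optional", OPTIONAL_AUTH), ("required", REQUIRED_AUTH),
                       ("null entry", NULL_ENTRY), ("undeclared", UNDECLARED)]:
        print(label, check_security(sec, SCHEMES))
```

Running this over every operation in a document gives a list of endpoints that accept unauthenticated requests, which is worth reviewing since a single `{}` silently makes the other alternatives optional.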

Given https://spec.openapis.org/oas/latest.html#optional-oauth2-security, there is a sample mentioning "Optional OAuth2 security as would be defined" with the sample

{ "security": [ {}, { "petstore_auth": [ "write:pets", "read:pets" ] } ] }

with the mention of

"To make security optional, an empty security requirement ({}) can be included in the array."

I wonder if it would not be a better idea to add a dedicated security scheme type called "anonymous", or "public", that would avoid this {} and make it clearer?

So either close it or move it to 3.2 (or maybe 3.3) or 4.0 (or 4.1).

LasneF, Aug 05 '24 13:08

@LasneF see also:

  • #3938
  • #3995

handrews, Aug 06 '24 21:08

Per issue #3988, this was clarified in 3.0.4, 3.1.1, and 3.2.0, so I'm closing this.

handrews, Sep 22 '25 22:09