Validate the api key 'in' attribute is cookie header or query.

[stefan521]

This is a valid API key definition.

components:
  securitySchemes:
    ApiKeyAuth:        # arbitrary name for the security scheme
      type: apiKey
      in: header       # can be "header", "query" or "cookie"
      name: X-API-KEY  # name of the header, query parameter or cookie

There already is validation that checks the in attribute is present. The purpose of this PR is to validate that the attribute value is one of "header", "query", or "cookie".

Swagger docs for reference.