Merge pull request #12 from ritza-co/security-examples

security examples

Author: simplesagar

.gitignore

@@ -1,3 +1,4 @@
 generation/
 code/
 node_modules/
+.idea/

reference/security.md

@@ -1,12 +1,18 @@
 # Security
 
-The `security` section is a list of [Security Requirement Objects](/openapi/security#security-requirement-object) that apply to all operations in the API (if defined at the [document](/openapi#openapi-document-structure) level) or to a specific operation (if defined at the [operation](/openapi/paths/operations) level).
+When designing an API, it is important to consider the security requirements for accessing the API. OpenAPI 3.1 provides a way to define security requirements at both the document and operation levels.
 
-Operation-level security requirements override any security requirements defined at the document level.
+Security requirements are defined as a list of [Security Requirement Objects](/openapi/security#security-requirement-object) in the `security` section. Each object in the list represents a set of security requirements that must be satisfied to access the API.
+
+To add security to an API as a whole, the `security` keyword must be defined at the [document](/openapi#openapi-document-structure) level.
+
+Likewise, to add security to a specific operation, the `security` keyword must be defined at the [operation](/openapi/paths/operations) level.
+
+Security requirements defined at the operation level override the security requirements defined at the document level.
 
 If not provided at the document level, the default security requirements are assumed to be `[]`, an empty array, meaning no security is required to access the API.
 
-Example:
+The following example requires an API key to access the API:
 
 ```yaml
 security:
@@ -19,17 +25,39 @@ components:
       in: header
 ```
 
-The named security schemes referenced **_must_** be [Security Scheme Objects](/openapi/security/security-schemes) defined in the [Components Object](/openapi/components) under the `securitySchemes` field.
+In valid OpenAPI 3.1, the [Security Requirement Objects](/openapi/security#security-requirement-object) listed in `security` sections may only reference [Security Scheme Objects](/openapi/security/security-schemes) that are defined in the [Components Object](/openapi/components) under the `securitySchemes` field. In other words, the `security` section may not contain inline security schemes, and it may not contain security schemes that are not defined yet.
 
-Security can also be made optional by providing an empty object (`{}`) in the list of security requirements. For example:
+## Security Requirement Object
 
-```yaml
-security:
-  - apiKey: []
-  - {}
-```
+A Security Requirement Object defines a map of security scheme names to [scopes or roles](#security-requirement-scopes-or-roles) that are required to access the API. The names **_must_** match the names of [Security Scheme Objects](/openapi/security/security-schemes) defined in the [Components Object](/openapi/components) under the `securitySchemes` field.
+
+| Field                  |      Type      | Required | Description                                                                                                                                                                                                                                                                                                                                                  |
+| ---------------------- | :------------: | :------: | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `{securitySchemeName}` | List\<string\> |          | A list of [scopes or roles](#security-requirement-scopes-or-roles) required for the security scheme. If the security scheme type is `oauth2` or `openIdConnect`, this is a list of scope names required by the API consumer to be able to access or use the API. For any other type, this could contain a list of roles or similar required for the API consumer to obtain to authenticate with the API. |
+
+## Supported Security Schemes
+
+Before referencing a [Security Scheme](./security/security-schemes.md) as a requirement in the `security` section, it must be defined in the [Components Object](/openapi/components) under the `securitySchemes` field.
+
+OpenAPI 3.1 supports the following security schemes:
+
+- [API Key](./security/security-schemes/security-api-key.md)
+- [Basic HTTP](./security/security-schemes/security-basic.md)
+- [Bearer Token](./security/security-schemes/security-bearer.md)
+- [OAuth 2.0](./security/security-schemes/security-oauth2.md)
+- [OpenID Connect](./security/security-schemes/security-openid.md)
+- Digest
+- Mutual TLS
+
+## Expressing Security Requirements
 
-Security can also be disabled for a specific operation by providing an empty array (`[]`) in the list of security requirements. For example:
+The `security` keyword can be used in the following ways to express security requirements.
+
+### Disabling Security
+
+Security can be _disabled_ for a specific operation by providing an empty array (`[]`) in the list of security requirements.
+
+In this example, the `POST` operation in the `/auth` path does not require security:
 
 ```yaml
 paths:
@@ -38,30 +66,28 @@ paths:
       operationId: authenticate
       summary: Authenticate with the API
       security: [] # Disable security for this operation
-      requestBody:
-        required: true
-        content:
-          application/json:
-            schema:
-              type: object
-              properties:
-                username:
-                  type: string
-                password:
-                  type: string
-      responses:
-        "200":
-          description: The api key to use for authenticated endpoints
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  token:
-                    type: string
+      # ...
+```
+
+### Optional Security
+
+Security can also be made optional by providing an empty object (`{}`) in the list of security requirements.
+
+In this example, the API may be accessed with or without an API key:
+
+```yaml
+security:
+  - apiKey: []
+  - {}
 ```
 
-Security can be made completely optional for a specific operation by providing an empty object (`{}`) in the list of security requirements. For example:
+### Adding Optional Security to a Specific Operation
+
+Security can be made _optional_ for a specific operation by providing an empty object (`{}`) in the list of security requirements.
+
+This does not disable the security requirements defined at the document level, but makes them optional for this specific operation.
+
+In this example, the `GET` operation in the `/drinks` path _may_ be accessed with or without an API key, but if authenticated, the response will include additional information:
 
 ```yaml
 paths:
@@ -71,68 +97,66 @@ paths:
       summary: Get a list of drinks, if authenticated this will include stock levels and product codes otherwise it will only include public information
       security:
         - {} # Make security optional for this operation
-      responses:
-        "200":
-          description: A list of drinks
-          content:
-            application/json:
-              schema:
-                type: array
-                items:
-                  $ref: "#/components/schemas/Drink"
+      # ...
 ```
 
-The combination of different security requirements can be used to express complex authorization scenarios. For example:
+### Allowing a Choice of Security Schemes
+
+To allow users to choose between multiple different security requirements, define the `security` keyword as a list of [Security Requirement Objects](/openapi/security#security-requirement-object). The API consumer can choose one of the requirements to authenticate.
+
+In this example, the API may be accessed with an API key **OR** OAuth 2.0:
 
 ```yaml
 security: # apiKey OR oauth2 can be used
   - apiKey: []
   - oauth2:
       - read
       - write
-components:
-  securitySchemes:
-    apiKey:
-      type: apiKey
-      name: Authorization
-      in: header
-    oauth2:
-      type: oauth2
-      flows:
-        implicit:
-          authorizationUrl: https://speakeasy.bar/oauth2/authorize
-          scopes:
-            read: Read access to the API
-            write: Write access to the API
 ```
 
-The above example allows for the API to be accessed via an API Key **OR** OAuth2.0 with both the `read` and `write` scopes.
+### Requiring Multiple Security Schemes Together
+
+If multiple schemes are required together, then the [Security Requirement Object](/openapi/security#security-requirement-object) should be defined with multiple security schemes.
 
-If multiple schemes are required together, then the [Security Requirement Object](/openapi/security#security-requirement-object) can define multiple schemes. For example:
+In this example, both an API key **AND** basic auth are required to access the API:
 
 ```yaml
 security: # both apiKey AND basic is required
   - apiKey: []
     basic: []
-components:
-  securitySchemes:
-    apiKey:
-      type: apiKey
-      name: X-API-Key
-      in: header
-    basic:
-      type: http
-      scheme: basic
 ```
 
-The above example requires both an API Key **AND** basic auth to be provided.
+### Complex Authorization Scenarios
 
 This **AND**/**OR** logic along with optional (`{}`) security can be used in any combination to express complex authorization scenarios.
 
-## Security Requirement Object
+In this example, the API may be accessed with an API key **AND** OAuth 2.0 **OR** with basic authentication:
 
-A Security Requirement Object defines a map of security scheme names to scopes that are required to access the API. The names **_must_** match the names of [Security Scheme Objects](/openapi/security/security-schemes) defined in the [Components Object](/openapi/components) under the `securitySchemes` field.
+```yaml
+security: # apiKey AND oauth2 OR basic
+  - apiKey: []
+    oauth2:
+      - read
+      - write
+  - basic: []
+```
 
-| Field                  |      Type      | Required | Description                                                                                                                                                                                                                                                                                                                                                  |
-| ---------------------- | :------------: | :------: | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| `{securitySchemeName}` | List\<string\> |          | A list of scopes/roles required for the security scheme. If the security scheme type is `oauth2` or `openIdConnect`, this is a list of scope names required by the API consumer to be able to access or use the API. For any other type, this could contain a list of roles or similar required for the API consumer to obtain to authenticate with the API. |
+## Security Requirement Scopes or Roles
+
+When defining an OAuth 2.0 or OpenID Connect [Security Requirement Object](/openapi/security#security-requirement-object) for an operation, the `{securitySchemeName}` field should contain a list of scopes or roles required for the security scheme.
+
+For example, the following security requirement object requires the `read` and `write` scopes for the `oauth2` security scheme:
+
+```yaml
+paths:
+  /drinks:
+    get:
+      operationId: listDrinks
+      summary: Get a list of drinks
+      # Operation requires read and write scopes
+      security:
+        - oauth2:
+            - read
+            - write
+      # ...
+```