
oauth and basic security are allowed to be used together. #620

Opened by @jsdevel (Contributor)

Description

The spec allows this, but I wonder in practice if this would ever be supported. I mean, would it be possible to merge www-authenticate headers in responses or read multiple Authorization headers in a request?

Activity

jsdevel (Contributor, Author) commented on Apr 4, 2016

For example:

"securityDefinitions": {
  "basicAuth": {
    "type": "basic"
  },
  "tokenAuth": {
    "type": "oauth2",
    ......
  }
},

"security": [
  {
    "basicAuth": [],
    "tokenAuth": ["user", "user:write"]
  }
]
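Evaluating that requirement list, as an added example that is not code from the OpenAPI specification or from express-openapi-security: the spec reads each object in the "security" array as one alternative (OR across objects) and every scheme named inside one object as required together (AND within the object). The issue's single object therefore demands Basic and OAuth2 on the same request, and since both Basic and Bearer credentials travel in the one Authorization header, no request can satisfy it. The evaluator below shows the AND form failing for every request and the two-object OR form working, and adds a start-up check that rejects requirement objects naming two Authorization-header schemes. The oauth2 fields the issue elides, the user table and the token table are assumed values constructed for the example.

```javascript
// Added example (not the spec's or express-openapi-security's code): evaluator
// for a Swagger 2.0 "security" requirement list plus a load-time sanity check.
//
// Spec semantics: each object in "security" is one alternative (OR across
// objects); every scheme named inside one object must be satisfied by the same
// request (AND within an object).

// securityDefinitions from the issue. The oauth2 fields the issue elides with
// "......" are filled with assumed values so the object is complete.
const securityDefinitions = {
  basicAuth: { type: "basic" },
  tokenAuth: {
    type: "oauth2",
    flow: "implicit", // assumed
    authorizationUrl: "https://auth.example/authorize", // assumed
    scopes: { user: "read profile", "user:write": "edit profile" }, // assumed
  },
};

// The issue's requirement: ONE object naming both schemes, i.e. basic AND oauth2.
const bothRequired = [{ basicAuth: [], tokenAuth: ["user", "user:write"] }];
// The practical alternative: TWO objects, i.e. basic OR oauth2.
const eitherAccepted = [{ basicAuth: [] }, { tokenAuth: ["user", "user:write"] }];

// Constructed stand-ins for a user database and token introspection.
const USERS = { alice: "s3cret" };
const TOKENS = { "tok-rw": ["user", "user:write"], "tok-ro": ["user"] };

// RFC 7235: a request carries a single Authorization value of the form
// "<scheme> <credentials>". Both Basic and Bearer (oauth2) credentials use it,
// which is why one request cannot present both at once.
function parseAuthorization(headers) {
  const value = headers.authorization;
  if (typeof value !== "string") return null;
  const m = /^(\S+)\s+(\S.*)$/.exec(value.trim());
  return m ? { scheme: m[1].toLowerCase(), credentials: m[2] } : null;
}

// True when the request satisfies one named scheme with the required scopes.
function satisfies(name, requiredScopes, headers) {
  const def = securityDefinitions[name];
  const auth = parseAuthorization(headers);
  if (!def || !auth) return false;
  if (def.type === "basic") {
    if (auth.scheme !== "basic") return false;
    const decoded = Buffer.from(auth.credentials, "base64").toString("utf8");
    const i = decoded.indexOf(":");
    if (i < 0) return false;
    const user = decoded.slice(0, i);
    const pass = decoded.slice(i + 1);
    // A real implementation would hash and compare in constant time.
    return Object.prototype.hasOwnProperty.call(USERS, user) && USERS[user] === pass;
  }
  if (def.type === "oauth2") {
    if (auth.scheme !== "bearer") return false;
    const granted = TOKENS[auth.credentials];
    return Array.isArray(granted) && requiredScopes.every((s) => granted.includes(s));
  }
  return false; // apiKey and other types are out of scope for this example
}

// Evaluates the whole requirement list: index of the first alternative the
// request satisfies, or -1 when none does.
function authorize(securityList, headers) {
  return securityList.findIndex((requirement) =>
    Object.entries(requirement).every(([name, scopes]) => satisfies(name, scopes, headers))
  );
}

// Load-time check for the issue's case: a single requirement object naming
// two schemes that both need the Authorization header. No request can satisfy
// it, so it is better rejected when the document is loaded than at request time.
function unsatisfiableRequirements(securityList, definitions) {
  const usesAuthorizationHeader = (def) =>
    def.type === "basic" ||
    def.type === "oauth2" ||
    (def.type === "apiKey" && def.in === "header" &&
      typeof def.name === "string" && def.name.toLowerCase() === "authorization");
  return securityList
    .map((requirement, index) => {
      const claimants = Object.keys(requirement).filter(
        (n) => definitions[n] && usesAuthorizationHeader(definitions[n])
      );
      return claimants.length > 1 ? index : -1;
    })
    .filter((i) => i >= 0);
}

// Constructed requests used for the demonstration.
const basicHeaders = { authorization: "Basic " + Buffer.from("alice:s3cret").toString("base64") };
const bearerHeaders = { authorization: "Bearer tok-rw" };
const readOnlyHeaders = { authorization: "Bearer tok-ro" };

console.log("AND form, basic request:", authorize(bothRequired, basicHeaders)); // -1
console.log("AND form, bearer request:", authorize(bothRequired, bearerHeaders)); // -1
console.log("OR form, basic request:", authorize(eitherAccepted, basicHeaders)); // 0
console.log("OR form, bearer request:", authorize(eitherAccepted, bearerHeaders)); // 1
console.log("OR form, missing scope:", authorize(eitherAccepted, readOnlyHeaders)); // -1
console.log("unsatisfiable objects:", unsatisfiableRequirements(bothRequired, securityDefinitions)); // [0]
```

The check in unsatisfiableRequirements is the kind of note a validator can act on without the spec itself forbidding the combination: it looks only at which schemes would have to share the Authorization header, so an apiKey scheme in a different header combined with oauth2 in one object is still accepted.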

jsdevel (Contributor, Author) commented on Apr 4, 2016

I'm assuming this is possible because there really isn't a way to prevent this with json schema. So while it's technically possible to create this scenario according to the schema, in practice it should never happen. Is this correct?

webron (Member) commented on Apr 4, 2016

The spec just allows you to describe things. I don't think we should go into specific cases and start saying you can describe OAuth2 together with API Key but not Basic Authentication and some other case. It complicates the spec, it complicates validation, and it's not really a concern. Just because it allows you to describe things that may not be possible doesn't mean you should do it.

jsdevel (Contributor, Author) commented on Apr 4, 2016

That's pretty much how I was thinking about it, but wanted to bring this up so others are aware. I'm working on an implementation for security and wanted to get an official clarification before making oauth2 and basic mutually exclusive.

webron (Member) commented on Apr 4, 2016

Right, but I don't see a need to add that to the spec itself as a restriction. Other than marking it as a potential best practices documentation plan, there's not much else to be done.

jsdevel (Contributor, Author) commented on Apr 4, 2016

Agreed! @MugeSo, based on this, I feel we can add a note in the README for express-openapi-security that states something to the effect that oauth2 and basic are mutually exclusive in practice but allowed by the spec.

webron (Member) commented on Apr 4, 2016

Parent: #589.

Labels added on Jan 29, 2024: clarification (requests to clarify, but not change, part of the spec); security: auth (authentication, including overlap with authorization).

Metadata

Labels: clarification (requests to clarify, but not change, part of the spec); security; security: auth (authentication, including overlap with authorization)
Assignees: none. Type: none. Projects: none. Milestone: none. Relationships: none. Development: no branches or pull requests.

Participants: @webron, @handrews, @jsdevel

          oauth and basic security are allowed to be used together. · Issue #620 · OAI/OpenAPI-Specification