Swagger v2: Security requirement interpretation: AND vs OR


Willem Salembier

Feb 15, 2018, 4:00:15 AM
to Swagger
I'm currently in a discussion with a product vendor on the correct interpretation of the security requirement element in Swagger v2. 

What's the correct interpretation of this security requirement defined globally? 


"security": [{"petstore_auth": ["write:pets","read:pets"]}]


"petstore_auth" is of type oauth2. According to the specification, I would say both scopes are required (logical AND) to invoke any resources in the API.

If the security scheme is of type "oauth2", then the value is a list of scope names required for the execution. For other security scheme types, the array MUST be empty.

"list of scope names required for the execution" is to be interpreted as *all* scopes required for the execution, correct?


Imagine we would globally like to define that any one of the scopes is required (we can always refine the scopes at resource level). I suppose the correct configuration in that case must be:


"security": [
  {"petstore_auth": ["write:pets"]},
  {"petstore_auth": ["read:pets"]}
]

This is what I understand from the specification of "security": A declaration of which security schemes are applied for the API as a whole. The list of values describes alternative security schemes that can be used (that is, there is a logical OR between the security requirements). Individual operations can override this definition.


Thanks for your clarifications

Ron Ratovsky

Feb 15, 2018, 1:48:17 PM
to swagger-sw...@googlegroups.com

Yup, it’d be a logical AND.

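The rule the thread settles on (one Security Requirement Object is a logical AND over its schemes and, for oauth2, over its scopes; the array of objects is a logical OR; an operation-level "security" overrides the global one; non-oauth2 schemes must carry an empty scope array) is easy to get backwards in an API gateway or authorization middleware. Below is an added example, written for this page and not code from the thread or from the Swagger project, that evaluates a Swagger 2.0 security array against the scopes a caller actually presented. The spec dictionary, the scheme named api_key, the admin scope, the /admin/reindex path and all function names are constructed for the example.

```python
"""Evaluate a Swagger 2.0 ``security`` array against the caller's credentials.

Added example (not from the thread or the Swagger project). Semantics:
  * one Security Requirement Object: every scheme it names must be satisfied,
    and for an oauth2 scheme every listed scope must be present (logical AND);
  * the array of requirement objects: any single object suffices (logical OR);
  * an operation-level ``security`` array replaces the global one;
  * for non-oauth2 schemes the scope array MUST be empty (spec requirement).
"""
from typing import Dict, List, Set

SecurityRequirement = Dict[str, List[str]]

# Constructed sample spec (not the real Petstore spec), trimmed to what matters.
SPEC = {
    "swagger": "2.0",
    "securityDefinitions": {
        "petstore_auth": {
            "type": "oauth2", "flow": "implicit",
            "authorizationUrl": "https://example.test/oauth/dialog",  # placeholder
            "scopes": {"write:pets": "modify pets", "read:pets": "read pets",
                       "admin": "administer the store"},
        },
        "api_key": {"type": "apiKey", "name": "api_key", "in": "header"},
    },
    # Global: ONE object with two scopes -> both scopes required (AND).
    "security": [{"petstore_auth": ["write:pets", "read:pets"]}],
    "paths": {
        "/pets": {
            # Override: TWO objects -> either scope is enough (OR).
            "get": {"security": [{"petstore_auth": ["write:pets"]},
                                 {"petstore_auth": ["read:pets"]}]},
            # No operation-level security -> inherits the global AND.
            "post": {},
        },
        "/admin/reindex": {
            # One object naming two schemes -> api_key AND the admin scope.
            "post": {"security": [{"api_key": [], "petstore_auth": ["admin"]}]},
        },
    },
}


def requirement_satisfied(req: SecurityRequirement,
                          schemes: Dict[str, dict],
                          granted: Dict[str, Set[str]]) -> bool:
    """AND over every scheme named in a single requirement object.

    ``granted`` maps scheme name -> scopes the caller proved (an empty set for
    a non-oauth2 scheme that was presented, e.g. an API key header).
    """
    for scheme_name, scopes in req.items():
        definition = schemes.get(scheme_name)
        if definition is None:
            raise ValueError(f"undefined security scheme: {scheme_name}")
        if definition["type"] != "oauth2" and scopes:
            raise ValueError(f"{scheme_name}: scope array MUST be empty for "
                             f"type {definition['type']}")
        if scheme_name not in granted:
            return False  # caller did not authenticate with this scheme at all
        # oauth2: every listed scope must be in the token (AND, not OR)
        if not set(scopes).issubset(granted[scheme_name]):
            return False
    return True


def is_authorized(security: List[SecurityRequirement],
                  schemes: Dict[str, dict],
                  granted: Dict[str, Set[str]]) -> bool:
    """OR over requirement objects; an empty array means no auth required."""
    if not security:
        return True
    return any(requirement_satisfied(req, schemes, granted) for req in security)


def effective_security(spec: dict, path: str, method: str) -> List[SecurityRequirement]:
    """Operation-level ``security`` (even an empty list) overrides the global one."""
    operation = spec["paths"][path][method.lower()]
    return operation.get("security", spec.get("security", []))


def check(spec: dict, path: str, method: str, granted: Dict[str, Set[str]]) -> bool:
    """Authorization decision for one request against one spec."""
    return is_authorized(effective_security(spec, path, method),
                         spec["securityDefinitions"], granted)


if __name__ == "__main__":
    read_only = {"petstore_auth": {"read:pets"}}
    print("GET /pets with read:pets only :", check(SPEC, "/pets", "get", read_only))   # OR -> True
    print("POST /pets with read:pets only:", check(SPEC, "/pets", "post", read_only))  # AND -> False
```

Two practical notes. First, the override is keyed on the presence of the "security" member, so an operation that declares `"security": []` deliberately opts out of the global requirement; a gateway that treats an empty array as "fall back to global" silently changes the API's access policy. Second, because the check for the two-scope global object is `issubset`, a token carrying only read:pets is rejected for POST /pets but accepted for GET /pets, which is exactly the AND-versus-OR distinction the thread is about.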
