
I am implementing a code generator for Swagger/OpenAPI. However, I run into a problem implementing the security requirement. These requirements are defined as a list of objects. The list members are alternatives (or) and the object members are anded. For example:

 [ { a:[], b:{} }, { c:{}, d:{} } ]

This is supposed to result in (a && b) || (c && d)

However, implementing this I run into the problem that the actual security requirements have side effects:

  • OAuth2 - Must redirect if it fails
  • Basic – Must send an HTTP 401 Unauthorized status and a WWW-Authenticate header
  • ApiKey – whatever

However, since there is an or you cannot allow the first failure to set these side effects. It seems that you need to first try all combinations and then go back to the first and allow it to set the headers/result code?

Looking at the generators that are out there on http://editor.swagger.io/ I find most generators seem to ignore security and the Java generators seem to AND the combined list. In my example I see a && b && c && d.

So my questions are:

  • Is there a generator that properly implements OpenAPI security?
  • How to handle these side effects?
Peter Kriens
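An added sketch, not part of the original post and not taken from any Swagger generator: one way to keep the OR-of-AND semantics is to split each scheme into a side-effect-free check and a separate challenge, and to emit a single challenge only after every alternative has failed. The scheme names, header names, sample credentials and the policy of answering with the first failing scheme of the first alternative are assumptions, and scope lists are ignored.

```python
import base64, hmac
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)

@dataclass
class Scheme:
    check: Callable[[dict], bool]      # pure: reads request headers, sets nothing
    challenge: Callable[[], Response]  # the scheme's side effect, built on demand

# Constructed sample credentials; every name below is an assumption.
USERS, API_KEYS, TOKENS = {"alice": "s3cret"}, {"k-123"}, {"tok-abc"}

def _auth(headers: dict, kind: str) -> Optional[str]:
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    return value if scheme == kind else None

def basic_ok(headers: dict) -> bool:
    try:
        raw = base64.b64decode(_auth(headers, "Basic") or "", validate=True)
        user, _, password = raw.decode().partition(":")
    except ValueError:                 # bad base64 or bad UTF-8
        return False
    return user in USERS and hmac.compare_digest(
        USERS[user].encode(), password.encode())

SCHEMES = {
    "basic": Scheme(basic_ok, lambda: Response(
        401, {"WWW-Authenticate": 'Basic realm="api"'})),
    "oauth2": Scheme(lambda h: _auth(h, "Bearer") in TOKENS,
                     lambda: Response(302, {"Location": "/login"})),
    "apikey": Scheme(lambda h: h.get("X-API-Key") in API_KEYS,
                     lambda: Response(401)),
}

def authorize(requirements: list, headers: dict) -> Optional[Response]:
    """None when authorized, else the single failure response to send."""
    first_failure = None
    for alternative in requirements:   # list members are alternatives (OR)
        failed = [n for n in alternative if not SCHEMES[n].check(headers)]
        if not failed:                 # every member passed (AND)
            return None
        first_failure = first_failure or failed[0]
    if first_failure is None:          # empty list: nothing required
        return None
    return SCHEMES[first_failure].challenge()  # side effect happens only here
```
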
