
OpenAPI allows you to specify various security schemes for authentication and authorization: basic auth, OAuth 2.0, etc. Among them is the simple scheme of having a token or key sent in a specific cookie header field: Cookie Authentication.

A cookie auth scheme can look like this according to the example on the Swagger page:

components:
  securitySchemes:
    cookieAuth:         # arbitrary name for the security scheme
      type: apiKey
      in: cookie
      name: JSESSIONID  # cookie name

I'm wondering about the used type attribute. According to the latest OAS 3.0.2 spec the type attribute is

  • a string
  • required
  • valid values are apiKey, http, oauth2, openIdConnect.

But can someone actually let me know what these different types actually mean? Is the idea here to just reuse the apiKey type, even if the key/token in question is not an actual API key?

fgysin

1 Answer


Is the idea here to just reuse the apiKey type... ?

Yes.

The term "API key" is pretty generic and refers to "some kind of a token that identifies the consumer" - this includes authentication cookies.

Helen
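How a server-side check can handle an `apiKey` scheme the same way whether the credential arrives in a cookie, a header or a query parameter, as an added example that is not part of the original question or answer. The `headerAuth` and `queryAuth` schemes, their parameter names, the host and all token values are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed scheme definitions: cookieAuth mirrors the YAML in the question,
# headerAuth and queryAuth are hypothetical variants added for comparison.
SECURITY_SCHEMES = {
    "cookieAuth": {"type": "apiKey", "in": "cookie", "name": "JSESSIONID"},
    "headerAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
    "queryAuth": {"type": "apiKey", "in": "query", "name": "api_key"},
}


def extract_api_key(scheme, url, headers):
    """Return the credential an apiKey scheme points at, or None if absent."""
    if scheme.get("type") != "apiKey":
        raise ValueError("not an apiKey scheme")
    name, location = scheme["name"], scheme["in"]
    # HTTP header names are case-insensitive, so normalise them once.
    lowered = {k.lower(): v for k, v in headers.items()}
    if location == "header":
        return lowered.get(name.lower())
    if location == "query":
        values = parse_qs(urlsplit(url).query).get(name)
        return values[0] if values else None
    if location == "cookie":
        # Cookie names are case-sensitive, unlike header names.
        jar = SimpleCookie()
        jar.load(lowered.get("cookie", ""))
        return jar[name].value if name in jar else None
    raise ValueError(f"unsupported location: {location!r}")


def is_authenticated(scheme, url, headers, valid_tokens):
    """Reject requests whose credential is missing, empty or unknown."""
    token = extract_api_key(scheme, url, headers)
    return bool(token) and token in valid_tokens
```
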