
I'm developing validation against a swagger schema. I have a question regarding multiple authentications, imagine I have a security block

    security:
      - header
      - cookie

Logic is like this - parse a user request, and put header/cookie inside some hashmap/dict V.

  • If a user has provided no header/cookie - return an error
  • If a user has provided only the header, add the header value to V, V["header"] = request.header.value
  • If a user has provided only the cookie, add the cookie value to V, V["cookie"] = request.cookie.value

But what should I do if a user has provided both cookie and header? Should I return an error (oneOf), or put only the header into V (depending on the order in security), or put both header and cookie into V, or does it depend on the application logic?

I have read https://swagger.io/docs/specification/authentication/, but it is still unclear to me.

  • Putting it as a comment as I am not 100% sure, but I'd say it depends on your application needs. The `OpenAPI` specification allows you to enforce an `AND` or an `OR` for authentication, but (as far as I know) leaves open whether to allow only 1 or more auth types internally. You could always return a `Bad Request` response. – Guillem Vicens Dec 09 '19 at 12:40
  • FYI this is being discussed in the OpenAPI Specification repository here: https://github.com/OAI/OpenAPI-Specification/issues/1698 – Helen Dec 10 '19 at 11:25
  • Related (or duplicate): [Swagger/OpenAPI multiple security requirements and side effects?](https://stackoverflow.com/q/42679595/113116) – Helen Dec 10 '19 at 11:26
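To make the two cases the question and the first comment distinguish concrete, here is an added Python example (not code from the question or from any OpenAPI tooling). In an OpenAPI document each entry of the `security` list is a requirement object mapping scheme names to scopes (so `- header` is really `- header: []`); the list is an OR of alternatives and each object is an AND of the schemes it names. The scheme definitions `SECURITY_SCHEMES`, the header name `X-API-Key`, the cookie name `session` and the `reject_ambiguous` flag are assumptions constructed for this example: the flag implements the "return an error when both are present" option the question asks about, which is a local policy choice rather than spec behaviour.

```python
"""Evaluate an OpenAPI ``security`` block against a parsed request and build
the dict V from the question. Added example; scheme names and request shape
are constructed for illustration."""


class AuthError(Exception):
    """Raised when no security requirement is satisfied (or, in strict mode,
    when more than one alternative is)."""


# Constructed securitySchemes in OpenAPI apiKey shape (names are hypothetical).
SECURITY_SCHEMES = {
    "header": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
    "cookie": {"type": "apiKey", "in": "cookie", "name": "session"},
}

# The question's block, written out the way OpenAPI actually expects it:
# a list of requirement objects (OR across the list) ...
OR_SECURITY = [{"header": []}, {"cookie": []}]
# ... versus one object naming both schemes (AND inside the object).
AND_SECURITY = [{"header": [], "cookie": []}]


def _lookup(scheme, request):
    """Return the credential the request carries for one scheme, or None.

    ``request`` is a plain dict with optional ``headers`` and ``cookies`` maps,
    standing in for the parsed user request."""
    key = scheme["name"]
    if scheme["in"] == "header":
        return request.get("headers", {}).get(key)
    if scheme["in"] == "cookie":
        return request.get("cookies", {}).get(key)
    raise ValueError("unsupported apiKey location: %s" % scheme["in"])


def collect_credentials(security, request, schemes=SECURITY_SCHEMES,
                        reject_ambiguous=False):
    """Build V for the first requirement object the request satisfies.

    Requirement objects are tried in document order. An object is satisfied
    only if every scheme it names is present (AND); the first satisfied object
    wins (OR) and only its values are copied into V, so with OR_SECURITY a
    request carrying both credentials yields just the header value. An empty
    object ``{}`` is satisfied by any request, matching OpenAPI's "optional
    auth" idiom. ``reject_ambiguous`` is a local policy: when set, a request
    that satisfies more than one alternative is refused instead of picking
    the first, which is the "oneOf" behaviour the question considers."""
    satisfied = []
    for requirement in security:
        values = {}
        for scheme_name in requirement:
            value = _lookup(schemes[scheme_name], request)
            if value is None:
                break  # a missing scheme fails this whole object
            values[scheme_name] = value
        else:
            satisfied.append(values)  # loop ran to completion: object satisfied
    if not satisfied:
        raise AuthError("no security requirement satisfied")
    if reject_ambiguous and len(satisfied) > 1:
        raise AuthError("request satisfies more than one security alternative")
    return satisfied[0]


if __name__ == "__main__":
    # Constructed request carrying both credentials.
    both = {"headers": {"X-API-Key": "h-123"}, "cookies": {"session": "c-456"}}
    print("OR, both present :", collect_credentials(OR_SECURITY, both))
    print("AND, both present:", collect_credentials(AND_SECURITY, both))
    try:
        collect_credentials(OR_SECURITY, both, reject_ambiguous=True)
    except AuthError as exc:
        print("OR, strict       :", exc)
```

With `OR_SECURITY` the first alternative in document order is what ends up in V, so whether "header wins" or "cookie wins" is decided by how the `security` list is ordered; with `AND_SECURITY` both values are required and both land in V; the strict mode is the only variant that errors on a request carrying both.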
