Optional scopes for required security scheme

[diogeneshamilton]

OAuth 2 doesn't have a restriction on scopes needing encompass a whole endpoint, so I'd like a way in Swagger to define an optional scope. For example, returning the user's email on the /users/{user_id} endpoint allows an optional access_email scope. I could create new security schemes for each combination, but that's pretty cumbersome, especially with 5-10 possible scope combinations.

[RobDolinMS]

@diogeneshamilton It looks like this issue hasn't been commented in a while. Is this still an issue?

[diogeneshamilton]

It looks to me like this is possible to document this type of behavior through multiple security scheme definitions, paired with multiple example responses, but unfortunately without it being more explicitly supported, there would not be a possibility of using tools like codegen to work with this type of security scheme.

At this point, the better solution is probably not to build an API with this functionality, if you're planning on using OpenAPI 🥇