Multiple Security Schemes in Security Requirement Object

[stevendearborn]

The specification sates that: " ...
Lists the required security schemes to execute this operation. The object can have multiple security schemes declared in it which are all required (that is, there is a logical AND between the schemes).
..."
I would like to specify that exactly one of multiple/any OAuth 2.0 flows can be used to authenticate the user, but the spec states that these are AND-ed, for example API-key and OAuth Authorization Code flow.
How can I define a security scheme that includes: authorization code, implicit and password OAuth flows - all three are fine, just pick one?

[webron]

It is a bit confusing, but anything that's defined in a Security Requirement indeed has an AND between them. However, when you actually assign Security Requirements to the operations, there's an OR between those. So define one Security Requirement for each flow, and then mention them all in the array for the security.

See https://github.com/swagger-api/swagger-spec/blob/master/versions/2.0.md#swaggerSecurity.

[stevendearborn]

Thanks. I specified multiple security schemes for an operation. A couple of things.

1. As you "Authenticate" each scheme and use the "Try It" function, the online Swagger editor correctly fills in the headers for you, especially the Authorization header as "Basic" or "Bearer" - this is a great assist/affordance!
2. The online Swagger editor does not give any error for multiple security schemes for an operation, however the references to the second, third, etc on the list do not get resolved, resulting in a not used warning.

[stevendearborn]

OK - so those were other errors - ignore that screen capture!

[stevendearborn]

I removed all the warnings I created. When using the online Swagger editor, just choose the authentication methods you wish to use for one or more given operations. It will automatically fill these in for you.
The only problem is that there is no easy way to clear a previously set Authentication if for example you want to test that all methods work.

[webron]

That sounds like a ticket for the swagger-editor project then ;)

[stevendearborn]

Thanks for your help.