Add security to the components object

[djpadz]

Consider this snippet:

components:
  securitySchemes:
    jwt:
      type: apiKey
      in: cookie
      name: JWT_TOKEN
    apiToken:
      type: http
      scheme: bearer
    httpBasic:
      type: http
      scheme: basic

If I want a set of requests to support each of these authentication methods in turn, I would have to add something like:

    security:
    - jwt: []
    - apiToken: []
    - httpBasic: []

...to each one. It would be far easier if the components object supported a security section, something like this:

components:
  security:
    myAuths:
    - jwt: []
    - apiToken: []
    - httpBasic: []

...so that requests could just include:

    security:
      $ref: '#/components/security/myAuths'

[darrelmiller]

You could define the security constraints in the root object and then override it on a per operation basis where necessary.

[djpadz]

True, but the components object includes most of the other bits. Might as well include security.

[darrelmiller]

@djpadz Yes, but most other components don't have top level objects that apply globally. Having an API where the security schemes vary significantly across the API doesn't seem like desirable behavior. Having an anonymous API with some specific operation auth'd seems normal, or the opposite where it is secured but with some anonymous exceptions seems normal.

Can you tell us more about your use case where you want to vary the types of auth allowed across your API? Our concern is about adding unnecessary complexity.

[djpadz]

In my particular use case, adding the security definition to the top level would work. The thought was more about allowing components to include anything that would go into a request, as opposed to selected things.

[handrews]

Consolidating under #3853 and closing