Initial proposal for New Security Schemes

[whitlockjc]

This purpose of this proposal is to rethink how Security Schemes are defined in OpenAPI. This proposal would separate the credential location(s) from the Security Scheme type and would allow for complete control over dictating where the credential(s) are provided for a Security Scheme. This proposal will add a generic way to retrieve a credential from anywhere in a request, and allow any Security Scheme to dictate where its supported credential(s) are instead of relying on OpenAPI-supported conventions/opinions. This proposal also separates the credential location(s) details from the other configurations associated with the Security Scheme (like JWKS details for JWT).

[MikeRalphson]

Basically I feel this proposal is attempting to do several things (and gets caught up trying to be backwards compatible as well):

• allow (some) credentials in body and path
• allow JWTs with some type-specific config
• genericise credential locations and config

It's not clear to me why all these things are or need to be combined.

[MikeRalphson]

Unfortunately, the types supported by OpenAPI ... often tie the credential location to the Security Scheme type

Can you expand on why this is "unfortunate"? Type apiKey can already be located in any of query, header,cookie, and arguably if you try to put your Bearer token anywhere other than in an Authorization header, you are not doing oAuth2.

[whitlockjc]

The point was more about separating the credential location(s) from the Security Scheme type. API Key is the closest to allowing free-form credential locations while others do not. I can see where some Security Schemes where these are locked down, like OAuth 2.0 (while it uses Bearer Tokens, I don't think it supports them being in all locations a Bearer Token could be represented), but this separation is really a flexibility thing than just trying to support JWT.

[whitlockjc]

It would also be nice to have a way to describe a type not supported by OAS, where our locked-down types don't fit and a customer wants to still describe their security needs.

[MikeRalphson]

OpenAPI being so opinionated about these kinds things does not serve any real benefit to anyone involved

Unsure this is totally true. Tooling authors may appreciate the limited set of possibilities they have to support?

[whitlockjc]

It's subjective for sure but is focusing on the tooling authors more important than the consumers of OpenAPI? I think with a clean implementation, it shouldn't be too hard to support something like this as a fellow tooling author to another.

[MikeRalphson]

These multiple locations, are they AND or OR?

[whitlockjc]

I would suggest we do something like how the Security Requirements work now, which would allow for an AND or an OR. But in the case of having an AND of the same credential location, I can't think of a case where you'd say I want the same to credential to be supplied in multiple places at the same time.

[MikeRalphson]

Rather than express how to retrieve the credential using a regex, it may be more OAS-like to provide a template for how the credential should be constructed. Thus

format: ^[B|b][E|e][A|a][R|r][E|e][R|r] (.*)$

would become something like:

format: Bearer {credential}

PS: Header names are case-insensitive, but the "Bearer" string is not, so this regex can be simplified.

[whitlockjc]

I don't disagree. The main reason for using a regex example was to show how one might pick out a portion of a larger HTTP value, I'm not married to any specific implementation.

[MikeRalphson]

As a result of #2604 the filename for this proposal should change to use a dated prefix. Please could you update this PR to match? Apologies for the extra work.

[whitlockjc]

A few notes after presenting this to the Security SIG:

• I could see a case where the Credential Object might also allow for a credential property in place of a credentials property.
• I could see a case where OAS might have some pre-defined credential (or credential formats, like HTTP Auth)
• There may be a case where we might need to allow for more JWT claims described for the jwt Security Scheme (I know on the backend this could be useful but seeing as this isn't the intent, I am not sure there is a case for this but it came up in the meeting so we'll wait for examples.)

[kinlane]

I have republished @whitlockjc proposal within the security SIG, and copied the conversation thread from here over to an issue. We are going to work on the proposal over there in the security SIG repo, and when ready republish here as a formal proposal.

[ioggstream]

Added some preliminary notes.

[ioggstream]

if it's a regexp, I'd use pattern.

[whitlockjc]

I've dropped the ball on this, but since it's never been reasoned about, what should we do here?

[handrews]

Filed #3257 to revive and clarify our proposals process. Once we figure it out, we'll resolve this PR accordingly.

[darrelmiller]

Closing because the conversation is now happening in Moonwalk discussions OAI/sig-moonwalk#46