Consider oauth2 or openIdConnect authentication over HTTP basic auth #9

Open
DavidBiesack opened this issue Mar 31, 2024 · 1 comment
Labels: help wanted (Extra attention is needed)

Comments

@DavidBiesack
Contributor

Thank you for offering a new example for OpenAPI!

It is widely understood that APIs should avoid HTTP Basic Auth, which is inherently insecure.
I recommend revising the Museum OpenAPI example to use a more secure security scheme.

  1. Use an oauth2 security scheme (with the authorizationCode flow and specific read and write scopes; scope names are left to implementors) or an openIdConnect security scheme.
  2. Change the default security requirement to be a reference to that security scheme (not basic auth) and use a read scope.
  3. Operations that require write access should not use the default security but should use an explicit operation-level security requirement with a write or other scope.
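The layout proposed in the three steps above, as an added example that is not part of the Museum API or of any OpenAPI project code. It models a minimal OpenAPI 3.x document as a Python dict (same shape as the YAML would have), shows how an operation-level `security` list interacts with the document-level default (per the OpenAPI specification the operation-level list replaces the default rather than merging with it), and adds a small lint that flags unsafe-method operations still running under the read-only default. The scheme name `MuseumOAuth`, the scope names `museum:read`/`museum:write`, the auth server URLs and the paths are illustrative assumptions, not the real Museum API.

```python
"""Added example: OAuth2 authorizationCode scheme with read/write scopes.

Not code from the Museum OpenAPI example or the OpenAPI project. The scheme
name, scope names, URLs and paths below are assumptions made for illustration.
"""

SCHEME = "MuseumOAuth"                       # assumed securitySchemes entry name
READ, WRITE = "museum:read", "museum:write"  # assumed scope names
SAFE_METHODS = {"get", "head", "options"}
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed OpenAPI document in the shape the comment recommends.
SPEC = {
    "openapi": "3.1.0",
    "info": {"title": "Museum API (example)", "version": "1.0.0"},
    "components": {
        "securitySchemes": {
            SCHEME: {
                "type": "oauth2",
                "flows": {
                    "authorizationCode": {
                        "authorizationUrl": "https://auth.example.com/authorize",
                        "tokenUrl": "https://auth.example.com/token",
                        "scopes": {
                            READ: "Read museum data",
                            WRITE: "Create, update or delete museum data",
                        },
                    }
                },
            }
        }
    },
    # Document-level default: read-only access for every operation.
    "security": [{SCHEME: [READ]}],
    "paths": {
        "/museum-hours": {
            "get": {"operationId": "getMuseumHours"},  # inherits the default
        },
        "/special-events": {
            "get": {"operationId": "listSpecialEvents"},
            # A write operation overrides the default with an explicit requirement.
            "post": {
                "operationId": "createSpecialEvent",
                "security": [{SCHEME: [WRITE]}],
            },
        },
        "/special-events/{eventId}": {
            # Override intentionally omitted so the lint below has something to catch.
            "delete": {"operationId": "deleteSpecialEvent"},
        },
    },
}


def effective_security(spec: dict, path: str, method: str) -> list:
    """Return the security requirement list that applies to one operation.

    An operation-level `security` key, when present, replaces the document-level
    list entirely (an empty list disables auth for that operation). When absent,
    the document-level default applies.
    """
    op = spec["paths"][path][method.lower()]
    if "security" in op:
        return op["security"]
    return spec.get("security", [])


def scopes_for(requirements: list, scheme: str) -> set:
    """Collect every scope the given scheme grants across a requirement list."""
    return {s for req in requirements for s in req.get(scheme, [])}


def find_unsafe_ops_without_write_scope(spec: dict, scheme: str = SCHEME,
                                        write: str = WRITE) -> list:
    """Lint rule: every operation on a non-safe HTTP method must require `write`.

    Returns sorted "METHOD path" strings for violations, so it can run in CI.
    """
    violations = []
    for path, item in spec["paths"].items():
        for method in item:
            if method not in HTTP_METHODS or method in SAFE_METHODS:
                continue
            if write not in scopes_for(effective_security(spec, path, method), scheme):
                violations.append(f"{method.upper()} {path}")
    return sorted(violations)


if __name__ == "__main__":
    print("GET /museum-hours ->", effective_security(SPEC, "/museum-hours", "get"))
    print("POST /special-events ->", effective_security(SPEC, "/special-events", "post"))
    print("violations:", find_unsafe_ops_without_write_scope(SPEC))
```

The lint exists because the replace-not-merge rule is the usual way this layout goes wrong: a new mutating operation added without its own `security` block silently falls back to the read-only default, and the document still validates. Running the check against the real YAML (load it with a YAML parser into the same dict shape) catches that before it ships.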
@lornajane lornajane added the help wanted Extra attention is needed label Apr 5, 2024
@adamaltman
Member

It would be nice if we mocked this too.


3 participants