Support for Proxy-Authorization in http security scheme

[SakerGT]

Hi - the OpenAPI 3.0.3 specification implies here that for the http security scheme only Authorization header from RFC7235 may be used to supply credentials, such as a bearer token. Would it be at all possible to include support for Proxy-Authorization (without the need to use a specification extension)? The use case is to supply separate proxy and target credentials in one API request.

[MikeRalphson]

See https://tools.ietf.org/html/rfc7235#section-4.4 - theoretically adding a proxyAuth: true or similar flag property to any securityScheme would seem to be enough to indicate that it should use the Proxy-Authorization header instead of Authorization. We would need some wording to ensure only one such header was generated even in the case of combinations of optional securitySchemes.

@darrelmiller / @isamauny thoughts?

[SakerGT]

Thanks for looking at this @MikeRalphson

Just to expand on the issue - in our particular example we have both proxy and API credentials we need to supply. The model looks like this:
Client -> Proxy -> API

There are two different credentials required, one for the proxy and one for the API. We need to pass a request like:

GET /protected/resource
Proxy-Authorization: <proxy-credentials>
Authorization: Bearer <token>

Per the RFC section you referenced, the proxy consumes the Proxy-Authorization header and does not pass this to the API. However, the API still requires credentials, so Authorization header is passed to the API to ensure the API can authenticate the client (or user as the case may be).

It would be great if adding proxyAuth: true meant Proxy-Authorization header was required in addition to, rather than instead of, Authorization.