Clarity on how to handle optional security #3426

Closed
RobbeSneyders opened this issue Oct 31, 2023 · 2 comments

@RobbeSneyders

We're wondering how to handle the following specification in connexion.

security:
- api_key: []
- {}
components:
  securitySchemes:
    api_key:
      type: apiKey
      name: X-Auth
      in: header
      x-apikeyInfoFunc: app.apikey_auth

If the user sends an invalid API key, should this request be accepted because security is optional, or rejected because the request is invalid according to the api_key security scheme?

When reading the specification to the letter, these schemes should be applied in an OR fashion, so the request should be accepted. However, from the user side, it probably makes more sense to alert them of the invalid API key and reject the request.

Related: #1698

@darrelmiller
Member

I don't believe OpenAPI has an opinion on the right response here. I would agree with you that a caller that sends an api key is likely to be intending it to be a valid key and would expect an error if it isn't valid. However, I don't think OpenAPI should make this choice for the API provider.

@RobbeSneyders
Author

Ok thanks for the response!
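
The two behaviours discussed in this thread, side by side, as an added example that is not part of the thread and not connexion's implementation. `Policy`, `check_scheme`, `authorize` and the key table are hypothetical names with constructed data; only the security requirement and the `X-Auth` header come from the issue.

```python
from enum import Enum

class Policy(Enum):                      # hypothetical names, not connexion's API
    STRICT_OR = 1                        # any satisfied alternative admits the request
    REJECT_PRESENTED_INVALID = 2         # a credential that was sent must validate

# The security requirement from the issue: api_key OR anonymous ({}).
SECURITY = [{"api_key": []}, {}]
SCHEMES = {"api_key": {"type": "apiKey", "name": "X-Auth", "in": "header"}}
VALID_KEYS = {"constructed-valid-key": "alice"}   # constructed sample data

def check_scheme(name, headers):
    """Return (presented, identity); identity is None when missing or invalid."""
    value = headers.get(SCHEMES[name]["name"].lower())
    if value is None:
        return False, None
    return True, VALID_KEYS.get(value)

def authorize(headers, policy):
    """Return (status, identity); identity None with 200 means anonymous."""
    headers = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    presented_invalid = anonymous_allowed = False
    for requirement in SECURITY:
        if not requirement:              # {} is the "no credentials" alternative
            anonymous_allowed = True
            continue
        results = [check_scheme(n, headers) for n in requirement]
        if all(identity is not None for _, identity in results):
            return 200, results[0][1]    # every scheme in this alternative passed
        if any(sent and identity is None for sent, identity in results):
            presented_invalid = True
    if presented_invalid and policy is Policy.REJECT_PRESENTED_INVALID:
        return 401, None
    return (200, None) if anonymous_allowed else (401, None)
```

Under `STRICT_OR` the handler has to treat an identity of `None` as anonymous even though an `X-Auth` header was on the request, and logging the failed key check keeps repeated invalid keys visible to operators.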
