Set security on an Operation will be wrong converted in yaml / json

[kswzr]

API Platform version(s) affected: 3.1.12

Description
Setting the security property on an Path Operation, will be wrong converted in a json / yaml. The output is an invalid openapi specification.

How to reproduce

#[ApiResource(
    operations: [
        new Get(
            uriTemplate: '/currencies/{id}',
            openapi: new Operation(
                operationId: 'getCurrency',
                summary: 'Get a currency',
                security: [
                    'JWT' => ['CURRENCY_READ']
                ]
            ),
            security: 'is_granted("CURRENCY_READ", object)',
            name: 'getCurrency',
        )
    ],
    normalizationContext: ['groups' => [self::READ]],
)]

Given output in yaml:

Possible Solution
I've already tried some solutions, but got in stuck with the OpenApiNormalizer and their cleanup method.
Here is a solution, how it is solved in Zircote's Openapi implementation: https://github.com/zircote/swagger-php/blob/9e009264d4ec92193934ac0abf6015cb3f908b04/src/Annotations/Operation.php#L203

[soyuka]

should probably be done at https://github.com/api-platform/core/blob/main/src/OpenApi/Serializer/OpenApiNormalizer.php

[vincentchalamon]

Hi @kswzr,

According to the specification (https://swagger.io/docs/specification/authentication/#security), the syntax must be as following (note the double array):

#[ApiResource(
    operations: [
        new Get(
            openapi: new Operation(
                security: [
                    [
                        'JWT' => ['CURRENCY_READ']
                    ],
                ]
            )
        )
    ]
)]

A test is done here to ensure this syntax is valid: #5861