test/resources/security.yaml

openapi: "3.0.2"
info:
  version: 1.0.0
  title: requestBodies $ref
  description: requestBodies $ref Test

servers:
  - url: /v1/

paths:
  /apikey_and_bearer_or_basic:
    get:
      security:
        - ApiKeyAuth: []
          BearerAuth: []
        - BasicAuth: []
      responses:
        "200":
          description: OK
        "401":
          description: unauthorized

  /no_security:
    get:
      responses:
        "200":
          description: OK

  /api_key:
    get:
      security:
        - ApiKeyAuth: []
      responses:
        "200":
          description: OK
        "401":
          description: unauthorized

  /api_key_or_anonymous:
    get:
      security:
        # {} means anonyous or no security - see https://github.com/OAI/OpenAPI-Specification/issues/14
        - {}
        - ApiKeyAuth: []
      responses:
        "200":
          description: OK
        "401":
          description: unauthorized

  # This api key with scopes should fail validation and return 500
  # scopes are only allowed for oauth2 and openidconnect
  /api_key_with_scopes:
    get:
      security:
        - ApiKeyAuth: ["read", "write"]
      responses:
        "200":
          description: OK
        "401":
          description: unauthorized

  /bearer:
    get:
      security:
        - BearerAuth: []
      responses:
        "200":
          description: OK
        "401":
          description: unauthorized

  /basic:
    get:
      security:
        - BasicAuth: []
      responses:
        "200":
          description: OK
        "401":
          description: unauthorized

  /cookie_auth:
    get:
      security:
        - CookieAuth: []
      responses:
        "200":
          description: OK
        "401":
          description: unauthorized

  /oauth2:
    get:
      security:
        - OAuth2:
            - scope1
            - scope2
      responses:
        "200":
          description: OK
        "401":
          description: unauthorized

  /openid:
    get:
      security:
        - OpenID:
            - scope1
            - scope2
      responses:
        "200":
          description: OK
        "401":
          description: unauthorized

components:
  securitySchemes:
    BasicAuth:
      type: http
      scheme: basic
    BearerAuth:
      type: http
      scheme: bearer
    ApiKeyAuth:
      type: apiKey
      in: header
      name: X-API-Key
    CookieAuth:
      type: apiKey
      in: cookie
      name: JSESSIONID # cookie name
    OpenID:
      type: openIdConnect
      openIdConnectUrl: https://example.com/.well-known/openid-configuration
    OAuth2:
      type: oauth2
      flows:
        authorizationCode:
          authorizationUrl: https://example.com/oauth/authorize
          tokenUrl: https://example.com/oauth/token
          scopes:
            read: Grants read access
            write: Grants write access
            admin: Grants access to admin operations