Incorrect default value for OpenApiSecurityScheme.In when using "http" type with "bearer" scheme #1843

Open
@HavenDV

Describe the bug
When defining an OpenApiSecurityScheme of type http with the scheme bearer, the default value for In is set to Query instead of Header. According to the OpenAPI Specification, header should be the implied default when the type is http and the scheme is bearer.

OpenApi File To Reproduce

openapi: 3.0.0
info:
  title: Minimal API
  version: 1.0.0
paths:
  /example:
    get:
      summary: Example endpoint
      security:
        - Bearer: []
      responses:
        '200':
          description: Successful response
components:
  securitySchemes:
    Bearer:
      type: http
      scheme: bearer

Expected behavior
The default value for OpenApiSecurityScheme.In should be Header when the type is http and the scheme is bearer, aligning with the OpenAPI Specification’s default behavior.

Additional context
This issue causes incorrect behavior when generating clients or code based on the OpenAPI definition, as the security token is expected to be sent as a query parameter instead of the Authorization header.
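
One way a consumer of the parsed model can guard against the behaviour reported above, as an added example (not code from the issue or from the library): decide where the credential goes from `Type` first and consult `In` only for `apiKey` schemes. It assumes the `Microsoft.OpenApi.Models` types with a non-nullable `In` property, as the report describes; `CredentialPlacement` and `SecuritySchemePlacement` are hypothetical names.

```csharp
using System;
using Microsoft.OpenApi.Models;

// Hypothetical enum for this example: where generated code should put the credential.
public enum CredentialPlacement { AuthorizationHeader, NamedHeader, NamedQuery, NamedCookie, NotSpecifiedByIn }

public static class SecuritySchemePlacement
{
    // Hypothetical helper: never trust In unless the scheme type actually defines it.
    public static CredentialPlacement Resolve(OpenApiSecurityScheme scheme)
    {
        switch (scheme.Type)
        {
            case SecuritySchemeType.Http:
                // "scheme" names an HTTP Authorization scheme (basic, bearer, ...),
                // so the credential always travels in the Authorization header.
                return CredentialPlacement.AuthorizationHeader;
            case SecuritySchemeType.ApiKey:
                // "in" is defined only for apiKey; valid values are header, query, cookie.
                return scheme.In switch
                {
                    ParameterLocation.Header => CredentialPlacement.NamedHeader,
                    ParameterLocation.Query => CredentialPlacement.NamedQuery,
                    ParameterLocation.Cookie => CredentialPlacement.NamedCookie,
                    _ => throw new InvalidOperationException($"apiKey scheme cannot use in: {scheme.In}")
                };
            default:
                // oauth2 / openIdConnect do not use "in"; a defaulted In value must be ignored.
                return CredentialPlacement.NotSpecifiedByIn;
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed input: the model the issue's YAML produces, with In never assigned.
        var bearer = new OpenApiSecurityScheme { Type = SecuritySchemeType.Http, Scheme = "bearer" };
        // Constructed input: an apiKey scheme that explicitly asks for a query parameter.
        var apiKey = new OpenApiSecurityScheme
        {
            Type = SecuritySchemeType.ApiKey, Name = "api_key", In = ParameterLocation.Query
        };
        Console.WriteLine($"bearer: raw In = {bearer.In}, resolved = {SecuritySchemePlacement.Resolve(bearer)}");
        Console.WriteLine($"apiKey: raw In = {apiKey.In}, resolved = {SecuritySchemePlacement.Resolve(apiKey)}");
    }
}
```

Because `In` is non-nullable in this model, an `apiKey` scheme that omits `in` is indistinguishable from one that requests `query`, so validate the source document separately if that case matters.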
