The "body" location value for security schemes is underspecified #1037
Comments
mmccool
changed the title
mmccool
added
Security
security-needs-resolution
|
One option here is to allow use of "name" for "body" to allow identification of a data schema element. Note however this is not currently a required element for body (so we can't make it mandatory without breaking backward compatibility in 1.1). Also, "name" is only one element, so does not allow for multiple values. Another approach would be to annotate the data schema with semantic types to identify the keys, client ids, and so forth, which might also be applicable to the uri template location mechanism. |
|
to refer to the specific parts of the body, we can use JSON Pointers |
mmccool
added
Propose closing
|
Propose closing, BUT maybe want to follow up on JSON Pointers idea mentioned by Ege. Issue is "name" needs to refer to a particular element of a data schema (but, over several different data schemas, so would be relative to the top of each schema). A small edit to the current spec that says the name is a JSON Pointer relative to the top of the data schema might be appropriate. I can do a PR if people agree, and then we can close this. |
w3cbot
added
the
security-needs-resolution
sebastiankb
removed
the
Propose closing
plehegar
added
security-tracker
When a security key is embedded in the body of a message (eg as a POST) it will typically be part of a larger structured payload, so a data schema is required and the identification of a particular element in that schema as the key (or other elements, there might be more than one, i.e. a client id AND a key) is needed. This needs to be clarified in the definition of the "body" location specifier in security schemes.
The text was updated successfully, but these errors were encountered: