New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Combination security scheme #944
Conversation
I vote for "oneOf" (exactly one) instead of "anyOf" (one or more). A consumer program which can work with more than one, may choose to do so and override inputs (e.g. header) and possibly cause conflicts. |
As mentioned here, having the combination scheme, I suggest deprecating the Array type for Having different ways to define AND combination (or anything for that matter) reduces usability and makes it harder for applications to adopt Thing Descriptions. |
The text really needs an example. (edit: there are two now) Farshid (@farshidtz) has one here, which I extract below:
Note this uses the suggested "oneOf" syntax (which I agree with and intend to change). As an additional idea, if we allow the "inline security definitions" to also be used for "oneOf" and "allOf", then we could dispense with the names and securityDefinition and do things like:
|
So I had another thought about how to make this more compact, related to a point raised in the Security TF meeting today about "why don't we just have oneOf/allOf by themselves". I realized this IS possible if we put them at the same level as the "scheme" element and get rid of the special pseudo-scheme "combination". Basically, in a SecurityScheme object you would use one of "scheme", "oneOf", or "allOf". This essentially inlines and combines the data schema for the "combination" pseudo-scheme into the SecurityScheme object itself (although it further complicates the variant record issue...). Anyhow, here are the examples above rewritten to use that approach:
And if we allow the "inline security definitions":
In short, nice and compact, but I think we'll have to check whether we can write a JSON Schema that can validate it. (edit: confirmed that JSON schema is possible, but need two variants of the combination schema, one for "oneOf" and another for "allOf") |
Farshid (@farshidtz) also proposed deprecating the current syntax where an array in "security" means an "allOf" combination. There are two reasons to do this:
To my mind 2 is the bigger problem, since it is likely to confuse people with an OpenAPI background. Note that "deprecation" means in the 1.1 spec we would say "NOT RECOMMENDED" and would only remove it in TD 2.0 (since it would break backward compatibility). However, with the compact proposed syntax, there is a simple equivalence:
would be exactly equivalent to
The second form is slightly more verbose but is clearer. |
Upon reflection, I realized the proposed "compact" syntax w/o "scheme" would cause a compatibility problem in the 1.x version of the spec since "scheme" is mandatory. Omitting it would break TD 1.x processors that expect it. So what I propose doing is introducing this in several steps:
|
I made a bunch of improvements following the discussion above:
The PR has also been updated to add appropriate definitions to the ontology and validation files, including to the JSON schema, and to make the comments in the ontology definitions consistent with the edits in index.template.html. Still an issue with defining the "only one of oneOf or allOf" in the shape definitions, however; marked with FIXME. Also fixed some typos and respec issues. |
Please feel free to re-review! I'll leave it in draft status for now though until we do a group review in the next Security TF call. |
In Sept 2 TD call, it was suggested to add certain constraints such as prohibiting nested CombinationSecurityScheme, for example. It was also pointed out that we need to ask for some implementation experience first, especially on Consumer side. In the coming PlugFest, we should ask implementers to experiment with Combination security scheme. There is a mashup of microservices use case on producer (or proxy) side for Combination security scheme. Consumer can use a security scheme from "oneOf" from the Combination security scheme. |
Marked as draft because I have to add one more assertion to prevent recursive use (to simplify testing). |
from today's TD call:
|
from today's TD call:
|
Addresses: #901
A security scheme that allows other security scheme definitions to be combined using either "any" or "all" combinations. The "anyOf" and "allOf" elements are meant to be similar to the corresponding data schema definitions (which is why I used these terms instead of the "and" and "or" terms discussed in the linked issue).
Things to discuss:
Preview | Diff