museum-openapi-example icon indicating copy to clipboard operation
museum-openapi-example copied to clipboard

Published 20 hours ago verified publisher icon Redocly

Consider `oauth2` or `openIdConnect` authentication over HTTP `basic` auth

Open DavidBiesack opened this issue 1 year ago • 1 comments
trafficstars

Thank you for offering a new example for OpenAPI!

It is widely understood that APIs should avoid HTTP Basic Auth, which is inherently insecure. I recommend revising the Museum OpenAPI example to use a more secure security scheme.

  1. use oauth2 security scheme (with authorizationCode flow and with specific read and write scopes -- scope names left to implementors) or openIdConnect security scheme
  2. change the default security requirement to be a reference to that security scheme (not basic auth) and use a read scope
  3. operations that require write access should not use the default security, but use an explicit operation-level security requirement with write or other scope.

DavidBiesack avatar Mar 31 '24 22:03 DavidBiesack

It would be nice if we mocked this too.

adamaltman avatar Apr 15 '24 16:04 adamaltman