OpenAPI-Specification
OpenAPI-Specification copied to clipboard
OAI
security scheme apiKey in body form data parameter
It is possible to define a security scheme as
QueryKey:
type: apiKey
in: query
name: myparam
corresponding to
parameters:
- name: myparam
in: query
required: true
while the first approach adds the notion that the required parameter is related to security.
However there seems to be no way to define a security scheme about a required parameter in an application/x-www-form-urlencoded body adding the same security notion.
Can you clarify if this is a question or a feature request? If the former, no it's not currently possible. If the latter, do you have an actual API which uses an API key in a request body?
The question: Are there reasons against such a feature?
Regarding an actual API:
The OAuth2 token endpoint requires the client to authenticate via
- Basic Auth using
client_id:client_secret, OR - sending
client_idANDclient_secretparameters in thePOSTrequest
This could be specified as
components:
securitySchemes:
BasicAuth:
type: http
scheme: basic
ClientIdPost:
type: apiKey
in: ???
name: client_id
ClientSecretPost:
type: apiKey
in: ???
name: client_id
paths:
"/token":
post:
security:
- BasicAuth: []
- ClientIdPost: []
ClientSecretPost: []
There is already an oauth2 securityScheme type which encapsulates this logic, it's not necessary to use apiKey types for this.
I understand the type oauth2 securityScheme to indicate that an API user has to get an access token from the OAuth2 server as specified by the type oauth2 securityScheme.
But this does not help if you want to describe the API of the OAuth2 server itself using OpenAPI.
But this does not help if you want to describe the API of the OAuth2 server itself using OpenAPI.
Though oAuth2 operates over HTTP and can be said to have an API, I wonder whether it is itself an "HTTP API" within the meaning of the phrase used by the OpenAPI Specification, and there whether it is in scope here.
The OAuth2 token endpoint was just an example. There could, of course, be more (and maybe more appropriate ones).
Now, why can I specify a security scheme for a query parameter, but not a parameter in an application/x-www-form-urlencoded body?
My question, again: Are there reasons against such a feature? Is the answer to the question, that this security scheme would only apply to methods with defined message bodies, which would violate some (to me currently unknown) design principle for OpenAPI?
I would find this feature helpful. Mandrill is one example that expects the API key in a body parameter:
https://mandrillapp.com/api/docs/messages.curl.html#sts=/messages/search.json
@dylantack wrote: I would find this feature helpful. Mandrill is one example that expects the API key in a body parameter:
https://mandrillapp.com/api/docs/messages.curl.html#sts=/messages/search.json
My question was about an API key in an application/x-www-form-urlencoded body. But, of course, it can be extended to other content-types, like application/json as in the Mandrill example.
This seems related/ necessary for https://github.com/OAI/OpenAPI-Specification/issues/1875? Specifically the client authentication method using client_assertion and client_assertion_type are sent as a parameters in the body using application/x-www-form-urlencoded
To clarify, does this boil down to adding a new value for in in the Security Scheme Object to indicate that the API Key is in the body? Which is assumed to be ...form-urlencoded?
Another REST API that includes the ApiKey in the POST body is the NeoLoad Data Exchange API: https://documentation.tricentis.com/neoload/2024.1/en/content/apis/data_exchange_api_data_model.htm (see the "Create a session with an API Key" example).
