Describe the bug
There is no way of telling 'empty' from 'not defined' security requirement objects during deserialization,
i.e. no way of distinguishing these two different security requirement objects:
paths:
  /pets:
    post:
      responses:
        '201':
          description: Created
      security: []
    get:
      responses:
        '200':
          description: A paged array of pets
Why is this important?
The specification states the following for Operation Security:
"To remove a top-level security declaration, an empty array can be used."
i.e. security: []
However, it is expected that if security is not defined on an operation level, as in
get:
  responses:
    '200':
      description: A paged array of pets
the global security, defined on the top-level document object, is applied.
In the following spec
openapi: '3.0.0'
info:
  version: 1.0.0
  title: Swagger Petstore
  license:
    name: MIT
security:
  - Authorization:
      - readwrite
servers:
  - url: http://petstore.swagger.io/v1
paths:
  /pets:
    post:
      responses:
        '201':
          description: Created
      security: []
    get:
      responses:
        '200':
          description: A paged array of pets
components:
  securitySchemes:
    Authorization:
      type: http
      scheme: bearer
      bearerFormat: JWT
post deserialization, it is impossible to determine which security is actually applied to each of the two operations, as both security requirements are deserialized into the same value,
public IList<OpenApiSecurityRequirement> Security { get; set; } = new List<OpenApiSecurityRequirement>();
which ends up being empty in both cases.
The reason for this is most likely that during reading a new OpenApiSecurityRequirement() is created and, as this is a dictionary, there is no way of specifying a null key, so to speak.
The problem is that the semantics of the two operations are different in the spec.
To Reproduce
Deserialize the above spec.
Expected behavior
To have a way of differentiating the 2 scenarios (feasibly one would be empty, the other would be null).
Screenshots/Code Snippets
var input = @"openapi: '3.0.0'
info:
  version: 1.0.0
  title: Swagger Petstore
  license:
    name: MIT
security:
  - Authorization:
      - readwrite
servers:
  - url: http://petstore.swagger.io/v1
paths:
  /pets:
    post:
      responses:
        '201':
          description: Created
      security: []
    get:
      responses:
        '200':
          description: A paged array of pets
components:
  securitySchemes:
    Authorization:
      type: http
      scheme: bearer
      bearerFormat: JWT";
var document = new OpenApiStringReader().Read(input, out var diagnostics);
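The semantic difference the report hinges on can be checked directly from the document. The following is an added example, not code from the OpenAPI.NET library or from this issue: it models the spec rule (absent `security` inherits the document-level list, `security: []` explicitly disables authentication) and keeps the absent/empty distinction by testing for the key's presence instead of reading a default-constructed list. The Petstore document is embedded as constructed JSON so the script runs offline; the function names `effective_security`, `audit_security` and `anonymous_operations` are this example's own.

```python
import json

# Constructed sample input: the Petstore document from the issue, as JSON
# (OpenAPI allows JSON or YAML; JSON keeps this example dependency-free).
SPEC_JSON = r'''{
  "openapi": "3.0.0",
  "info": {"version": "1.0.0", "title": "Swagger Petstore", "license": {"name": "MIT"}},
  "security": [{"Authorization": ["readwrite"]}],
  "servers": [{"url": "http://petstore.swagger.io/v1"}],
  "paths": {
    "/pets": {
      "post": {"responses": {"201": {"description": "Created"}}, "security": []},
      "get":  {"responses": {"200": {"description": "A paged array of pets"}}}
    }
  },
  "components": {
    "securitySchemes": {
      "Authorization": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"}
    }
  }
}'''

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def effective_security(document, operation):
    """Security requirements that actually apply to one operation.

    Key absent  -> inherit the document-level `security` list.
    Key present -> the operation's own list; `[]` is the spec's way of saying
                   "no authentication required here", overriding the global list.
    """
    if operation.get("security") is not None:
        return operation["security"]
    return document.get("security", [])


def audit_security(spec_text):
    """Parse an OpenAPI JSON document and report, per operation, what was
    declared (None = not defined, [] = explicitly empty) and what is effective."""
    document = json.loads(spec_text)
    report = {}
    for path, path_item in document.get("paths", {}).items():
        for method, operation in path_item.items():
            if method not in HTTP_METHODS:
                continue  # skip `parameters`, `summary`, vendor extensions, etc.
            effective = effective_security(document, operation)
            report[f"{method.upper()} {path}"] = {
                # None vs [] is exactly the distinction the issue asks the model to keep
                "declared": operation.get("security"),
                "effective": effective,
                "anonymous": len(effective) == 0,
            }
    return report


def anonymous_operations(spec_text):
    """Operations reachable without any security requirement: the list a
    reviewer wants when `security: []` is used to opt endpoints out of auth."""
    return sorted(name for name, info in audit_security(spec_text).items()
                  if info["anonymous"])


if __name__ == "__main__":
    for name, info in audit_security(SPEC_JSON).items():
        print(name, info)
    print("anonymous:", anonymous_operations(SPEC_JSON))
```

Run against the constructed document, `POST /pets` reports `declared == []` and `anonymous == True`, while `GET /pets` reports `declared is None` with the inherited `Authorization` requirement. A model that collapses both into an empty list, as the `Security` property described above does, cannot produce the `anonymous_operations` list, which is the review output that matters when `security: []` is used to expose an endpoint without authentication.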