
Support for scopes in scheme bearer #2407

Closed
vivas6 opened this issue Nov 12, 2020 · 6 comments

Comments

@vivas6

vivas6 commented Nov 12, 2020

Hi,
A JWT-based access token (bearer) can contain scopes like read_pets, write_pets etc. that could be used to authorize an API request from an app. Why doesn't the OpenAPI spec talk about scopes for scheme: bearer? Shouldn't this be described in the spec, as it is a widely used pattern for API authN & authZ?

e.g.

```yaml
security:
  - bearerAuth: [read:pets, write:pets]
```

/Vineeth

@MikeRalphson
Member

This will be supported in OAS 3.1. All securityScheme types may have scopes/roles in referring security requirement objects.

@unikitty37

@MikeRalphson Were the docs updated to reflect this? The only likely thing I can find is under 4.8.30.1 Patterned Fields, which says "For other security scheme types, the array MAY contain a list of role names which are required for the execution, but are not otherwise defined or exchanged in-band." but doesn't give examples — all the examples are still for OAuth2 and that sentence seems to be all there is…

@MikeRalphson
Member

Unfortunately we can't add examples of every combination of OAS feature. I'll add one here when I get back to my desk.

@unikitty37

@MikeRalphson Sorry to hassle you, but did you manage to update the docs? I still can't find how to actually define my API's roles…

MikeRalphson added a commit to MikeRalphson/OpenAPI-Specification that referenced this issue Mar 31, 2021
@MikeRalphson
Member

Not hassling at all, and sorry it has taken so long to get back to you. See an example in PR #2515

@unikitty37

Thanks — I think I've been a little confused by what I thought this was going to be.

Basically, a logged-in user has a role of contributor, editor, or admin. A logged out user is treated as having the role of anonymous.

I was hoping this would allow me to say that an API call is only available with a role of editor or admin, but it seems that the Security Requirement Object still uses AND rather than OR. I appreciate the issue tracker probably isn't the best place for asking this, but is this possible with 3.1? If not, would it be worth making a feature request?
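Added example (not code from the OpenAPI project or from either commenter): a small Python evaluator of the Security Requirement Object semantics the thread is circling, where every entry in the `security` list is an alternative (OR) while all schemes inside one entry must hold (AND), so "editor or admin" is expressed as two entries rather than one. The `roles_from_token` helper and the role names are assumptions for illustration.

```python
"""Evaluate an OpenAPI `security` list against the roles carried by a bearer token.

Constructed example: each Security Requirement Object in the list is an
alternative (OR); the schemes named inside one object must all be satisfied
(AND); for a non-OAuth2 scheme such as `bearerAuth` the array lists required
role names (OAS 3.1 wording). Unknown schemes fail closed.
"""
from typing import Dict, List, Set


def roles_from_token(token_claims: dict) -> Set[str]:
    # Hypothetical helper: in a real service the claims come from a JWT whose
    # signature, issuer, audience and expiry were already validated.
    return set(token_claims.get("roles", []))


def requirement_satisfied(requirement: Dict[str, List[str]],
                          presented: Dict[str, Set[str]]) -> bool:
    """One Security Requirement Object: every named scheme must hold (AND).
    An empty object {} is satisfied by anyone, i.e. anonymous access."""
    for scheme, required_roles in requirement.items():
        if scheme not in presented:          # credential for this scheme missing
            return False
        if not set(required_roles) <= presented[scheme]:
            return False                     # at least one required role absent
    return True


def authorized(security: List[Dict[str, List[str]]],
               presented: Dict[str, Set[str]]) -> bool:
    """The `security` list: any one object suffices (OR).
    An empty list removes the security declaration entirely."""
    if not security:
        return True
    return any(requirement_satisfied(req, presented) for req in security)


# "editor OR admin" as two alternatives (the commenter's use case):
EDITOR_OR_ADMIN = [{"bearerAuth": ["editor"]}, {"bearerAuth": ["admin"]}]
# The issue's own example: both roles needed on one scheme (AND within an object):
READ_AND_WRITE = [{"bearerAuth": ["read:pets", "write:pets"]}]

if __name__ == "__main__":
    claims = {"sub": "alice", "roles": ["editor"]}  # constructed token claims
    print(authorized(EDITOR_OR_ADMIN, {"bearerAuth": roles_from_token(claims)}))
```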
