Forum Discussion

MOverholt-AFI's avatar
4 years ago
Solved

Can securitySchemes be defined in a domain?

I'm trying to use domain specs (OAS3) to define standard, reusable components that can be used in multiple APIs. I'm getting errors when I try to use a $ref: to add a securityScheme that was defined in a domain to the security property of an API. It works fine if the components.securitySchemes are defined directly within the API spec itself. I've done some searching and I can't find any documentation or examples showing how to make this work, but I also haven't found anyplace where it says this can or can't be done. To illustrate:

 

In my domain spec (Example-Domain/1.0.2) I have the following:

  securitySchemes:
    bearerToken:
      type: http
      scheme: bearer
      bearerFormat: JWT

In my API spec I have this:

security:
  - $ref: 'https://api.swaggerhub.com/domains/myOrg/Example-Domain/1.0.2#/components/securitySchemes/bearerToken'

 

The following error are returned for the line containing the $ref:

  1. should be an array
  2. Security requirements must match a security definition

If I put the same security scheme definition into the API spec itself and modify the security section as follows, it works fine.

security:
  - bearerToken: []

 

Am I doing something wrong?

 

Thanks!

  • Hi MOverholt-AFI,

     

    Currently, domains cannot contain security schemes:

    Note: The OpenAPI 3.0 components section can contain securitySchemes, however, domains cannot contain them.

    There's a feature request in our internal tracker to support this in the future, and I've added your vote to it.

1 Reply

  • HKosova's avatar
    HKosova
    SmartBear Alumni (Retired)

    Hi MOverholt-AFI,

     

    Currently, domains cannot contain security schemes:

    Note: The OpenAPI 3.0 components section can contain securitySchemes, however, domains cannot contain them.

    There's a feature request in our internal tracker to support this in the future, and I've added your vote to it.