Backport case insensitivity note for security schemes to 3.0.4 #3765

Merged


lornajane

We added a note about case insensitivity in v3.1.1 (see #2644); add it to 3.0.4 as well.

@lornajane lornajane requested a review from a team May 1, 2024 07:54
@handrews

handrews commented May 1, 2024

Are we considering this a clarification because it was already implied by the spec but not clear? Or would this require tools to change to support case-insensitivity?

@handrews added the "security: meta" label (Metadata in and about the specification) May 1, 2024
@handrews handrews added this to the v3.0.4 milestone May 1, 2024
@lornajane

Yes, I consider that it would be assumed to be case-insensitive, but that adding a note to say so was useful. I'm also happy to not backport this if it seems at all risky!

@handrews

handrews commented May 1, 2024

@lornajane that works for me!

@handrews added the "clarification" label (requests to clarify, but not change, part of the spec) May 1, 2024
@lornajane lornajane requested a review from a team May 6, 2024 19:06
@@ -3208,7 +3208,7 @@ Field Name | Type | Applies To | Description
<a name="securitySchemeDescription"></a>description | `string` | Any | A short description for security scheme. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation.
<a name="securitySchemeName"></a>name | `string` | `apiKey` | **REQUIRED**. The name of the header, query or cookie parameter to be used.
<a name="securitySchemeIn"></a>in | `string` | `apiKey` | **REQUIRED**. The location of the API key. Valid values are `"query"`, `"header"` or `"cookie"`.
<a name="securitySchemeScheme"></a>scheme | `string` | `http` | **REQUIRED**. The name of the HTTP Authorization scheme to be used in the [Authorization header as defined in RFC7235](https://tools.ietf.org/html/rfc7235#section-5.1). The values used SHOULD be registered in the [IANA Authentication Scheme registry](https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml).
<a name="securitySchemeScheme"></a>scheme | `string` | `http` | **REQUIRED**. The name of the HTTP Authorization scheme to be used in the [Authorization header as defined in RFC7235](https://tools.ietf.org/html/rfc7235#section-5.1). The values used SHOULD be registered in the [IANA Authentication Scheme registry](https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml). The value is case-insensitive.
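
Review bot: The sentence appended to the `scheme` row, "The value is case-insensitive.", states the property but not what a tool has to do with it or where the rule comes from. Suggest wording it as a comparison rule (the value is compared without regard to case, so `Basic` and `basic` name the same scheme) and pointing at the RFC text that defines it, since the only RFC link in the row goes to `#section-5.1`. The `in` row just above lists quoted valid values with no statement on case, so making it explicit that this sentence covers `scheme` only would keep readers from extending it to `in`.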

Is this name the "token" that is referred to in Section 2.1 of RFC 7235?

> It uses a case-insensitive token as a means to identify the authentication scheme

If so, perhaps a link to that section would make it clear that this new text is simply a clarification.

@@ -3208,7 +3208,7 @@ Field Name | Type | Applies To | Description
<a name="securitySchemeDescription"></a>description | `string` | Any | A short description for security scheme. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation.
<a name="securitySchemeName"></a>name | `string` | `apiKey` | **REQUIRED**. The name of the header, query or cookie parameter to be used.
<a name="securitySchemeIn"></a>in | `string` | `apiKey` | **REQUIRED**. The location of the API key. Valid values are `"query"`, `"header"` or `"cookie"`.
<a name="securitySchemeScheme"></a>scheme | `string` | `http` | **REQUIRED**. The name of the HTTP Authorization scheme to be used in the [Authorization header as defined in RFC7235](https://tools.ietf.org/html/rfc7235#section-5.1). The values used SHOULD be registered in the [IANA Authentication Scheme registry](https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml).
<a name="securitySchemeScheme"></a>scheme | `string` | `http` | **REQUIRED**. The name of the HTTP Authorization scheme to be used in the [Authorization header as defined in RFC7235](https://tools.ietf.org/html/rfc7235#section-5.1). The values used SHOULD be registered in the [IANA Authentication Scheme registry](https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml). The value is case-insensitive.

Suggested change
<a name="securitySchemeScheme"></a>scheme | `string` | `http` | **REQUIRED**. The name of the HTTP Authorization scheme to be used in the [Authorization header as defined in RFC7235](https://tools.ietf.org/html/rfc7235#section-5.1). The values used SHOULD be registered in the [IANA Authentication Scheme registry](https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml). The value is case-insensitive.
<a name="securitySchemeScheme"></a>scheme | `string` | `http` | **REQUIRED**. The name of the HTTP Authorization scheme to be used in the [Authorization header as defined in RFC7235](https://tools.ietf.org/html/rfc7235#section-5.1). The values used SHOULD be registered in the [IANA Authentication Scheme registry](https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml). The value is case-insensitive, as defined in [RFC7235](https://datatracker.ietf.org/doc/html/rfc7235#section-2.1).
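
Review bot: The suggested line now carries two RFC 7235 links on different hosts, `tools.ietf.org/html/rfc7235#section-5.1` earlier in the cell and `datatracker.ietf.org/doc/html/rfc7235#section-2.1` in the new clause; use one host for both so the row stays consistent. The new link text is just `RFC7235`, the same label as the earlier link, so a reader cannot tell from the text that it targets a different section; naming the section in the link text (for example "RFC7235 Section 2.1") would make the reference self-explanatory.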

@lornajane

I'm not sure what to do here. If we make additional changes, rather than just backporting - do I then need to follow up and forward-port the additions to the 3.1.1 spec where the original note about case sensitivity was added?

Personally, I think this can merge without the additions to bring the two specs into sync - but I'd need another approval for that. Opinions and reviews welcome!

@lornajane lornajane requested a review from a team May 14, 2024 08:01
@ralfhandl ralfhandl merged commit 318a77b into OAI:v3.0.4-dev May 14, 2024