Thank you for offering a new example for OpenAPI!
It is widely understood that APIs should avoid HTTP Basic Auth, which is inherently insecure.
I recommend revising the Museum OpenAPI example to use a more secure security scheme.
- use
oauth2 security scheme (with authorizationCode flow and with specific read and write scopes -- scope names left to implementors) or openIdConnect security scheme
- change the default security requirement to be a reference to that security scheme (not basic auth) and use a read scope
- operations that require write access should not use the default security, but use an explicit operation-level
security requirement with write or other scope.
Thank you for offering a new example for OpenAPI!
It is widely understood that APIs should avoid HTTP Basic Auth, which is inherently insecure.
I recommend revising the Museum OpenAPI example to use a more secure security scheme.
oauth2security scheme (withauthorizationCodeflow and with specific read and write scopes -- scope names left to implementors) oropenIdConnectsecurity schemesecurityrequirement with write or other scope.