From 95c467121f84e5a33cd881858f97e9fe16d396b4 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Sun, 9 Jun 2024 15:02:59 -0700 Subject: [PATCH 01/61] Consolidate guidance around examples (3.2.0 port of 3895) The four ways of specifying parameter or media type examples are confusing. There is a lot of guidance that is repeated, making it harder to see the essentials. Some of that guidance is also contradictory, with most saying that the examples SHOULD match various conditions, but one saying that they MUST. Research shows that SHOULD was repeatedly advocated, and instances of MUST corrected back to SHOULD, except for one final commit where MUST was introduced, and the subsequent commit to revert to SHOULD seems to have simply missed one instance. So this change takes the position that the MUST was an error and weakens it to SHOULD to match the other four or five places where the requirement was specified. --- versions/3.2.0.md | 114 ++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 106 insertions(+), 8 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 67d90142b5..91fda4adef 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md @@ -1088,7 +1088,8 @@ Field Name | Type | Description ###### Fixed Fields for use with `schema` For simpler scenarios, a [`schema`](#parameterSchema) and [`style`](#parameterStyle) can describe the structure and syntax of the parameter. -When `example` or `examples` are provided in conjunction with the `schema` object, the example MUST follow the prescribed serialization strategy for the parameter. +When `example` or `examples` are provided in conjunction with the `schema` object, the example SHOULD match the specified schema and follow the prescribed serialization strategy for the parameter. +The `example` and `examples` fields are mutually exclusive, and if either is present it SHALL _override_ any `example` in the schema. Field Name | Type | Description ---|:---:|--- 
@@ -1096,8 +1097,8 @@ Field Name | Type | Description explode | `boolean` | When this is true, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters this property has no effect. When [`style`](#parameterStyle) is `form`, the default value is `true`. For all other styles, the default value is `false`. allowReserved | `boolean` | Determines whether the parameter value SHOULD allow reserved characters, as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-2.2) `:/?#[]@!$&'()*+,;=` to be included without percent-encoding. This property only applies to parameters with an `in` value of `query`. The default value is `false`. schema | [Schema Object](#schemaObject) | The schema defining the type used for the parameter. -example | Any | Example of the parameter's potential value. The example SHOULD match the specified schema and encoding properties if present. The `example` field is mutually exclusive of the `examples` field. Furthermore, if referencing a `schema` that contains an example, the `example` value SHALL _override_ the example provided by the schema. To represent examples of media types that cannot naturally be represented in JSON or YAML, a string value can contain the example with escaping where necessary. -examples | Map[ `string`, [Example Object](#exampleObject) \| [Reference Object](#referenceObject)] | Examples of the parameter's potential value. Each example SHOULD contain a value in the correct format as specified in the parameter encoding. The `examples` field is mutually exclusive of the `example` field. Furthermore, if referencing a `schema` that contains an example, the `examples` value SHALL _override_ the example provided by the schema. +example | Any | Example of the parameter's potential value; see [Working With Examples](#working-with-examples). 
+examples | Map[ `string`, [Example Object](#exampleObject) \| [Reference Object](#referenceObject)] | Examples of the parameter's potential value; see [Working With Examples](#working-with-examples). ###### Fixed Fields and considerations for use with `content` 
@@ -1432,12 +1433,16 @@ content: #### Media Type Object Each Media Type Object provides schema and examples for the media type identified by its key. +When `example` or `examples` are provided, the example SHOULD match the specified schema and be in the correct format as specified by the media type and its encoding. +The `example` and `examples` fields are mutually exclusive, and if either is present it SHALL _override_ any `example` in the schema. +See [Working With Examples](#working-with-examples) for further guidance regarding the different ways of specifying examples, including non-JSON/YAML values. + ##### Fixed Fields Field Name | Type | Description ---|:---:|--- schema | [Schema Object](#schemaObject) | The schema defining the content of the request, response, or parameter. -example | Any | Example of the media type. The example object SHOULD be in the correct format as specified by the media type. The `example` field is mutually exclusive of the `examples` field. Furthermore, if referencing a `schema` which contains an example, the `example` value SHALL _override_ the example provided by the schema. -examples | Map[ `string`, [Example Object](#exampleObject) \| [Reference Object](#referenceObject)] | Examples of the media type. Each example object SHOULD match the media type and specified schema if present. The `examples` field is mutually exclusive of the `example` field. Furthermore, if referencing a `schema` which contains an example, the `examples` value SHALL _override_ the example provided by the schema. +example | Any | Example of the media type; see [Working With Examples](#working-with-examples). +examples | Map[ `string`, [Example Object](#exampleObject) \| [Reference Object](#referenceObject)] | Examples of the media type; see [Working With Examples](#working-with-examples). encoding | Map[`string`, [Encoding Object](#encodingObject)] | A map between a property name and its encoding information. 
The key, being the property name, MUST exist in the schema as a property. The encoding attribute SHALL only apply to [Request Body Objects](#requestBodyObject), and only when the media type is `multipart` or `application/x-www-form-urlencoded`. If no Encoding Object is provided for a property, the behavior is determined by the default values documented for the Encoding Object. This object MAY be extended with [Specification Extensions](#specificationExtensions). 
@@ -2029,9 +2034,28 @@ Field Name | Type | Description This object MAY be extended with [Specification Extensions](#specificationExtensions). -In all cases, the example value is expected to be compatible with the type schema -of its associated value. Tooling implementations MAY choose to -validate compatibility automatically, and reject the example value(s) if incompatible. +In all cases, the example value SHOULD be compatible with the schema of its associated value. +Tooling implementations MAY choose to validate compatibility automatically, and reject the example value(s) if incompatible. + +#### Working With Examples + +Example Objects can be used in both [Parameter Objects](#parameterObject) and [Media Type Objects](#mediaTypeObject). +In both Objects, this is done through the `examples` (plural) field. +However, there are several other ways to provide examples: The `example` (singular) field that is mutually exclusive with `examples` in both Objects, and two keywords (the deprecated singular `example` and the current plural `examples`, which takes an array of examples) in the [Schema Object](#schemaObject) that appears in the `schema` field of both Objects. +Each of these fields has slightly different considerations. + +The Schema Object's fields are used to show example values without regard to how they might be formatted as parameters or within media type representations. +The `examples` array is part of JSON Schema and is the preferred way to include examples in the Schema Object, while `example` is retained purely for compatibility with older versions of the OpenAPI Specification. + +The mutually exclusive fields in the Parameter or Media Type Objects are used to show example values which SHOULD both match the schema and be formatted as they would appear as a serialized parameter or within a media type representation. 
+The exact serialization and encoding is determined by various fields in the Parameter Object, or in the Media Type Object's [Encoding Object](#encodingObject). +Because examples using these fields represent the final serialized form of the data, they SHALL _override_ any `example` in the corresponding Schema Object. + +The singular `example` field in the Parameter or Media Type object is concise and convenient for simple examples, but does not offer any other advantages over using Example Objects under `examples`. + +Some examples cannot be represented directly in JSON or YAML. +For all three ways of providing examples, these can be shown as string values with any escaping necessary to make the string valid in the JSON or YAML format of the OpenAPI Description document. +With the Example Object, such values can alternatively be handled through the `externalValue` field. ##### Example Object Examples 
@@ -2091,6 +2115,80 @@ responses: $ref: '#/components/examples/confirmation-success' ``` +Two different uses of JSON strings: + +First, a request or response body that is just a JSON string (not an object containing a string): + +```json +"application/json": { + "schema": { + "type": "string" + }, + "examples": { + "jsonBody": { + "description": "A body of just the JSON string \"json\"", + "value": "json" + } + } +} +``` + +```yaml +application/json: + schema: + type: string + examples: + jsonBody: + description: 'A body of just the JSON string "json"' + value: json +``` + +In the above example, we can just show the JSON string (or any JSON value) as-is, rather than stuffing a serialized JSON value into a JSON string, which would have looked like `"\"json\""`. + + +In contrast, a JSON string encoded inside of a URL-style form body: + +```json +"application/x-www-form-urlencoded": { + "schema": { + "type": "object", + "properties": { + "jsonValue": { + "type": "string" + } + } + }, + "encoding": { + "jsonValue": { + "contentType": "application/json" + } + }, + "examples": { + "jsonFormValue": { + "description": "The JSON string \"json\" as a form value", + "value": "jsonValue=%22json%22" + } + } +} +``` + +```yaml +application/x-www-form-urlencoded: + schema: + type: object + properties: + jsonValue: + type: string + encoding: + jsonValue: + contentType: application/json + examples: + jsonFormValue: + description: 'The JSON string "json" as a form value' + value: jsonValue=%22json%22 +``` + +In this example, the JSON string had to be serialized before encoding it into the URL form value, so the example includes the quotation marks that are part of the JSON serialization, which are then URL percent-encoded. #### Link Object From 26ccf2dc225c1e57848e68a09623c3e240085802 Mon Sep 17 00:00:00 2001 
From: "Henry H. Andrews" Date: Mon, 27 May 2024 15:38:40 -0700 Subject: [PATCH 02/61] Fix confusing usage of "WebHook" (3.2.0 port of 3862 1/2) Not only do we not capitalize the "h" elsewhere, this example, which pre-dated 3.1 webhooks, used the term in a confusingly not-quite-the-same way. --- versions/3.2.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 91fda4adef..4a516cb002 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md @@ -1988,7 +1988,7 @@ $response.header.Location | https://example.org/subscription/1 ##### Callback Object Examples -The following example uses the user provided `queryUrl` query string parameter to define the callback URL. This is an example of how to use a callback object to describe a WebHook callback that goes with the subscription operation to enable registering for the WebHook. +The following example uses the user provided `queryUrl` query string parameter to define the callback URL. This is similar to a [webhook](#oasWebhooks), but differs in that the callback only occurs because of the initial request that sent the `queryUrl`. ```yaml myCallback: From 1e7d87a5347b5255433dcd0439ed6176767a2d4d Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 27 May 2024 15:41:10 -0700 Subject: [PATCH 03/61] Replace deprecated example with examples in schema (3.2.0 port of 3862 2/2) 3.1 deprecates the OAS extension `example` schema keyword in favor of the draft 2020-12 `examples` standard schema keyword. --- versions/3.2.0.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 4a516cb002..896436103c 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md @@ -2655,10 +2655,12 @@ additionalProperties: "required": [ "name" ], - "example": { - "name": "Puma", - "id": 1 - } + "examples": [ + { + "name": "Puma", + "id": 1 + } + ] } ```
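Review bot: in PATCH 02/61, hunk `@@ -1988`, "user provided `queryUrl` query string parameter" is a compound modifier and should be "user-provided"; the removed line has the same spelling, so this rewrite is the natural place to fix it.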
@@ -2672,8 +2674,8 @@ properties: type: string required: - name -example: - name: Puma +examples: +- name: Puma id: 1 ``` From ac18ea489dd3e752cc5336cc26de6c05ccdba92a Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 13 Jun 2024 13:31:03 -0700 Subject: [PATCH 04/61] More guidance on schema dialects. (3.2.0 port of 3909) This makes it more clear that jsonSchemaDialect, like $schema, is per document, and provides guidance for incomplete OAS documents and using $schema in standalone schema documents. It also clarifies the nature of "requiring" the OAS extension vocabulary. Co-authored-by: Karen Etheridge --- versions/3.2.0.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 896436103c..4046b98aad 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md @@ -2496,7 +2496,8 @@ The following properties are taken from the JSON Schema specification but their In addition to the JSON Schema properties comprising the OAS dialect, the Schema Object supports keywords from any other vocabularies, or entirely arbitrary properties. -The OpenAPI Specification's base vocabulary is comprised of the following keywords: +JSON Schema implementations MAY choose to treat keywords defined by the OpenAPI Specification's base vocabulary as [unknown keywords](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-4.3.1), due to its inclusion in the OAS dialect with a [`$vocabulary`](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-8.1.2) value of `false`. +The OAS base vocabulary is comprised of the following keywords: ##### Fixed Fields 
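Review bot: in PATCH 03/61, hunk `@@ -2672`, the YAML "+examples:" / "+- name: Puma" with the unchanged "  id: 1" context line is valid only because the two-space indent of `id` happens to line up with `name` after the "- " marker; indenting the sequence item as "  - name: Puma" / "    id: 1" (mirroring the nesting in the JSON hunk) makes the structure obvious and stops a reader from taking `id` for a second array element.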
@@ -2541,11 +2542,12 @@ The [XML Object](#xmlObject) contains additional information about the available It is important for tooling to be able to determine which dialect or meta-schema any given resource wishes to be processed with: JSON Schema Core, JSON Schema Validation, OpenAPI Schema dialect, or some custom meta-schema. -The `$schema` keyword MAY be present in any root Schema Object, and if present MUST be used to determine which dialect should be used when processing the schema. This allows use of Schema Objects which comply with other drafts of JSON Schema than the default Draft 2020-12 support. Tooling MUST support the OAS dialect schema id, and MAY support additional values of `$schema`. +The `$schema` keyword MAY be present in any Schema Object that is a [schema resource root](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-4.3.5), and if present MUST be used to determine which dialect should be used when processing the schema. This allows use of Schema Objects which comply with other drafts of JSON Schema than the default Draft 2020-12 support. Tooling MUST support the OAS dialect schema id, and MAY support additional values of `$schema`. -To allow use of a different default `$schema` value for all Schema Objects contained within an OAS document, a `jsonSchemaDialect` value may be set within the OpenAPI Object. If this default is not set, then the OAS dialect schema id MUST be used for these Schema Objects. The value of `$schema` within a Schema Object always overrides any default. +To allow use of a different default `$schema` value for all Schema Objects contained within an OAS document, a `jsonSchemaDialect` value may be set within the OpenAPI Object. If this default is not set, then the OAS dialect schema id MUST be used for these Schema Objects. The value of `$schema` within a resource root Schema Object always overrides any default. 
-When a Schema Object is referenced from an external resource which is not an OAS document (e.g. a bare JSON Schema resource), then the value of the `$schema` keyword for schemas within that resource MUST follow [JSON Schema rules](https://tools.ietf.org/html/draft-bhutton-json-schema-00#section-8.1.1). +For standalone JSON Schema documents that do not set `$schema`, or for Schema Objects in OpenAPI description documents that are _not_ [complete documents](#documentStructure), the dialect SHOULD be assumed to be the OAS dialect. +However, for maximum interoperability, it is RECOMMENDED that OpenAPI description authors explicitly set the dialect through `$schema` in such documents. ##### Schema Object Examples From 915eff887f9159eaac0899e9eb56603b472d0938 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 30 May 2024 13:18:13 -0700 Subject: [PATCH 05/61] Verbose Header Object documentation (3.2.0 port of 3867 1/2, 3904) This copies the relevant Parameter Object fields to the Header Object instead of relying on implicit guidance. The text for the fields has been edited to reflect that only headers are being described. This also includes an example of describing a header using the `content` field, and explaining why it is necessary to do so. --- versions/3.2.0.md | 77 +++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 71 insertions(+), 6 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 4046b98aad..9810277ddf 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md
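Review bot: in PATCH 04/61, hunk `@@ -2496`, "due to its inclusion in the OAS dialect" has an ambiguous antecedent ("its" reads as the implementation or the keywords rather than the vocabulary); "due to that vocabulary's inclusion in the OAS dialect with a `$vocabulary` value of `false`" is unambiguous. One clause on the practical consequence would also help schema authors: an implementation that treats these as unknown keywords will simply ignore them rather than validate against them.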
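Review bot: in PATCH 04/61, hunk `@@ -2541`, the retained "a `jsonSchemaDialect` value may be set within the OpenAPI Object" uses lowercase "may" inside a paragraph that otherwise uses RFC 2119 keywords (MAY, MUST); since the line is rewritten anyway, capitalise it or rephrase so its normative status is clear. In the same rewritten line, "other drafts of JSON Schema than the default Draft 2020-12 support" reads awkwardly; "drafts of JSON Schema other than the default Draft 2020-12" is cleaner.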
@@ -2366,18 +2366,56 @@ Expressions can be embedded into string values by surrounding the expression wit #### Header Object -The Header Object follows the structure of the [Parameter Object](#parameterObject) with the following changes: +The Header Object is used to describe headers for [HTTP responses](#responseHeaders) and for [individual parts in `multipart` representations](#encodingHeaders); see the relevant [Header Object](#headerObject) and [Encoding Object](#encodingObject) documentation for restrictions on which headers can be described. + +The Header Object follows the structure of the [Parameter Object](#parameterObject), including determining its serialization strategy based on whether `schema` or `content` is present, with the following changes: 1. `name` MUST NOT be specified, it is given in the corresponding `headers` map. 1. `in` MUST NOT be specified, it is implicitly in `header`. -1. All traits that are affected by the location MUST be applicable to a location of `header` (for example, [`style`](#parameterStyle)). +1. All traits that are affected by the location MUST be applicable to a location of `header` (for example, [`style`](#parameterStyle)). This means that `allowEmptyValue` and `allowReserved` MUST NOT be used, and `style`, if used, MUST be limited to `simple`. + +##### Common Fixed Fields + +These fields MAY be used with either `content` or `schema`. + +Field Name | Type | Description +---|:---:|--- +description | `string` | A brief description of the header. This could contain examples of use. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. +required | `boolean` | Determines whether this header is mandatory. The default value is `false`. + deprecated | `boolean` | Specifies that a parameter is deprecated and SHOULD be transitioned out of usage. Default value is `false`. 
+ +##### Fixed Fields for use with `schema` + +For simpler scenarios, a [`schema`](#headerSchema) and [`style`](#headerStyle) can describe the structure and syntax of the header. +When `example` or `examples` are provided in conjunction with the `schema` object, the example MUST follow the prescribed serialization strategy for the header. + +Serializing with `schema` is NOT RECOMMENDED for headers with parameters (name=value pairs following a `;`) in their values, or where values might have non-URL-safe characters; see [Appendix D](#serializingHeadersAndCookies) for details. + +Field Name | Type | Description +---|:---:|--- +style | `string` | Describes how the header value will be serialized. The default (and only legal value for headers) is `simple`. +explode | `boolean` | When this is true, header values of type `array` or `object` generate separate header values for each value of the array or key-value pair of the map. For other types of parameters this property has no effect. The default value is `false`. +schema | [Schema Object](#schemaObject) \| [Reference Object](#referenceObject) | The schema defining the type used for the header. +example | Any | Example of the header's potential value. The example SHOULD match the specified schema and encoding properties if present. The `example` field is mutually exclusive of the `examples` field. Furthermore, if referencing a `schema` that contains an example, the `example` value SHALL _override_ the example provided by the schema. To represent examples of media types that cannot naturally be represented in JSON or YAML, a string value can contain the example with escaping where necessary. +examples | Map[ `string`, [Example Object](#exampleObject) \| [Reference Object](#referenceObject)] | Examples of the header's potential value. Each example SHOULD contain a value in the correct format as specified in the header encoding. The `examples` field is mutually exclusive of the `example` field. 
Furthermore, if referencing a `schema` that contains an example, the `examples` value SHALL _override_ the example provided by the schema. + +See also [Appendix C: Using RFC6570 Implementations](#usingRFC6570Implementations) for additional guidance. + +##### Fixed Fields for use with `content` + +For more complex scenarios, the [`content`](#headerContent) property can define the media type and schema of the header, as well as give examples of its use. +Using `content` with a `text/plain` media type is RECOMMENDED for headers where the `schema` strategy is not appropriate. + +Field Name | Type | Description +---|:---:|--- +content | Map[`string`, [Media Type Object](#mediaTypeObject)] | A map containing the representations for the header. The key is the media type and the value describes it. The map MUST only contain one entry. ##### Header Object Example A simple header of type `integer`: ```json -{ +"X-Rate-Limit-Limit": { "description": "The number of allowed requests in the current period", "schema": { "type": "integer" @@ -2386,9 +2424,36 @@ A simple header of type `integer`: ``` ```yaml -description: The number of allowed requests in the current period -schema: - type: integer +X-Rate-Limit-Limit: + description: The number of allowed requests in the current period + schema: + type: integer +``` + +Requiring that a strong `ETag` header (with a value starting with `"` rather than `W/`) is present. Note the use of `content`, because using `schema` and `style` would require the `"` to be percent-encoded as `%22`: + +```json +"ETag": { + "required": true, + "content": { + "text/plain": { + "schema": { + "type": "string", + "pattern": "^\"" + } + } + } +} +``` + +```yaml +ETag: + required: true + content: + text/plain: + schema: + type: string + pattern: ^" ``` #### Tag Object From b9831dbad5ed1c9bd7f89216f9535ff83e564b17 Mon Sep 17 00:00:00 2001 
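Review bot: in PATCH 05/61, hunk `@@ -2366`, the added line "When `example` or `examples` are provided in conjunction with the `schema` object, the example MUST follow the prescribed serialization strategy for the header." reintroduces the MUST that PATCH 01/61 deliberately weakened to SHOULD for the Parameter Object, and the `example`/`examples` rows copy the long pre-PATCH-01 text instead of the "see [Working With Examples](#working-with-examples)" pointer; align both with the Parameter Object so the two sections do not diverge again. Two smaller points in the same hunk: the " deprecated | `boolean` | ..." row has a leading space the other rows lack, which some renderers will not treat as a table row, and the `schema` row lists "[Schema Object](#schemaObject) \| [Reference Object](#referenceObject)" whereas the Parameter Object's `schema` row visible in PATCH 01/61 lists only "[Schema Object](#schemaObject)"; pick one.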
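Review bot: in PATCH 05/61, hunk `@@ -2386`, the `pattern` "^\"" satisfies the stated goal (a value starting with `"` rather than `W/`) but accepts any string that opens with a quote; if the intent is a well-formed strong entity-tag, a pattern that also requires the closing quote, such as "^\"[^\"]*\"$", is tighter and still avoids the `%22` percent-encoding problem the prose explains. Worth a sentence either way so readers do not copy `^"` as a complete ETag validator.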
From: Henry Andrews Date: Tue, 4 Jun 2024 08:58:18 -0700 Subject: [PATCH 06/61] Better wording (3.2.0 port of 3867 2/2) Co-authored-by: Ralf Handl --- versions/3.2.0.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 9810277ddf..8c8cfa3a67 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md @@ -2366,7 +2366,7 @@ Expressions can be embedded into string values by surrounding the expression wit #### Header Object -The Header Object is used to describe headers for [HTTP responses](#responseHeaders) and for [individual parts in `multipart` representations](#encodingHeaders); see the relevant [Header Object](#headerObject) and [Encoding Object](#encodingObject) documentation for restrictions on which headers can be described. +Describes a single header for [HTTP responses](#responseHeaders) and for [individual parts in `multipart` representations](#encodingHeaders); see the relevant [Response Object](#responseObject) and [Encoding Object](#encodingObject) documentation for restrictions on which headers can be described. The Header Object follows the structure of the [Parameter Object](#parameterObject), including determining its serialization strategy based on whether `schema` or `content` is present, with the following changes: @@ -2382,7 +2382,7 @@ Field Name | Type | Description ---|:---:|--- description | `string` | A brief description of the header. This could contain examples of use. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. required | `boolean` | Determines whether this header is mandatory. The default value is `false`. - deprecated | `boolean` | Specifies that a parameter is deprecated and SHOULD be transitioned out of usage. Default value is `false`. + deprecated | `boolean` | Specifies that the header is deprecated and SHOULD be transitioned out of usage. Default value is `false`. ##### Fixed Fields for use with `schema` 
@@ -2394,7 +2394,7 @@ Serializing with `schema` is NOT RECOMMENDED for headers with parameters (name=v Field Name | Type | Description ---|:---:|--- style | `string` | Describes how the header value will be serialized. The default (and only legal value for headers) is `simple`. -explode | `boolean` | When this is true, header values of type `array` or `object` generate separate header values for each value of the array or key-value pair of the map. For other types of parameters this property has no effect. The default value is `false`. +explode | `boolean` | When this is true, header values of type `array` or `object` generate a single header whose value is a comma-separated list of the array items or key-value pairs of the map, see [Style Examples](#style-examples). For other data types this property has no effect. The default value is `false`. schema | [Schema Object](#schemaObject) \| [Reference Object](#referenceObject) | The schema defining the type used for the header. example | Any | Example of the header's potential value. The example SHOULD match the specified schema and encoding properties if present. The `example` field is mutually exclusive of the `examples` field. Furthermore, if referencing a `schema` that contains an example, the `example` value SHALL _override_ the example provided by the schema. To represent examples of media types that cannot naturally be represented in JSON or YAML, a string value can contain the example with escaping where necessary. examples | Map[ `string`, [Example Object](#exampleObject) \| [Reference Object](#referenceObject)] | Examples of the header's potential value. Each example SHOULD contain a value in the correct format as specified in the header encoding. The `examples` field is mutually exclusive of the `example` field. Furthermore, if referencing a `schema` that contains an example, the `examples` value SHALL _override_ the example provided by the schema. 
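Review bot: in PATCH 06/61, hunk `@@ -2382`, the replacement " deprecated | `boolean` | Specifies that the header is deprecated ..." row keeps the leading space from the line it replaces, so it still differs from the `description` and `required` rows above it; drop the space while rewording the description.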
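Review bot: in PATCH 06/61, hunk `@@ -2394`, "... key-value pairs of the map, see [Style Examples](#style-examples). For other data types ..." is a comma splice; use a semicolon before "see". The `#style-examples` target also uses the lowercase-hyphenated form rather than the camelCase anchors used on the same row (`#schemaObject`, `#referenceObject`), the same inconsistency as `#working-with-examples` in PATCH 01/61; confirm the target resolves in the rendered document.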
From ff1ac10bb893639ef24a9a4d2c77e0164e36cf54 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Tue, 28 May 2024 13:44:37 -0700 Subject: [PATCH 07/61] Improve media type encoding examples (3.2.0 port of 3864) * Replace the outdated "model" terminology with "schema" * Remove the outdated `text/plain` array example, which does not correlate with current OAS requirements * Rather than replacing the `text/plain` example directly, enhance the example of serializing `application/json` content in `application/x-www-form-urlencoded` request bodies. --- versions/3.2.0.md | 62 ++++++++++++++++++++++------------------------- 1 file changed, 29 insertions(+), 33 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 8c8cfa3a67..c2dba6a0a7 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md @@ -1324,7 +1324,7 @@ This object MAY be extended with [Specification Extensions](#specificationExtens ##### Request Body Examples -A request body with a referenced model definition. +A request body with a referenced schema definition. ```json { "description": "user to add to the system", @@ -1400,36 +1400,6 @@ content: externalValue: https://foo.bar/examples/user-example.whatever ``` -A body parameter that is an array of string values: -```json -{ - "description": "user to add to the system", - "required": true, - "content": { - "text/plain": { - "schema": { - "type": "array", - "items": { - "type": "string" - } - } - } - } -} -``` - -```yaml -description: user to add to the system -required: true -content: - text/plain: - schema: - type: array - items: - type: string -``` - - #### Media Type Object Each Media Type Object provides schema and examples for the media type identified by its key.
@@ -1589,9 +1559,35 @@ requestBody: properties: {} ``` -In this example, the contents in the `requestBody` MUST be stringified per [RFC1866](https://tools.ietf.org/html/rfc1866/) when passed to the server. In addition, the `address` field complex object will be stringified. +In this example, the contents in the `requestBody` MUST be encoded per [RFC1866](https://tools.ietf.org/html/rfc1866) when passed to the server. In addition, the `address` field complex object will be serialized to a string representation prior to encoding. + +When passing complex objects in the `application/x-www-form-urlencoded` content type, the default serialization strategy of such properties is described in the [Encoding Object](#encodingObject)'s [`style`](#encodingStyle) property as `form`. -When passing complex objects in the `application/x-www-form-urlencoded` content type, the default serialization strategy of such properties is described in the [`Encoding Object`](#encodingObject)'s [`style`](#encodingStyle) property as `form`. +With this example, given an `id` of `f81d4fae-7dec-11d0-a765-00a0c91e6bf6` and a US-style address (with ZIP+4) as follows: + +```json +{ + "streetAddress": "123 Example Dr.", + "city": "Somewhere", + "state": "CA", + "zip": "99999+1234" +} +``` + +Assuming the most compact representation of the JSON value (with unnecessary whitespace removed), we would expect to see the following request body, where space characters have been replaced with `+` and `+`, `"`, `{`, and `}` have been percent-encoded to `%2B`, `%22`, `%7B`, and `%7D`, respectively: + +```urlencoded +id=f81d4fae-7dec-11d0-a765-00a0c91e6bf6&address=%7B%22streetAddress%22:%22123+Example+Dr.%22,%22city%22:%22Somewhere%22,%22state%22:%22CA%22,%22zip%22:%2299999%2B1234%22%7D +``` + +Note that the `id` keyword is treated as `text/plain` per the [Encoding Object](#encodingObject)'s default behavior, and is serialized as-is. 
+If it were treated as `application/json`, then the serialized value would be a JSON string including quotation marks, which would be percent-encoded as `%22`. + +Here is the `id` parameter (without `address`) serialized as `application/json` instead of `text/plain`, and then encoded per RFC1866: + +```urlencoded +id=%22f81d4fae-7dec-11d0-a765-00a0c91e6bf6%22 +``` ##### Special Considerations for `multipart` Content From d7a63e6ac59c57a14f3ff1ce16d6db908caceefa Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 6 May 2024 18:53:10 -0700 Subject: [PATCH 08/61] Clarifications on RFC6570-derived behavior (3.2.0 port of 3818) This aligns allowReserved with style by similarly correlating it with RFC6570 operators. This will make it easier to write a more in-depth explanation of the process in an appendix. This also adds one of several appendixes to be added to clarify the most obscure details of Parameter Object and Encoding Object serialization. This clarifies the correspondence between OAS fields and RFC6570 operators, and acknowledges that some field values and combinations do not have analogues. It provides further guidance for how to use RFC6570 implementations to support these configurations. This includes a SHOULD directive regarding using RFC6570 expansion with the non-RFC6570 styles, as the use of "explode" and "allowReserved" does not otherwise make any sense. It perhaps could be a MUST. Examples are included to show both typical usage, and how to work around the lack of exact RFC6570 equivalences for certain configurations. --- versions/3.2.0.md | 253 +++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 251 insertions(+), 2 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index c2dba6a0a7..eff07495d4 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md
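Review bot: in PATCH 07/61, hunk `@@ -1589`, the expected body "id=f81d4fae-7dec-11d0-a765-00a0c91e6bf6&address=%7B%22streetAddress%22:%22123+Example+Dr.%22,%22city%22:..." leaves `:` and `,` unencoded even though the surrounding prose says the contents "MUST be encoded per RFC1866", and RFC 1866 section 8.2.1 replaces every non-alphanumeric character other than space with `%HH` (the WHATWG form-encoding algorithm likewise encodes them as `%3A` and `%2C`); either encode them or state which rule the example follows, since a reader checking a client implementation against this body will otherwise flag conformant output as wrong. Also, "the `id` keyword is treated as `text/plain`" should say "property": `id` is a schema property, and "keyword" means something specific in JSON Schema text.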
@@ -1095,11 +1095,13 @@ Field Name | Type | Description ---|:---:|--- style | `string` | Describes how the parameter value will be serialized depending on the type of the parameter value. Default values (based on value of `in`): for `query` - `form`; for `path` - `simple`; for `header` - `simple`; for `cookie` - `form`. explode | `boolean` | When this is true, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters this property has no effect. When [`style`](#parameterStyle) is `form`, the default value is `true`. For all other styles, the default value is `false`. -allowReserved | `boolean` | Determines whether the parameter value SHOULD allow reserved characters, as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-2.2) `:/?#[]@!$&'()*+,;=` to be included without percent-encoding. This property only applies to parameters with an `in` value of `query`. The default value is `false`. +allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#autoid-20), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#autoid-13), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#autoid-24) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see Appendices [C](#usingRFC6570Implementations) and [E](#percentEncodingAndFormMediaTypes) for details. This property only applies to parameters with an `in` value of `query`. The default value is `false`. 
schema | [Schema Object](#schemaObject) | The schema defining the type used for the parameter. example | Any | Example of the parameter's potential value; see [Working With Examples](#working-with-examples). examples | Map[ `string`, [Example Object](#exampleObject) \| [Reference Object](#referenceObject)] | Examples of the parameter's potential value; see [Working With Examples](#working-with-examples). +See also [Appendix C: Using RFC6570 Implementations](#usingRFC6570Implementations) for additional guidance. + ###### Fixed Fields and considerations for use with `content` For more complex scenarios, the [`content`](#parameterContent) property can define the media type and schema of the parameter, as well as give examples of its use. 
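Review bot: the new `allowReserved` row in the @@ -1095 hunk lists the characters with special meaning in `application/x-www-form-urlencoded` as `-`, `&`, `+`; `-` has no special meaning there, and Appendix C in this same patch names `&`, `=`, and `+` (and pre-encodes `[]#&=+`), so `-` is a typo for `=`. The same triple is copied into the Encoding Object row below; fix both.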
@@ -1652,10 +1654,12 @@ Field Name | Type | Description headers | Map[`string`, [Header Object](#headerObject) \| [Reference Object](#referenceObject)] | A map allowing additional information to be provided as headers, for example `Content-Disposition`. `Content-Type` is described separately and SHALL be ignored in this section. This property SHALL be ignored if the request body media type is not a `multipart`. style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameterObject) for details on the [`style`](#parameterStyle) property. The behavior follows the same values as `query` parameters, including default values. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties this property has no effect. When [`style`](#encodingStyle) is `form`, the default value is `true`. For all other styles, the default value is `false`. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. -allowReserved | `boolean` | Determines whether the parameter value SHOULD allow reserved characters, as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-2.2) `:/?#[]@!$&'()*+,;=` to be included without percent-encoding. The default value is `false`. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. 
If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. +allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#autoid-20), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#autoid-13), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#autoid-24) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see Appendices [C](#usingRFC6570Implementations) and [E](#percentEncodingAndFormMediaTypes) for details. This property only applies to parameters with an `in` value of `query`. The default value is `false`. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. This object MAY be extended with [Specification Extensions](#specificationExtensions). +See also [Appendix C: Using RFC6570 Implementations](#usingRFC6570Implementations) for additional guidance. + ##### Encoding Object Example `multipart/form-data` allows for binary parts: 
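Review bot: the Encoding Object `allowReserved` row in the @@ -1652 hunk carries over "This property only applies to parameters with an `in` value of `query`" from the Parameter Object; that sentence is meaningless for a property of a form body and sits oddly next to the following sentence about which media types the property applies to, so drop it here. The `-`/`=` typo in the character list carries over into this row as well.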
@@ -3857,3 +3861,248 @@ Version | Date | Notes 1.2 | 2014-03-14 | Initial release of the formal document. 1.1 | 2012-08-22 | Release of Swagger 1.1 1.0 | 2011-08-10 | First release of the Swagger Specification + +## Appendix B: Data Type Conversion + +## Appendix C: Using RFC6570 Implementations + +Serialization is defined in terms of RFC6570 URI Templates in two scenarios: + +Object | Condition +------ | --------- +[Parameter Object](#parameterObject) | When `schema` is present +[Encoding Object](#encodingObject) | When encoding for `application/x-www-form-urlencoded` and any of `style`, `explode`, or `allowReserved` are used + +Implementations of this specification MAY use an implementation of RFC6570 to perform variable expansion, however, some caveats apply. + +Note that when using `style: form` RFC6570 expansion to produce an `application/x-www-form-urlencoded` HTTP message body, it is necessary to remove the `?` prefix that is produced to satisfy the URI query string syntax. + +Note also that not all RFC6570 implementations support all four levels of operators, all of which are needed to fully support the OpenAPI Specification's usage. +Using an implementation with a lower level of support will require additional manual construction of URI Templates to work around the limitations. 
+ +### Equivalences Between Fields and RFC6570 Operators + +Certain field values translate to RFC6570 operators (or lack thereof): + +field | value | equivalent +----- | ----- | ---------- +style | simple | _n/a_ +style | matrix | `;` prefix operator +style | label | `.` prefix operator +style | form | `?` prefix operator +allowReserved | `false` | _n/a_ +allowReserved | `true` | `+` prefix operator +explode | `false` | _n/a_ +explode | `true` | `*` modifier suffix + +Multiple `style: form` parameters are equivalent to a single RFC6570 [variable list](https://www.rfc-editor.org/rfc/rfc6570#section-2.2) using the `?` prefix operator: + +```YAML +parameters: +- name: foo + in: query + schema: + type: object + explode: true +- name: bar + in: query + schema: + type: string +``` + +This example is equivalent to RFC6570's `{?foo*,bar}`, and ***NOT*** `{?foo*}{&bar}`, which is problematic because if `foo` is not defined, the result will be an invalid URI. +The `&` prefix operator has no equivalent in the Parameter Object. + +Note that RFC6570 does not specify behavior for compound values beyond the single level addressed by `explode`. The results of using objects or arrays where no behavior is clearly specified for them is implementation-defined. + +### Non-RFC6570 Field Values and Combinations + +Configurations with no direct RFC6570 equivalent SHOULD also be handled according to RFC6570. +Implementations MAY create a properly delimited URI Template with variables for individual names and values using RFC6570 regular or reserved expansion (based on `allowReserved`). 
+ +This includes: + * the styles `pipeDelimited`, `spaceDelimited`, and `deepObject`, which have no equivalents at all + * the combination of the style `form` with `allowReserved: true`, which is not allowed because only one prefix operator can be used at a time + * any parameter name that is not a legal RFC6570 variable name + +The Parameter Object's `name` field has a much more permissive syntax than [RFC6570 variable name syntax](https://www.rfc-editor.org/rfc/rfc6570#section-2.3). +A parameter name that includes characters outside of the allowed RFC6570 variable character set MUST be percent-encoded before it can be used in a URI Template. + +### Examples + +Let's say we want to use the following data in a form query string, where `formulas` is exploded, and `words` is not: + +```YAML +formulas: + a: x+y + b: x/y + c: x^y +words: +- math +- is +- fun +``` + +#### RFC6570-Equivalent Expansion + +This array of parameter objects uses regular `style: form` expansion, fully supported by RFC6570: + +```YAML +parameters: +- name: formulas + in: query + schema: + type: object + additionalProperties: + type: string + explode: true +- name: words + in: query + schema: + type: array + items: + type: string +``` + +This translates to the following URI Template: + +```urlencoded +{?formulas*,words} +``` + +when expanded with the data given earlier, we get: + +```urlencoded +?a=x%2By&b=x%2Fy&c=x%5Ey&words=math,is,fun +``` + +#### Expansion With Non-RFC6570-Supported Options + +But now let's say that (for some reason), we really want that `/` in the `b` formula to show up as-is in the query string, and we want our words to be space-separated like in a written phrase. 
+To do that, we'll add `allowReserved: true` to `formulas`, and change to `style: spaceDelimited` for `words`: + +```YAML +parameters: +- name: formulas + in: query + schema: + type: object + additionalProperties: + type: string + explode: true + allowReserved: true +- name: words + in: query + style: spaceDelimited + schema: + type: array + items: + type: string +``` + +We can't combine the `?` and `+` RFC6570 prefixes, and there's no way with RFC6570 to replace the `,` separator with a space character. +So we need to restructure the data to fit a manually constructed URI Template that passes all of the pieces through the right sort of expansion. + +Here is one such template, using a made-up convention of `words.0` for the first entry in the words value, `words.1` for the second. + +```urlencoded +?a={+a}&b={+b}&c={+c}&words={words.0} {words.1} {words.2} +``` + +RFC6570 [mentions](https://www.rfc-editor.org/rfc/rfc6570.html#section-2.4.2) the use of `.` "to indicate name hierarchy in substructures," but does not define any specific naming convention or behavior for it. +Since the `.` usage is not automatic, we'll need to construct an appropriate input structure for this new template. + +We'll also need to pre-process the values for `formulas` because while `/` and most other reserved characters are allowed in the query string by RFC3986, `[`, `]`, and `#` [are not](https://datatracker.ietf.org/doc/html/rfc3986#appendix-A), and `&`, `=`, and `+` all have [special behavior](https://www.rfc-editor.org/rfc/rfc1866#section-8.2.1) in the `application/x-www-form-urlencoded` format, which is what we are using in the query string. + +Setting `allowReserved: true` does _not_ make reserved characters that are not allowed in URIs allowed, it just allows them to be _passed through expansion unchanged._ +Therefore, any tooling still needs to percent-encode those characters because reserved expansion will not do it, but it _will_ leave the percent-encoded triples unchanged. 
+See also [Appendix E](#to indicate name hierarchy in substructures) for further guidance on percent-encoding and form media types, including guidance on handling the delimiter characters for `spaceDelimited`, `pipeDelimited`, and `deepObject` in parameter names and values. + +So here is our data structure that arranges the names and values to suit the template above, where values for `formulas` have `[]#&=+` pre-percent encoded (although only `+` appears in this example): + +```YAML +a: x%2By +b: x/y +c: x^y +words.0: math +words.1: is +words.2: fun +``` + +Expanding our manually assembled template with our restructured data yields the following query string: + +```urlencoded +?a=x%2By&b=x/y&c=x%5Ey&words=math%20is%20fun +``` +The `/` and the pre-percent-encoded `%2B` have been left alone, but the disallowed `^` character (inside a value) and space characters (in the template but outside of the expanded variables) were percent-encoded. + +#### Undefined Values and Manual URI Template Construction + +Care must be taken when manually constructing templates to handle the values that [RFC6570 considers to be _undefined_](https://datatracker.ietf.org/doc/html/rfc6570#section-2.3) correctly: + +```YAML +formulas: {} +words: +- hello +- world +``` + +Using this data with our original RFC6570-friendly URI Template, `{?formulas*,words}`, produces the following: + + +```urlencoded +?words=hello,world +``` + +This means that the manually constructed URI Template and restructured data need to leave out the `formulas` object entirely so that the `words` parameter is the first and only parameter in the query string. 
+ +Restructured data: + +```YAML +words.0: hello +words.1: world +``` + +Manually constructed URI Template: + +```urlencoded +?words={words.0} {words.1} +``` + +Result: + +```urlencoded +?words=hello%20world +``` + +#### Illegal Variable Names as Parameter Names +In this example, the heart emoji is not legal in URI Template names (or URIs): + +```YAML +parameters: +- name: ❤️ + in: query + schema: + type: string +``` + +We can't just pass `❤️: love!` to an RFC6570 implementation. +Instead, we have to pre-percent-encode the name (which is a six-octet UTF-8 sequence) in both the data and the URI Template: + +```YAML +"%E2%9D%A4%EF%B8%8F": love! +``` + +```urlencoded +{?%E2%9D%A4%EF%B8%8F} +``` + +This will expand to the result: + +```urlencoded +?%E2%9D%A4%EF%B8%8F=love%21 +``` + +## Appendix D: Serializing Headers and Cookies + +## Appendix E: Percent-Encoding and Form Media Types From 89df68ea256217c14c2d5ad2485d154e2a978b6c Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 14 Jun 2024 15:41:59 -0700 Subject: [PATCH 09/61] Fix stray mentions of parameters (3.2.0 port of 3911 1/2) --- versions/3.2.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index eff07495d4..0bdad2689e 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
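Review bot: the link `[Appendix E](#to indicate name hierarchy in substructures)` near the end of the @@ -3857 hunk has the quoted RFC6570 phrase pasted in place of the fragment; it should be `#percentEncodingAndFormMediaTypes`, the anchor the `allowReserved` rows in this patch already use. Two smaller points: `## Appendix B: Data Type Conversion`, `## Appendix D: Serializing Headers and Cookies` and `## Appendix E: Percent-Encoding and Form Media Types` are added as empty headings with no anchor elements, so the references to them point at nothing until later patches fill them in (say so in the commit message, or add a one-line stub); and "Implementations of this specification MAY use an implementation of RFC6570 to perform variable expansion, however, some caveats apply" is a comma splice that should be split at "however".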
@@ -1654,7 +1654,7 @@ Field Name | Type | Description headers | Map[`string`, [Header Object](#headerObject) \| [Reference Object](#referenceObject)] | A map allowing additional information to be provided as headers, for example `Content-Disposition`. `Content-Type` is described separately and SHALL be ignored in this section. This property SHALL be ignored if the request body media type is not a `multipart`. style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameterObject) for details on the [`style`](#parameterStyle) property. The behavior follows the same values as `query` parameters, including default values. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties this property has no effect. When [`style`](#encodingStyle) is `form`, the default value is `true`. For all other styles, the default value is `false`. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. 
-allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#autoid-20), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#autoid-13), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#autoid-24) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see Appendices [C](#usingRFC6570Implementations) and [E](#percentEncodingAndFormMediaTypes) for details. This property only applies to parameters with an `in` value of `query`. The default value is `false`. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. +allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#autoid-20), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#autoid-13), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). 
Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#autoid-24) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see Appendices [C](#usingRFC6570Implementations) and [E](#percentEncodingAndFormMediaTypes) for details. The default value is `false`. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. This object MAY be extended with [Specification Extensions](#specificationExtensions). From 9a2e2ef42f845e5ac1f865c2a198ae2c9404dc74 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Wed, 22 May 2024 15:24:19 -0700 Subject: [PATCH 10/61] Appendix on converting data types to strings (3.2.0 port of 3840) It's very unclear how numbers, booleans, and other non-UTF-8-string values are converted to strings, particularly for the form media types. This adds a brief appendix that acknowledges the lack of standardization, and points to resources for the few cases that do have specifications. It highlights concerns with relying on certain JSON Schema keywords or values for serialization, and suggests defining schemas of type string and requiring applications to perform the conversion prior to schema validation as a way to control the results. This also clarifies that schema validation occurs before serialization. Also add note about RFC6570 type conversions. The spec doesn't address it, but implementations often have their own rules. --- versions/3.2.0.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 0bdad2689e..70f99cb20e 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
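Review bot: the @@ -1654 hunk removes the stray `in: query` sentence, but the row still opens with "parameter values are serialized" and keeps `-` in "(`-`, `&`, `+`)"; since this commit is about stray parameter mentions, change "parameter values" to "property values" to match the `explode` row above it, and replace `-` with `=`, which is what Appendix C lists alongside `&` and `+`.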
@@ -1071,6 +1071,7 @@ There are four possible parameter locations specified by the `in` field: The rules for serialization of the parameter are specified in one of two ways. Parameter Objects MUST include either a `content` field or a `schema` field, but not both. +See [Appendix B](#dataTypeConversion) for a discussion of converting values of various types to string representations. ###### Common Fixed Fields @@ -1646,6 +1647,7 @@ An `encoding` attribute is introduced to give you control over the serialization #### Encoding Object A single encoding definition applied to a single schema property. +See [Appendix B](#dataTypeConversion) for a discussion of converting values of various types to string representations. ##### Fixed Fields Field Name | Type | Description 
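Review bot: both hunks (@@ -1071 and @@ -1646) link to `#dataTypeConversion`, but no anchor element for that fragment is added to the `## Appendix B: Data Type Conversion` heading in this patch's appendix hunk; the other appendix references in this series (`#usingRFC6570Implementations`, `#serializingHeadersAndCookies`) have the same gap, so either add the anchors together with the headings or confirm that the build generates these fragment ids.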
@@ -3864,6 +3866,32 @@ Version | Date | Notes ## Appendix B: Data Type Conversion +Serializing typed data to plain text, which can occur in `text/plain` message bodies or `multipart` parts, as well as in the `application/x-www-form-urlencoded` format in either URL query strings or message bodies, involves significant implementation- or application-defined behavior. + +Schema Objects validate data based on the [JSON Schema data model](https://datatracker.ietf.org/doc/html/draft-wright-json-schema-00#section-4.2), which only recognizes four primitive data types: strings (which are [only broadly interoperable as UTF-8](https://datatracker.ietf.org/doc/html/rfc7159#section-8.1)), numbers, booleans, and `null`. +Notably, integers are not a distinct type from other numbers, with `type: integer` being a convenience defined mathematically, rather than based on the presence or absence of a decimal point in any string representation. + +The [Parameter Object](#parameterObject) and [Encoding Object](#encodingObject) offer features to control how to arrange values from array or object types. +They can also be used to control how strings are further encoded to avoid reserved or illegal characters. +However, there is no general-purpose specification for converting schema-validated non-UTF-8 primitive data types (or entire arrays or objects) to strings. 
+ +Two cases do offer standards-based guidance: + +* [RFC3987 §3.1](https://datatracker.ietf.org/doc/html/rfc3987#section-3.1) provides guidance for converting non-Unicode strings to UTF-8, particularly in the context of URIs (and by extension, the form media types which use the same encoding rules) +* [RFC6570 §2.3](https://www.rfc-editor.org/rfc/rfc6570#section-2.3) specifies which values, including but not limited to `null`, are considered _undefined_ and therefore treated specially in the expansion process when serializing based on that specification + +Implementations of RFC6570 often have their own conventions for converting non-string values, but these are implementation-specific and not defined by the RFC itself. +This is one reason for the OpenAPI Specification to leave these conversions as implementation-defined: It allows using RFC6570 implementations regardless of how they choose to perform the conversions. + +To control the serialization of numbers, booleans, and `null` (or other values RFC6570 deems to be undefined) more precisely, schemas can be defined as `type: string` and constrained using `pattern`, `enum`, `format`, and other keywords to communicate how applications must pre-convert their data prior to schema validation. +The resulting strings would not require any further type conversion. + +The `format` keyword can assist in serialization. +Some formats (such as `date-time` or `byte`) are unambiguous, while others (such as [`decimal`](https://spec.openapis.org/registry/format/decimal.html) in the [Format Registry](https://spec.openapis.org/registry/format/)) are less clear. +However, care must be taken with `format` to ensure that the specific formats are supported by all relevant tools as unrecognized formats are ignored. + +Requiring input as pre-formatted, schema-validated strings also improves round-trip interoperability as not all programming languages and environments support the same data types. 
+ ## Appendix C: Using RFC6570 Implementations Serialization is defined in terms of RFC6570 URI Templates in two scenarios: From 69799df3e1062ab0dced0845c68dd5fcaea36fb7 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Wed, 22 May 2024 17:38:57 -0700 Subject: [PATCH 11/61] Warnings for header and cookie serialization (3.2.0 port of 3841) This makes serializing cookie paramters and most header parameters with `schema` and `style` NOT RECOMMENDED. It is not clear that any `schema`-based serialization for cookies will produce a correct value (although the reason is sufficiently obscure that many implementations might ignore it and produce cookie-compliant output anyway). With headers, there are numerous pitfalls and only the simplest scenarios will work properly, although perhaps the warning here could be reworded to emphasize the safe scenarios more clearly. The details are relegated to an appendix, because truly, most people will not want to know. But recommending against syntactically legal configurations really does need to be explained in the spec. Also, don't use - in: header name: Cookie Because... yeah. --- versions/3.2.0.md | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 70f99cb20e..9c6c2a6175 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md @@ -1066,7 +1066,6 @@ There are four possible parameter locations specified by the `in` field: * header - Custom headers that are expected as part of the request. Note that [RFC7230](https://tools.ietf.org/html/rfc7230#page-22) states header names are case insensitive. * cookie - Used to pass a specific cookie value to the API. - ##### Fixed Fields The rules for serialization of the parameter are specified in one of two ways. 
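Review bot: the @@ -3864 hunk cites the JSON Schema data model from `draft-wright-json-schema-00` and string interoperability from RFC7159, whereas the Security Considerations section added elsewhere in this series (PATCH 12) links JSON Schema 2020-12, and RFC7159 has been obsoleted by RFC 8259; point both citations at the current documents so the two sections agree. Also "schema-validated non-UTF-8 primitive data types" reads as if UTF-8 were a type; "non-string primitive data types" says what is meant, since the preceding sentence already covers string encoding.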
@@ -1086,12 +1085,16 @@ Field Name | Type | Description deprecated | `boolean` | Specifies that a parameter is deprecated and SHOULD be transitioned out of usage. Default value is `false`. allowEmptyValue | `boolean` | If `true`, clients MAY pass a zero-length string value in place of parameters that would otherwise be omitted entirely, which the server SHOULD interpret as the parameter being unused. Default value is `false`. If [`style`](#parameterStyle) is used, and if behavior is `n/a` (cannot be serialized), the value of `allowEmptyValue` SHALL be ignored. Interactions between this field and the parameter's [Schema Object](#schemaObject) are implementation-defined. This field is valid only for `query` parameters. Use of this property is NOT RECOMMENDED, and it is likely to be removed in a later revision. +Note that while `"Cookie"` as a `name` is not forbidden with `in: header`, the effect of defining a cookie parameter that way is undefined; use `in: cookie` instead. + ###### Fixed Fields for use with `schema` For simpler scenarios, a [`schema`](#parameterSchema) and [`style`](#parameterStyle) can describe the structure and syntax of the parameter. When `example` or `examples` are provided in conjunction with the `schema` object, the example SHOULD match the specified schema and follow the prescribed serialization strategy for the parameter. The `example` and `examples` fields are mutually exclusive, and if either is present it SHALL _override_ any `example` in the schema. +Serializing with `schema` is NOT RECOMMENDED for `in: cookie` parameters, `in: header` parameters that use HTTP header parameters (name=value pairs following a `;`) in their values, or `in: header` parameters where values might have non-URL-safe characters; see [Appendix D](#serializingHeadersAndCookies) for details. + Field Name | Type | Description ---|:---:|--- style | `string` | Describes how the parameter value will be serialized depending on the type of the parameter value. 
Default values (based on value of `in`): for `query` - `form`; for `path` - `simple`; for `header` - `simple`; for `cookie` - `form`. @@ -1103,9 +1106,10 @@ Field Name | Type | Description See also [Appendix C: Using RFC6570 Implementations](#usingRFC6570Implementations) for additional guidance. -###### Fixed Fields and considerations for use with `content` +###### Fixed Fields for use with `content` For more complex scenarios, the [`content`](#parameterContent) property can define the media type and schema of the parameter, as well as give examples of its use. +Using `content` with a `text/plain` media type is RECOMMENDED for `in: header` and `in: cookie` parameters where the `schema` strategy is not appropriate. Field Name | Type | Description ---|:---:|--- 
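Review bot: the NOT RECOMMENDED sentence added in the @@ -1086 hunk enumerates only the header cases to avoid, and the commit message itself says the safe scenarios could be emphasized more clearly; add the positive case (`style: simple` headers whose values are plain URL-safe ASCII with no `;`-delimited parameters) so that readers do not conclude that every `in: header` schema-based parameter is discouraged. Also `"Cookie"` is written with both backticks and double quotes while every other field value in these tables uses backticks only.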
@@ -4133,4 +4137,23 @@ This will expand to the result: ## Appendix D: Serializing Headers and Cookies +RFC6570's percent-encoding behavior is not always appropriate for `in: header` and `in: cookie` parameters. +In many cases, it is more appropriate to use `content` with a media type such as `text/plain` and require the application to assemble the correct string. + +For both cookies ([RFC6265](https://www.rfc-editor.org/rfc/rfc6265)) and HTTP headers using the structured fields ([RFC8941](https://www.rfc-editor.org/rfc/rfc8941)) syntax, non-ASCII content is handled using base64 encoding (`format: byte`). +Note that the standard base64 encoding alphabet includes non-URL-safe characters that are percent-encoded by RFC6570 expansion; serializing values through both encodings is NOT RECOMMENDED. + +Most HTTP headers predate the structured field syntax, and a comprehensive assessment of their syntax and encoding rules is well beyond the scope of this specification. +While [RFC8187](https://www.rfc-editor.org/rfc/rfc8187) recommends percent-encoding HTTP field (header or trailer) parameters, these parameters appear after a `;` character. +With `style: simple`, that delimiter would itself be percent-encoded, violating the general HTTP field syntax. + +Using `style: form` with `in: cookie` is ambiguous for a single value, and incorrect for multiple values. +This is true whether the multiple values are the result of using `explode: true` or not. + +This style is specified to be equivalent to RFC6570 form expansion which includes the `?` character (see Appendix C for more details), which is not part of the cookie syntax. +However, examples of this style in past versions of this specification have not included the `?` prefix, suggesting that the comparison is not exact. 
+Because implementations that rely on an RFC6570 implementation and those that perform custom serialization based on the style example will produce different results, it is implementation-defined as to which of the two results is correct. + +For multiple values, `style: form` is always incorrect as name=value pairs in cookies are delimited by `; ` (a semicolon followed by a space character) rather than `&`. + ## Appendix E: Percent-Encoding and Form Media Types From 8c6215ede87f0a02d8794c6e32d9184b4e6a00ba Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sun, 9 Jun 2024 10:16:49 -0700 Subject: [PATCH 12/61] Add Security Considerations (3.2.0 port of 3894) This adds the previously standalone security considerations document as a top-level section just before the appendices. --- versions/3.2.0.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 9c6c2a6175..55999ef51a 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
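Review bot: in the @@ -4133 hunk, "(see Appendix C for more details)" is the only appendix cross-reference in this series without a link; use `[Appendix C](#usingRFC6570Implementations)` as the `allowReserved` rows do. The cookie paragraphs also say both that the single-value `style: form` case is "ambiguous" and that "it is implementation-defined as to which of the two results is correct"; state once which form (with or without the `?` prefix) implementations should expect, or say plainly that this specification does not define it, rather than both.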
@@ -3847,6 +3847,31 @@ Two examples of this: 1. The [Paths Object](#pathsObject) MAY be present but empty. It may be counterintuitive, but this may tell the viewer that they got to the right place, but can't access any documentation. They would still have access to at least the [Info Object](#infoObject) which may contain additional information regarding authentication. 2. The [Path Item Object](#pathItemObject) MAY be empty. In this case, the viewer will be aware that the path exists, but will not be able to see any of its operations or parameters. This is different from hiding the path itself from the [Paths Object](#pathsObject), because the user will be aware of its existence. This allows the documentation provider to finely control what the viewer can see. +## Security Considerations + +### OpenAPI Document Formats + +OpenAPI documents use JSON, YAML, and JSON Schema, and therefore share their security considerations: +- [JSON](https://www.iana.org/assignments/media-types/application/json) +- [YAML](https://www.iana.org/assignments/media-types/application/yaml) +- [JSON Schema Core](https://json-schema.org/draft/2020-12/json-schema-core#section-13) +- [JSON Schema Validation](https://json-schema.org/draft/2020-12/json-schema-validation#name-security-considerations) + +### Tooling and Usage Scenarios + +In addition, OpenAPI documents are processed by a wide variety of tooling for numerous different purposes, such as client code generation, documentation generation, server side routing, and API testing. OpenAPI document authors must consider the risks of the scenarios where the OpenAPI document may be used. + +### Security Schemes + +An OpenAPI document describes the security schemes used to protect the resources it defines. The security schemes available offer varying degrees of protection. Factors such as the sensitivity of the data and the potential impact of a security breach should guide the selection of security schemes for the API resources. 
Some security schemes, such as basic auth and OAuth Implicit flow, are supported for compatibility with existing APIs. However, their inclusion in OpenAPI does not constitute an endorsement of their use, particularly for highly sensitive data or operations. + +### Handling External Resources + +OpenAPI documents may contain references to external resources that may be dereferenced automatically by consuming tools. External resources may be hosted on different domains that may be untrusted. References in an OpenAPI document, or across OpenAPI documents may cause a cycle. Tooling must detect and handle cycles to prevent resource exhaustion. + +### Markdown and HTML Sanitization + +Certain properties allow the use of Markdown which can contain HTML including script. It is the responsibility of tooling to appropriately sanitize the Markdown. ## Appendix A: Revision History From 5dc44710fe9f575d5d34a5cc87aa1bafad11ba25 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 27 May 2024 14:04:59 -0700 Subject: [PATCH 13/61] Link to the Learn and Spec sites (3.2.0 port of 3861 1/11) Guide readers to supplemental documentation, examples, related specificatioins, and extension registries. These sites answer many questions that otherwise get raised as GitHub issues. --- versions/3.2.0.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 55999ef51a..0d06dc4120 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
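Review bot: "Tooling must detect and handle cycles" (Handling External Resources) and "should guide the selection of security schemes" (Security Schemes) use lower-case keywords, whereas this document writes normative requirements as MUST/SHOULD/MAY (see the Rich Text Formatting text later in this series); either capitalize them or reword so they are clearly non-normative. The Handling External Resources paragraph names the risk (references "hosted on different domains that may be untrusted" being "dereferenced automatically by consuming tools") but places no requirement on it beyond cycle detection; consider adding that tooling SHOULD NOT dereference external references automatically without explicit configuration or user consent, and that fetched content is to be treated as untrusted input. In Markdown and HTML Sanitization, it is the HTML produced from the Markdown, not the Markdown source, that needs sanitizing before rendering; say so, and cross-link to the Rich Text Formatting section, which already lets tooling ignore CommonMark features "to address security concerns". Finally, this patch adds a new top-level `## Security Considerations` heading but touches no other hunk; check that the Table of Contents is updated.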
@@ -12,6 +12,10 @@ The OpenAPI Specification (OAS) defines a standard, language-agnostic interface An OpenAPI definition can then be used by documentation generation tools to display the API, code generation tools to generate servers and clients in various programming languages, testing tools, and many other use cases. +For examples of OpenAPI usage and additional documentation, please visit [learn.openapis.org](https://learn.openapis.org/). + +For extension registries and other specifications published by the OpenAPI Initiative, please visit [spec.openapis.org](https://spec.openapis.org/) + ## Table of Contents From 63e2976919ddb1407813147386cc2f07251c1b9e Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 27 May 2024 14:10:42 -0700 Subject: [PATCH 14/61] Clarify "Schema" (3.2.0 port of 3861 2/11) --- versions/3.2.0.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 0d06dc4120..9f792e5681 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md @@ -236,6 +236,11 @@ Unless specified otherwise, relative references are resolved using the URLs defi ### Schema +This section describes the structure of the OpenAPI Description format. +This text is the only normative description of the format. +A JSON Schema is hosted on [spec.openapis.org](https://spec.openapis.org) for informational purposes. +If the JSON Schema differs from this section, then this section MUST be considered authoritative. + In the following description, if a field is not explicitly **REQUIRED** or described with a MUST or SHALL, it can be considered OPTIONAL. #### OpenAPI Object From 103b74700adb6b4f0a83b64a6f1b6371ad6319ca Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 27 May 2024 14:17:21 -0700 Subject: [PATCH 15/61] Global HTTP case-(in)sensitivity rule (3.2.0 port of 3861 3/11) --- versions/3.2.0.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 9f792e5681..5e2543adf3 100644 
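Review bot: in PATCH 13/61 the second added sentence, "please visit [spec.openapis.org](https://spec.openapis.org/)", is missing its terminating period, unlike the sentence before it; the commit message also misspells "specificatioins".

Review bot: in PATCH 14/61, "A JSON Schema is hosted on [spec.openapis.org](https://spec.openapis.org) for informational purposes" links only to the site root; link the schema document itself so readers can find the non-normative artifact the sentence refers to. The following sentence, "If the JSON Schema differs from this section, then this section MUST be considered authoritative", restates "This text is the only normative description of the format"; keep the MUST form and drop the other, or merge them into one sentence.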
--- a/versions/3.2.0.md +++ b/versions/3.2.0.md @@ -103,6 +103,11 @@ Some examples of possible media type definitions: The HTTP Status Codes are used to indicate the status of the executed operation. The available status codes are defined by [RFC7231](https://tools.ietf.org/html/rfc7231#section-6) and registered status codes are listed in the [IANA Status Code Registry](https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml). +##### HTTP and Case Sensitivity + +As most field names and values in the OpenAPI Specification are case-sensitive, this document endeavors to call out any case-insensitive names and values. +However, the case sensitivity of field names and values that map directly to HTTP concepts follow the case sensitivity rules of HTTP, even if this document does not make a note of every concept. + ##### Undefined and Implementation-Defined Behavior This specification deems certain situations to have either _undefined_ or _implementation-defined_ behavior. From 1384645eac421cb26c5bd3a05fdebc324bc6fb9f Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 27 May 2024 14:25:46 -0700 Subject: [PATCH 16/61] Improved description of XML examples (3.2.0 port of 3861 4/11) --- versions/3.2.0.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 5e2543adf3..0ed00bbaaa 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
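Review bot: subject-verb agreement in the new HTTP and Case Sensitivity paragraph: "the case sensitivity of field names and values that map directly to HTTP concepts follow the case sensitivity rules of HTTP" should read "follows", since the subject is "the case sensitivity". Since the paragraph is a blanket deferral to HTTP's rules, one or two concrete examples of OAS fields whose case rules come from HTTP rather than from this document would make it actionable.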
@@ -3249,7 +3249,8 @@ This object MAY be extended with [Specification Extensions](#specificationExtens ##### XML Object Examples -The examples of the XML object definitions are included inside a property definition of a [Schema Object](#schemaObject) with a sample of the XML representation of it. +Each of the following examples represent the value of the `properties` keyword in a [Schema Object](#schemaObject) that is omitted for brevity. +The JSON and YAML representations of the `properties` value are followed by an example XML representation produced for the single property shown. ###### No XML Element From a897f7b438a35ba12016c74ae30aa0145ed3dac5 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 27 May 2024 14:45:49 -0700 Subject: [PATCH 17/61] Clarify CommonMark extensibility. (3.2.0 port of 3861 5/11) --- versions/3.2.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 0ed00bbaaa..bb9d569077 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md @@ -222,7 +222,7 @@ OAS < 3.1 | OAS 3.1+ | Comments ### Rich Text Formatting Throughout the specification `description` fields are noted as supporting CommonMark markdown formatting. -Where OpenAPI tooling renders rich text it MUST support, at a minimum, markdown syntax as described by [CommonMark 0.27](https://spec.commonmark.org/0.27/). Tooling MAY choose to ignore some CommonMark features to address security concerns. +Where OpenAPI tooling renders rich text it MUST support, at a minimum, markdown syntax as described by [CommonMark 0.27](https://spec.commonmark.org/0.27/). Tooling MAY choose to implement extensions on top of CommonMark 0.27, and MAY choose to ignore some CommonMark or extension features to address security concerns. ### Relative References in URIs From 009c5c922b1938682069d74d04132951cb11a319 Mon Sep 17 00:00:00 2001 
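Review bot: in PATCH 16/61, "Each of the following examples represent the value" should be "represents" (the subject is "Each"), and "a [Schema Object](#schemaObject) that is omitted for brevity" is ambiguous about what is omitted; suggest "the value of the `properties` keyword of a [Schema Object](#schemaObject); the rest of the Schema Object is omitted for brevity".

Review bot: in PATCH 17/61, allowing tooling to "implement extensions on top of CommonMark 0.27" in the same sentence as the MUST-support minimum says nothing about the interoperability of such extensions, so an author reading only this sentence may assume extension syntax renders everywhere; PATCH 21/61 later in this series adds exactly that caveat, and the two could be squashed so the intermediate wording never lands.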
From: "Henry H. Andrews" Date: Mon, 27 May 2024 15:11:58 -0700 Subject: [PATCH 18/61] Add description to the Example Object (3.2.0 port of 3861 6/11) Co-authored-by: Lorna Jane Mitchell --- versions/3.2.0.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index bb9d569077..d7a02b1999 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md @@ -2044,6 +2044,11 @@ transactionCallback: #### Example Object +An object grouping an internal or external example value with basic `summary` and `description` metadata. +This object is typically used in properties named `examples` (plural), and is a [referenceable](#referenceObject) alternative to older `example` (singular) fields that do not support referencing or metadata. + +Examples allow demonstration of the usage of properties, parameters and objects within OpenAPI. + ##### Fixed Fields Field Name | Type | Description ---|:---:|--- From 724071b1c1feebcdd429e888d1dc8b4e0c4bc7ff Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 3 Jun 2024 10:33:37 -0700 Subject: [PATCH 19/61] Mention the format registry in the data types section (3.2.0 port of 3861 7/11) Co-authored-by: Ralf Handl --- versions/3.2.0.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index d7a02b1999..e0424192ab 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
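Review bot: the new Example Object description says the object is "typically used in properties named `examples`", but this document calls these "fields" (the table directly below is headed "Fixed Fields"); use "fields named `examples`" for consistency. In the same sentence, "older `example` (singular) fields that do not support referencing or metadata" is correct but could be read as a limitation of this object; "which cannot be referenced and carry no metadata" makes clear the limitation belongs to the singular fields.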
@@ -172,7 +172,9 @@ Models are defined using the [Schema Object](#schemaObject), which is a superset As defined by the [JSON Schema Validation specification](https://tools.ietf.org/html/draft-bhutton-json-schema-validation-00#section-7.3), data types can have an optional modifier property: `format`. As described in that specification, `format` is treated as a non-validating annotation by default; the ability to validate `format` varies across implementations. -OAS defines additional formats to provide fine detail for primitive data types. +The OpenAPI Initiative also hosts a [Format Registry](https://spec.openapis.org/registry/format/) for formats defined by OAS users and other specifications. Support for any registered format is strictly OPTIONAL, and support for one registered format does not imply support for any others. + +Types that are not accompanied by a `format` property follow the type definition in the JSON Schema. Tools that do not recognize a specific `format` MAY default back to the `type` alone, as if the `format` is not specified. The formats defined by the OAS are: From 89c1d21414e8e8c79e02ce46d302e7ae85bad0e7 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Tue, 4 Jun 2024 08:28:05 -0700 Subject: [PATCH 20/61] Note extension registry in extensions section. (3.2.0 port of 3861 8/11) --- versions/3.2.0.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index e0424192ab..11cf34dc4d 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
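Review bot: this hunk deletes "OAS defines additional formats to provide fine detail for primitive data types" but keeps the following "The formats defined by the OAS are:" lead-in, so the format table now follows a paragraph about the registry and about falling back to `type` with no introduction of the OAS-defined formats, and the "also" in "The OpenAPI Initiative also hosts a [Format Registry]" no longer has anything to refer back to; restore a short lead-in sentence before the table. Minor: "follow the type definition in the JSON Schema" should be "in JSON Schema".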
@@ -3853,9 +3853,14 @@ The extensions properties are implemented as patterned fields that are always pr Field Pattern | Type | Description ---|:---:|--- -^x- | Any | Allows extensions to the OpenAPI Schema. The field name MUST begin with `x-`, for example, `x-internal-id`. Field names beginning `x-oai-` and `x-oas-` are reserved for uses defined by the [OpenAPI Initiative](https://www.openapis.org/). The value can be `null`, a primitive, an array or an object. +^x- | Any | Allows extensions to the OpenAPI Schema. The field name MUST begin with `x-`, for example, `x-internal-id`. Field names beginning `x-oai-` and `x-oas-` are reserved for uses defined by the [OpenAPI Initiative](https://www.openapis.org/). The value can be any valid JSON format value (`null`, a primitive, an array or an object.) -The extensions may or may not be supported by the available tooling, but those may be extended as well to add requested support (if tools are internal or open-sourced). +The OpenAPI Initiative maintains several [extension registries](https://spec.openapis.org/registry/index.html), including registries for [individual extension keywords](https://spec.openapis.org/registry/extension/) and [extension keyword namespaces](https://spec.openapis.org/registry/namespace/). + +Extensions are one of the best ways to prove the viability of proposed additions to the specification. +It is therefore RECOMMENDED that implementations be designed for extensibility to support community experimentation. + +Support for any one extension is OPTIONAL, and support for one extension does not imply support for others. ### Security Filtering From 6e1b94cb92b5afad156f49bfb91c9df6d5b8552f Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Wed, 5 Jun 2024 11:28:32 -0700 Subject: [PATCH 21/61] Warn of interop issues w/Markdown extensions (3.2.0 port of 3861 9/11) Thanks to @lornajane for the review feedback. --- versions/3.2.0.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
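Review bot: in the `^x-` row, the closing period sits inside the parenthesis: "(`null`, a primitive, an array or an object.)" should be "(`null`, a primitive, an array or an object)." Also, "Support for any one extension is OPTIONAL, and support for one extension does not imply support for others" is separated from the registry sentence it qualifies by the experimentation paragraph; placing it directly after the registry sentence matches how the Format Registry paragraph in PATCH 19/61 keeps the OPTIONAL statement next to the registry link.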
diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 11cf34dc4d..d6470ba9f0 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md @@ -224,7 +224,11 @@ OAS < 3.1 | OAS 3.1+ | Comments ### Rich Text Formatting Throughout the specification `description` fields are noted as supporting CommonMark markdown formatting. -Where OpenAPI tooling renders rich text it MUST support, at a minimum, markdown syntax as described by [CommonMark 0.27](https://spec.commonmark.org/0.27/). Tooling MAY choose to implement extensions on top of CommonMark 0.27, and MAY choose to ignore some CommonMark or extension features to address security concerns. +Where OpenAPI tooling renders rich text it MUST support, at a minimum, markdown syntax as described by [CommonMark 0.27](https://spec.commonmark.org/0.27/). Tooling MAY choose to ignore some CommonMark or extension features to address security concerns. + +While the framing of CommonMark 0.27 as a minimum requirement means that tooling MAY choose to implement extensions on top of it, note that any such extensions are by definition implementation-defined and will not be interoperable. +OpenAPI Description authors SHOULD consider how text using such extensions will be rendered by tools that offer only the minimum support. + ### Relative References in URIs From 562bac0782bf825e16fb12aac289045f0ab7533d Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Wed, 5 Jun 2024 11:41:16 -0700 Subject: [PATCH 22/61] Clarify version (Info Object) further (3.2.0 port of 3861 10/11) --- versions/3.2.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index d6470ba9f0..7ef4d00a47 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
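Review bot: the added empty `+` line immediately before `### Relative References in URIs` sits next to the existing blank context line, leaving two consecutive blank lines; drop the added one. The new paragraph says "OpenAPI Description authors", while the Security Considerations text in this series says "OpenAPI document authors"; pick one term. Finally, the retained sentence "Tooling MAY choose to ignore some CommonMark or extension features" now mentions extension features before the next paragraph introduces extensions; moving the MAY-ignore sentence after the new paragraph fixes the ordering.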
@@ -291,7 +291,7 @@ Field Name | Type | Description termsOfService | `string` | A URL to the Terms of Service for the API. This MUST be in the form of a URL. contact | [Contact Object](#contactObject) | The contact information for the exposed API. license | [License Object](#licenseObject) | The license information for the exposed API. -version | `string` | **REQUIRED**. The version of the OpenAPI document (which is distinct from the [OpenAPI Specification version](#oasVersion) or the API implementation version). +version | `string` | **REQUIRED**. The version of the OpenAPI document (which is distinct from the [OpenAPI Specification version](#oasVersion) or the version of API being described). This object MAY be extended with [Specification Extensions](#specificationExtensions). From d0cf4fa80236a4e3d7190c79148b5d5b5908bfd0 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 8 Jun 2024 13:45:01 -0700 Subject: [PATCH 23/61] Clarify confusing use of YAML "JSON Schema" (3.2.0 port of 3861 11/11) When we mention YAML's "Failsafe schema" we give it a lower-case "schem", as the YAML documentatio does. We also prefix it with "YAML". However, we capitalize "Schema" in "JSON Schema ruleset", which (given how much JSON Schema is used in the OAS) is a jarring overlap with "JSON Schema". This change aligns "YAML JSON schema ruleset" with "YAML Failsafe ruleset" and explicitly calls out that it is unrelated to JSON Schema. --- versions/3.2.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 7ef4d00a47..1cfc043110 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
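Review bot: "the version of API being described" is missing an article: "the version of the API being described". The commit message of the following PATCH 23/61 also has "schem" for "schema" and "documentatio" for "documentation".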
@@ -151,7 +151,7 @@ Patterned fields MUST have unique names within the containing object. In order to preserve the ability to round-trip between YAML and JSON formats, YAML version [1.2](https://yaml.org/spec/1.2/spec.html) is RECOMMENDED along with some additional constraints: -- Tags MUST be limited to those allowed by the [JSON Schema ruleset](https://yaml.org/spec/1.2/spec.html#id2803231). +- Tags MUST be limited to those allowed by [YAML's JSON schema ruleset](https://yaml.org/spec/1.2/spec.html#id2803231), which defines a subset of the YAML syntax and is unrelated to [JSON Schema](https://tools.ietf.org/html/draft-wright-json-schema-00). - Keys used in YAML maps MUST be limited to a scalar string, as defined by the [YAML Failsafe schema ruleset](https://yaml.org/spec/1.2/spec.html#id2802346). **Note:** While APIs may be defined by OpenAPI documents in either YAML or JSON format, the API request and response bodies and other content are not required to be JSON or YAML. From e614e9a077e53089be93c42b063656550e3b2508 Mon Sep 17 00:00:00 2001 
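Review bot: the new text links "JSON Schema" to `https://tools.ietf.org/html/draft-wright-json-schema-00`, while elsewhere in this series the document references JSON Schema 2020-12 (the Security Considerations links) and `draft-bhutton-json-schema-validation-00` (the data types section); pointing at an older draft here will confuse readers about which JSON Schema dialect the OAS uses, so link the same 2020-12 document. The anchor text "YAML's JSON schema ruleset", with lower-case "schema", does what the commit message intends and should stay.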
From: "Henry H. Andrews" Date: Sat, 25 May 2024 15:26:11 -0700 Subject: [PATCH 24/61] Encoding Object content and header clarifications (3.2.0 port of 3857 1/4) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Encoding Object's `contentType` field takes a comma-separated list of either regular or wildcarded media types. These are the "two types" mentioned in the previous wording – "two" here did *not* refer to a limit on the number of entries in the list. These are not exactly media-type or media-range values, as both of those include parameters. This change also moves the hard-to-follow list of default values out of the individual field cell and into its own table. It takes `Content-Disposition` out of the header field's cell and instead explains limitations on header usage, and explains how `Content-Disposition` is used for encoding. This explanation includes a suggestion on how other `multipart` formats could be used with an Encoding Object, since their unnamed parts otherwise cannot be supported. Finally, it clarifies the interaction between `contentType` and the three fields imported from the Parameter Object, by aligning the recommended (but not, for compatibility reasons, required) behavior with guidance added in 3.1.0. --- versions/3.2.0.md | 39 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 37 insertions(+), 2 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 1cfc043110..e4e98c5f1e 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md
@@ -1673,19 +1673,54 @@ An `encoding` attribute is introduced to give you control over the serialization A single encoding definition applied to a single schema property. See [Appendix B](#dataTypeConversion) for a discussion of converting values of various types to string representations. +Properties are correlated with `multipart` parts using the `name` parameter to `Content-Disposition: form-data`, and with `application/x-www-form-urlencoded` using the query string paramter names. +In both cases, their order is implementation-defined. + ##### Fixed Fields Field Name | Type | Description ---|:---:|--- -contentType | `string` | The Content-Type for encoding a specific property. Default value depends on the property type: for `object` - `application/json`; for `array` – the default is defined based on the inner type; for all other cases the default is `application/octet-stream`. The value can be a specific media type (e.g. `application/json`), a wildcard media type (e.g. `image/*`), or a comma-separated list of the two types. -headers | Map[`string`, [Header Object](#headerObject) \| [Reference Object](#referenceObject)] | A map allowing additional information to be provided as headers, for example `Content-Disposition`. `Content-Type` is described separately and SHALL be ignored in this section. This property SHALL be ignored if the request body media type is not a `multipart`. +contentType | `string` | The `Content-Type` for encoding a specific property. The value is a comma-separated list, each element of which is either a specific media type (e.g. `image/png`) or a wildcard media type (e.g. `image/*`). Default value depends on the property type as shown in the table below. +headers | Map[`string`, [Header Object](#headerObject) \| [Reference Object](#referenceObject)] | A map allowing additional information to be provided as headers. `Content-Type` is described separately and SHALL be ignored in this section. 
This property SHALL be ignored if the request body media type is not a `multipart`. style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameterObject) for details on the [`style`](#parameterStyle) property. The behavior follows the same values as `query` parameters, including default values. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties this property has no effect. When [`style`](#encodingStyle) is `form`, the default value is `true`. For all other styles, the default value is `false`. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#autoid-20), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#autoid-13), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). 
Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#autoid-24) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see Appendices [C](#usingRFC6570Implementations) and [E](#percentEncodingAndFormMediaTypes) for details. The default value is `false`. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. This object MAY be extended with [Specification Extensions](#specificationExtensions). +The default values for `contentType` are as follows: + +Property Type | Property Format | Default `contentType` +------------- | --------------- | --------------------- +`string` | `binary` | `application/octet-stream` +`string`, `number`, `integer`, or `boolean` | _n/a_ | `text/plain` +`object` | _n/a_ | `application/json` +`array` | _n/a_ | according to the `type` and `format` of the `items` schema + See also [Appendix C: Using RFC6570 Implementations](#usingRFC6570Implementations) for additional guidance. +###### Encoding `multipart` Media Types + +The `form-data` disposition and its `name` parameter are mandatory for `multipart/form-data` ([RFC7578 §4.2](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.2)). +Array properties are handled by applying the same `name` to multiple parts, as is recommended by [RFC7578 §4.2](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.3) for supplying multiple values per form field. +See [RFC7578 §5](https://www.rfc-editor.org/rfc/rfc7578.html#section-5) for guidance regarding non-ASCII part names. 
+ +Various other `multipart` types, most notable `multipart/mixed` ([RFC2046 §5.1.3](https://www.rfc-editor.org/rfc/rfc2046.html#section-5.1.3)) neither require nor forbid specific `Content-Disposition` values, which means care must be taken to ensure that any values used are supported by all relevant software. +It is not currently possible to correlate schema properties with unnamed, ordered parts in media types such as `multipart/mixed`, but implementations MAY choose to support such types when `Content-Disposition: form-data` is used with a `name` parameter. + +Note that there are significant restrictions on what headers can be used with `multipart` media types in general ([RFC2046 §5.1](https://www.rfc-editor.org/rfc/rfc2046.html#section-5.1)) and `multi-part/form-data` in particular ([RFC7578 §4.8](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.8)). + +Note also that `Content-Transfer-Encoding` is deprecated for `multipart/form-data` ([RFC7578 §4.7](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.7)) where binary data is supported, as it is in HTTP. +Using `format: byte` for a multipart field is equivalent to setting `Content-Transfer-Encoding: base64`. +If `format: byte` is used along with setting a different `Content-Transfer-Encoding` value with the `headers` field, the result is undefined. + +###### Encoding the `application/x-www-form-urlencoded` Media Type + +The role of `contentType` with `application/x-www-form-urlencoded` request bodies was not described in detail in version 3.0.3 and earlier of this specification. +To match the intent of these fields and be compatible with version 3.1 of this specification, it is RECOMMENDED that whenever any of `style`, `explode`, or `allowReserved` are present with an explicit values, that the value of `contentType`, whether it is explicitly defined or has the default value, be ignored. 
+Likewise, if all three of those fields are absent, it is RECOMMENDED that they be ignored, and that encoding be based on `contentType` alone. + +This makes the presence of at least one of `style`, `explode`, or `allowReserved` with an explicit value equivalent to using `schema` with `in: query` Parameter Objects, and their absence the equivalent of using `content`, but with the media type specified in `contentType` rather than through a Media Type Object. + ##### Encoding Object Example `multipart/form-data` allows for binary parts: From 359401bd40989d14ffa7c34c96d6bf294ac3961b Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Wed, 5 Jun 2024 11:19:01 -0700 Subject: [PATCH 25/61] Reword default handling (3.2.0 port of 3857 2/4) Thanks to @notEthan for the comments! --- versions/3.2.0.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index e4e98c5f1e..f59c605928 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
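Review bot: the second RFC7578 citation in the new "Encoding `multipart` Media Types" subsection reads "[RFC7578 §4.2](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.3)": the link target is section 4.3 but the anchor text says §4.2 (the first citation, on the mandatory `form-data` disposition, correctly pairs §4.2 with `#section-4.2`); the anchor text should be §4.3. Second, the deleted `contentType` description said "for all other cases the default is `application/octet-stream`", while the new default table gives `text/plain` for non-binary `string`, `number`, `integer` and `boolean`; if that is a deliberate change it should be named in the commit message rather than presented as moving the list into a table. Third, "Note also that `Content-Transfer-Encoding` is deprecated for `multipart/form-data`" is immediately followed by "Using `format: byte` for a multipart field is equivalent to setting `Content-Transfer-Encoding: base64`", which reads as endorsing a deprecated mechanism; a sentence on when `format: byte` is still appropriate would help. Typos: "query string paramter names" (parameter), "most notable `multipart/mixed`" (most notably), "`multi-part/form-data`" (multipart/form-data), "present with an explicit values" (an explicit value; PATCH 25/61 happens to fix this last one).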
@@ -1716,8 +1716,15 @@ If `format: byte` is used along with setting a different `Content-Transfer-Encod ###### Encoding the `application/x-www-form-urlencoded` Media Type The role of `contentType` with `application/x-www-form-urlencoded` request bodies was not described in detail in version 3.0.3 and earlier of this specification. -To match the intent of these fields and be compatible with version 3.1 of this specification, it is RECOMMENDED that whenever any of `style`, `explode`, or `allowReserved` are present with an explicit values, that the value of `contentType`, whether it is explicitly defined or has the default value, be ignored. -Likewise, if all three of those fields are absent, it is RECOMMENDED that they be ignored, and that encoding be based on `contentType` alone. +To match the intent of these fields and be compatible with version 3.1 of this specification, it is RECOMMENDED that whenever any of `style`, `explode`, or `allowReserved` are present with an explicit value: + +* The value of `contentType`, whether it is explicitly defined or has the default value, is to be ignored +* If any of `style`, `explode`, or `allowReserved` are _not_ present with explicit values, then they are to be treated as if they were present with their default values + +However, if all three of `style`, `explode`, and `allowReserved` fields are absent, it is RECOMMENDED that: + +* All three keywords are to be entirely ignored, rather than treated as having their default values +* Encoding is to be based on `contentType` alone, whether it is present with an explicit value or absent and treated as having its default value This makes the presence of at least one of `style`, `explode`, or `allowReserved` with an explicit value equivalent to using `schema` with `in: query` Parameter Objects, and their absence the equivalent of using `content`, but with the media type specified in `contentType` rather than through a Media Type Object. 
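Review bot: "if all three of `style`, `explode`, and `allowReserved` fields are absent" mixes two constructions; use "if all three of `style`, `explode`, and `allowReserved` are absent", matching the phrasing of the first list. In the bullets, "it is RECOMMENDED that ... is to be ignored" and "are to be treated" stack two modal constructions under a RECOMMENDED; the subjunctive form the replaced sentence used ("be ignored", "be treated") reads correctly after "it is RECOMMENDED that".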
From 2a2d39c55281554ee36e040b44e3139d7198add6 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 10 Jun 2024 16:25:51 -0700 Subject: [PATCH 26/61] Split up Encoding fields like Param/Header (3.2.0 port of 3857 3/4) This splits the Encoding Object's fixed fields table to make the usage more clear, and closer to how it is presented for the Parameter and Header Objects. --- versions/3.2.0.md | 46 ++++++++++++++++++++++++++-------------------- 1 file changed, 26 insertions(+), 20 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index f59c605928..43ac0c5dc6 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md
@@ -1676,14 +1676,14 @@ See [Appendix B](#dataTypeConversion) for a discussion of converting values of v Properties are correlated with `multipart` parts using the `name` parameter to `Content-Disposition: form-data`, and with `application/x-www-form-urlencoded` using the query string paramter names. In both cases, their order is implementation-defined. -##### Fixed Fields +###### Common Fixed Fields + +These fields MAY be used either with or without the RFC6570-style serialization fields defined in the next section below. + Field Name | Type | Description ---|:---:|--- contentType | `string` | The `Content-Type` for encoding a specific property. The value is a comma-separated list, each element of which is either a specific media type (e.g. `image/png`) or a wildcard media type (e.g. `image/*`). Default value depends on the property type as shown in the table below. headers | Map[`string`, [Header Object](#headerObject) \| [Reference Object](#referenceObject)] | A map allowing additional information to be provided as headers. `Content-Type` is described separately and SHALL be ignored in this section. This property SHALL be ignored if the request body media type is not a `multipart`. -style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameterObject) for details on the [`style`](#parameterStyle) property. The behavior follows the same values as `query` parameters, including default values. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. -explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties this property has no effect. 
When [`style`](#encodingStyle) is `form`, the default value is `true`. For all other styles, the default value is `false`. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. -allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#autoid-20), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#autoid-13), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#autoid-24) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see Appendices [C](#usingRFC6570Implementations) and [E](#percentEncodingAndFormMediaTypes) for details. The default value is `false`. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. This object MAY be extended with [Specification Extensions](#specificationExtensions). 
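Review bot: The new `###### Common Fixed Fields` heading is one level deeper than the `##### Fixed Fields for RFC6570-style Serialization` heading that the next hunk adds for the other half of the split table, so the two halves of one fixed-fields table end up at different heading levels; put both at the same level (the Parameter Object's `###### Common Fixed Fields` uses six hashes for both halves). In the new intro sentence, "in the next section below" is redundant; "in the next section" is enough.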
@@ -1696,24 +1696,15 @@ Property Type | Property Format | Default `contentType` `object` | _n/a_ | `application/json` `array` | _n/a_ | according to the `type` and `format` of the `items` schema -See also [Appendix C: Using RFC6570 Implementations](#usingRFC6570Implementations) for additional guidance. +##### Fixed Fields for RFC6570-style Serialization -###### Encoding `multipart` Media Types - -The `form-data` disposition and its `name` parameter are mandatory for `multipart/form-data` ([RFC7578 §4.2](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.2)). -Array properties are handled by applying the same `name` to multiple parts, as is recommended by [RFC7578 §4.2](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.3) for supplying multiple values per form field. -See [RFC7578 §5](https://www.rfc-editor.org/rfc/rfc7578.html#section-5) for guidance regarding non-ASCII part names. - -Various other `multipart` types, most notable `multipart/mixed` ([RFC2046 §5.1.3](https://www.rfc-editor.org/rfc/rfc2046.html#section-5.1.3)) neither require nor forbid specific `Content-Disposition` values, which means care must be taken to ensure that any values used are supported by all relevant software. -It is not currently possible to correlate schema properties with unnamed, ordered parts in media types such as `multipart/mixed`, but implementations MAY choose to support such types when `Content-Disposition: form-data` is used with a `name` parameter. - -Note that there are significant restrictions on what headers can be used with `multipart` media types in general ([RFC2046 §5.1](https://www.rfc-editor.org/rfc/rfc2046.html#section-5.1)) and `multi-part/form-data` in particular ([RFC7578 §4.8](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.8)). - -Note also that `Content-Transfer-Encoding` is deprecated for `multipart/form-data` ([RFC7578 §4.7](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.7)) where binary data is supported, as it is in HTTP. 
-Using `format: byte` for a multipart field is equivalent to setting `Content-Transfer-Encoding: base64`. -If `format: byte` is used along with setting a different `Content-Transfer-Encoding` value with the `headers` field, the result is undefined. +Field Name | Type | Description +---|:---:|--- +style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameterObject) for details on the [`style`](#parameterStyle) property. The behavior follows the same values as `query` parameters, including default values. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. +explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties this property has no effect. When [`style`](#encodingStyle) is `form`, the default value is `true`. For all other styles, the default value is `false`. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. +allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#autoid-20), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#autoid-13), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). 
Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#autoid-24) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see Appendices [C](#usingRFC6570Implementations) and [E](#percentEncodingAndFormMediaTypes) for details. The default value is `false`. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. -###### Encoding the `application/x-www-form-urlencoded` Media Type +See also [Appendix C: Using RFC6570 Implementations](#usingRFC6570Implementations) for additional guidance. The role of `contentType` with `application/x-www-form-urlencoded` request bodies was not described in detail in version 3.0.3 and earlier of this specification. To match the intent of these fields and be compatible with version 3.1 of this specification, it is RECOMMENDED that whenever any of `style`, `explode`, or `allowReserved` are present with an explicit value: 
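Review bot: The re-added `allowReserved` row lists the characters with special meaning in `application/x-www-form-urlencoded` as (`-`, `&`, `+`); the pair delimiter is `=`, not `-`, as the Appendix E text in this same series states ("special behavior for `=`, `&`, and `+`"), so fix the `-` here while the row is being moved. Separately, deleting the `###### Encoding the application/x-www-form-urlencoded Media Type` heading leaves the paragraph "The role of `contentType` with `application/x-www-form-urlencoded` request bodies ..." sitting directly under the RFC6570 fixed-fields table with no heading of its own, so a reader scanning headings can no longer find the form-urlencoded guidance; keep a heading above that paragraph.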
@@ -1728,6 +1719,21 @@ However, if all three of `style`, `explode`, and `allowReserved` fields are abse This makes the presence of at least one of `style`, `explode`, or `allowReserved` with an explicit value equivalent to using `schema` with `in: query` Parameter Objects, and their absence the equivalent of using `content`, but with the media type specified in `contentType` rather than through a Media Type Object. +###### Encoding `multipart` Media Types + +The `form-data` disposition and its `name` parameter are mandatory for `multipart/form-data` ([RFC7578 §4.2](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.2)). +Array properties are handled by applying the same `name` to multiple parts, as is recommended by [RFC7578 §4.3](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.3) for supplying multiple values per form field. +See [RFC7578 §5](https://www.rfc-editor.org/rfc/rfc7578.html#section-5) for guidance regarding non-ASCII part names. + +Various other `multipart` types, most notable `multipart/mixed` ([RFC2046 §5.1.3](https://www.rfc-editor.org/rfc/rfc2046.html#section-5.1.3)) neither require nor forbid specific `Content-Disposition` values, which means care must be taken to ensure that any values used are supported by all relevant software. +It is not currently possible to correlate schema properties with unnamed, ordered parts in media types such as `multipart/mixed`, but implementations MAY choose to support such types when `Content-Disposition: form-data` is used with a `name` parameter. + +Note that there are significant restrictions on what headers can be used with `multipart` media types in general ([RFC2046 §5.1](https://www.rfc-editor.org/rfc/rfc2046.html#section-5.1)) and `multi-part/form-data` in particular ([RFC7578 §4.8](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.8)). 
+ +Note also that `Content-Transfer-Encoding` is deprecated for `multipart/form-data` ([RFC7578 §4.7](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.7)) where binary data is supported, as it is in HTTP. +Using `format: byte` for a multipart field is equivalent to setting `Content-Transfer-Encoding: base64`. +If `format: byte` is used along with setting a different `Content-Transfer-Encoding` value with the `headers` field, the result is undefined. + ##### Encoding Object Example `multipart/form-data` allows for binary parts: From ad1f495eaf10c3f81293fbce7954890ca6aedaed Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Tue, 11 Jun 2024 11:21:09 -0700 Subject: [PATCH 27/61] Discuss null values and contentType (3.2.0 port of 3857 4/4) --- versions/3.2.0.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 43ac0c5dc6..29c0576e1f 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
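Review bot: In the `Encoding multipart Media Types` section re-added by the last hunk of PATCH 26/61, two wording defects are carried over unchanged and should be fixed while the text is being moved: "most notable `multipart/mixed`" should read "most notably", and `multi-part/form-data` should be `multipart/form-data` to match the media type name used everywhere else. The move also silently corrects the link text of the second RFC7578 reference from §4.2 to §4.3 to match its `#section-4.3` target; that is right, but a move-only commit should mention the fix in its message.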
@@ -1687,15 +1687,20 @@ Field Name | Type | Description This object MAY be extended with [Specification Extensions](#specificationExtensions). -The default values for `contentType` are as follows: +The default values for `contentType` are as follows, where an _n/a_ in the `format` column means that the presence or value of `format` is irrelevant: -Property Type | Property Format | Default `contentType` +Property `type` | Property `format` | Default `contentType` ------------- | --------------- | --------------------- `string` | `binary` | `application/octet-stream` -`string`, `number`, `integer`, or `boolean` | _n/a_ | `text/plain` +`string` | _none, or any except `binary`_ | `text/plain` +`number`, `integer`, or `boolean` | _n/a_ | `text/plain` `object` | _n/a_ | `application/json` `array` | _n/a_ | according to the `type` and `format` of the `items` schema +Determining how to handle `null` values if `nullable: true` is present depends on how `null` values are being serialized. +If `null` values are entirely omitted, then the `contentType` is irrelevant. +See [Appendix B](#dataTypeConversion) for a discussion of data type conversion options. + ##### Fixed Fields for RFC6570-style Serialization Field Name | Type | Description From 2fb7835fecc64cc78cefc9c61d38e004e3dbb950 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 25 May 2024 15:50:29 -0700 Subject: [PATCH 28/61] Appendix for percent-encoding concerns (3.2.0 port of 3859 1/3) Percent-encoding is a minefield, although in practice it mostly works. This appendix attempts to acknowledge the concerns and then define enough terminology and link to enough other specifications that interested readers will be able to research further details. --- versions/3.2.0.md | 102 ++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 98 insertions(+), 4 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 29c0576e1f..9df5ef1e86 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
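Review bot: The added `null` guidance refers to `nullable: true`, but `nullable` is an OpenAPI 3.0 keyword; from 3.1 onward the Schema Object is a JSON Schema, where nullability is expressed by including `"null"` in `type` (e.g. `type: ["string", "null"]`). Since this is the 3.2.0 port of 3857, reword to something like "Determining how to handle `null` values if the schema allows them (`"null"` in `type`) depends on ...". The paragraph is also incomplete as guidance: it says the `contentType` is irrelevant when `null` values are omitted, but not which `contentType` applies when they are serialized; either state which row of the table applies in that case or say explicitly that Appendix B decides it.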
@@ -1079,6 +1079,8 @@ Describes a single operation parameter. A unique parameter is defined by a combination of a [name](#parameterName) and [location](#parameterIn). +See [Appendix E](#percentEncodingAndFormMediaTypes) for a detailed examination of percent-encoding concerns, including interactions with the `application/x-www-form-urlencoded` query string format. + ##### Parameter Locations There are four possible parameter locations specified by the `in` field: * path - Used together with [Path Templating](#pathTemplating), where the parameter value is actually part of the operation's URL. This does not include the host or base path of the API. For example, in `/items/{itemId}`, the path parameter is `itemId`. @@ -1149,7 +1151,7 @@ spaceDelimited | `array`, `object` | `query` | Space separated array values or o pipeDelimited | `array`, `object` | `query` | Pipe separated array values or object properties and values. This option replaces `collectionFormat` equal to `pipes` from OpenAPI 2.0. deepObject | `object` | `query` | Provides a simple way of rendering nested objects using form parameters. -The behavior of applying a style that uses a delimiter to data containing that delimiter is not defined, and is therefore NOT RECOMMENDED. To ensure interoperability, any such delimiter characters need to be escaped prior to serializing with the style, and unescaped after parsing. In the case of `spaceDelimited`, care must be taken to avoid confusing interactions with URL parameter encoding of spaces. +See [Appendix E](#percentEncodingAndFormMediaTypes) for a discussion of percent-encoding, including when delimiters need to be percent-encoded and options for handling collisions with percent-encoded data. ##### Style Examples 
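Review bot: The second hunk (`@@ -1149`) replaces the normative statement that applying a delimiter-based style to data containing that delimiter is undefined and NOT RECOMMENDED with a bare cross-reference to Appendix E. The appendix text added by this same patch only says that defining an escape convention or avoiding these styles is RECOMMENDED; it never states that the behavior on an unescaped delimiter collision is undefined. Keep a one-sentence statement of that here (or add it to Appendix E) so the move does not weaken the requirement.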
@@ -1160,7 +1162,8 @@ Assume a parameter named `color` has one of the following values: array -> ["blue","black","brown"] object -> { "R": 100, "G": 200, "B": 150 } ``` -The following table shows examples of rendering differences for each value. +The following table shows examples of the different serializations for each value. +The examples are percent-encoded as required by RFC6570 and RFC3986; see [Appendix E](#percentEncodingAndFormMediaTypes) for a thorough discussion of percent-encoding concerns, including why unencoded `|` (`%7C`), `[` (`%5B`), and `]` (`%5D`) seem to work in some environments despite not being compliant. [`style`](#styleValues) | `explode` | `empty` | `string` | `array` | `object` ----------- | ------ | -------- | -------- | -------- | ------- @@ -1173,8 +1176,8 @@ simple | true | n/a | blue | blue,black,brown | R=100,G=200,B=150 form | false | color= | color=blue | color=blue,black,brown | color=R,100,G,200,B,150 form | true | color= | color=blue | color=blue&color=black&color=brown | R=100&G=200&B=150 spaceDelimited | false | n/a | n/a | color=blue%20black%20brown | color=R%20100%20G%20200%20B%20150 -pipeDelimited | false | n/a | n/a | color=blue\|black\|brown | color=R\|100\|G\|200\|B\|150 -deepObject | true | n/a | n/a | n/a | color[R]=100&color[G]=200&color[B]=150 +pipeDelimited | false | n/a | n/a | color=blue%7Cblack%7Cbrown | color=R%7C100%7CG%7C200%7CB%7C150 +deepObject | true | n/a | n/a | n/a | color%5BR%5D=100&color%5BG%5D=200&color%5BB%5D=150 This object MAY be extended with [Specification Extensions](#specificationExtensions). 
@@ -1616,6 +1619,8 @@ Here is the `id` parameter (without `address`) serialized as `application/json` id=%22f81d4fae-7dec-11d0-a765-00a0c91e6bf6%22 ``` +See [Appendix E](#percentEncodingAndFormMediaTypes) for a detailed examination of percent-encoding concerns for form media types. + ##### Special Considerations for `multipart` Content It is common to use `multipart/form-data` as a `Content-Type` when transferring request bodies to operations. In contrast to 2.0, a `schema` is REQUIRED to define the input parameters to the operation when using `multipart` content. This supports complex structures as well as supporting mechanisms for multiple file uploads. @@ -1676,6 +1681,8 @@ See [Appendix B](#dataTypeConversion) for a discussion of converting values of v Properties are correlated with `multipart` parts using the `name` parameter to `Content-Disposition: form-data`, and with `application/x-www-form-urlencoded` using the query string paramter names. In both cases, their order is implementation-defined. +See [Appendix E](#percentEncodingAndFormMediaTypes) for a detailed examination of percent-encoding concerns for form media types. + ###### Common Fixed Fields These fields MAY be used either with or without the RFC6570-style serialization fields defined in the next section below. 
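Review bot: In the last hunk (`@@ -1676`), the unchanged context line directly above the inserted cross-reference still reads "query string paramter names"; fix the typo to "parameter" while this paragraph is being touched.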
@@ -4266,3 +4273,90 @@ Because implementations that rely on an RFC6570 implementation and those that pe For multiple values, `style: form` is always incorrect as name=value pairs in cookies are delimited by `; ` (a semicolon followed by a space character) rather than `&`. ## Appendix E: Percent-Encoding and Form Media Types + +_**NOTE:** In this section, the `application/x-www-form-urlencoded` and `multipart/form-data` media types are abbreviated as `form-urlencoded` and `form-data`, respectively, for readability._ + +Percent-encoding is used in URIs and media types that derive their syntax from URIs. +This process is concerned with three sets of characters, the names of which vary among specifications but are defined as follows for the purposes of this section: + +* _unreserved_ characters do not need to be percent-encoded; while it is safe to percent-encode them, doing so produces a URI that is [not normalized](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.2) +* _reserved_ characters either have special behavior in the URI syntax (such as delimiting components) or are reserved for other specifications that need to define special behavior (e.g. `form-urlencoded` defines special behavior for `=`, `&`, and `+`) +* _unsafe_ characters are known to cause problems when parsing URIs in certain environments + +Unless otherwise specified, this section uses RFC3986's definition of [reserved](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2) and [unreserved](https://datatracker.ietf.org/doc/html/rfc3986#section-2.3), and defines the unsafe set as all characters not included in either of those sets. + +### Percent-Encoding and `form-urlencoded` + +Each URI component (such as the query string) considers some of the reserved characters to be unsafe, either because they serve as delimiters between the components (e.g. 
`#`), or (in the case of `[` and `]`) were historically considered globally unsafe but were later given reserved status for limited purposes. + +Reserved characters with no special meaning defined within a component can be left un-percent encoded. +However, other specifications can define special meanings, requiring percent-encoding for those characters outside of the additional special meanings. + +The `form-urlencoded` media type defines special meanings for `=` and `&` as delimiters, and `+` as the replacement for the space character (instead of its percent-encoded form of `%20`). +This means that while these three characters are reserved-but-allowed in query strings by RFC3986, they must be percent-encoded in `form-urlencoded` query strings except when used for their `form-urlencoded` purposes; see [Appendix C](#usingRFC6570Implementations) for an example of handling `+` in form values. + +### Percent-Encoding and `form-data` + +[RFC7578 §2](https://datatracker.ietf.org/doc/html/rfc7578#section-2) suggests RFC3986-based percent-encoding as a mechanism to keep text-based per-part header data such as file names within the ASCII character set. +This suggestion was not part of older (pre-2015) specifications for `form-data`, so care must be taken to ensure interoperability. + +The `form-data` media type allows arbitrary text or binary data in its parts, so percent-encoding is not needed and is likely to cause interoperability problems unless the `Content-Type` of the part is defined to require it. + +### Generating and Validating URIs and `form-urlencoded` Strings + +URI percent encoding and the `form-urlencoded` media type have complex specification histories spanning multiple revisions and, in some cases, conflicting claims of ownership by different standards bodies. 
+Unfortunately, these specifications each define slightly different percent-encoding rules, which need to be taken into account if the URIs or `form-urlencoded` message bodies will be subject to strict validation. +(Note that many URI parsers do not perform validation by default.) + +This specification normatively cites the following relevant standards: + +Specification | Date | OAS Usage | Percent-Encoding | Notes +------------- | ---- | --------- | ----- | ----- +[RFC3986 URI Generic Syntax](https://datatracker.ietf.org/doc/html/rfc3986) | 01/2005 | URI/URL syntax | RFC3986 | obsoletes RFC1738, RFC2396 +[RFC6570 URI Template](https://datatracker.ietf.org/doc/html/rfc6570) | 03/2012 | style-based serialization | RFC3986 | does not use `+` for form‑urlencoded +[RFC1866 §8.2.1 form‑urlencoded](https://datatracker.ietf.org/doc/html/rfc1866#section-8.2.1) | 11/1995 | content-based serialization | RFC1738 | obsoleted by [HTML 4.01 §17.13.4.1](https://www.w3.org/TR/html401/interact/forms.html#h-17.13.4.1), [WHATWG URL §5](https://url.spec.whatwg.org/#urlencoded-serializing) + +Style-based serialization is used in the [Parameter Object](#parameterObject) when `schema` is present, and in the [Encoding Object](#encodingObject) when at least one of `style`, `explode`, or `allowReserved` is present. +See [Appendix C](#usingRFC6570Implementations) for more details of RFC6570's two different approaches to percent-encoding, including an example involving `+`. + +Content-based serialization is defined by the [Media Type Object](#mediaTypeObject), and used with the [Parameter Object](#parameterObject) when the `content` field is present, and with the [Encoding Object](#encodingObject) based on the `contentType` field when the style fields listed in the previous section are absent. +Each part is encoded based on the media type (e.g. `text/plain` or `application/json`), and must then be percent-encoded for use in a `form-urlencoded` string. 
+ +Note that content-based serialization for `form-data` does not expect or require percent-encoding in the data, only in per-part header values. + +#### Interoperability with Historical Specifications + +In most cases, generating query strings in strict compliance with RFC3986 is sufficient to pass validation (including JSON Schema's `format: uri` and `format: uri-reference`), but some `form-urlencoded` implementations still expect the slightly more restrictive RFC1738 rules to be used. + +Since all RFC1738-compliant URIs are compliant with RFC3986, applications needing to ensure historical interoperability SHOULD use RFC1738's rules. + +#### Interoperability with Web Browser Environments + +WHATWG is a [web browser-oriented](https://whatwg.org/faq#what-is-the-whatwg-working-on) standards group that has defined a "URL Living Standard" for parsing and serializing URLs in a browser context, including parsing and serializing `form-urlencoded` data. +WHATWG's percent-encoding rules for query strings are different depending on whether the query string is [being treated as `form-urlencoded`](https://url.spec.whatwg.org/#application-x-www-form-urlencoded-percent-encode-set) (where it requires more percent-encoding than RFC1738) or [as part of the generic syntax](https://url.spec.whatwg.org/#query-percent-encode-set), where it allows characters that RFC3986 forbids. + +Implementations needing maximum compatibility with web browsers SHOULD use WHATWG's `form-urlencoded` percent-encoding rules. +However, they SHOULD NOT rely on WHATWG's less stringent generic query string rules, as the resulting URLs would fail RFC3986 validation, including JSON Schema's `format: uri` and `format: uri-reference`. + +### Decoding URIs and `form-urlencoded` Strings + +The percent-decoding algorithm does not care which characters were or were not percent-decoded, which means that URIs percent-encoded according to any specification will be decoded correctly. 
+ +Similarly, all `form-urlencoded` decoding algorithms simply add `+`-for-space handling to the percent-decoding algorithm, and will work regardless of the encoding specification used. + +However, care must be taken to use `form-urlencoded` decoding if `+` represents a space, and to use regular percent-decoding if `+` represents itself as a literal value. + +### Percent-Encoding and Illegal or Reserved Delimiters + +The `[` and `]`, `|`, and space characters, which are used as delimiters for the `deepObject`, `pipeDelimited`, and `spaceDelimited` styles, respectively, all MUST be percent-encoded to comply with RFC3986. +This requires users to pre-encode the character(s) in some other way in parameter names and values to distinguish them from the delimiter usage when using one of these styles. + +The space character is always illegal and encoded in some way by all implementations of all versions of the relevant standards. +While one could use the `form-urlencoded` convention of `+` to distinguish spaces in parameter names and values from `spaceDelimited` delimiters encoded as `%20`, the specifications define the decoding as a single pass, making it impossible to distinguish the different usages in the decoded result. + +Some environments use `[`, `]`, and possibly `|` unencoded in query strings without apparent difficulties, and WHATWG's generic query string rules do not require percent-encoding them. +Code that relies on leaving these delimiters unencoded, while using regular percent-encoding for them within names and values, is not guaranteed to be interoperable across all implementations. + +For maximum interoperability, it is RECOMMENDED to either define and document an additional escape convention while percent-encoding the delimiters for these styles, or to avoid these styles entirely. 
+The exact method of additional encoding/escaping is left to the API designer, and is expected to be performed before serialization and encoding described in this specification, and reversed after this specification's encoding and serialization steps are reversed. +This keeps it outside of the processes governed by this specification. From 9ecd6b24de35c8e3ef515c90f7deb2f3d4262db6 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 8 Jun 2024 15:43:46 -0700 Subject: [PATCH 29/61] Further clarify style+explode examples (3.2.0 port of 3859 2/3) This aligns all examples with RFC6570 operator prefixing behavior, which was previously only shown for `matrix` and `label`. The non-RFC6570 styles (`spaceDelimited`, `pipeDelimited`, and `deepObject`) are treated as analogues of `form` and therefore prefixed with a `?`. The lack of suitability of this for cookie parameters has been addressed with an appendix in another change, and the appendix has been stubbed out here to ensure that the link is valid. Switch the "empty" column heading to "undefined" to align with RFC6570 and make clear that it is not about `allowEmptyValue` --- versions/3.2.0.md | 40 +++++++++++++++++++++++++--------------- 1 file changed, 25 insertions(+), 15 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 9df5ef1e86..6b41c0e412 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md @@ -1094,6 +1094,8 @@ The rules for serialization of the parameter are specified in one of two ways. Parameter Objects MUST include either a `content` field or a `schema` field, but not both. See [Appendix B](#dataTypeConversion) for a discussion of converting values of various types to string representations. +This object MAY be extended with [Specification Extensions](#specificationExtensions). + ###### Common Fixed Fields These fields MAY be used with either `content` or `schema`.
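Review bot: In the new Appendix E section "Decoding URIs and `form-urlencoded` Strings" (PATCH 28/61), the sentence "The percent-decoding algorithm does not care which characters were or were not percent-decoded" should say "percent-encoded": the point being made is that a decoder accepts input encoded under any of the listed rule sets, not that it ignores prior decoding. Two smaller wording issues in the same hunk: "The `[` and `]`, `|`, and space characters" reads awkwardly (suggest "The `[`, `]`, `|`, and space characters"), and the table's "Percent-Encoding" column names RFC1738 as a rule set without pointing the reader at where those rules are defined, although the "Interoperability with Historical Specifications" subsection then asks applications to follow them; add a link to the relevant RFC1738 text.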
@@ -1105,7 +1107,7 @@ Field Name | Type | Description description | `string` | A brief description of the parameter. This could contain examples of use. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. required | `boolean` | Determines whether this parameter is mandatory. If the [parameter location](#parameterIn) is `"path"`, this property is **REQUIRED** and its value MUST be `true`. Otherwise, the property MAY be included and its default value is `false`. deprecated | `boolean` | Specifies that a parameter is deprecated and SHOULD be transitioned out of usage. Default value is `false`. - allowEmptyValue | `boolean` | If `true`, clients MAY pass a zero-length string value in place of parameters that would otherwise be omitted entirely, which the server SHOULD interpret as the parameter being unused. Default value is `false`. If [`style`](#parameterStyle) is used, and if behavior is `n/a` (cannot be serialized), the value of `allowEmptyValue` SHALL be ignored. Interactions between this field and the parameter's [Schema Object](#schemaObject) are implementation-defined. This field is valid only for `query` parameters. Use of this property is NOT RECOMMENDED, and it is likely to be removed in a later revision. + allowEmptyValue | `boolean` | If `true`, clients MAY pass a zero-length string value in place of parameters that would otherwise be omitted entirely, which the server SHOULD interpret as the parameter being unused. Default value is `false`. If [`style`](#parameterStyle) is used, and if [behavior is _n/a_ (cannot be serialized)](#style-examples), the value of `allowEmptyValue` SHALL be ignored. Interactions between this field and the parameter's [Schema Object](#schemaObject) are implementation-defined. This field is valid only for `query` parameters. Use of this property is NOT RECOMMENDED, and it is likely to be removed in a later revision. 
Note that while `"Cookie"` as a `name` is not forbidden with `in: header`, the effect of defining a cookie parameter that way is undefined; use `in: cookie` instead. 
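Review bot: The new link target `#style-examples` follows GitHub's auto-generated heading-anchor convention, whereas every other cross-reference in this table uses the document's explicit camelCase anchors (`#parameterStyle`, `#schemaObject`, `#parameterIn`); confirm that an anchor for the Style Examples heading actually exists in the rendered spec, or add one in the document's usual form and link to that. Both the old and the new `allowEmptyValue` rows also begin with a leading space, unlike the other rows of the table; drop it while editing the row.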
@@ -1120,7 +1122,7 @@ Serializing with `schema` is NOT RECOMMENDED for `in: cookie` parameters, `in: h Field Name | Type | Description ---|:---:|--- style | `string` | Describes how the parameter value will be serialized depending on the type of the parameter value. Default values (based on value of `in`): for `query` - `form`; for `path` - `simple`; for `header` - `simple`; for `cookie` - `form`. -explode | `boolean` | When this is true, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters this property has no effect. When [`style`](#parameterStyle) is `form`, the default value is `true`. For all other styles, the default value is `false`. +explode | `boolean` | When this is true, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters this property has no effect. When [`style`](#parameterStyle) is `form`, the default value is `true`. For all other styles, the default value is `false`. Note that despite `false` being the default for `deepObject`, the combination of `false` with `deepObject` is undefined. allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#autoid-20), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#autoid-13), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). 
Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#autoid-24) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see Appendices [C](#usingRFC6570Implementations) and [E](#percentEncodingAndFormMediaTypes) for details. This property only applies to parameters with an `in` value of `query`. The default value is `false`. schema | [Schema Object](#schemaObject) | The schema defining the type used for the parameter. example | Any | Example of the parameter's potential value; see [Working With Examples](#working-with-examples). 
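Review bot: The added sentence for `explode` ("despite `false` being the default for `deepObject`, the combination of `false` with `deepObject` is undefined") leaves the practical consequence implicit: a `deepObject` parameter only has defined behavior when `explode: true` is set explicitly. Say so directly, e.g. "Note that the default of `false` does not give defined behavior for `deepObject`; `explode` MUST be set to `true` for that style." That also matches the `deepObject | false | _n/a_ ...` row this patch adds to the style examples table.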
@@ -1162,8 +1164,15 @@ Assume a parameter named `color` has one of the following values: array -> ["blue","black","brown"] object -> { "R": 100, "G": 200, "B": 150 } ``` -The following table shows examples of the different serializations for each value. -The examples are percent-encoded as required by RFC6570 and RFC3986; see [Appendix E](#percentEncodingAndFormMediaTypes) for a thorough discussion of percent-encoding concerns, including why unencoded `|` (`%7C`), `[` (`%5B`), and `]` (`%5D`) seem to work in some environments despite not being compliant. + +The following table shows examples, as would be shown with the `example` or `examples` keywords, of the different serializations for each value. + +* The value _empty_ denotes the empty string, and is unrelated to the `allowEmptyValue` field +* The behavior of combinations marked _n/a_ is undefined +* The `undefined` replaces the `empty` column in previous versions of this specification in order to better align with [RFC6570 §2.3](https://www.rfc-editor.org/rfc/rfc6570.html#section-2.3) terminology, which describes certain values including but not limited to `null` as "undefined" values with special handling; notably, the empty string is _not_ undefined +* For `form` and the non-RFC6570 query string styles `spaceDelimited`, `pipeDelimited`, and `deepObject`, each example is shown prefixed with `?` as if it were the only query parameter; see [Appendix C](#usingRFC6570Implementations) for more information on constructing query strings from multiple parameters, and [Appendix D](#serializingHeadersAndCookies) for warnings regarding `form` and cookie parameters +* Note that the `?` prefix is not appropriate for serializing `application/x-www-form-urlencoded` HTTP message bodies, and MUST be stripped or (if constructing the string manually) not added when used in that context; see the [Encoding Object](#encodingObject) for more information +* The examples are percent-encoded as required by RFC6570 and RFC3986; see 
[Appendix E](#percentEncodingAndFormMediaTypes) for a thorough discussion of percent-encoding concerns, including why unencoded `|` (`%7C`), `[` (`%5B`), and `]` (`%5D`) seem to work in some environments despite not being compliant. [`style`](#styleValues) | `explode` | `empty` | `string` | `array` | `object` ----------- | ------ | -------- | -------- | -------- | ------- 
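Review bot: The third bullet states that `undefined` "replaces the `empty` column", but the table header immediately below still reads `` `empty` ``; rename the header to `undefined` in this hunk, otherwise the bullet describes a change that did not happen. The bullet is also missing a noun ("The `undefined` column replaces the `empty` column"), and since the first bullet defines the cell value _empty_ as the empty string, keeping the column name distinct from that value is what makes the table readable.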
@@ -1171,15 +1180,16 @@ matrix | false | ;color | ;color=blue | ;color=blue,black,brown | ;color=R,100,G matrix | true | ;color | ;color=blue | ;color=blue;color=black;color=brown | ;R=100;G=200;B=150 label | false | . | .blue | .blue.black.brown | .R.100.G.200.B.150 label | true | . | .blue | .blue.black.brown | .R=100.G=200.B=150 -simple | false | n/a | blue | blue,black,brown | R,100,G,200,B,150 -simple | true | n/a | blue | blue,black,brown | R=100,G=200,B=150 -form | false | color= | color=blue | color=blue,black,brown | color=R,100,G,200,B,150 -form | true | color= | color=blue | color=blue&color=black&color=brown | R=100&G=200&B=150 -spaceDelimited | false | n/a | n/a | color=blue%20black%20brown | color=R%20100%20G%20200%20B%20150 -pipeDelimited | false | n/a | n/a | color=blue%7Cblack%7Cbrown | color=R%7C100%7CG%7C200%7CB%7C150 -deepObject | true | n/a | n/a | n/a | color%5BR%5D=100&color%5BG%5D=200&color%5BB%5D=150 - -This object MAY be extended with [Specification Extensions](#specificationExtensions). +simple | false | _empty_ | blue | blue,black,brown | R,100,G,200,B,150 +simple | true | _empty_ | blue | blue,black,brown | R=100,G=200,B=150 +form | false | ?color= | ?color=blue | ?color=blue,black,brown | ?color=R,100,G,200,B,150 +form | true | ?color= | ?color=blue | ?color=blue&color=black&color=brown | ?R=100&G=200&B=150 +spaceDelimited | false | _n/a_ | _n/a_ | ?color=blue%20black%20brown | ?color=R%20100%20G%20200%20B%20150 +spaceDelimited | true | _n/a_ | _n/a_ | _n/a_ | _n/a_ +pipeDelimited | false | _n/a_ | _n/a_ | ?color=blue%7Cblack%7Cbrown | ?color=R%7C100%7CG%7C200%7CB%7C150 +pipeDelimited | true | _n/a_ | _n/a_ | _n/a_ | _n/a_ +deepObject | false | _n/a_ | _n/a_ | _n/a_ | _n/a_ +deepObject | true | _n/a_ | _n/a_ | _n/a_ | ?color%5BR%5D=100&color%5BG%5D=200&color%5BB%5D=150 ##### Parameter Object Examples 
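Review bot: This hunk deletes "This object MAY be extended with [Specification Extensions]" from the Parameter Object without re-adding it anywhere in the same commit, so at this point in the series the Parameter Object no longer says extensions are permitted. If a later commit relocates the sentence, say so in this commit's message; otherwise move it here in the same change.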
@@ -1712,8 +1722,8 @@ See [Appendix B](#dataTypeConversion) for a discussion of data type conversion o Field Name | Type | Description ---|:---:|--- -style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameterObject) for details on the [`style`](#parameterStyle) property. The behavior follows the same values as `query` parameters, including default values. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. -explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties this property has no effect. When [`style`](#encodingStyle) is `form`, the default value is `true`. For all other styles, the default value is `false`. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. +style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameterObject) for details on the [`style`](#parameterStyle) property. The behavior follows the same values as `query` parameters, including default values. Note that the initial `?` using in query strings is not used in `applcation/x-www-form-urlencoded` message bodies, and MUST be removed (if using an RFC6570 implementation) or simply not added (if constructing the string manually). This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. 
If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. +explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties this property has no effect. When [`style`](#encodingStyle) is `form`, the default value is `true`. For all other styles, the default value is `false`. Note that despite `false` being the default for `deepObject`, the combination of `false` with `deepObject` is undefined. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#autoid-20), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#autoid-13), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#autoid-24) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see Appendices [C](#usingRFC6570Implementations) and [E](#percentEncodingAndFormMediaTypes) for details. The default value is `false`. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. 
If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. See also [Appendix C: Using RFC6570 Implementations](#usingRFC6570Implementations) for additional guidance. From f21b5796e6685c9eebae98b224f46b8eb8d96cda Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 10 Jun 2024 15:40:42 -0700 Subject: [PATCH 30/61] Update Header for changes to copied fields (3.2.0 port of 3859 3/3, 3911 2/2) --- versions/3.2.0.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 6b41c0e412..e54ec45d65 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
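Review bot: Two typos in the new `style` text: "the initial `?` using in query strings" should be "used in", and "`applcation/x-www-form-urlencoded`" is missing an "i". This sentence also restates, almost word for word, the `?`-stripping bullet added to the Style Examples section; consider a single normative statement in one place and a cross-reference from the other, so the two cannot drift apart.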
@@ -2492,13 +2492,16 @@ When `example` or `examples` are provided in conjunction with the `schema` objec Serializing with `schema` is NOT RECOMMENDED for headers with parameters (name=value pairs following a `;`) in their values, or where values might have non-URL-safe characters; see [Appendix D](#serializingHeadersAndCookies) for details. +When `example` or `examples` are provided in conjunction with the `schema` object, the example SHOULD match the specified schema and follow the prescribed serialization strategy for the header. +The `example` and `examples` fields are mutually exclusive, and if either is present it SHALL _override_ any `example` in the schema. + Field Name | Type | Description ---|:---:|--- style | `string` | Describes how the header value will be serialized. The default (and only legal value for headers) is `simple`. explode | `boolean` | When this is true, header values of type `array` or `object` generate a single header whose value is a comma-separated list of the array items or key-value pairs of the map, see [Style Examples](#style-examples). For other data types this property has no effect. The default value is `false`. schema | [Schema Object](#schemaObject) \| [Reference Object](#referenceObject) | The schema defining the type used for the header. -example | Any | Example of the header's potential value. The example SHOULD match the specified schema and encoding properties if present. The `example` field is mutually exclusive of the `examples` field. Furthermore, if referencing a `schema` that contains an example, the `example` value SHALL _override_ the example provided by the schema. To represent examples of media types that cannot naturally be represented in JSON or YAML, a string value can contain the example with escaping where necessary. -examples | Map[ `string`, [Example Object](#exampleObject) \| [Reference Object](#referenceObject)] | Examples of the header's potential value. 
Each example SHOULD contain a value in the correct format as specified in the header encoding. The `examples` field is mutually exclusive of the `example` field. Furthermore, if referencing a `schema` that contains an example, the `examples` value SHALL _override_ the example provided by the schema. +example | Any | Example of the header's potential value; see [Working With Examples](#working-with-examples). +examples | Map[ `string`, [Example Object](#exampleObject) \| [Reference Object](#referenceObject)] | Examples of the header's potential value; see [Working With Examples](#working-with-examples). See also [Appendix C: Using RFC6570 Implementations](#usingRFC6570Implementations) for additional guidance. From c8c48909077672b2da074d20a3c9d5c8dd10e036 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 15 Jun 2024 09:44:24 -0700 Subject: [PATCH 31/61] Include Header Object in data serialization list (3.2.0 port of 3917) The PR adding Appendix B pre-dated giving the Header Object its own field tables. This adds "Header Object" to the list of relevant Objects along with the Paramter Object and the Encoding Object. --- versions/3.2.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index e54ec45d65..62fdfe7196 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
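Review bot: The added paragraph is placed beneath an existing sentence (the one shown in this hunk's `@@` context) that opens with the same words and, in the 3.1 text, ends "MUST follow the prescribed serialization strategy for the header". Unless that line has already been removed, the Header Object now carries both a MUST and a SHOULD for the same requirement, which is exactly the contradiction the Parameter Object commit set out to remove. Replace the old sentence instead of adding beside it, matching what was done for the Parameter Object.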
@@ -4004,7 +4004,7 @@ Serializing typed data to plain text, which can occur in `text/plain` message bo Schema Objects validate data based on the [JSON Schema data model](https://datatracker.ietf.org/doc/html/draft-wright-json-schema-00#section-4.2), which only recognizes four primitive data types: strings (which are [only broadly interoperable as UTF-8](https://datatracker.ietf.org/doc/html/rfc7159#section-8.1)), numbers, booleans, and `null`. Notably, integers are not a distinct type from other numbers, with `type: integer` being a convenience defined mathematically, rather than based on the presence or absence of a decimal point in any string representation. -The [Parameter Object](#parameterObject) and [Encoding Object](#encodingObject) offer features to control how to arrange values from array or object types. +The [Parameter Object](#parameterObject), [Header Object](#headerObject) and [Encoding Object](#encodingObject) offer features to control how to arrange values from array or object types. They can also be used to control how strings are further encoded to avoid reserved or illegal characters. However, there is no general-purpose specification for converting schema-validated non-UTF-8 primitive data types (or entire arrays or objects) to strings. From 5e81bd6a77ed89d25614378aa226b3c977699853 Mon Sep 17 00:00:00 2001 
From: "Henry H. Andrews" Date: Sun, 9 Jun 2024 10:55:39 -0700 Subject: [PATCH 32/61] Fix XML namespace syntax (3.2.0 port of 3905) The XML Object's namespace field was changed from "URL" to "absolute URI" because relative references in a namespace are deprecated by XML, and the base URI to use for resolving them in the context of an OpenAPI Description is unclear. However, XML namespaces can include fragments, and the correct term is "non-relative URI" rather than "absolute URI" which forbids fragments. This change includes additional guidance on how XML usage and the requirements of this specification do not quite align. --- versions/3.2.0.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 62fdfe7196..601d5a8bdc 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
@@ -3324,13 +3324,19 @@ See examples for expected behavior. Field Name | Type | Description ---|:---:|--- name | `string` | Replaces the name of the element/attribute used for the described schema property. When defined within `items`, it will affect the name of the individual XML elements within the list. When defined alongside `type` being `array` (outside the `items`), it will affect the wrapping element and only if `wrapped` is `true`. If `wrapped` is `false`, it will be ignored. -namespace | `string` | The URI of the namespace definition. This MUST be in the form of an absolute URI. +namespace | `string` | The URI of the namespace definition. Value MUST be in the form of a non-relative URI. prefix | `string` | The prefix to be used for the [name](#xmlName). attribute | `boolean` | Declares whether the property definition translates to an attribute instead of an element. Default value is `false`. wrapped | `boolean` | MAY be used only for an array definition. Signifies whether the array is wrapped (for example, ``) or unwrapped (``). Default value is `false`. The definition takes effect only when defined alongside `type` being `array` (outside the `items`). This object MAY be extended with [Specification Extensions](#specificationExtensions). +The `namespace` keyword is intended to match the syntax of [XML namespaces](https://www.w3.org/TR/xml-names11/), although there are a few caveats: + +* Version 3.0.3 and earlier of this specification erroneously used the term "absolute URI" instead of "non-relative URI", so authors using namespaces that include a fragment should check tooling support carefully. +* XML allows but discourages relative URI-references, while this specification outright forbids them. 
+* XML 1.1 allows IRIs ([RFC3987](https://datatracker.ietf.org/doc/html/rfc3987)) as namespaces, and specifies that namespaces are compared without any encoding or decoding, which means that IRIs encoded to meet this specification's URI syntax requirement cannot be compared to IRIs as-is. + ##### XML Object Examples Each of the following examples represent the value of the `properties` keyword in a [Schema Object](#schemaObject) that is omitted for brevity. From 0e388ab8d662358561b9c951fa5dcf2f4b3354a2 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 13 Jun 2024 12:22:08 -0700 Subject: [PATCH 33/61] Clarify discriminator non-impact on validation (3.2.0 port of 3907) Be very explicit that discriminator MUST NOT change the validation outcome, and explain the implication for the "allOf" use case. --- versions/3.2.0.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 601d5a8bdc..d41fdc751d 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md @@ -3167,6 +3167,8 @@ When request bodies or response payloads may be one of a number of different sch This hint can be used to aid in serialization, deserialization, and validation. The Discriminator Object does this by implicitly or explicitly associating the possible values of a named property with alternative schemas. +Note that `discriminator` MUST NOT change the validation outcome of the schema. + ##### Fixed Fields Field Name | Type | Description ---|:---:|--- 
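Review bot: The first caveat says "Version 3.0.3 and earlier of this specification erroneously used the term 'absolute URI'", but the line this very hunk removes from the 3.2.0 draft still read "absolute URI", so 3.1.0 carried the same wording; state the last version that used it accurately, otherwise authors of 3.1 documents with fragment-bearing namespaces will assume they are unaffected. Minor: "Value MUST be in the form of a non-relative URI" has lost its article ("The value MUST ...").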
@@ -3177,9 +3179,14 @@ This object MAY be extended with [Specification Extensions](#specificationExtens ##### Conditions for Using the Discriminator Object The Discriminator Object is legal only when using one of the composite keywords `oneOf`, `anyOf`, `allOf`. + In both the `oneOf` and `anyOf` use cases, where those keywords are adjacent to `discriminator`, all possible schemas MUST be listed explicitly. + To avoid redundancy, the discriminator MAY be added to a parent schema definition, and all schemas building on the parent schema via an `allOf` construct may be used as an alternate schema. +The `allOf` form of `discriminator` is _only_ useful for non-validation use cases; validation with the parent schema with this form of `discriminator` _does not_ perform a search for child schemas or use them in validation in any way. +This is because `discriminator` cannot change the validation outcome, and no standard JSON Schema keyword connects the parent schema to the child schemas. + The behavior of any configuration of `oneOf`, `anyOf`, `allOf` and `discriminator` that is not described above is undefined. ##### Options for Mapping Values to Schemas From 6021d22c3ea3e9e7d38fcbd95b8f23770264e39b Mon Sep 17 00:00:00 2001 
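Review bot: "validation with the parent schema with this form of `discriminator` _does not_ perform a search" is hard to parse; suggest "validating against a parent schema that uses this form of `discriminator` does not search for child schemas". In the same paragraph the pre-existing sentence says child schemas "may be used as an alternate schema" in lower case, now sandwiched between a MUST and a MUST NOT; if that is meant normatively make it MAY, otherwise reword so it is clearly descriptive.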
From: "Henry H. Andrews" Date: Mon, 17 Jun 2024 11:36:56 -0700 Subject: [PATCH 34/61] Consisent x- Param/Encoding/Header wording (3.2.0 port of 3919) It was a bit challenging to figure out where to put the wording about allowing extension parameters when there are multiple fixed fields tables, each in their own subsection. For the Parameter Object (the only one with multiple tables in past releases), it had been after the last table, but that got further and further away from what felt like the main part of the Object description. I thought I had put it consistently after the initial "Common Fixed Fields" table, but I put it even before that in one place (which we don't do anywhere), and I forgot to include it in the Header Object at all. This change puts it after the Common Fixed Fields table for all three, which means that for all Objects it is immediately after the first Fixed Fields table. --- versions/3.2.0.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index d41fdc751d..7226b8eb0b 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md @@ -1094,8 +1094,6 @@ The rules for serialization of the parameter are specified in one of two ways. Parameter Objects MUST include either a `content` field or a `schema` field, but not both. See [Appendix B](#dataTypeConversion) for a discussion of converting values of various types to string representations. -This object MAY be extended with [Specification Extensions](#specificationExtensions). - ###### Common Fixed Fields These fields MAY be used with either `content` or `schema`. 
@@ -1109,6 +1107,8 @@ Field Name | Type | Description deprecated | `boolean` | Specifies that a parameter is deprecated and SHOULD be transitioned out of usage. Default value is `false`. allowEmptyValue | `boolean` | If `true`, clients MAY pass a zero-length string value in place of parameters that would otherwise be omitted entirely, which the server SHOULD interpret as the parameter being unused. Default value is `false`. If [`style`](#parameterStyle) is used, and if [behavior is _n/a_ (cannot be serialized)](#style-examples), the value of `allowEmptyValue` SHALL be ignored. Interactions between this field and the parameter's [Schema Object](#schemaObject) are implementation-defined. This field is valid only for `query` parameters. Use of this property is NOT RECOMMENDED, and it is likely to be removed in a later revision. +This object MAY be extended with [Specification Extensions](#specificationExtensions). + Note that while `"Cookie"` as a `name` is not forbidden with `in: header`, the effect of defining a cookie parameter that way is undefined; use `in: cookie` instead. ###### Fixed Fields for use with `schema` @@ -2485,6 +2485,8 @@ Field Name | Type | Description required | `boolean` | Determines whether this header is mandatory. The default value is `false`. deprecated | `boolean` | Specifies that the header is deprecated and SHOULD be transitioned out of usage. Default value is `false`. +This object MAY be extended with [Specification Extensions](#specificationExtensions). + ##### Fixed Fields for use with `schema` For simpler scenarios, a [`schema`](#headerSchema) and [`style`](#headerStyle) can describe the structure and syntax of the header. From 1acd4fa7d5d444431fd7c0d86dae40332d45cd15 Mon Sep 17 00:00:00 2001 
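Review bot: The subject line promises consistent wording across Param/Encoding/Header, but the diff touches only the Parameter Object (move) and the Header Object (add); there is no Encoding Object hunk. If the Encoding Object already has the sentence after its first table, say so in the message so reviewers do not go looking for a missing hunk; if it does not, it needs the same treatment here.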
From: "Henry H. Andrews" Date: Sat, 15 Jun 2024 16:51:23 -0700 Subject: [PATCH 35/61] Minor editiorial and link target fixes (3.2.0 port of 3920) * Fix a copy-paste error that broke a link in an appendix * Fix a sentence that just kind of... wandered off * Prevent line breaks after the `?` in the form examples --- versions/3.2.0.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 7226b8eb0b..1baf77aa4a 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
@@ -1182,14 +1182,14 @@ label | false | . | .blue | .blue.black.brown | .R.100.G.200.B.150 label | true | . | .blue | .blue.black.brown | .R=100.G=200.B=150 simple | false | _empty_ | blue | blue,black,brown | R,100,G,200,B,150 simple | true | _empty_ | blue | blue,black,brown | R=100,G=200,B=150 -form | false | ?color= | ?color=blue | ?color=blue,black,brown | ?color=R,100,G,200,B,150 -form | true | ?color= | ?color=blue | ?color=blue&color=black&color=brown | ?R=100&G=200&B=150 -spaceDelimited | false | _n/a_ | _n/a_ | ?color=blue%20black%20brown | ?color=R%20100%20G%20200%20B%20150 +form | false | ?color= | ?color=blue | ?color=blue,black,brown | ?color=R,100,G,200,B,150 +form | true | ?color= | ?color=blue | ?color=blue&color=black&color=brown | ?R=100&G=200&B=150 +spaceDelimited | false | _n/a_ | _n/a_ | ?color=blue%20black%20brown | ?color=R%20100%20G%20200%20B%20150 spaceDelimited | true | _n/a_ | _n/a_ | _n/a_ | _n/a_ -pipeDelimited | false | _n/a_ | _n/a_ | ?color=blue%7Cblack%7Cbrown | ?color=R%7C100%7CG%7C200%7CB%7C150 +pipeDelimited | false | _n/a_ | _n/a_ | ?color=blue%7Cblack%7Cbrown | ?color=R%7C100%7CG%7C200%7CB%7C150 pipeDelimited | true | _n/a_ | _n/a_ | _n/a_ | _n/a_ deepObject | false | _n/a_ | _n/a_ | _n/a_ | _n/a_ -deepObject | true | _n/a_ | _n/a_ | _n/a_ | ?color%5BR%5D=100&color%5BG%5D=200&color%5BB%5D=150 +deepObject | true | _n/a_ | _n/a_ | _n/a_ | ?color%5BR%5D=100&color%5BG%5D=200&color%5BB%5D=150 ##### Parameter Object Examples 
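Review bot: The six `-`/`+` pairs in this hunk are character-for-character identical as rendered here, so the "prevent line breaks after the `?`" change must rely on an entity or an invisible joiner that does not survive extraction. Invisible or look-alike code points in the spec source are easy to lose in a later edit and impossible to review by eye; record the exact character or entity used in the commit message, and prefer a construct that is visible in the Markdown source.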
@@ -3945,7 +3945,7 @@ The extensions properties are implemented as patterned fields that are always pr Field Pattern | Type | Description ---|:---:|--- -^x- | Any | Allows extensions to the OpenAPI Schema. The field name MUST begin with `x-`, for example, `x-internal-id`. Field names beginning `x-oai-` and `x-oas-` are reserved for uses defined by the [OpenAPI Initiative](https://www.openapis.org/). The value can be any valid JSON format value (`null`, a primitive, an array or an object.) +^x- | Any | Allows extensions to the OpenAPI Schema. The field name MUST begin with `x-`, for example, `x-internal-id`. Field names beginning `x-oai-` and `x-oas-` are reserved for uses defined by the [OpenAPI Initiative](https://www.openapis.org/). The value can be any valid JSON value (`null`, a primitive, an array or an object.) The OpenAPI Initiative maintains several [extension registries](https://spec.openapis.org/registry/index.html), including registries for [individual extension keywords](https://spec.openapis.org/registry/extension/) and [extension keyword namespaces](https://spec.openapis.org/registry/namespace/). @@ -4179,7 +4179,7 @@ parameters: We can't combine the `?` and `+` RFC6570 prefixes, and there's no way with RFC6570 to replace the `,` separator with a space character. So we need to restructure the data to fit a manually constructed URI Template that passes all of the pieces through the right sort of expansion. -Here is one such template, using a made-up convention of `words.0` for the first entry in the words value, `words.1` for the second. +Here is one such template, using a made-up convention of `words.0` for the first entry in the words value, `words.1` for the second, and `words.2` for the third: ```urlencoded ?a={+a}&b={+b}&c={+c}&words={words.0} {words.1} {words.2} 
@@ -4192,7 +4192,7 @@ We'll also need to pre-process the values for `formulas` because while `/` and m Setting `allowReserved: true` does _not_ make reserved characters that are not allowed in URIs allowed, it just allows them to be _passed through expansion unchanged._ Therefore, any tooling still needs to percent-encode those characters because reserved expansion will not do it, but it _will_ leave the percent-encoded triples unchanged. -See also [Appendix E](#to indicate name hierarchy in substructures) for further guidance on percent-encoding and form media types, including guidance on handling the delimiter characters for `spaceDelimited`, `pipeDelimited`, and `deepObject` in parameter names and values. +See also [Appendix E](#percentEncodingAndFormMediaTypes) for further guidance on percent-encoding and form media types, including guidance on handling the delimiter characters for `spaceDelimited`, `pipeDelimited`, and `deepObject` in parameter names and values. So here is our data structure that arranges the names and values to suit the template above, where values for `formulas` have `[]#&=+` pre-percent encoded (although only `+` appears in this example): From e61999d411d966ce4de1df268db17b8e8acff34d Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 15 Jun 2024 13:54:26 -0700 Subject: [PATCH 36/61] Remove 3.0-specific encoding guidance (3.2.0 port of 3.1.1 adjustment to 3857) These lines were added to clarify in 3.0 what was already fixed properly in 3.1. Remove most of them, but keep (and reword) the explanation of how they correlate with how the Parameter Object fields are used. --- versions/3.2.0.md | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 1baf77aa4a..42bfe93b76 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
@@ -1728,18 +1728,8 @@ Field Name | Type | Description See also [Appendix C: Using RFC6570 Implementations](#usingRFC6570Implementations) for additional guidance. -The role of `contentType` with `application/x-www-form-urlencoded` request bodies was not described in detail in version 3.0.3 and earlier of this specification. -To match the intent of these fields and be compatible with version 3.1 of this specification, it is RECOMMENDED that whenever any of `style`, `explode`, or `allowReserved` are present with an explicit value: - -* The value of `contentType`, whether it is explicitly defined or has the default value, is to be ignored -* If any of `style`, `explode`, or `allowReserved` are _not_ present with explicit values, then they are to be treated as if they were present with their default values - -However, if all three of `style`, `explode`, and `allowReserved` fields are absent, it is RECOMMENDED that: - -* All three keywords are to be entirely ignored, rather than treated as having their default values -* Encoding is to be based on `contentType` alone, whether it is present with an explicit value or absent and treated as having its default value - -This makes the presence of at least one of `style`, `explode`, or `allowReserved` with an explicit value equivalent to using `schema` with `in: query` Parameter Objects, and their absence the equivalent of using `content`, but with the media type specified in `contentType` rather than through a Media Type Object. +Note that the presence of at least one of `style`, `explode`, or `allowReserved` with an explicit value is equivalent to using `schema` with `in: query` Parameter Objects. +The absence of all three of those fields is the equivalent of using `content`, but with the media type specified in `contentType` rather than through a Media Type Object. ###### Encoding `multipart` Media Types From b7b6ac4f0f8447f69f643d27d011fa84c3a52808 Mon Sep 17 00:00:00 2001 
From: "Henry H. Andrews" Date: Sat, 15 Jun 2024 09:38:14 -0700 Subject: [PATCH 37/61] Note RFC6570 issues with form-data (3.2.0 port of 3.1.1 add-on to 3818) OAS 3.1 allows using RFC6570-style serialization with `multipart/form-data`, but this can interact with the requirements of the media type in unexpected and arguably incorrect ways. --- versions/3.2.0.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 42bfe93b76..61450752f1 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md @@ -4043,6 +4043,10 @@ Implementations of this specification MAY use an implementation of RFC6570 to pe Note that when using `style: form` RFC6570 expansion to produce an `application/x-www-form-urlencoded` HTTP message body, it is necessary to remove the `?` prefix that is produced to satisfy the URI query string syntax. +When using `style` and similar keywords to produce a `multipart/form-data` body, the query string names are placed in the `name` parameter to the `Content-Disposition` part header, and the values are placed in the corresponding part body; the `?`, `=`, and `&` characters are not used. +Note that while [RFC7578](https://datatracker.ietf.org/doc/html/rfc7578) allows using RFC3986 percent-encoding in "file names", it does not otherwise address the use of percent-encoding within the format. +RFC7578 discusses character set and encoding issues for `multipart/form-data` in detail, and it is RECOMMENDED that OpenAPI Description authors read this guidance carefully before deciding to use RFC6570-based serialization with this media type. + Note also that not all RFC6570 implementations support all four levels of operators, all of which are needed to fully support the OpenAPI Specification's usage. Using an implementation with a lower level of support will require additional manual construction of URI Templates to work around the limitations. From c0e162519e0f6a1fa58abb119acdf28f17b0e832 Mon Sep 17 00:00:00 2001 
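Review bot: The new `multipart/form-data` paragraph says the `?`, `=`, and `&` characters "are not used" but does not say what happens to the percent-encoding that RFC6570 expansion has already applied to names and values. Part bodies in `multipart/form-data` are raw octets, not a percent-encoded string, so an implementation that splits the expanded `?a=b%20c&...` string into parts must decide whether to reverse the encoding before writing each part body; since the commit message itself calls the interaction "arguably incorrect", state explicitly whether values are to be percent-decoded (and names too, given the `name` parameter quoting rules in RFC7578) rather than leaving it implicit.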
From: "Henry H. Andrews" Date: Sat, 15 Jun 2024 13:56:06 -0700 Subject: [PATCH 38/61] Note issues with encoding form-data (3.2.0 port of 3.1.1 add-on to 3857) In the link to Appendix C, call out that multipart/form-data encoding with `style`, etc. can have problematic interactions with `multipart/form-data`. --- versions/3.2.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 61450752f1..ab365d36af 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
@@ -1726,7 +1726,7 @@ Field Name | Type | Description explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties this property has no effect. When [`style`](#encodingStyle) is `form`, the default value is `true`. For all other styles, the default value is `false`. Note that despite `false` being the default for `deepObject`, the combination of `false` with `deepObject` is undefined. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#autoid-20), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#autoid-13), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#autoid-24) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see Appendices [C](#usingRFC6570Implementations) and [E](#percentEncodingAndFormMediaTypes) for details. The default value is `false`. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. 
-See also [Appendix C: Using RFC6570 Implementations](#usingRFC6570Implementations) for additional guidance. +See also [Appendix C: Using RFC6570 Implementations](#usingRFC6570Implementations) for additional guidance, including on difficulties caused by the interaction between RFC6570's percent-encoding rules and the `multipart/form-data` media type. Note that the presence of at least one of `style`, `explode`, or `allowReserved` with an explicit value is equivalent to using `schema` with `in: query` Parameter Objects. The absence of all three of those fields is the equivalent of using `content`, but with the media type specified in `contentType` rather than through a Media Type Object. From 6a829c47d444f8e46ae7a89e063fb8c9463fb8c0 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 15 Jun 2024 16:24:16 -0700 Subject: [PATCH 39/61] Migrate 3.0 format guidance to content* (3.2.0 port of 3.1.1 add-on) Various updates ported over from 3.0.4 mention using the `format` values `byte` or `binary`, which have been replaced by the `contentMediaType` and `contentEncoding` keywords. This change updates those ported changes accordingly. --- versions/3.2.0.md | 33 +++++++++++++++++++-------------- 1 file changed, 19 insertions(+), 14 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index ab365d36af..e55b2720ac 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
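Review bot: In the PATCH 38/61 hunk, the expanded pointer sends readers to Appendix C for the RFC6570 / `multipart/form-data` interaction, while the `allowReserved` row in the same hunk's context already sends them to Appendices C and E for form-media-type percent-encoding concerns. State which appendix actually holds the multipart discussion, or cite both here the way the `allowReserved` row does (`see Appendices [C](#usingRFC6570Implementations) and [E](#percentEncodingAndFormMediaTypes) for details`), so the two pointers agree.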
@@ -1664,17 +1664,20 @@ requestBody: type: object properties: {} profileImage: - # Content-Type for application-level encoded resource is `text/plain` + # default Content-Type for properties with type string and a contentEncoding + # is `application/octet-stream`, so `image/png` must be set using contentMediaType type: string contentMediaType: image/png contentEncoding: base64 children: - # default Content-Type for arrays is based on the _inner_ type (`text/plain` here) + # default Content-Type for arrays is based on the items subschema type, which + # is a string, producing a default of `text/plain` type: array items: type: string addresses: - # default Content-Type for arrays is based on the _inner_ type (object shown, so `application/json` in this example) + # default Content-Type for arrays is based on the items subschema type, which + # is an object, producing a default of `application/json` type: array items: type: object 
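Review bot: The new `profileImage` comment says `image/png` "must be set using contentMediaType", but the default-`contentType` table added in the next hunk of this patch keys only on `type` and `contentEncoding`, so by that table a `string` with `contentEncoding: base64` defaults to `application/octet-stream` whether or not `contentMediaType` is present. Either add a table row for `string` with `contentMediaType` present (defaulting to that media type), or reword the comment to say that the Encoding Object's `contentType` must be set to `image/png`.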
@@ -1704,17 +1707,18 @@ Field Name | Type | Description This object MAY be extended with [Specification Extensions](#specificationExtensions). -The default values for `contentType` are as follows, where an _n/a_ in the `format` column means that the presence or value of `format` is irrelevant: +The default values for `contentType` are as follows, where an _n/a_ in the `contentEncoding` column means that the presence or value of `contentEncoding` is irrelevant: -Property `type` | Property `format` | Default `contentType` -------------- | --------------- | --------------------- -`string` | `binary` | `application/octet-stream` -`string` | _none, or any except `binary`_ | `text/plain` +Property `type` | Property `contentEncoding` | Default `contentType` +--------------- | -------------------------- | --------------------- +_absent_ | _n/a_ | `application/octet-stream` +`string` | _present_ | `application/octet-stream` +`string` | _absent_ | `text/plain` `number`, `integer`, or `boolean` | _n/a_ | `text/plain` `object` | _n/a_ | `application/json` -`array` | _n/a_ | according to the `type` and `format` of the `items` schema +`array` | _n/a_ | according to the `type` of the `items` schema -Determining how to handle `null` values if `nullable: true` is present depends on how `null` values are being serialized. +Determining how to handle a `type` value of `null` depends on how `null` values are being serialized. If `null` values are entirely omitted, then the `contentType` is irrelevant. See [Appendix B](#dataTypeConversion) for a discussion of data type conversion options. 
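Review bot: The `array` row now reads "according to the `type` of the `items` schema", but the `string` rows directly above make the default depend on `contentEncoding` as well, so an `items` schema with `type: string` and `contentEncoding: base64` is not covered by the row as written. Suggest "according to the `type` and `contentEncoding` of the `items` schema", mirroring the old wording that named both `type` and `format`.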
@@ -1743,8 +1747,8 @@ It is not currently possible to correlate schema properties with unnamed, ordere Note that there are significant restrictions on what headers can be used with `multipart` media types in general ([RFC2046 §5.1](https://www.rfc-editor.org/rfc/rfc2046.html#section-5.1)) and `multi-part/form-data` in particular ([RFC7578 §4.8](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.8)). Note also that `Content-Transfer-Encoding` is deprecated for `multipart/form-data` ([RFC7578 §4.7](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.7)) where binary data is supported, as it is in HTTP. -Using `format: byte` for a multipart field is equivalent to setting `Content-Transfer-Encoding: base64`. -If `format: byte` is used along with setting a different `Content-Transfer-Encoding` value with the `headers` field, the result is undefined. +Using `contentEncoding` is equivalent to setting `Content-Transfer-Encoding` to the same value. +If `contentEncoding` is used along with setting a different `Content-Transfer-Encoding` value with the `headers` field, the result is undefined. ##### Encoding Object Example 
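Review bot: "Using `contentEncoding` is equivalent to setting `Content-Transfer-Encoding` to the same value" only holds for `contentEncoding` values that are also valid `Content-Transfer-Encoding` tokens; `base64url`, which this same patch names as a supported `contentEncoding` value in its Appendix C hunk, has no `Content-Transfer-Encoding` counterpart. Suggest qualifying the sentence along the lines of "Using a `contentEncoding` value that is also a valid `Content-Transfer-Encoding` value is equivalent to setting that header", and saying what applies to values such as `base64url` that have no such counterpart.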
@@ -4025,7 +4029,7 @@ To control the serialization of numbers, booleans, and `null` (or other values R The resulting strings would not require any further type conversion. The `format` keyword can assist in serialization. -Some formats (such as `date-time` or `byte`) are unambiguous, while others (such as [`decimal`](https://spec.openapis.org/registry/format/decimal.html) in the [Format Registry](https://spec.openapis.org/registry/format/)) are less clear. +Some formats (such as `date-time`) are unambiguous, while others (such as [`decimal`](https://spec.openapis.org/registry/format/decimal.html) in the [Format Registry](https://spec.openapis.org/registry/format/)) are less clear. However, care must be taken with `format` to ensure that the specific formats are supported by all relevant tools as unrecognized formats are ignored. Requiring input as pre-formatted, schema-validated strings also improves round-trip interoperability as not all programming languages and environments support the same data types. 
@@ -4278,8 +4282,9 @@ This will expand to the result: RFC6570's percent-encoding behavior is not always appropriate for `in: header` and `in: cookie` parameters. In many cases, it is more appropriate to use `content` with a media type such as `text/plain` and require the application to assemble the correct string. -For both cookies ([RFC6265](https://www.rfc-editor.org/rfc/rfc6265)) and HTTP headers using the structured fields ([RFC8941](https://www.rfc-editor.org/rfc/rfc8941)) syntax, non-ASCII content is handled using base64 encoding (`format: byte`). +For both cookies ([RFC6265](https://www.rfc-editor.org/rfc/rfc6265)) and HTTP headers using the structured fields ([RFC8941](https://www.rfc-editor.org/rfc/rfc8941)) syntax, non-ASCII content is handled using base64 encoding (`contentEncoding: base64`). Note that the standard base64 encoding alphabet includes non-URL-safe characters that are percent-encoded by RFC6570 expansion; serializing values through both encodings is NOT RECOMMENDED. +While `contentEncoding` also supports the `base64url` encoding, which is URL-safe, the header and cookie RFCs do not mention this encoding. Most HTTP headers predate the structured field syntax, and a comprehensive assessment of their syntax and encoding rules is well beyond the scope of this specification. While [RFC8187](https://www.rfc-editor.org/rfc/rfc8187) recommends percent-encoding HTTP field (header or trailer) parameters, these parameters appear after a `;` character. From f34e1be4ae03785d544b513a25ebf18c66215d30 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Thu, 20 Jun 2024 07:39:14 -0700 Subject: [PATCH 40/61] Fix version of JSON Schema cited in change ported from 3.0.4 Co-authored-by: Ralf Handl --- versions/3.2.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index e55b2720ac..db437541cd 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
@@ -151,7 +151,7 @@ Patterned fields MUST have unique names within the containing object. In order to preserve the ability to round-trip between YAML and JSON formats, YAML version [1.2](https://yaml.org/spec/1.2/spec.html) is RECOMMENDED along with some additional constraints: -- Tags MUST be limited to those allowed by [YAML's JSON schema ruleset](https://yaml.org/spec/1.2/spec.html#id2803231), which defines a subset of the YAML syntax and is unrelated to [JSON Schema](https://tools.ietf.org/html/draft-wright-json-schema-00). +- Tags MUST be limited to those allowed by [YAML's JSON schema ruleset](https://yaml.org/spec/1.2/spec.html#id2803231), which defines a subset of the YAML syntax and is unrelated to [JSON Schema](https://tools.ietf.org/html/draft-bhutton-json-schema-00). - Keys used in YAML maps MUST be limited to a scalar string, as defined by the [YAML Failsafe schema ruleset](https://yaml.org/spec/1.2/spec.html#id2802346). **Note:** While APIs may be defined by OpenAPI documents in either YAML or JSON format, the API request and response bodies and other content are not required to be JSON or YAML. From fbc7c1c03d2cd6578727cf237b899ec041e0e021 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Thu, 20 Jun 2024 07:41:43 -0700 Subject: [PATCH 41/61] Fix mention of versions in ported text from 3.0.4 Co-authored-by: Ralf Handl --- versions/3.2.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index db437541cd..c744196727 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
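Review bot: The corrected citation in the PATCH 40/61 hunk uses the tools.ietf.org URL for draft-bhutton-json-schema-00, while the Security Considerations hunk in PATCH 42/61 below cites the same JSON Schema release via https://json-schema.org/draft/2020-12/json-schema-core. Consider using the json-schema.org 2020-12 URL here as well so both references to the same document resolve to the same place.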
@@ -3336,7 +3336,7 @@ This object MAY be extended with [Specification Extensions](#specificationExtens The `namespace` keyword is intended to match the syntax of [XML namespaces](https://www.w3.org/TR/xml-names11/), although there are a few caveats: -* Version 3.0.3 and earlier of this specification erroneously used the term "absolute URI" instead of "non-relative URI", so authors using namespaces that include a fragment should check tooling support carefully. +* Versions 3.1.0, 3.0.3, and earlier of this specification erroneously used the term "absolute URI" instead of "non-relative URI", so authors using namespaces that include a fragment should check tooling support carefully. * XML allows but discourages relative URI-references, while this specification outright forbids them. * XML 1.1 allows IRIs ([RFC3987](https://datatracker.ietf.org/doc/html/rfc3987)) as namespaces, and specifies that namespaces are compared without any encoding or decoding, which means that IRIs encoded to meet this specification's URI syntax requirement cannot be compared to IRIs as-is. From 7764db7caa676390b5d8ebbc8f96379e2c85c42b Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 13 Jun 2024 13:22:21 -0700 Subject: [PATCH 42/61] Use document/description/definition consistently (3.2.0 port of 3908) This tries to be consistent about using "describe" rather than "define" and using "description" for the entire potentially-multi-document thing, and "document" (or sometimes "description document") to refer to individual documents in the description. --- versions/3.2.0.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index c744196727..f1bbc39f07 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
@@ -10,7 +10,7 @@ This document is licensed under [The Apache License, Version 2.0](https://www.ap The OpenAPI Specification (OAS) defines a standard, language-agnostic interface to HTTP APIs which allows both humans and computers to discover and understand the capabilities of the service without access to source code, documentation, or through network traffic inspection. When properly defined, a consumer can understand and interact with the remote service with a minimal amount of implementation logic. -An OpenAPI definition can then be used by documentation generation tools to display the API, code generation tools to generate servers and clients in various programming languages, testing tools, and many other use cases. +An OpenAPI description can then be used by documentation generation tools to display the API, code generation tools to generate servers and clients in various programming languages, testing tools, and many other use cases. For examples of OpenAPI usage and additional documentation, please visit [learn.openapis.org](https://learn.openapis.org/). 
@@ -129,11 +129,11 @@ The OpenAPI Specification is versioned using a `major`.`minor`.`patch` versionin Occasionally, non-backwards compatible changes may be made in `minor` versions of the OAS where impact is believed to be low relative to the benefit provided. -An OpenAPI document compatible with OAS 3.\*.\* contains a required [`openapi`](#oasVersion) field which designates the version of the OAS that it uses. +An OpenAPI description document compatible with OAS 3.\*.\* contains a required [`openapi`](#oasVersion) field which designates the version of the OAS that it uses. ### Format -An OpenAPI document that conforms to the OpenAPI Specification is itself a JSON object, which may be represented either in JSON or YAML format. +An OpenAPI description document that conforms to the OpenAPI Specification is itself a JSON object, which may be represented either in JSON or YAML format. For example, if a field has an array value, the JSON array representation will be used: @@ -154,7 +154,7 @@ In order to preserve the ability to round-trip between YAML and JSON formats, YA - Tags MUST be limited to those allowed by [YAML's JSON schema ruleset](https://yaml.org/spec/1.2/spec.html#id2803231), which defines a subset of the YAML syntax and is unrelated to [JSON Schema](https://tools.ietf.org/html/draft-bhutton-json-schema-00). - Keys used in YAML maps MUST be limited to a scalar string, as defined by the [YAML Failsafe schema ruleset](https://yaml.org/spec/1.2/spec.html#id2802346). -**Note:** While APIs may be defined by OpenAPI documents in either YAML or JSON format, the API request and response bodies and other content are not required to be JSON or YAML. +**Note:** While APIs may be described by OpenAPI documents in either YAML or JSON format, the API request and response bodies and other content are not required to be JSON or YAML. ### Document Structure 
@@ -2298,7 +2298,7 @@ For computing links, and providing instructions to execute them, a [runtime expr Field Name | Type | Description ---|:---:|--- -operationRef | `string` | A relative or absolute URI reference to an OAS operation. This field is mutually exclusive of the `operationId` field, and MUST point to an [Operation Object](#operationObject). Relative `operationRef` values MAY be used to locate an existing [Operation Object](#operationObject) in the OpenAPI definition. See the rules for resolving [Relative References](#relativeReferencesURI). +operationRef | `string` | A URI identifying an OAS operation. This field is mutually exclusive of the `operationId` field, and MUST point to an [Operation Object](#operationObject). Relative `operationRef` values MAY be used to locate an existing [Operation Object](#operationObject) in the OpenAPI description. See the rules for resolving [Relative References](#relativeReferencesURI). operationId | `string` | The name of an _existing_, resolvable OAS operation, as defined with a unique `operationId`. This field is mutually exclusive of the `operationRef` field. parameters | Map[`string`, Any \| [{expression}](#runtimeExpression)] | A map representing parameters to pass to an operation as specified with `operationId` or identified via `operationRef`. The key is the parameter name to be used (optionally qualified with the parameter location, e.g. `path.id` for an `id` parameter in the path), whereas the value can be a constant or an expression to be evaluated and passed to the linked operation. requestBody | Any \| [{expression}](#runtimeExpression) | A literal value or [{expression}](#runtimeExpression) to use as a request body when calling the target operation. 
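Review bot: The rewritten `operationRef` description opens with "A URI identifying an OAS operation", yet the next sentence still allows relative values; in RFC3986 terms a relative value is a URI reference, not a URI. Suggest "A URI reference identifying an OAS operation", which also matches the linked [Relative References](#relativeReferencesURI) rules.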
@@ -2308,9 +2308,9 @@ Field Name | Type | Description This object MAY be extended with [Specification Extensions](#specificationExtensions). A linked operation MUST be identified using either an `operationRef` or `operationId`. -In the case of an `operationId`, it MUST be unique and resolved in the scope of the OAS document. +In the case of an `operationId`, it MUST be unique and resolved in the scope of the OpenAPI description. Because of the potential for name clashes, the `operationRef` syntax is preferred -for OpenAPI documents with external references. +for multi-document OpenAPI descriptions. Note that it is not possible to provide a constant value to `parameters` that matches the syntax of a runtime expression. It is possible to have ambiguous parameter names, e.g. `name: id, in: path` and `name: path.id, in: query`; this is NOT RECOMMENDED and the behavior is implementation-defined, however implementations SHOULD prefer the qualified interpretation (`path.id` as a path parameter), as the names can always be qualified to disambiguate them (e.g. using `query.path.id` for the query paramter). @@ -3222,7 +3222,7 @@ MyResponseType: propertyName: petType ``` -The expectation now is that a property with name `petType` _MUST_ be present in the response payload, and the value will correspond to the name of a schema defined in the OAS document. Thus the response payload: +The expectation now is that a property with name `petType` _MUST_ be present in the response payload, and the value will correspond to the name of a schema defined in the OpenAPI description. Thus the response payload: ```json { 
@@ -3964,7 +3964,7 @@ Two examples of this: ### OpenAPI Document Formats -OpenAPI documents use JSON, YAML, and JSON Schema, and therefore share their security considerations: +OpenAPI description documents use JSON, YAML, and JSON Schema, and therefore share their security considerations: - [JSON](https://www.iana.org/assignments/media-types/application/json) - [YAML](https://www.iana.org/assignments/media-types/application/yaml) - [JSON Schema Core](https://json-schema.org/draft/2020-12/json-schema-core#section-13) 
@@ -3972,15 +3972,15 @@ OpenAPI documents use JSON, YAML, and JSON Schema, and therefore share their sec ### Tooling and Usage Scenarios -In addition, OpenAPI documents are processed by a wide variety of tooling for numerous different purposes, such as client code generation, documentation generation, server side routing, and API testing. OpenAPI document authors must consider the risks of the scenarios where the OpenAPI document may be used. +In addition, OpenAPI description documents are processed by a wide variety of tooling for numerous different purposes, such as client code generation, documentation generation, server side routing, and API testing. OpenAPI description authors must consider the risks of the scenarios where the OpenAPI description may be used. ### Security Schemes -An OpenAPI document describes the security schemes used to protect the resources it defines. The security schemes available offer varying degrees of protection. Factors such as the sensitivity of the data and the potential impact of a security breach should guide the selection of security schemes for the API resources. Some security schemes, such as basic auth and OAuth Implicit flow, are supported for compatibility with existing APIs. However, their inclusion in OpenAPI does not constitute an endorsement of their use, particularly for highly sensitive data or operations. +An OpenAPI description describes the security schemes used to protect the resources it defines. The security schemes available offer varying degrees of protection. Factors such as the sensitivity of the data and the potential impact of a security breach should guide the selection of security schemes for the API resources. Some security schemes, such as basic auth and OAuth Implicit flow, are supported for compatibility with existing APIs. However, their inclusion in OpenAPI does not constitute an endorsement of their use, particularly for highly sensitive data or operations. 
### Handling External Resources -OpenAPI documents may contain references to external resources that may be dereferenced automatically by consuming tools. External resources may be hosted on different domains that may be untrusted. References in an OpenAPI document, or across OpenAPI documents may cause a cycle. Tooling must detect and handle cycles to prevent resource exhaustion. +OpenAPI description documents may contain references to external resources that may be dereferenced automatically by consuming tools. External resources may be hosted on different domains that may be untrusted. References in an OpenAPI document, or across OpenAPI documents within a multi-document OpenAPI description, may cause a cycle. Tooling must detect and handle cycles to prevent resource exhaustion. ### Markdown and HTML Sanitization From e01bbe38ed7c3c59212d3dbb13f3e1d8ae862b78 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Thu, 20 Jun 2024 14:52:07 +0200 Subject: [PATCH 43/61] Fix typos (3.2.0 port of 3924) --- versions/3.2.0.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index f1bbc39f07..fe7097dcd1 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
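Review bot: The Security Schemes paragraph in this hunk now reads "An OpenAPI description describes the security schemes used to protect the resources it defines", which mixes the two verbs this patch sets out to separate; suggest "the resources it describes". The unchanged glossary wording "defines or describes an API", visible in the PATCH 44/61 hunk below, would be worth the same sweep.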
@@ -291,7 +291,7 @@ Field Name | Type | Description termsOfService | `string` | A URL to the Terms of Service for the API. This MUST be in the form of a URL. contact | [Contact Object](#contactObject) | The contact information for the exposed API. license | [License Object](#licenseObject) | The license information for the exposed API. -version | `string` | **REQUIRED**. The version of the OpenAPI document (which is distinct from the [OpenAPI Specification version](#oasVersion) or the version of API being described). +version | `string` | **REQUIRED**. The version of the OpenAPI document (which is distinct from the [OpenAPI Specification version](#oasVersion) or the version of the API being described). This object MAY be extended with [Specification Extensions](#specificationExtensions). @@ -1691,7 +1691,7 @@ An `encoding` attribute is introduced to give you control over the serialization A single encoding definition applied to a single schema property. See [Appendix B](#dataTypeConversion) for a discussion of converting values of various types to string representations. -Properties are correlated with `multipart` parts using the `name` parameter to `Content-Disposition: form-data`, and with `application/x-www-form-urlencoded` using the query string paramter names. +Properties are correlated with `multipart` parts using the `name` parameter to `Content-Disposition: form-data`, and with `application/x-www-form-urlencoded` using the query string parameter names. In both cases, their order is implementation-defined. See [Appendix E](#percentEncodingAndFormMediaTypes) for a detailed examination of percent-encoding concerns for form media types. 
@@ -1726,7 +1726,7 @@ See [Appendix B](#dataTypeConversion) for a discussion of data type conversion o Field Name | Type | Description ---|:---:|--- -style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameterObject) for details on the [`style`](#parameterStyle) property. The behavior follows the same values as `query` parameters, including default values. Note that the initial `?` using in query strings is not used in `applcation/x-www-form-urlencoded` message bodies, and MUST be removed (if using an RFC6570 implementation) or simply not added (if constructing the string manually). This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. +style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameterObject) for details on the [`style`](#parameterStyle) property. The behavior follows the same values as `query` parameters, including default values. Note that the initial `?` used in query strings is not used in `application/x-www-form-urlencoded` message bodies, and MUST be removed (if using an RFC6570 implementation) or simply not added (if constructing the string manually). This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties this property has no effect. 
When [`style`](#encodingStyle) is `form`, the default value is `true`. For all other styles, the default value is `false`. Note that despite `false` being the default for `deepObject`, the combination of `false` with `deepObject` is undefined. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#autoid-20), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#autoid-13), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#autoid-24) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see Appendices [C](#usingRFC6570Implementations) and [E](#percentEncodingAndFormMediaTypes) for details. The default value is `false`. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. 
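Review bot: Since this commit is a typo sweep, the unchanged `allowReserved` context line in this hunk deserves a fix too: it lists the characters with special meaning in `application/x-www-form-urlencoded` as (`-`, `&`, `+`), but `-` is an unreserved character with no special meaning in that media type; the name/value separator `=` is the intended third character, i.e. (`=`, `&`, `+`).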
@@ -2313,7 +2313,7 @@ Because of the potential for name clashes, the `operationRef` syntax is preferre for multi-document OpenAPI descriptions. Note that it is not possible to provide a constant value to `parameters` that matches the syntax of a runtime expression. -It is possible to have ambiguous parameter names, e.g. `name: id, in: path` and `name: path.id, in: query`; this is NOT RECOMMENDED and the behavior is implementation-defined, however implementations SHOULD prefer the qualified interpretation (`path.id` as a path parameter), as the names can always be qualified to disambiguate them (e.g. using `query.path.id` for the query paramter). +It is possible to have ambiguous parameter names, e.g. `name: id, in: path` and `name: path.id, in: query`; this is NOT RECOMMENDED and the behavior is implementation-defined, however implementations SHOULD prefer the qualified interpretation (`path.id` as a path parameter), as the names can always be qualified to disambiguate them (e.g. using `query.path.id` for the query parameter). ##### Examples From 2012b4a6555baccf539f629b387ca28f9b27c486 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 21 Jun 2024 08:36:42 -0700 Subject: [PATCH 44/61] Authoritative rendering; "schema" usage (3.2.0 port of 3927) This adds a note about the authoritative HTML rendering and adds a definition for "Schema" to explain the three ways the term is used in or with the specification. --- versions/3.2.0.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index fe7097dcd1..d2e0b2055b 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
@@ -14,7 +14,7 @@ An OpenAPI description can then be used by documentation generation tools to dis For examples of OpenAPI usage and additional documentation, please visit [learn.openapis.org](https://learn.openapis.org/). -For extension registries and other specifications published by the OpenAPI Initiative, please visit [spec.openapis.org](https://spec.openapis.org/) +For extension registries and other specifications published by the OpenAPI Initiative, as well as the authoritative rendering of this specification, please visit [spec.openapis.org](https://spec.openapis.org/). ## Table of Contents @@ -75,6 +75,12 @@ For extension registries and other specifications published by the OpenAPI Initi ##### OpenAPI Document A self-contained or composite resource which defines or describes an API or elements of an API. The OpenAPI document MUST contain at least one [paths](#pathsObject) field, a [components](#oasComponents) field or a [webhooks](#oasWebhooks) field. An OpenAPI document uses and conforms to the OpenAPI Specification. +##### Schema + +A "schema" is a formal description of syntax and structure. +This document serves as the [schema](#schema) for the OpenAPI Specification format; a non-authoritative JSON Schema based on this document is also provided on [spec.openapis.org](https://spec.openapis.org) for informational purposes. +This specification also _uses_ schemas in the form of the [Schema Object](#schemaObject). + ##### Path Templating Path templating refers to the usage of template expressions, delimited by curly braces ({}), to mark a section of a URL path as replaceable using path parameters. 
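Review bot: The new "Schema" definition links to itself: "This document serves as the [schema](#schema) for the OpenAPI Specification format" points at `#schema`, the anchor of the very heading it sits under. Drop the link inside the definition body (plain "schema" suffices there) and keep `[schema](#schema)` links only where the term is used elsewhere, as the Format-section hunk in this patch does.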
@@ -145,7 +151,7 @@ For example, if a field has an array value, the JSON array representation will b All field names in the specification are **case sensitive**. This includes all fields that are used as keys in a map, except where explicitly noted that keys are **case insensitive**. -The schema exposes two types of fields: Fixed fields, which have a declared name, and Patterned fields, which declare a regex pattern for the field name. +The [schema](#schema) exposes two types of fields: Fixed fields, which have a declared name, and Patterned fields, which declare a regex pattern for the field name. Patterned fields MUST have unique names within the containing object. From 096982fa8731091a9d68080ef9bb08836339f04c Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 20 Jun 2024 11:43:54 -0700 Subject: [PATCH 45/61] Start consolidating media / encoding guidance (3.2.0 port of 3923 1/7) This just moves (and occasionally copies) blocks of text and/or examples in preparation for more substantial streamlining. No modifications were made to any block. --- versions/3.2.0.md | 198 +++++++++++++++++++++++----------------------- 1 file changed, 101 insertions(+), 97 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index d2e0b2055b..b24ebc4513 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md @@ -1463,6 +1463,8 @@ Field Name | Type | Description This object MAY be extended with [Specification Extensions](#specificationExtensions). +An `encoding` attribute is introduced to give you control over the serialization of parts of `multipart` request bodies. This attribute is _only_ applicable to request bodies, and _only_ for `multipart` and `application/x-www-form-urlencoded` media types. + ##### Media Type Examples ```json 
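Review bot: The paragraph the PATCH 45/61 hunk inserts after the Media Type Object fields addresses the reader directly ("to give you control over the serialization"), while the field descriptions around it are impersonal. This commit is move-only by design, so nothing needs to change here, but the "you" should be reworded (e.g. "The `encoding` field controls the serialization of parts of `multipart` request bodies") in the streamlining commits that follow.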
@@ -1570,21 +1572,60 @@ requestBody: To upload multiple files, a `multipart` media type MUST be used: -```yaml -requestBody: - content: - multipart/form-data: - schema: - properties: - # The property name 'file' will be used for all files. - file: - type: array - items: {} -``` +##### Support for x-www-form-urlencoded Request Bodies -As seen in the section on `multipart/form-data` below, the empty schema for `items` indicates a media type of `application/octet-stream`. +##### Special Considerations for `multipart` Content -##### Support for x-www-form-urlencoded Request Bodies +#### Encoding Object + +A single encoding definition applied to a single schema property. +See [Appendix B](#dataTypeConversion) for a discussion of converting values of various types to string representations. + +Properties are correlated with `multipart` parts using the `name` parameter to `Content-Disposition: form-data`, and with `application/x-www-form-urlencoded` using the query string parameter names. +In both cases, their order is implementation-defined. + +See [Appendix E](#percentEncodingAndFormMediaTypes) for a detailed examination of percent-encoding concerns for form media types. + +###### Common Fixed Fields + +These fields MAY be used either with or without the RFC6570-style serialization fields defined in the next section below. + +Field Name | Type | Description +---|:---:|--- +contentType | `string` | The `Content-Type` for encoding a specific property. The value is a comma-separated list, each element of which is either a specific media type (e.g. `image/png`) or a wildcard media type (e.g. `image/*`). Default value depends on the property type as shown in the table below. +headers | Map[`string`, [Header Object](#headerObject) \| [Reference Object](#referenceObject)] | A map allowing additional information to be provided as headers. `Content-Type` is described separately and SHALL be ignored in this section. 
This property SHALL be ignored if the request body media type is not a `multipart`. + +This object MAY be extended with [Specification Extensions](#specificationExtensions). + +The default values for `contentType` are as follows, where an _n/a_ in the `contentEncoding` column means that the presence or value of `contentEncoding` is irrelevant: + +Property `type` | Property `contentEncoding` | Default `contentType` +--------------- | -------------------------- | --------------------- +_absent_ | _n/a_ | `application/octet-stream` +`string` | _present_ | `application/octet-stream` +`string` | _absent_ | `text/plain` +`number`, `integer`, or `boolean` | _n/a_ | `text/plain` +`object` | _n/a_ | `application/json` +`array` | _n/a_ | according to the `type` of the `items` schema + +Determining how to handle a `type` value of `null` depends on how `null` values are being serialized. +If `null` values are entirely omitted, then the `contentType` is irrelevant. +See [Appendix B](#dataTypeConversion) for a discussion of data type conversion options. + +##### Fixed Fields for RFC6570-style Serialization + +Field Name | Type | Description +---|:---:|--- +style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameterObject) for details on the [`style`](#parameterStyle) property. The behavior follows the same values as `query` parameters, including default values. Note that the initial `?` used in query strings is not used in `application/x-www-form-urlencoded` message bodies, and MUST be removed (if using an RFC6570 implementation) or simply not added (if constructing the string manually). This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. 
+explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties this property has no effect. When [`style`](#encodingStyle) is `form`, the default value is `true`. For all other styles, the default value is `false`. Note that despite `false` being the default for `deepObject`, the combination of `false` with `deepObject` is undefined. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. +allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#autoid-20), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#autoid-13), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#autoid-24) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see Appendices [C](#usingRFC6570Implementations) and [E](#percentEncodingAndFormMediaTypes) for details. The default value is `false`. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. 
+ +See also [Appendix C: Using RFC6570 Implementations](#usingRFC6570Implementations) for additional guidance, including on difficulties caused by the interaction between RFC6570's percent-encoding rules and the `multipart/form-data` media type. + +Note that the presence of at least one of `style`, `explode`, or `allowReserved` with an explicit value is equivalent to using `schema` with `in: query` Parameter Objects. +The absence of all three of those fields is the equivalent of using `content`, but with the media type specified in `contentType` rather than through a Media Type Object. + +See [Appendix E](#percentEncodingAndFormMediaTypes) for a detailed examination of percent-encoding concerns for form media types. To submit content using form url encoding via [RFC1866](https://tools.ietf.org/html/rfc1866), the following definition may be used: 
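Review bot: In the `@@ -1570,21 +1572,60 @@` hunk, deleting the multi-file YAML block leaves the unchanged lead-in `To upload multiple files, a `multipart` media type MUST be used:` ending in a colon with nothing after it but the relocated `+##### Support for x-www-form-urlencoded Request Bodies` heading, and both that heading and `+##### Special Considerations for `multipart` Content` become empty sections; either keep the example here or give each stub a cross-reference to where the content now lives. In the moved Encoding Object text, `###### Common Fixed Fields` is level 6 while `##### Fixed Fields for RFC6570-style Serialization` is level 5, although they are peers, and `See [Appendix E](#percentEncodingAndFormMediaTypes) for a detailed examination of percent-encoding concerns for form media types.` now appears twice in the same object (once in the intro, once after the RFC6570 table).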
@@ -1635,9 +1676,28 @@ Here is the `id` parameter (without `address`) serialized as `application/json` id=%22f81d4fae-7dec-11d0-a765-00a0c91e6bf6%22 ``` -See [Appendix E](#percentEncodingAndFormMediaTypes) for a detailed examination of percent-encoding concerns for form media types. +`application/x-www-form-urlencoded` is a text format, which requires base64-encoding any binary data: -##### Special Considerations for `multipart` Content +```YAML +requestBody: + content: + application/x-www-form-urlencoded: + schema: + type: object + properties: + name: + type: string + icon: + # default for type string is text/plain, need to declare + # the appropriate contentType in the Encoding Object + type: string + contentEncoding: base64url + encoding: + icon: + contentType: image/png, image/jpeg +``` + +###### Encoding `multipart` Media Types It is common to use `multipart/form-data` as a `Content-Type` when transferring request bodies to operations. In contrast to 2.0, a `schema` is REQUIRED to define the input parameters to the operation when using `multipart` content. This supports complex structures as well as supporting mechanisms for multiple file uploads. 
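Review bot: In the `@@ -1635,9 +1676,28 @@` hunk, the comment on the moved `icon` property, `# default for type string is text/plain, need to declare`, contradicts the default table added in this same patch, which gives `application/octet-stream` for `string` with `contentEncoding` _present_ (and `icon` has `contentEncoding: base64url`); the Encoding Object is still needed to narrow the part to `image/png, image/jpeg`, but the stated reason is wrong and will mislead readers about the defaults. Two smaller points: the block is fenced as ```` ```YAML ```` while every other example in the file uses lowercase ```` ```yaml ````, and `+###### Encoding `multipart` Media Types` is one level deeper than the sibling `##### Encoding Object Example` heading despite being a peer section.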
@@ -1653,6 +1713,23 @@ Per the JSON Schema specification, `contentMediaType` without `contentEncoding` Note that only `multipart/*` media types with named parts can be described as shown here. Note also that while `multipart/form-data` originally defined a per-part `Content-Transfer-Encoding` header that could indicate base64 encoding (`contentEncoding: base64`), it has been deprecated for use with HTTP as of [RFC7578](https://www.rfc-editor.org/rfc/rfc7578#section-4.7). +The `form-data` disposition and its `name` parameter are mandatory for `multipart/form-data` ([RFC7578 §4.2](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.2)). +Array properties are handled by applying the same `name` to multiple parts, as is recommended by [RFC7578 §4.3](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.3) for supplying multiple values per form field. +See [RFC7578 §5](https://www.rfc-editor.org/rfc/rfc7578.html#section-5) for guidance regarding non-ASCII part names. + +Various other `multipart` types, most notable `multipart/mixed` ([RFC2046 §5.1.3](https://www.rfc-editor.org/rfc/rfc2046.html#section-5.1.3)) neither require nor forbid specific `Content-Disposition` values, which means care must be taken to ensure that any values used are supported by all relevant software. +It is not currently possible to correlate schema properties with unnamed, ordered parts in media types such as `multipart/mixed`, but implementations MAY choose to support such types when `Content-Disposition: form-data` is used with a `name` parameter. + +Note that there are significant restrictions on what headers can be used with `multipart` media types in general ([RFC2046 §5.1](https://www.rfc-editor.org/rfc/rfc2046.html#section-5.1)) and `multi-part/form-data` in particular ([RFC7578 §4.8](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.8)). 
+ +Note also that `Content-Transfer-Encoding` is deprecated for `multipart/form-data` ([RFC7578 §4.7](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.7)) where binary data is supported, as it is in HTTP. +Using `contentEncoding` is equivalent to setting `Content-Transfer-Encoding` to the same value. +If `contentEncoding` is used along with setting a different `Content-Transfer-Encoding` value with the `headers` field, the result is undefined. + +See [Appendix E](#percentEncodingAndFormMediaTypes) for a detailed examination of percent-encoding concerns for form media types. + +##### Encoding Object Example + Examples: ```yaml 
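Review bot: In the `@@ -1653,6 +1713,23 @@` hunk, the added `+Note also that `Content-Transfer-Encoding` is deprecated for `multipart/form-data` ([RFC7578 §4.7]...)` paragraph restates the unchanged context line directly above it (`Note also that while `multipart/form-data` originally defined a per-part `Content-Transfer-Encoding` header ... it has been deprecated for use with HTTP as of [RFC7578]`); keep one of the two, preferably the new one since it also covers the `contentEncoding`/`headers` conflict. Two typos in the new text: `most notable `multipart/mixed`` should read `most notably`, and `` `multi-part/form-data` `` should be `` `multipart/form-data` ``. Finally, `+##### Encoding Object Example` is immediately followed by the old bare `Examples:` label, which is now redundant.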
@@ -1690,74 +1767,6 @@ requestBody: $ref: '#/components/schemas/Address' ``` -An `encoding` attribute is introduced to give you control over the serialization of parts of `multipart` request bodies. This attribute is _only_ applicable to request bodies, and _only_ for `multipart` and `application/x-www-form-urlencoded` media types. - -#### Encoding Object - -A single encoding definition applied to a single schema property. -See [Appendix B](#dataTypeConversion) for a discussion of converting values of various types to string representations. - -Properties are correlated with `multipart` parts using the `name` parameter to `Content-Disposition: form-data`, and with `application/x-www-form-urlencoded` using the query string parameter names. -In both cases, their order is implementation-defined. - -See [Appendix E](#percentEncodingAndFormMediaTypes) for a detailed examination of percent-encoding concerns for form media types. - -###### Common Fixed Fields - -These fields MAY be used either with or without the RFC6570-style serialization fields defined in the next section below. - -Field Name | Type | Description ----|:---:|--- -contentType | `string` | The `Content-Type` for encoding a specific property. The value is a comma-separated list, each element of which is either a specific media type (e.g. `image/png`) or a wildcard media type (e.g. `image/*`). Default value depends on the property type as shown in the table below. -headers | Map[`string`, [Header Object](#headerObject) \| [Reference Object](#referenceObject)] | A map allowing additional information to be provided as headers. `Content-Type` is described separately and SHALL be ignored in this section. This property SHALL be ignored if the request body media type is not a `multipart`. - -This object MAY be extended with [Specification Extensions](#specificationExtensions). 
- -The default values for `contentType` are as follows, where an _n/a_ in the `contentEncoding` column means that the presence or value of `contentEncoding` is irrelevant: - -Property `type` | Property `contentEncoding` | Default `contentType` ---------------- | -------------------------- | --------------------- -_absent_ | _n/a_ | `application/octet-stream` -`string` | _present_ | `application/octet-stream` -`string` | _absent_ | `text/plain` -`number`, `integer`, or `boolean` | _n/a_ | `text/plain` -`object` | _n/a_ | `application/json` -`array` | _n/a_ | according to the `type` of the `items` schema - -Determining how to handle a `type` value of `null` depends on how `null` values are being serialized. -If `null` values are entirely omitted, then the `contentType` is irrelevant. -See [Appendix B](#dataTypeConversion) for a discussion of data type conversion options. - -##### Fixed Fields for RFC6570-style Serialization - -Field Name | Type | Description ----|:---:|--- -style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameterObject) for details on the [`style`](#parameterStyle) property. The behavior follows the same values as `query` parameters, including default values. Note that the initial `?` used in query strings is not used in `application/x-www-form-urlencoded` message bodies, and MUST be removed (if using an RFC6570 implementation) or simply not added (if constructing the string manually). This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. -explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties this property has no effect. 
When [`style`](#encodingStyle) is `form`, the default value is `true`. For all other styles, the default value is `false`. Note that despite `false` being the default for `deepObject`, the combination of `false` with `deepObject` is undefined. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. -allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#autoid-20), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#autoid-13), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#autoid-24) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see Appendices [C](#usingRFC6570Implementations) and [E](#percentEncodingAndFormMediaTypes) for details. The default value is `false`. This property SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encodingContentType) (implicit or explicit) SHALL be ignored. - -See also [Appendix C: Using RFC6570 Implementations](#usingRFC6570Implementations) for additional guidance, including on difficulties caused by the interaction between RFC6570's percent-encoding rules and the `multipart/form-data` media type. 
- -Note that the presence of at least one of `style`, `explode`, or `allowReserved` with an explicit value is equivalent to using `schema` with `in: query` Parameter Objects. -The absence of all three of those fields is the equivalent of using `content`, but with the media type specified in `contentType` rather than through a Media Type Object. - -###### Encoding `multipart` Media Types - -The `form-data` disposition and its `name` parameter are mandatory for `multipart/form-data` ([RFC7578 §4.2](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.2)). -Array properties are handled by applying the same `name` to multiple parts, as is recommended by [RFC7578 §4.3](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.3) for supplying multiple values per form field. -See [RFC7578 §5](https://www.rfc-editor.org/rfc/rfc7578.html#section-5) for guidance regarding non-ASCII part names. - -Various other `multipart` types, most notable `multipart/mixed` ([RFC2046 §5.1.3](https://www.rfc-editor.org/rfc/rfc2046.html#section-5.1.3)) neither require nor forbid specific `Content-Disposition` values, which means care must be taken to ensure that any values used are supported by all relevant software. -It is not currently possible to correlate schema properties with unnamed, ordered parts in media types such as `multipart/mixed`, but implementations MAY choose to support such types when `Content-Disposition: form-data` is used with a `name` parameter. - -Note that there are significant restrictions on what headers can be used with `multipart` media types in general ([RFC2046 §5.1](https://www.rfc-editor.org/rfc/rfc2046.html#section-5.1)) and `multi-part/form-data` in particular ([RFC7578 §4.8](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.8)). - -Note also that `Content-Transfer-Encoding` is deprecated for `multipart/form-data` ([RFC7578 §4.7](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.7)) where binary data is supported, as it is in HTTP. 
-Using `contentEncoding` is equivalent to setting `Content-Transfer-Encoding` to the same value. -If `contentEncoding` is used along with setting a different `Content-Transfer-Encoding` value with the `headers` field, the result is undefined. - -##### Encoding Object Example - `multipart/form-data` allows for binary parts: ```yaml @@ -1795,27 +1804,22 @@ requestBody: type: integer ``` -`application/x-www-form-urlencoded` is a text format, which requires base64-encoding any binary data: +To upload multiple files, a `multipart` media type MUST be used: -```YAML +```yaml requestBody: content: - application/x-www-form-urlencoded: + multipart/form-data: schema: - type: object properties: - name: - type: string - icon: - # default for type string is text/plain, need to declare - # the appropriate contentType in the Encoding Object - type: string - contentEncoding: base64url - encoding: - icon: - contentType: image/png, image/jpeg + # The property name 'file' will be used for all files. + file: + type: array + items: {} ``` +As seen in the section on `multipart/form-data` below, the empty schema for `items` indicates a media type of `application/octet-stream`. + #### Responses Object A container for the expected responses of an operation. From 80f61a83d2aa6de68c6f7cb9031d99fe7832998b Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Wed, 19 Jun 2024 16:39:45 -0700 Subject: [PATCH 46/61] Add section titles, fix levels (3.2.0 port of 3923 2/7) Make the Parameter, Encoding, and Header Object fixed fields section organization the same in all three places, with the same levels of indentation. Add more headings under the Encoding Object for guidance on each form media type, and sub-headings for each example in each of those sections. This will make the diff for the next commit much more legible. --- versions/3.2.0.md | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) 
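Review bot: In the `@@ -1795,27 +1804,22 @@` hunk, the moved sentence `+As seen in the section on `multipart/form-data` below, the empty schema for `items` indicates a media type of `application/octet-stream`.` now sits at the very end of the Encoding Object, directly before `#### Responses Object`, so the multipart section it refers to is above it, not below; reword it or replace `below` with a link to the `Encoding `multipart` Media Types` heading so the reference survives further reordering.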
diff --git a/versions/3.2.0.md b/versions/3.2.0.md index b24ebc4513..b6ce5275bc 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md @@ -1586,6 +1586,8 @@ In both cases, their order is implementation-defined. See [Appendix E](#percentEncodingAndFormMediaTypes) for a detailed examination of percent-encoding concerns for form media types. +##### Fixed Fields + ###### Common Fixed Fields These fields MAY be used either with or without the RFC6570-style serialization fields defined in the next section below. @@ -1612,7 +1614,7 @@ Determining how to handle a `type` value of `null` depends on how `null` values If `null` values are entirely omitted, then the `contentType` is irrelevant. See [Appendix B](#dataTypeConversion) for a discussion of data type conversion options. -##### Fixed Fields for RFC6570-style Serialization +###### Fixed Fields for RFC6570-style Serialization Field Name | Type | Description ---|:---:|--- @@ -1625,11 +1627,15 @@ See also [Appendix C: Using RFC6570 Implementations](#usingRFC6570Implementation Note that the presence of at least one of `style`, `explode`, or `allowReserved` with an explicit value is equivalent to using `schema` with `in: query` Parameter Objects. The absence of all three of those fields is the equivalent of using `content`, but with the media type specified in `contentType` rather than through a Media Type Object. +##### Encoding the `x-www-form-urlencoded` Media Type + See [Appendix E](#percentEncodingAndFormMediaTypes) for a detailed examination of percent-encoding concerns for form media types. To submit content using form url encoding via [RFC1866](https://tools.ietf.org/html/rfc1866), the following definition may be used: +###### Example: URL Encoded Form with JSON Values + ```yaml requestBody: content: 
@@ -1676,6 +1682,8 @@ Here is the `id` parameter (without `address`) serialized as `application/json` id=%22f81d4fae-7dec-11d0-a765-00a0c91e6bf6%22 ``` +###### Example: URL Encoded Form with Binary Values + `application/x-www-form-urlencoded` is a text format, which requires base64-encoding any binary data: ```YAML @@ -1697,7 +1705,7 @@ requestBody: contentType: image/png, image/jpeg ``` -###### Encoding `multipart` Media Types +##### Encoding `multipart` Media Types It is common to use `multipart/form-data` as a `Content-Type` when transferring request bodies to operations. In contrast to 2.0, a `schema` is REQUIRED to define the input parameters to the operation when using `multipart` content. This supports complex structures as well as supporting mechanisms for multiple file uploads. @@ -1728,7 +1736,7 @@ If `contentEncoding` is used along with setting a different `Content-Transfer-En See [Appendix E](#percentEncodingAndFormMediaTypes) for a detailed examination of percent-encoding concerns for form media types. -##### Encoding Object Example +###### Example: Basic Multipart Form Examples: @@ -1767,6 +1775,8 @@ requestBody: $ref: '#/components/schemas/Address' ``` +###### Example: Multipart Form with Encoding Objects + `multipart/form-data` allows for binary parts: ```yaml @@ -1804,6 +1814,8 @@ requestBody: type: integer ``` +###### Example: Multipart Form with Multiple Files + To upload multiple files, a `multipart` media type MUST be used: ```yaml 
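Review bot: In the `@@ -1625,11 +1627,15 @@` hunk, inserting `+###### Example: URL Encoded Form with JSON Values` between the sentence `To submit content using form url encoding via [RFC1866](...), the following definition may be used:` and its ```` ```yaml ```` block separates a colon-terminated lead-in from the example it introduces; move the heading above that sentence, or rewrite the sentence so the heading no longer splits them.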
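Review bot: In the `@@ -1728,7 +1736,7 @@` hunk, `+###### Example: Basic Multipart Form` replaces `##### Encoding Object Example` but leaves the bare `Examples:` line beneath it, which now only duplicates the heading; drop it.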
@@ -2479,7 +2491,9 @@ The Header Object follows the structure of the [Parameter Object](#parameterObje 1. `in` MUST NOT be specified, it is implicitly in `header`. 1. All traits that are affected by the location MUST be applicable to a location of `header` (for example, [`style`](#parameterStyle)). This means that `allowEmptyValue` and `allowReserved` MUST NOT be used, and `style`, if used, MUST be limited to `simple`. -##### Common Fixed Fields +##### Fixed Fields + +###### Common Fixed Fields These fields MAY be used with either `content` or `schema`. @@ -2491,7 +2505,7 @@ Field Name | Type | Description This object MAY be extended with [Specification Extensions](#specificationExtensions). -##### Fixed Fields for use with `schema` +###### Fixed Fields for use with `schema` For simpler scenarios, a [`schema`](#headerSchema) and [`style`](#headerStyle) can describe the structure and syntax of the header. When `example` or `examples` are provided in conjunction with the `schema` object, the example MUST follow the prescribed serialization strategy for the header. @@ -2511,7 +2525,7 @@ Field Name | Type | Description See also [Appendix C: Using RFC6570 Implementations](#usingRFC6570Implementations) for additional guidance. -##### Fixed Fields for use with `content` +###### Fixed Fields for use with `content` For more complex scenarios, the [`content`](#headerContent) property can define the media type and schema of the header, as well as give examples of its use. Using `content` with a `text/plain` media type is RECOMMENDED for headers where the `schema` strategy is not appropriate. From 68ab6ea0c726072d764d726a9acd18b4abfcbfdf Mon Sep 17 00:00:00 2001 
From: "Henry H. Andrews" Date: Wed, 19 Jun 2024 16:46:41 -0700 Subject: [PATCH 47/61] Consolidating form guidance: Media Type Object (3.2.0 port of 3923 3/7) This puts the useful part of the "An encoding attribute..." text into the fixed fields table, and removes the duplication. It also links the remaining stub or truncated sections to the information's new location under the Encoding Object. --- versions/3.2.0.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index b6ce5275bc..372b2afc0a 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
@@ -1456,15 +1456,13 @@ See [Working With Examples](#working-with-examples) for further guidance regardi ##### Fixed Fields Field Name | Type | Description ---|:---:|--- -schema | [Schema Object](#schemaObject) | The schema defining the content of the request, response, or parameter. +schema | [Schema Object](#schemaObject) | The schema defining the content of the request, response, parameter, or header. example | Any | Example of the media type; see [Working With Examples](#working-with-examples). examples | Map[ `string`, [Example Object](#exampleObject) \| [Reference Object](#referenceObject)] | Examples of the media type; see [Working With Examples](#working-with-examples). -encoding | Map[`string`, [Encoding Object](#encodingObject)] | A map between a property name and its encoding information. The key, being the property name, MUST exist in the schema as a property. The encoding attribute SHALL only apply to [Request Body Objects](#requestBodyObject), and only when the media type is `multipart` or `application/x-www-form-urlencoded`. If no Encoding Object is provided for a property, the behavior is determined by the default values documented for the Encoding Object. +encoding | Map[`string`, [Encoding Object](#encodingObject)] | A map between a property name and information providing more control over the serialization of the value. The key, being the property name, MUST exist in the schema as a property. The encoding attribute SHALL only apply to [Request Body Objects](#requestBodyObject), and only when the media type is `multipart` or `application/x-www-form-urlencoded`. If no Encoding Object is provided for a property, the behavior is determined by the default values documented for the Encoding Object. This object MAY be extended with [Specification Extensions](#specificationExtensions). -An `encoding` attribute is introduced to give you control over the serialization of parts of `multipart` request bodies. 
This attribute is _only_ applicable to request bodies, and _only_ for `multipart` and `application/x-www-form-urlencoded` media types. - ##### Media Type Examples ```json @@ -1570,12 +1568,16 @@ requestBody: image/png: {} ``` -To upload multiple files, a `multipart` media type MUST be used: +To upload multiple files, a `multipart` media type MUST be used as shown under [Example: Multipart Form with Multiple Files](#example-multipart-form-with-multiple-files). ##### Support for x-www-form-urlencoded Request Bodies +See [Encoding the `x-www-form-urlencoded` Media Type](#encoding-the-x-www-form-urlencoded-media-type) for guidance and examples, both with and without the `encoding` attribute. + ##### Special Considerations for `multipart` Content +See [Encoding `multipart` Media Types](#encoding-multipart-media-types) for further guidance and examples, both with and without the `encoding` attribute. + #### Encoding Object A single encoding definition applied to a single schema property. From 9410558ed5ccdf86a97d7b9f5b3e78d7807d4f91 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Wed, 19 Jun 2024 17:24:52 -0700 Subject: [PATCH 48/61] Re-organize form-urlencoded guidance (3.2.0 port of 3923 4/7) This re-organizes and streamlines the form-urlencoded guidance that was consolidated from the Media Type Object. It also adds an example of a base64-encoded URL query parameter. --- versions/3.2.0.md | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 372b2afc0a..045aecae7b 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
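Review bot: In the `@@ -1456,15 +1456,13 @@` hunk, the `schema` row change (`request, response, or parameter` to `request, response, parameter, or header`) is a substantive scope correction unrelated to the form/encoding consolidation the commit message describes; it is a good fix, but it should be called out in the message or split into its own commit so it is not lost inside a text-move change. The removed `-An `encoding` attribute is introduced ...` paragraph loses no information, since its request-body-only and form-media-types-only conditions are already stated in the reworded `encoding` row.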
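Review bot: In the `@@ -1570,12 +1568,16 @@` hunk, the three new links (`#example-multipart-form-with-multiple-files`, `#encoding-the-x-www-form-urlencoded-media-type`, `#encoding-multipart-media-types`) depend on renderer-generated heading slugs, while every other cross-reference in this file uses an explicit named anchor such as `#encodingObject` or `#requestBodyObject`; either add explicit anchors to those headings or document the dependency, since slug generation for headings that contain backticks differs between renderers. With this change the `Support for x-www-form-urlencoded Request Bodies` and `Special Considerations for `multipart` Content` sections consist of nothing but a cross-reference each, so consider folding them into a single pointer sentence.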
@@ -1631,13 +1631,15 @@ The absence of all three of those fields is the equivalent of using `content`, b ##### Encoding the `x-www-form-urlencoded` Media Type -See [Appendix E](#percentEncodingAndFormMediaTypes) for a detailed examination of percent-encoding concerns for form media types. +To submit content using form url encoding via [RFC1866](https://tools.ietf.org/html/rfc1866), use the `application/x-www-form-urlencoded` media type in the [Media Type Object](#mediaTypeObject) under the [Request Body Object](#requestBodyObject). +This configuration means that the request body MUST be encoded per [RFC1866](https://tools.ietf.org/html/rfc1866) when passed to the server, after any complex objects have been serialized to a string representation. -To submit content using form url encoding via [RFC1866](https://tools.ietf.org/html/rfc1866), the following -definition may be used: +See [Appendix E](#percentEncodingAndFormMediaTypes) for a detailed examination of percent-encoding concerns for form media types. ###### Example: URL Encoded Form with JSON Values +When there is no [`encoding` field](#mediaTypeEncoding), the serialization strategy is based on the Encoding Object's default values: + ```yaml requestBody: content: 
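Review bot: In the `@@ -1631,13 +1631,15 @@` hunk, the new lead-in `+When there is no [`encoding` field](#mediaTypeEncoding), the serialization strategy is based on the Encoding Object's default values:` introduces another anchor, `#mediaTypeEncoding`, that needs to exist in the file; also, `[RFC1866](https://tools.ietf.org/html/rfc1866)` is now linked twice in consecutive sentences, so the second occurrence can be plain text, and `form url encoding` should be capitalized `URL`.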
@@ -1654,11 +1656,7 @@ requestBody: properties: {} ``` -In this example, the contents in the `requestBody` MUST be encoded per [RFC1866](https://tools.ietf.org/html/rfc1866) when passed to the server. In addition, the `address` field complex object will be serialized to a string representation prior to encoding. - -When passing complex objects in the `application/x-www-form-urlencoded` content type, the default serialization strategy of such properties is described in the [Encoding Object](#encodingObject)'s [`style`](#encodingStyle) property as `form`. - -With this example, given an `id` of `f81d4fae-7dec-11d0-a765-00a0c91e6bf6` and a US-style address (with ZIP+4) as follows: +With this example, consider an `id` of `f81d4fae-7dec-11d0-a765-00a0c91e6bf6` and a US-style address (with ZIP+4) as follows: ```json { @@ -1686,7 +1684,7 @@ id=%22f81d4fae-7dec-11d0-a765-00a0c91e6bf6%22 ###### Example: URL Encoded Form with Binary Values -`application/x-www-form-urlencoded` is a text format, which requires base64-encoding any binary data: +Note that `application/x-www-form-urlencoded` is a text format, which requires base64-encoding any binary data: ```YAML requestBody: @@ -1698,8 +1696,8 @@ requestBody: name: type: string icon: - # default for type string is text/plain, need to declare - # the appropriate contentType in the Encoding Object + # The default with "contentEncoding" is application/octet-stream, + # so we need to set image media type(s) in the Encoding Object. type: string contentEncoding: base64url encoding: 
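Review bot: In the `@@ -1654,11 +1656,7 @@` hunk, removing `-When passing complex objects in the `application/x-www-form-urlencoded` content type, the default serialization strategy of such properties is described in the [Encoding Object]'s [`style`] property as `form`.` drops the only explicit statement in this section that complex properties default to `style: form` (and therefore `explode: true`, per the RFC6570 fixed fields table); the replacement sends readers off to the Encoding Object defaults to work out why `address` serializes the way the following example shows. A short parenthetical such as `(i.e. `style: form` with `explode: true`)` would keep the example self-explanatory.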
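Review bot: In the `@@ -1686,7 +1684,7 @@` hunk, the unchanged context shows the binary-values example still fenced as ```` ```YAML ````; since the block is being touched anyway (here and in `@@ -1698`), lowercase it to ```` ```yaml ```` to match every other example in the file. The comment rewrite in `@@ -1698` (`# The default with "contentEncoding" is application/octet-stream,`) now agrees with the default table, which resolves the earlier contradiction.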
@@ -1707,6 +1705,13 @@ requestBody: contentType: image/png, image/jpeg ``` +Given a name of `example` and a solid red 2x2-pixel PNG for `icon`, this +would produce a request body of: + +```urlencoded +name=example&icon=iVBORw0KGgoAAAANSUhEUgAAAAIAAAACCAYAAABytg0kAAAAEklEQVQIW2P8z8AARAwMjDAGACwBA/+8RVWvAAAAAElFTk +``` + ##### Encoding `multipart` Media Types It is common to use `multipart/form-data` as a `Content-Type` when transferring request bodies to operations. In contrast to 2.0, a `schema` is REQUIRED to define the input parameters to the operation when using `multipart` content. This supports complex structures as well as supporting mechanisms for multiple file uploads. From 2db5ed791ec2fe9020bdd9da1d8da1dbef3e5cb0 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 20 Jun 2024 12:31:07 -0700 Subject: [PATCH 49/61] Fix base64 encoding example for URL quoting (3.2.0 port of 2923 5/7) I forgot to run the example through URL quoting, which is necessary. --- versions/3.2.0.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 045aecae7b..3585fa352b 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
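Review bot: In the `@@ -1707,6 +1705,13 @@` hunk, the example request body is inconsistent with the `contentEncoding: base64url` declared for `icon` in the schema above it: the value contains `/` and `+` (`...BA/+8RVWv...`), which are standard base64 alphabet characters rather than the `-`/`_` of base64url, and a literal `+` in an `application/x-www-form-urlencoded` body decodes as a space, so a server following the schema would receive corrupted bytes. The string also appears to be cut off part-way through the final chunk and carries no padding. Re-encode with the URL-safe alphabet and percent-encode anything that form encoding treats specially before publishing. Separately, ```` ```urlencoded ```` is not a common highlighter name; a plain fence or ```` ```text ```` avoids a rendering warning.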
@@ -1709,9 +1709,13 @@ Given a name of `example` and a solid red 2x2-pixel PNG for `icon`, this would produce a request body of: ```urlencoded -name=example&icon=iVBORw0KGgoAAAANSUhEUgAAAAIAAAACCAYAAABytg0kAAAAEklEQVQIW2P8z8AARAwMjDAGACwBA/+8RVWvAAAAAElFTk +name=example&icon=iVBORw0KGgoAAAANSUhEUgAAAAIAAAACCAIAAAD91JpzAAAABGdBTUEAALGPC_xhBQAAADhlWElmTU0AKgAAAAgAAYdpAAQAAAABAAAAGgAAAAAAAqACAAQAAAABAAAAAqADAAQAAAABAAAAAgAAAADO0J6QAAAAEElEQVQIHWP8zwACTGCSAQANHQEDqtPptQAAAABJRU5ErkJggg%3D%3D ``` +Note that the `=` padding characters at the end need to be percent-encoded, even with the "URL safe" `contentEncoding: base64url`. +Some base64-decoding implementations may be able to use the string without the padding per [RFC4648 §3.2](https://datatracker.ietf.org/doc/html/rfc4648#section-3.2). +However, this is not guaranteed, so it may be more interoperable to keep the padding and rely on percent-decoding. + ##### Encoding `multipart` Media Types It is common to use `multipart/form-data` as a `Content-Type` when transferring request bodies to operations. In contrast to 2.0, a `schema` is REQUIRED to define the input parameters to the operation when using `multipart` content. This supports complex structures as well as supporting mechanisms for multiple file uploads. From 50b863e9c4ae6fa16eae5a59deff43f03203e28a Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Wed, 19 Jun 2024 17:25:44 -0700 Subject: [PATCH 50/61] Reorganize multipart/form-data guidance (3.2.0 port of 3923 6/7, 3929) This organizes and streamlines the guidance on multipart that was incorporated from the Media Type Object. Lots of duplication has been removed, and the examples reworked to show distinct use cases. --- versions/3.2.0.md | 81 ++++++++++++++++++++--------------------------- 1 file changed, 34 insertions(+), 47 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 3585fa352b..432328e239 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
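Review bot: In the `@@ -1709,9 +1709,13 @@` hunk, the replacement value is now correctly base64url (`_` in place of `/`, no `+`) and terminates properly, with the `==` padding percent-encoded as `%3D%3D`, and the added note on padding matches RFC4648 §3.2. The new PNG is noticeably longer than a minimal 2x2 image because it carries ancillary `gAMA` and `eXIf` metadata chunks; stripping those before encoding would shorten the line without changing what the example demonstrates. The ```` ```urlencoded ```` fence tag carried over from the previous commit is still not a recognized highlighter name.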
@@ -1718,19 +1718,7 @@ However, this is not guaranteed, so it may be more interoperable to keep the pad ##### Encoding `multipart` Media Types -It is common to use `multipart/form-data` as a `Content-Type` when transferring request bodies to operations. In contrast to 2.0, a `schema` is REQUIRED to define the input parameters to the operation when using `multipart` content. This supports complex structures as well as supporting mechanisms for multiple file uploads. - -In a `multipart/form-data` request body, each schema property, or each element of a schema array property, takes a section in the payload with an internal header as defined by [RFC7578](https://tools.ietf.org/html/rfc7578). The serialization strategy for each property of a `multipart/form-data` request body can be specified in an associated [`Encoding Object`](#encodingObject). - -When passing in `multipart` types, boundaries MAY be used to separate sections of the content being transferred – thus, the following default `Content-Type`s are defined for `multipart`: - -* If the property is a primitive, or an array of primitive values, the default Content-Type is `text/plain` -* If the property is complex, or an array of complex values, the default Content-Type is `application/json` -* If the property is a `type: string` with a `contentEncoding`, the default Content-Type is `application/octet-stream` - -Per the JSON Schema specification, `contentMediaType` without `contentEncoding` present is treated as if `contentEncoding: identity` were present. While useful for embedding text documents such as `text/html` into JSON strings, it is not useful for a `multipart/form-data` part, as it just causes the document to be treated as `text/plain` instead of its actual media type. Use the Encoding Object without `contentMediaType` if no `contentEncoding` is required. - -Note that only `multipart/*` media types with named parts can be described as shown here. 
Note also that while `multipart/form-data` originally defined a per-part `Content-Transfer-Encoding` header that could indicate base64 encoding (`contentEncoding: base64`), it has been deprecated for use with HTTP as of [RFC7578](https://www.rfc-editor.org/rfc/rfc7578#section-4.7). +It is common to use `multipart/form-data` as a `Content-Type` when transferring forms as request bodies. In contrast to 2.0, a `schema` is REQUIRED to define the input parameters to the operation when using `multipart` content. This supports complex structures as well as supporting mechanisms for multiple file uploads. The `form-data` disposition and its `name` parameter are mandatory for `multipart/form-data` ([RFC7578 §4.2](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.2)). Array properties are handled by applying the same `name` to multiple parts, as is recommended by [RFC7578 §4.3](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.3) for supplying multiple values per form field. 
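Review bot: the `+It is common to use \`multipart/form-data\` as a \`Content-Type\` when transferring forms as request bodies.` replacement drops the three bulleted default Content-Type rules without telling the reader where they now live; add a cross-reference to the `contentType` defaults table (`Property \`type\` | Property \`contentEncoding\` | Default \`contentType\``) so the comments about defaults in the Basic Multipart Form example below remain verifiable from this section. The removed guidance that `contentMediaType` without `contentEncoding` is treated as `identity` is only partly carried forward by the later NOT RECOMMENDED note, so check that nothing a reader needs to interpret existing descriptions is lost.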
@@ -1742,14 +1730,18 @@ It is not currently possible to correlate schema properties with unnamed, ordere Note that there are significant restrictions on what headers can be used with `multipart` media types in general ([RFC2046 §5.1](https://www.rfc-editor.org/rfc/rfc2046.html#section-5.1)) and `multi-part/form-data` in particular ([RFC7578 §4.8](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.8)). Note also that `Content-Transfer-Encoding` is deprecated for `multipart/form-data` ([RFC7578 §4.7](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.7)) where binary data is supported, as it is in HTTP. -Using `contentEncoding` is equivalent to setting `Content-Transfer-Encoding` to the same value. -If `contentEncoding` is used along with setting a different `Content-Transfer-Encoding` value with the `headers` field, the result is undefined. + ++Using `contentEncoding` for a multipart field is equivalent to specifying an [Encoding Object](#encodingObject) with a `headers` field containing `Content-Transfer-Encoding` with a schema that requires the value used in `contentEncoding`. ++If `contentEncoding` is used for a multipart field that has an Encoding Object with a `headers` field containing `Content-Transfer-Encoding` with a schema that disallows the value from `contentEncoding`, the result is undefined for serialization and parsing. + +Note that as stated in [Working with Binary Data](#binaryData), if the Encoding Object's `contentType`, whether set explicitly or implicitly through its default value rules, disagrees with the `contentMediaType` in a Schema Object, the `contentMediaType` SHALL be ignored. +Because of this, and because the Encoding Object's `contentType` defaulting rules do not take the Schema Object's` contentMediaType` into account, the use of `contentMediaType` with an Encoding Object is NOT RECOMMENDED. See [Appendix E](#percentEncodingAndFormMediaTypes) for a detailed examination of percent-encoding concerns for form media types. 
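Review bot: the lines beginning `++Using \`contentEncoding\` for a multipart field is equivalent to specifying an [Encoding Object](#encodingObject)` and `++If \`contentEncoding\` is used for a multipart field that has an Encoding Object` carry a doubled leading `+`, which will put a literal `+` at the start of both spec paragraphs; they should start with a single `+` like the surrounding added lines. In the same hunk, `the Schema Object's\` contentMediaType\`` has the backtick on the wrong side of the space (should be `the Schema Object's \`contentMediaType\``), and the unchanged context line spelling `multi-part/form-data` could be corrected to `multipart/form-data` while this area is being edited.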
###### Example: Basic Multipart Form -Examples: +When the `encoding` attribute is _not_ used, the encoding is determined by the Encoding Object's defaults: ```yaml requestBody: @@ -1759,27 +1751,16 @@ requestBody: type: object properties: id: + # default for primitives without a special format is text/plain type: string format: uuid - address: - # default Content-Type for objects is `application/json` - type: object - properties: {} profileImage: - # default Content-Type for properties with type string and a contentEncoding - # is `application/octet-stream`, so `image/png` must be set using contentMediaType + # default for string with binary format is `application/octet-stream` type: string - contentMediaType: image/png - contentEncoding: base64 - children: - # default Content-Type for arrays is based on the items subschema type, which - # is a string, producing a default of `text/plain` - type: array - items: - type: string + format: binary addresses: - # default Content-Type for arrays is based on the items subschema type, which - # is an object, producing a default of `application/json` + # default for arrays is based on the type in the `items` + # subschema, which is an object, so `application/json` type: array items: type: object @@ -1788,7 +1769,8 @@ requestBody: ###### Example: Multipart Form with Encoding Objects -`multipart/form-data` allows for binary parts: +Using `encoding`, we can set more specific types for binary data, or non-JSON formats for complex values. +We can also describe headers for each part: ```yaml requestBody: 
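Review bot: the comment `+            # default for string with binary format is \`application/octet-stream\`` next to `+            format: binary` contradicts the `contentType` defaults table later in this series, which gives `text/plain` for `string` with `contentEncoding` absent and `application/octet-stream` only for an absent `type` or a `string` with `contentEncoding` present; `format: binary` does not appear in that table at all. Either replace `type: string` / `format: binary` with an empty schema (as the Multiple Files example does with `items: {}`) or fix the comment. Also, `+When the \`encoding\` attribute is _not_ used` should say `field`, matching the "Field Name" terminology used throughout the document.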
@@ -1798,25 +1780,30 @@ requestBody: type: object properties: id: - # default is text/plain + # default is `text/plain` type: string format: uuid - address: - # default is application/json - type: object - properties: {} - historyMetadata: - # need to declare XML format! - description: metadata in XML format - type: object - properties: {} - profileImage: {} + addresses: + # default based on the `items` subschema would be + # `application/json`, but we want these address objects + # serialized as `application/xml` instead + description: addresses in XML format + type: array + items: + $ref: '#/components/schemas/Address' + profileImage: + # default is application/octet-stream, but we can declare + # a more specific image type or types + type: string + format: binary encoding: - historyMetadata: + addresses: # require XML Content-Type in utf-8 encoding + # This is applied to each address part corresponding + # to each address in he array contentType: application/xml; charset=utf-8 profileImage: - # only accept png/jpeg + # only accept png or jpeg contentType: image/png, image/jpeg headers: X-Rate-Limit-Limit: @@ -1827,7 +1814,7 @@ requestBody: ###### Example: Multipart Form with Multiple Files -To upload multiple files, a `multipart` media type MUST be used: +In accordance with [RFC7578 §4.3](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.3), multiple files for a single form field are uploaded using the same name (`file` in this example) for each file's part: ```yaml requestBody: From cba6e5fa8fd214cfd1c1f819e8c850ae3533adf9 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Tue, 9 Jul 2024 15:05:10 -0700 Subject: [PATCH 51/61] Review feedback clarifications- binary encoding (3.2.0 port of 3923 7/7) --- versions/3.2.0.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 432328e239..057c974206 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
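Review bot: typo in the added comment `+      # to each address in he array` (`he` should be `the`). The `profileImage` property in this hunk has the same `type: string` / `format: binary` with a `# default is application/octet-stream` comment as the Basic Multipart Form example; per the `contentType` defaults table in this series a `string` without `contentEncoding` defaults to `text/plain`, so the schema and comment need to be reconciled here as well (an empty schema or an explicit `contentEncoding` would yield the default the comment claims). The `+In accordance with [RFC7578 §4.3]` rewording for multiple files reads well.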
@@ -1605,7 +1605,7 @@ The default values for `contentType` are as follows, where an _n/a_ in the `cont Property `type` | Property `contentEncoding` | Default `contentType` --------------- | -------------------------- | --------------------- -_absent_ | _n/a_ | `application/octet-stream` +[_absent_](#binaryData) | _n/a_ | `application/octet-stream` `string` | _present_ | `application/octet-stream` `string` | _absent_ | `text/plain` `number`, `integer`, or `boolean` | _n/a_ | `text/plain` @@ -1828,7 +1828,7 @@ requestBody: items: {} ``` -As seen in the section on `multipart/form-data` below, the empty schema for `items` indicates a media type of `application/octet-stream`. +As seen in the [Encoding Object's `contentType` field documentation](#encodingContentType), the empty schema for `items` indicates a media type of `application/octet-stream`. #### Responses Object From a52d0d37e67ae626262af663a8ab25807ddd91d8 Mon Sep 17 00:00:00 2001 
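Review bot: `#encodingContentType` in the `+As seen in the [Encoding Object's \`contentType\` field documentation](#encodingContentType)` line is not defined anywhere in this change; verify the anchor exists next to the defaults table, and likewise that the `#binaryData` anchor targeted by the new `+[_absent_](#binaryData)` table cell is defined, since the multipart guidance in this series links to it as "Working with Binary Data" too. The replacement of "the section on `multipart/form-data` below" with a direct link is an improvement, as the removed sentence pointed the wrong way.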
From: "Henry H. Andrews" Date: Sat, 20 Apr 2024 20:44:52 -0700 Subject: [PATCH 52/61] Limit interoperable parsing expectations (3.2.0 port of 3732 1/2) As discovered through the OASComply project, certain referencing scenarios are ambiguous, with different authorities holding contradictory interpretations regarding whether and how they are to be supported. As a result, it is impossible to define compliance, as all of the interpretations can be argued to be "correct" in some sense. This change excludes some particularly challenging scenarios from compliance testing by making their behavior explicitly implementation-defined. This has several benefits: * No current implementation is rendered non-compliant * No currently usable OAD is rendered invalid * New implementers need not put effort into handling these scenarios * User expectations are set to _not_ expect consistent behavior * Linters can write a rule to match these expectations * Everyone is guided towards straightforward best practices --- versions/3.2.0.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 057c974206..415b94ffd5 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
@@ -164,10 +164,20 @@ In order to preserve the ability to round-trip between YAML and JSON formats, YA ### Document Structure -An OpenAPI document MAY be made up of a single document or be divided into multiple, connected parts at the discretion of the author. In the latter case, [`Reference Objects`](#referenceObject) and [`Schema Object`](#schemaObject) `$ref` keywords are used. +An OpenAPI Description (OAD) MAY be made up of a single document or be divided into multiple, connected parts at the discretion of the author. In the latter case, [Reference Object](#referenceObject), [Path Item Object](#pathItemObject) and [Schema Object](#schemaObject) `$ref` keywords, as well as the [Link Object](#linkObject) `operationRef` keyword, are used. In a multi-document description, the document containing the [OpenAPI Object](#oasObject) is known as the **entry OpenAPI document.** It is RECOMMENDED that the root OpenAPI document be named: `openapi.json` or `openapi.yaml`. +#### Structural Interoperability + +When parsing an OAD, JSON or YAML objects are parsed into specific Objects (such as [Operation Objects](#operationObject), [Response Objects](#responseObject), [Reference Objects](#referenceObject), etc.) based on the parsing context. Depending on how references are arranged, a given JSON or YAML object can be parsed in multiple different contexts: + +* As a full OpenAPI Description document (an [OpenAPI Object](#oasObject) taking up an entire document) +* As the Object type implied by its parent Object within the document +* As a reference target, with the Object type matching the reference source's context + +If the same JSON/YAML object is parsed multiple times contexts requiring it to be parsed as _different_ Object types, the resulting behavior is _implementation defined_, and MAY be treated as an error if detected. 
An example would be referencing an empty Schema Object under `#/components/schemas` where a Path Item Object is expected, as an empty object is valid for both types. For maximum interoperability, it is RECOMMENDED that OpenAPI Description authors avoid such scenarios. + #### Resolving Implicit Connections ### Data Types From dd08c9deb75f37241fb2a759e8abfb99d7ba5bb1 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Thu, 25 Apr 2024 07:48:56 -0700 Subject: [PATCH 53/61] Substantially better wording from review (3.2.0 port of 3732 2/2) Co-authored-by: Ralf Handl --- versions/3.2.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 415b94ffd5..39b44439bc 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
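Review bot: grammar in `+If the same JSON/YAML object is parsed multiple times contexts requiring it to be parsed as _different_ Object types` (a word is missing between "times" and "contexts"). The unchanged context line `It is RECOMMENDED that the root OpenAPI document be named:` still says "root" while the new paragraph introduces the term **entry OpenAPI document**; use one term. Since the new section leaves double-parsing `_implementation defined_` and only says it `MAY be treated as an error if detected`, consider adding that an implementation SHOULD NOT silently reuse an already-parsed Object of one type as another, given that the empty-object example shows how a Schema Object and a Path Item Object can look identical.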
@@ -176,7 +176,7 @@ When parsing an OAD, JSON or YAML objects are parsed into specific Objects (such * As the Object type implied by its parent Object within the document * As a reference target, with the Object type matching the reference source's context -If the same JSON/YAML object is parsed multiple times contexts requiring it to be parsed as _different_ Object types, the resulting behavior is _implementation defined_, and MAY be treated as an error if detected. An example would be referencing an empty Schema Object under `#/components/schemas` where a Path Item Object is expected, as an empty object is valid for both types. For maximum interoperability, it is RECOMMENDED that OpenAPI Description authors avoid such scenarios. +If the same JSON/YAML object is parsed multiple times and the respective contexts require it to be parsed as _different_ Object types, the resulting behavior is _implementation defined_, and MAY be treated as an error if detected. An example would be referencing an empty Schema Object under `#/components/schemas` where a Path Item Object is expected, as an empty object is valid for both types. For maximum interoperability, it is RECOMMENDED that OpenAPI Description authors avoid such scenarios. #### Resolving Implicit Connections From 6301551564ee15f8d85fd86a9866023f9a38e950 Mon Sep 17 00:00:00 2001 
From: "Henry H. Andrews" Date: Fri, 26 Apr 2024 10:32:30 -0700 Subject: [PATCH 54/61] Clarify how Schema Objs require full-doc parsing (3.2.0 port of 3758) JSON Schema draft 2020-12 includes numerous keywords that require parsing the entire document prior to deeming a reference unresolvable. This makes that more clear and outlines several approaches. The practice of embedding OpenAPI fragments in other formats is deemed to have implementation-defined (non-interoperable) behavior, as the potential complications that might arise are not predictable. Also provide guidance around fragmentary parsing. This goes into more detail and uses "undefined" instead of "implementation-defined" as the behavior is likely to be incorrect (rather than just a different interpretation of an ambiguous requirement), and may result in security concerns as well. --- versions/3.2.0.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 39b44439bc..ea803131c8 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
@@ -168,6 +168,31 @@ An OpenAPI Description (OAD) MAY be made up of a single document or be divided i It is RECOMMENDED that the root OpenAPI document be named: `openapi.json` or `openapi.yaml`. +#### Parsing Documents + +In order to properly handle [Schema Objects](#schemaObject), OAS 3.1 inherits the parsing requirements of [JSON Schema draft 2020-12 §9](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-9), with appropriate modifications regarding base URIs as specified in [Relative References In URIs](#relativeReferencesURI). + +This includes a requirement to parse complete documents before deeming a Schema object reference to be unresolvable, in order to detect keywords that might provide the reference target or impact the determination of the appropriate base URI. + +Implementations MAY support complete-document parsing in any of the following ways: + +* Detecting OpenAPI or JSON Schema documents using media types +* Detecting OpenAPI documents through the root `openapi` property +* Detecting JSON Schema documents through detecting keywords or otherwise successfully parsing the document in accordance with the JSON Schema specification +* Detecting a document containing a referenceable Object at its root based on the expected type of the reference +* Allowing users to configure the type of documents that might be loaded due to a reference to a non-root Object + +Implementations that parse referenced fragments of OpenAPI content without regard for the content of the rest of the containing document will miss keywords that change the meaning and behavior of the reference target. +In particular, failing to take into account keywords that change the base URI introduces security risks by causing references to resolve to unintended URIs, with unpredictable results. 
+While some implementations support this sort of parsing due to the requirements of past versions of this specification, in version 3.1, the result of parsing fragments in isolation is _undefined_ and likely to contradict the requirements of this specification. + +While it is possible to structure certain OpenAPI Descriptions to ensure that they will behave correctly when references are parsed as isolated fragments, depending on this is NOT RECOMMENDED. +This specification does not explicitly enumerate the conditions under which such behavior is safe, and provides no guarantee for continued safety in any future versions of the OAS. + +A special case of parsing fragments of OAS content would be if such fragments are embedded in another format, referred to as an _embedding format_ with respect to the OAS. +Note that the OAS itself is an embedding format with respect to JSON Schema, which is embedded as Schema Objects. +It is the responsibility of an embedding format to define how to parse embedded content, and OAS implementations that do not document support for an embedding format cannot be expected to parse embedded OAS content correctly. + #### Structural Interoperability When parsing an OAD, JSON or YAML objects are parsed into specific Objects (such as [Operation Objects](#operationObject), [Response Objects](#responseObject), [Reference Objects](#referenceObject), etc.) based on the parsing context. Depending on how references are arranged, a given JSON or YAML object can be parsed in multiple different contexts: From 26d96e6116bb3ca06af3142ff065ec1d001a0842 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sun, 19 May 2024 07:17:42 -0700 Subject: [PATCH 55/61] Clarify entry/complete document terminology (3.2.0 port of 3839) Clarifies that there can be multiple complete OpenAPI documents, only one of which is an entry OpenAPI document. --- versions/3.2.0.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
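Review bot: the new `+#### Parsing Documents` section says `OAS 3.1 inherits the parsing requirements` and `in version 3.1, the result of parsing fragments in isolation is _undefined_`, but the patch targets `versions/3.2.0.md` (the subject calls it a 3.2.0 port); these should read 3.2, or "this version of the specification". Capitalisation: `Schema object reference` should be `Schema Object reference`. On the security paragraph (`+In particular, failing to take into account keywords that change the base URI introduces security risks by causing references to resolve to unintended URIs`), naming the keyword responsible (`$id`, as the Relative References section does) would give implementers something concrete to test for; the mitigation already stated, parsing the complete document before declaring a reference unresolvable, is the right one and could be repeated in that sentence.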
diff --git a/versions/3.2.0.md b/versions/3.2.0.md index ea803131c8..31f8bcce27 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md @@ -164,7 +164,10 @@ In order to preserve the ability to round-trip between YAML and JSON formats, YA ### Document Structure -An OpenAPI Description (OAD) MAY be made up of a single document or be divided into multiple, connected parts at the discretion of the author. In the latter case, [Reference Object](#referenceObject), [Path Item Object](#pathItemObject) and [Schema Object](#schemaObject) `$ref` keywords, as well as the [Link Object](#linkObject) `operationRef` keyword, are used. In a multi-document description, the document containing the [OpenAPI Object](#oasObject) is known as the **entry OpenAPI document.** +An OpenAPI Description (OAD) MAY be made up of a single document or be divided into multiple, connected parts at the discretion of the author. In the latter case, [Reference Object](#referenceObject), [Path Item Object](#pathItemObject) and [Schema Object](#schemaObject) `$ref` keywords, as well as the [Link Object](#linkObject) `operationRef` keyword, are used. + +Any document consisting entirely of an OpenAPI Object is known as a **complete OpenAPI document**. +In a multi-document description, the document containing the [OpenAPI Object](#oasObject) where parsing begins for a specific API's description is known as that API's **entry OpenAPI document**, or simply **entry document**. It is RECOMMENDED that the root OpenAPI document be named: `openapi.json` or `openapi.yaml`. From e9a93a148ee4f632a33a2c99fae38725e2027fcc Mon Sep 17 00:00:00 2001 
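Review bot: after this hunk introduces **complete OpenAPI document** and **entry document**, the unchanged context line `It is RECOMMENDED that the root OpenAPI document be named:` still uses "root", which is no longer a defined term; change it to "entry OpenAPI document". The commit message states that only one of the complete documents is the entry document, but the added text (`+In a multi-document description, the document containing the [OpenAPI Object](#oasObject) where parsing begins for a specific API's description is known as that API's **entry OpenAPI document**`) only implies that; saying explicitly that each API description has exactly one entry document would close the gap.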
From: "Henry H. Andrews" Date: Tue, 21 May 2024 17:33:55 -0700 Subject: [PATCH 56/61] Clarify "URI" and "URL" usage (3.2.0 port of 3838) This clarifies that using the APIs involves URLs, while describing the API involves URIs. It ensures that all URIs involved in the API description are called "URIs", and briefly mentions how using URIs is different from URLs. --- versions/3.2.0.md | 31 ++++++++++++++++++++----------- 1 file changed, 20 insertions(+), 11 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 31f8bcce27..980942da2a 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
@@ -274,17 +274,26 @@ While the framing of CommonMark 0.27 as a minimum requirement means that tooling OpenAPI Description authors SHOULD consider how text using such extensions will be rendered by tools that offer only the minimum support. -### Relative References in URIs +### Relative References in API Description URIs + +URIs used as references within an OpenAPI Description, or to external documentation or other supplementary information such as a license, are resolved as _identifiers_, and described by this specification as ***URIs***. +As noted under [Parsing Documents](#parsingDocuments), this specification inherits JSON Schema draft 2020-12's requirements for loading documents and associating them with their expected URIs, which might not match their current location. +This feature is used both for working in development or test environments without having to change the URIs, and for working within restrictive network configurations or security policies. + +Note that some URI fields are named `url` for historical reasons, but the descriptive text for those fields uses the correct "URI" terminology. Unless specified otherwise, all properties that are URIs MAY be relative references as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-4.2). -Relative references, including those in [`Reference Objects`](#referenceObject), [`PathItem Object`](#pathItemObject) `$ref` fields, [`Link Object`](#linkObject) `operationRef` fields and [`Example Object`](#exampleObject) `externalValue` fields, are resolved using the referring document as the Base URI according to [RFC3986](https://tools.ietf.org/html/rfc3986#section-5.2). +Relative references in [`Schema Objects`](#schemaObject), including any that appear as `$id` values, use the nearest parent `$id` as a Base URI, as described by [JSON Schema Specification Draft 2020-12](https://tools.ietf.org/html/draft-bhutton-json-schema-00#section-8.2). 
+ +Relative URI references in other Objects, and in Schema Objects where no parent schema contains an `$id`, MUST be resolved using the referring document's base URI, which is determined in accordance with [RFC3986 §5.1.2 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.2). +In practice, this is usually the retrieval URI of the document, which MAY be determined based on either its current actual location or a user-supplied expected location. If a URI contains a fragment identifier, then the fragment should be resolved per the fragment resolution mechanism of the referenced document. If the representation of the referenced document is JSON or YAML, then the fragment identifier SHOULD be interpreted as a JSON-Pointer as per [RFC6901](https://tools.ietf.org/html/rfc6901). -Relative references in [`Schema Objects`](#schemaObject), including any that appear as `$id` values, use the nearest parent `$id` as a Base URI, as described by [JSON Schema Specification Draft 2020-12](https://tools.ietf.org/html/draft-bhutton-json-schema-00#section-8.2). If no parent schema contains an `$id`, then the Base URI MUST be determined according to [RFC3986](https://tools.ietf.org/html/rfc3986#section-5.1). +### Relative References in API URLs -### Relative References in URLs +API endpoints are by definition accessed as locations, and are described by this specification as ***URLs***. Unless specified otherwise, all properties that are URLs MAY be relative references as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-4.2). Unless specified otherwise, relative references are resolved using the URLs defined in the [`Server Object`](#serverObject) as a Base URL. Note that these themselves MAY be relative to the referring document. 
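Review bot: renaming the headings to `+### Relative References in API Description URIs` and `+### Relative References in API URLs` changes their derived anchors, yet later hunks in this series still link to `#relativeReferencesURI`; verify those anchors are explicit and unaffected. In `+In practice, this is usually the retrieval URI of the document, which MAY be determined based on either its current actual location or a user-supplied expected location`, a user-supplied base URI changes where every relative reference in the document resolves, which is exactly the hazard the Parsing Documents section warns about, so a sentence asking implementations to make such an override explicit (documented configuration rather than silent defaulting) would be worthwhile. The unchanged context line `the fragment should be resolved per the fragment resolution mechanism` uses lowercase "should" right before a `SHOULD`; pick one.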
@@ -332,7 +341,7 @@ Field Name | Type | Description title | `string` | **REQUIRED**. The title of the API. summary | `string` | A short summary of the API. description | `string` | A description of the API. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. -termsOfService | `string` | A URL to the Terms of Service for the API. This MUST be in the form of a URL. +termsOfService | `string` | A URI for the Terms of Service for the API. This MUST be in the form of a URI. contact | [Contact Object](#contactObject) | The contact information for the exposed API. license | [License Object](#licenseObject) | The license information for the exposed API. version | `string` | **REQUIRED**. The version of the OpenAPI document (which is distinct from the [OpenAPI Specification version](#oasVersion) or the version of the API being described). @@ -385,7 +394,7 @@ Contact information for the exposed API. Field Name | Type | Description ---|:---:|--- name | `string` | The identifying name of the contact person/organization. -url | `string` | The URL pointing to the contact information. This MUST be in the form of a URL. +url | `string` | The URI for to the contact information. This MUST be in the form of a URI. email | `string` | The email address of the contact person/organization. This MUST be in the form of an email address. This object MAY be extended with [Specification Extensions](#specificationExtensions). 
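Review bot: typo in `+url | \`string\` | The URI for to the contact information.` ("for to" should be "for"). In this row and in `+termsOfService | \`string\` | A URI for the Terms of Service for the API. This MUST be in the form of a URI.` the trailing sentence now merely restates the first; either drop it or replace it with a pointer to the Relative References in API Description URIs section, as the `externalValue` row in this series already does.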
@@ -416,7 +425,7 @@ Field Name | Type | Description ---|:---:|--- name | `string` | **REQUIRED**. The license name used for the API. identifier | `string` | An [SPDX](https://spdx.org/spdx-specification-21-web-version#h.jxpfx0ykyb60) license expression for the API. The `identifier` field is mutually exclusive of the `url` field. -url | `string` | A URL to the license used for the API. This MUST be in the form of a URL. The `url` field is mutually exclusive of the `identifier` field. +url | `string` | A URI for the license used for the API. This MUST be in the form of a URI. The `url` field is mutually exclusive of the `identifier` field. This object MAY be extended with [Specification Extensions](#specificationExtensions). @@ -1099,7 +1108,7 @@ Allows referencing an external resource for extended documentation. Field Name | Type | Description ---|:---:|--- description | `string` | A description of the target documentation. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. -url | `string` | **REQUIRED**. The URL for the target documentation. This MUST be in the form of a URL. +url | `string` | **REQUIRED**. The URI for the target documentation. This MUST be in the form of a URI. This object MAY be extended with [Specification Extensions](#specificationExtensions). 
@@ -2183,7 +2192,7 @@ Field Name | Type | Description summary | `string` | Short description for the example. description | `string` | Long description for the example. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. value | Any | Embedded literal example. The `value` field and `externalValue` field are mutually exclusive. To represent examples of media types that cannot naturally represented in JSON or YAML, use a string value to contain the example, escaping where necessary. -externalValue | `string` | A URI that points to the literal example. This provides the capability to reference examples that cannot easily be included in JSON or YAML documents. The `value` field and `externalValue` field are mutually exclusive. See the rules for resolving [Relative References](#relativeReferencesURI). +externalValue | `string` | A URI that identifies the literal example. This provides the capability to reference examples that cannot easily be included in JSON or YAML documents. The `value` field and `externalValue` field are mutually exclusive. See the rules for resolving [Relative References](#relativeReferencesURI). This object MAY be extended with [Specification Extensions](#specificationExtensions). @@ -2649,7 +2658,7 @@ description: Pets operations A simple object to allow referencing other components in the OpenAPI document, internally and externally. -The `$ref` string value contains a URI [RFC3986](https://tools.ietf.org/html/rfc3986), which identifies the location of the value being referenced. +The `$ref` string value contains a URI [RFC3986](https://tools.ietf.org/html/rfc3986), which identifies the value being referenced. See the rules for resolving [Relative References](#relativeReferencesURI). 
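Review bot: while the `externalValue` row is being edited, the unchanged context line above it still reads `cannot naturally represented in JSON or YAML` (missing "be"); fix it in the same hunk. The `$ref` change to `+The \`$ref\` string value contains a URI [RFC3986](https://tools.ietf.org/html/rfc3986), which identifies the value being referenced.` is consistent with the identifier-versus-location split this patch introduces.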
@@ -2705,7 +2714,7 @@ These types can be objects, but also primitives and arrays. This object is a sup For more information about the properties, see [JSON Schema Core](https://tools.ietf.org/html/draft-bhutton-json-schema-00) and [JSON Schema Validation](https://tools.ietf.org/html/draft-bhutton-json-schema-validation-00). -Unless stated otherwise, the property definitions follow those of JSON Schema and do not add any additional semantics. +Unless stated otherwise, the property definitions follow those of JSON Schema and do not add any additional semantics; this includes keywords such as `$schema`, `$id`, `$ref`, and `$dynamicRef` being URIs rather than URLs. Where JSON Schema indicates that behavior is defined by the application (e.g. for annotations), OAS also defers the definition of semantics to the application consuming the OpenAPI document. ##### Properties From b72df122176a50afef5d91c48ff5a557bf0cb8ce Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sun, 26 May 2024 13:29:35 -0700 Subject: [PATCH 57/61] Resolution of relative URLs in CommonMark text (3.2.0 port of 3892) Note that they are resolved in their rendered context. --- versions/3.2.0.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 980942da2a..ee3fa87aac 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
@@ -298,6 +298,8 @@ API endpoints are by definition accessed as locations, and are described by this Unless specified otherwise, all properties that are URLs MAY be relative references as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-4.2). Unless specified otherwise, relative references are resolved using the URLs defined in the [`Server Object`](#serverObject) as a Base URL. Note that these themselves MAY be relative to the referring document. +Relative references in CommonMark hyperlinks are resolved in their rendered context, which might differ from the context of the API description. + ### Schema This section describes the structure of the OpenAPI Description format. From c4e89e697ad9b3c3b36fde1c4137bb712c9ccb2a Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 2 May 2024 11:34:58 -0700 Subject: [PATCH 58/61] Clarify resolving implicit connections (3.2.0 port of 3856 1/4) This clarifies how to handle resolving implicit (non-URI-based) connections in multi-document OpenAPI Descriptions. While the behavior is implementation-defined overall, this RECOMMENDS a single approach based on how things behaved going back to the 2.0 referencing model. This allows Security Schemes and Tags to (like the top-level Server Objects) define a deployment-specific interface for referenced documents to access. This entry document interface approach makes less sense for the Discriminator Object, but it can use the URI syntax of `mapping` to keep things within the local document. This also aligns the search for matching `operationId`s with 3.1's full-document parsing requirements. Note that the term "complete OpenAPI document" has been defined in another change pending approval on the 3.0.4 branch. --- versions/3.2.0.md | 34 +++++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index ee3fa87aac..763b0db3aa 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md 
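Review bot: `+Relative references in CommonMark hyperlinks are resolved in their rendered context, which might differ from the context of the API description.` is placed under the API URLs section (context: `API endpoints are by definition accessed as locations`), but CommonMark links in `description` fields are neither API URLs nor description URIs; putting the sentence at the end of the URI section, or in its own short paragraph referenced from both, would avoid implying that the Server Object base URL applies to them.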
@@ -200,7 +200,7 @@ It is the responsibility of an embedding format to define how to parse embedded When parsing an OAD, JSON or YAML objects are parsed into specific Objects (such as [Operation Objects](#operationObject), [Response Objects](#responseObject), [Reference Objects](#referenceObject), etc.) based on the parsing context. Depending on how references are arranged, a given JSON or YAML object can be parsed in multiple different contexts: -* As a full OpenAPI Description document (an [OpenAPI Object](#oasObject) taking up an entire document) +* As a complete OpenAPI Description document * As the Object type implied by its parent Object within the document * As a reference target, with the Object type matching the reference source's context 
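Review bot: the replacement bullet "As a complete OpenAPI Description document" drops the parenthetical that defined the term, and the commit message says the definition of "complete OpenAPI document" is still pending on the 3.0.4 branch; until that lands this bullet uses an undefined term (and a slightly different one, "complete OpenAPI Description document"). Suggest keeping a short gloss or a link to the definition's anchor, e.g. "As a complete OpenAPI Description document (an OpenAPI Object taking up an entire document)", until the port is merged.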
@@ -208,6 +208,38 @@ If the same JSON/YAML object is parsed multiple times and the respective context #### Resolving Implicit Connections +Several features of this specification require resolving a non-URI-based connection to some other part of the OpenAPI Description (OAD). + +These connections are easily resolved in single-document OADs, but the resolution process in multi-document OADs has never been spelled out, and is therefore _implementation-defined_, within the constraints described in this section. +In some cases, an unambiguous URI-based alternative is available, and OAD authors are RECOMMENDED to always use the alternative: + +Source | Target | Alternative +------ | ------ | ----------- +[Security Requirement Object](#securityRequirementObject) `{name}` | [Security Scheme Object](#securitySchemeObject) name under the [Components Object](#componentsObject) | _n/a_ +[Discriminator Object](#discriminatorObject) `mapping` _(implicit, or explicit name syntax)_ | [Schema Object](#schemaObject) name under the Components Object | `mapping` _(explicit URI syntax)_ +[Operation Object](#operationObject) `tags` | [Tag Object](#tagObject) `name` (in the Components Object) | _n/a_ +[Link Object](#linkObject) `operationId` | [Path Item Object](#pathItemObject) `operationId` | `operationRef` + +A fifth implicit connection, which involves appending the templated URL paths of the [Paths Object](#pathsObject) to the appropriate [Server Object](#serverObject)'s `url` field, is unambiguous because only the entry document's Paths Object contributes URLs to the described API. + +It is RECOMMENDED to consider all Operation Objects from all parsed documents when resolving any Link Object `operationId`. +This requires ensuring that all referenced documents have been parsed prior to determining an `operationId` to be unresolvable. 
+ +The implicit connections in the Security Requirement Object and Discriminator Object rely on the _component name_, which is the property name holding the component in the appropriate typed sub-object of the Components Object. +For example, the component name of the Schema Object at `#/components/schemas/Foo` is `Foo`. +The implicit connection of tags in the Operation Object use the `name` field of Tag Objects, which (like the Components Object) are found under the root OpenAPI Object. +This means that resolving component names and tag names both depend on starting from the correct OpenAPI Object. + +For resolving component and tag name connections from a referenced (non-entry) document, it is RECOMMENDED that tools resolve from the entry document, rather than the current document. +This allows Security Scheme Objects and Tag Objects to be defined with the API's deployment information (the top-level Server Objects), and treated as an interface for referenced documents to access. + +The interface approach can also work for Discriminator Objects and Schema Objects, but it is also possible to keep the Discriminator Object's behavior within a single document using the relative URI-reference syntax of `mapping`. + +There currently are no URI-based alternatives for the Security Requirement Object or for the Operation Object's `tags` field. +These limitations are expected to be addressed in a future release. + +Note that no aspect of implicit connection resolution changes how [URIs are resolved](#relativeReferencesURI), or restricts their possible targets. + ### Data Types Data types in the OAS are based on the types supported by the [JSON Schema Specification Draft 2020-12](https://tools.ietf.org/html/draft-bhutton-json-schema-00#section-4.2.1). From 0b08dc1ff80b70e7a8183b15f163cce2f822ac71 Mon Sep 17 00:00:00 2001 
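Review bot: the table row for `tags` gives the target as "[Tag Object](#tagObject) `name` (in the Components Object)", but the added paragraph below says Tag Objects "(like the Components Object) are found under the root OpenAPI Object"; the table cell should match the prose. Since resolving a Security Requirement `{name}` from the wrong document silently changes which authentication scheme is enforced, consider adding that tools SHOULD at least warn when the same component name is defined with different contents in the entry document and a referenced document. Grammar: "The implicit connection of tags in the Operation Object use" should read "uses".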
From: Henry Andrews Date: Sat, 8 Jun 2024 13:22:08 -0700 Subject: [PATCH 59/61] Apply suggestions from code review (3.2.0 port of 3856 2/4) Review feedback from Jeremy Fiel and typo fix from Ralf Handl. Co-authored-by: Jeremy Fiel <32110157+jeremyfiel@users.noreply.github.com> --- versions/3.2.0.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 763b0db3aa..2b0c3a3081 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md @@ -208,9 +208,9 @@ If the same JSON/YAML object is parsed multiple times and the respective context #### Resolving Implicit Connections -Several features of this specification require resolving a non-URI-based connection to some other part of the OpenAPI Description (OAD). +Several features of this specification require resolution of non-URI-based connections to some other part of the OpenAPI Description (OAD). -These connections are easily resolved in single-document OADs, but the resolution process in multi-document OADs has never been spelled out, and is therefore _implementation-defined_, within the constraints described in this section. +These connections are unambiguously resolved in single-document OADs, but the resolution process in multi-document OADs is _implementation-defined_, within the constraints described in this section. In some cases, an unambiguous URI-based alternative is available, and OAD authors are RECOMMENDED to always use the alternative: Source | Target | Alternative 
@@ -220,22 +220,23 @@ Source | Target | Alternative [Operation Object](#operationObject) `tags` | [Tag Object](#tagObject) `name` (in the Components Object) | _n/a_ [Link Object](#linkObject) `operationId` | [Path Item Object](#pathItemObject) `operationId` | `operationRef` -A fifth implicit connection, which involves appending the templated URL paths of the [Paths Object](#pathsObject) to the appropriate [Server Object](#serverObject)'s `url` field, is unambiguous because only the entry document's Paths Object contributes URLs to the described API. +A fifth implicit connection involves appending the templated URL paths of the [Paths Object](#pathsObject) to the appropriate [Server Object](#serverObject)'s `url` field. +This is unambiguous because only the entry document's Paths Object contributes URLs to the described API. It is RECOMMENDED to consider all Operation Objects from all parsed documents when resolving any Link Object `operationId`. -This requires ensuring that all referenced documents have been parsed prior to determining an `operationId` to be unresolvable. +This requires parsing all referenced documents prior to determining an `operationId` to be unresolvable. -The implicit connections in the Security Requirement Object and Discriminator Object rely on the _component name_, which is the property name holding the component in the appropriate typed sub-object of the Components Object. +The implicit connections in the Security Requirement Object and Discriminator Object rely on the _component name_, which is the property name holding the component in the appropriately typed sub-object of the Components Object. For example, the component name of the Schema Object at `#/components/schemas/Foo` is `Foo`. -The implicit connection of tags in the Operation Object use the `name` field of Tag Objects, which (like the Components Object) are found under the root OpenAPI Object. 
-This means that resolving component names and tag names both depend on starting from the correct OpenAPI Object. +The implicit connection of `tags` in the Operation Object uses the `name` field of Tag Objects, which (like the Components Object) are found under the root OpenAPI Object. +This means resolving component names and tag names both depend on starting from the correct OpenAPI Object. For resolving component and tag name connections from a referenced (non-entry) document, it is RECOMMENDED that tools resolve from the entry document, rather than the current document. This allows Security Scheme Objects and Tag Objects to be defined with the API's deployment information (the top-level Server Objects), and treated as an interface for referenced documents to access. The interface approach can also work for Discriminator Objects and Schema Objects, but it is also possible to keep the Discriminator Object's behavior within a single document using the relative URI-reference syntax of `mapping`. -There currently are no URI-based alternatives for the Security Requirement Object or for the Operation Object's `tags` field. +There are no URI-based alternatives for the Security Requirement Object or for the Operation Object's `tags` field. These limitations are expected to be addressed in a future release. Note that no aspect of implicit connection resolution changes how [URIs are resolved](#relativeReferencesURI), or restricts their possible targets. From 21b9ec5573f761d1079933b091c750de2b54b74f Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 10 Jun 2024 17:01:29 -0700 Subject: [PATCH 60/61] Add example resolution of Security Requirement (3.2.0 port of 3856 3/4) Includes examples as either YAML or JSON via HTTP negotiation --- versions/3.2.0.md | 99 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 99 insertions(+) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 2b0c3a3081..0dc8a82ed2 100644 --- a/versions/3.2.0.md 
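Review bot: the unchanged context line "[Tag Object](#tagObject) `name` (in the Components Object)" still contradicts the rewritten sentence in this same hunk that Tag Objects "(like the Components Object) are found under the root OpenAPI Object"; since this patch already edits these paragraphs, fix the table cell here rather than leaving it for a later change. The wording changes themselves ("appropriately typed", "uses", "This means resolving") read correctly.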
+++ b/versions/3.2.0.md @@ -239,6 +239,9 @@ The interface approach can also work for Discriminator Objects and Schema Object There are no URI-based alternatives for the Security Requirement Object or for the Operation Object's `tags` field. These limitations are expected to be addressed in a future release. +See [Security Requirement in a Referenced Document](#security-requirement-in-a-referenced-document) for an example of the possible resolutions, including which one is recommended by this section. +The behavior for Discrimator Object non-URI mappings and for the Operation Object's `tags` field operate on the same principles. + Note that no aspect of implicit connection resolution changes how [URIs are resolved](#relativeReferencesURI), or restricts their possible targets. ### Data Types 
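Review bot: typo in the added text: "Discrimator Object" should be "Discriminator Object", and "The behavior for ... operate on the same principles" needs "operates" to agree with its singular subject. Style: the new link `#security-requirement-in-a-referenced-document` relies on a renderer-generated heading slug, while the neighbouring links use the spec's explicit anchors (`#relativeReferencesURI`); check that the publishing pipeline produces this slug for a `######` heading or add an explicit anchor.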
@@ -4035,6 +4038,102 @@ security: - read:pets ``` +###### Security Requirement in a Referenced Document + +See [Resolving Implicit Connections](#resolvingImplicitConnections) for more information. + +First, our entry document is where parsing begins. It defines the `MySecurity` security scheme to be JWT-based, and it defines on Path Item as a reference to a component in another document: + +```HTTP +GET /api/description/openapi HTTP/1.1 +Host: www.example.com +Accept: application/openapi+json +``` + +```json +"components": { + "securitySchemes": { + "MySecurity": { + "type": "http", + "scheme": "bearer", + "bearerFormat": "JWT" + } + } +}, +"paths": { + "/foo": { + "$ref": "other#/components/pathItems/Foo" + } +} +``` + +```HTTP +GET /api/description/openapi HTTP/1.1 +Host: www.example.com +Accept: application/openapi+yaml +``` + +```yaml +components: + securitySchemes: + MySecurity: + type: http + scheme: bearer + bearerFormat: JWT +paths: + /foo: + $ref: "other#/components/pathItems/Foo" +``` + +Next, we have our referenced document, `other`, that we presumably request in the same format we requested for the entry document. 
But the fact that we don't use file extensions gives the client the flexibilty to choose on a resource-by-resource basis, assuming both representations are available: + +```HTTP +GET /api/description/other HTTP/1.1 +Host: www.example.com +Accept: application/openapi+json +``` + +```json +"components": { + "securitySchemes": { + "MySecurity": { + "type": "http", + "scheme": "basic" + } + }, + "pathItems": { + "Foo": { + "get": { + "security": [ + "MySecurity": [] + ] + } + } + } +} +``` + +```HTTP +GET /api/description/other HTTP/1.1 +Host: www.example.com +Accept: application/openapi+yaml +``` + +```yaml +components: + securitySchemes: + MySecurity: + type: http + scheme: basic + pathItems: + Foo: + get: + security: + - MySecurity: [] +``` + +In this `other` document, the reference path item has a Security Requirement for the Security Scheme "MySecurity". But there is a Security Scheme by that name in the `other` document as well. As discussed in [Resolving Implicit Connections](#resolvingImplicitConnections), which "MySecurity" gets used is [implementation-defined](#undefinedAndImplementationDefinedBehavior). However, as also documented in that section, it is RECOMMENDED that tools resolve component names from the [entry document](#documentStructure). As with all implementation-defined behavior, it is important to check tool documentation to determine which behavior is supported. + ### Specification Extensions While the OpenAPI Specification tries to accommodate most use cases, additional data can be added to extend the specification at certain points. From 5be9dfca538599c58f9d35ec60a53ad4c48ec13b Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Wed, 12 Jun 2024 10:03:00 -0700 Subject: [PATCH 61/61] Apply suggestions from code review (3.2.0 port of 3856 4/4) Co-authored-by: Jeremy Fiel <32110157+jeremyfiel@users.noreply.github.com> --- versions/3.2.0.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
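Review bot: the JSON form of the `other` document is invalid: `"security": [ "MySecurity": [] ]` places a key/value pair directly inside an array; it must be `"security": [ { "MySecurity": [] } ]` to match the YAML `- MySecurity: []`. Both JSON blocks are also bare `"components": {...}, "paths": {...}` members without an enclosing `{ }`, so they do not parse as documents; either wrap them or say in the prose that they are fragments. Since the point of the example is that the two `MySecurity` definitions differ (bearer JWT in the entry document, HTTP basic in `other`), the closing paragraph should spell out the consequence: under the recommended resolution `GET /foo` is protected by the bearer JWT scheme, whereas a tool resolving from the current document would apply HTTP basic instead, so the implementation-defined choice changes what authentication is enforced. Minor: "defines on Path Item" should be "defines a Path Item", and "flexibilty" should be "flexibility".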
diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 0dc8a82ed2..429bebe074 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md @@ -4042,7 +4042,7 @@ security: See [Resolving Implicit Connections](#resolvingImplicitConnections) for more information. -First, our entry document is where parsing begins. It defines the `MySecurity` security scheme to be JWT-based, and it defines on Path Item as a reference to a component in another document: +First, our entry document is where parsing begins. It defines the `MySecurity` security scheme to be JWT-based, and it defines a Path Item as a reference to a component in another document: ```HTTP GET /api/description/openapi HTTP/1.1 @@ -4085,7 +4085,7 @@ paths: $ref: "other#/components/pathItems/Foo" ``` -Next, we have our referenced document, `other`, that we presumably request in the same format we requested for the entry document. But the fact that we don't use file extensions gives the client the flexibilty to choose on a resource-by-resource basis, assuming both representations are available: +Next, we have our referenced document, `other`. The fact that we don't use file extensions gives the client the flexibility to choose an acceptable format on a resource-by-resource basis, assuming both representations are available: ```HTTP GET /api/description/other HTTP/1.1 
@@ -4132,7 +4132,7 @@ components: - MySecurity: [] ``` -In this `other` document, the reference path item has a Security Requirement for the Security Scheme "MySecurity". But there is a Security Scheme by that name in the `other` document as well. As discussed in [Resolving Implicit Connections](#resolvingImplicitConnections), which "MySecurity" gets used is [implementation-defined](#undefinedAndImplementationDefinedBehavior). However, as also documented in that section, it is RECOMMENDED that tools resolve component names from the [entry document](#documentStructure). As with all implementation-defined behavior, it is important to check tool documentation to determine which behavior is supported. +In the `other` document, the referenced path item has a Security Requirement for a Security Scheme, `MySecurity`. The same Security Scheme exists in the original entry document. As outlined in [Resolving Implicit Connections](#resolvingImplicitConnections), `MySecurity` is resolved with an [implementation-defined behavior](#undefinedAndImplementationDefinedBehavior). However, documented in that section, it is RECOMMENDED that tools resolve component names from the [entry document](#documentStructure). As with all implementation-defined behavior, it is important to check tool documentation to determine which behavior is supported. ### Specification Extensions
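Review bot: the rewritten sentence "The same Security Scheme exists in the original entry document" loses the point of the example: the entry document's `MySecurity` is a different scheme (bearer JWT) that merely shares its name with the HTTP basic scheme in `other`. Suggest "A Security Scheme with the same name, but a different definition, exists in the entry document". Also "However, documented in that section," is missing a word: "However, as documented in that section, ...".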