Skip to content

Incorrect default value for OpenApiSecurityScheme.In when using "http" type with "bearer" scheme #1843

Description

@HavenDV

Describe the bug
When defining an OpenApiSecurityScheme of type http with the scheme bearer, the default value for In is set to Query instead of Header. According to the OpenAPI Specification, header should be the implied default when the type is http and the scheme is bearer.

OpenApi File To Reproduce

openapi: 3.0.0
info:
  title: Minimal API
  version: 1.0.0
paths:
  /example:
    get:
      summary: Example endpoint
      security:
        - Bearer: []
      responses:
        '200':
          description: Successful response
components:
  securitySchemes:
    Bearer:
      type: http
      scheme: bearer

Expected behavior
The default value for OpenApiSecurityScheme.In should be Header when the type is http and the scheme is bearer, aligning with the OpenAPI Specification’s default behavior.

Additional context
This issue causes incorrect behavior when generating clients or code based on the OpenAPI definition, as the security token is expected to be sent as a query parameter instead of the Authorization header.

Metadata

Metadata

Assignees

Fields

No fields configured for Feature.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions