x-6a-security
The security extension defines the values used to implement security schemes in the OpenAPI document. Because securitySchemes only define the shape of the security configuration, additional information is necessary when implementing authentication (such as client IDs, secrets, and other credentials). These values should most likely consist of variables and encrypted secrets instead of static content!
The x-6a-security extension is an object on the root-level document, with keys matching the defined securitySchemes in components. These keys map to value objects that are dependent on the type of authentication defined by the securityScheme.
Authentication Type / Scheme | Supported Object Keys | Description |
---|---|---|
API Key | key | Basic API Key. |
HTTP Bearer | token | HTTP Bearer token. |
HTTP Basic | username, passwd | Username and password for HTTP Basic Auth. |
HTTP Digest | username, passwd, challenge | Username, password, and optional challenge content for HTTP Digest Auth. |
OAuth2 | client_id, client_secret, redirect_url, scopes | Client ID, Client Secret, and Redirect URL known to your OAuth provider. Optional list of Scopes for access control limits (space delimited), if different from previous definitions. |
OAuth2 Authentication flow
If you’d like to use OAuth2 within the callosum app, you can set your redirect URL to https://oauth.callosum.dev/{security_scheme_name} and the page will use a client-side redirect to complete authentication for you. If your OAuth provider allows custom protocol URLs, you can use callosum://oauth/{security_scheme_name} to skip the web redirect.
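
A pre-commit style check for the key matching and the table of supported keys described above, written as an added example that is not part of the original documentation or the project's own tooling. It flags x-6a-security entries with no matching securityScheme, schemes with no values, and misspelled or missing keys. The function name lint_security, the sample scheme names, and the rule that every key not described as optional is required are assumptions of this example.

```python
# Lint an x-6a-security object against components.securitySchemes.
# Key names come from the table above; treating every key that the table does
# not call optional as required is an assumption of this example.
SUPPORTED = {
    # (OpenAPI type, http scheme) -> (required keys, optional keys)
    ("apiKey", None): ({"key"}, set()),
    ("http", "bearer"): ({"token"}, set()),
    ("http", "basic"): ({"username", "passwd"}, set()),
    ("http", "digest"): ({"username", "passwd"}, {"challenge"}),
    ("oauth2", None): ({"client_id", "client_secret", "redirect_url"}, {"scopes"}),
}

def lint_security(doc):
    """Return a list of problems found in doc['x-6a-security']."""
    schemes = doc.get("components", {}).get("securitySchemes", {})
    values = doc.get("x-6a-security", {})
    problems = [f"{n}: no matching securityScheme" for n in sorted(values.keys() - schemes.keys())]
    for name, scheme in sorted(schemes.items()):
        if name not in values:
            problems.append(f"{name}: no values in x-6a-security")
            continue
        kind = scheme.get("type")
        sub = scheme.get("scheme", "").lower() if kind == "http" else None
        if (kind, sub) not in SUPPORTED:
            problems.append(f"{name}: unsupported scheme {kind}/{sub}")
            continue
        required, optional = SUPPORTED[(kind, sub)]
        present = set(values[name])
        problems += [f"{name}: missing key '{k}'" for k in sorted(required - present)]
        problems += [f"{name}: unsupported key '{k}'" for k in sorted(present - required - optional)]
    return problems

# Constructed sample document; every credential value is a placeholder.
SAMPLE = {
    "components": {"securitySchemes": {
        "partner_key": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
        "admin_login": {"type": "http", "scheme": "digest"},
        "sso": {"type": "oauth2", "flows": {}},
    }},
    "x-6a-security": {
        "partner_key": {"key": "<placeholder>"},
        "admin_login": {"username": "<placeholder>", "password": "<placeholder>"},
        "sso": {"client_id": "<placeholder>", "client_secret": "<placeholder>",
                "redirect_url": "https://oauth.callosum.dev/sso"},
        "legacy": {"token": "<placeholder>"},
    },
}
```

Running lint_security(SAMPLE) reports the orphaned legacy entry and the password/passwd mix-up on admin_login, two mistakes that otherwise surface only as failed authentication at request time.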