From 780522c468da7d6185bc4ebfe793f3859e51297c Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 21 Oct 2024 12:05:34 -0700 Subject: [PATCH 001/342] Start next release, bump version to 3.2.0 Also note that a table column applies to >= 3.1 instead of just 3.1, and add an entry in the release history table. --- src/oas.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index b2db701c19..0c1317fcbd 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1,6 +1,6 @@ # OpenAPI Specification -## Version 3.1.1 +## Version 3.2.0 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [BCP 14](https://tools.ietf.org/html/bcp14) [RFC2119](https://tools.ietf.org/html/rfc2119) [RFC8174](https://tools.ietf.org/html/rfc8174) when, and only when, they appear in all capitals, as shown here. @@ -265,7 +265,7 @@ The `maxLength` keyword MAY be used to set an expected upper bound on the length The following table shows how to migrate from OAS 3.0 binary data descriptions, continuing to use `image/png` as the example binary media type: -| OAS < 3.1 | OAS 3.1 | Comments | +| OAS < 3.1 | OAS >= 3.1 | Comments | | ---- | ---- | ---- | | type: string
format: binary | contentMediaType: image/png | if redundant, can be omitted, often resulting in an empty [Schema Object](#schema-object) | | type: string
format: byte | type: string
contentMediaType: image/png
contentEncoding: base64 | note that `base64url` can be used to avoid re-encoding the base64 string to be URL-safe | @@ -4116,6 +4116,7 @@ Certain fields allow the use of Markdown which can contain HTML including script | Version | Date | Notes | | ---- | ---- | ---- | +| 3.2.0 | TBD | Release of the OpenAPI Specification 3.2.0 | | 3.1.1 | 2024-10-24 | Patch release of the OpenAPI Specification 3.1.1 | | 3.1.0 | 2021-02-15 | Release of the OpenAPI Specification 3.1.0 | | 3.1.0-rc1 | 2020-10-08 | rc1 of the 3.1 specification | From 0c1c63f4aca168047516811dd53407503f278741 Mon Sep 17 00:00:00 2001 From: Phil Sturgeon Date: Thu, 11 Nov 2021 17:55:30 +0000 Subject: [PATCH 002/342] Let Security Schemes declare deprecation (#2532) --- src/oas.md | 1 + 1 file changed, 1 insertion(+) diff --git a/src/oas.md b/src/oas.md index 0c1317fcbd..c80ef29892 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3817,6 +3817,7 @@ Please note that as of 2020, the implicit flow is about to be deprecated by [OAu | bearerFormat | `string` | `http` (`"bearer"`) | A hint to the client to identify how the bearer token is formatted. Bearer tokens are usually generated by an authorization server, so this information is primarily for documentation purposes. | | flows | [OAuth Flows Object](#oauth-flows-object) | `oauth2` | **REQUIRED**. An object containing configuration information for the flow types supported. | | openIdConnectUrl | `string` | `openIdConnect` | **REQUIRED**. [Well-known URL](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig) to discover the [[OpenID-Connect-Discovery]] [provider metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). | +| deprecated | `boolean` | Declares this security scheme to be deprecated. Consumers SHOULD refrain from usage of the declared scheme. Default value is `false`. | This object MAY be extended with [Specification Extensions](#specification-extensions). From 9b341bfc0ab62ba926fcc6897c964fd051bd5ca5 Mon Sep 17 00:00:00 2001 From: MichiRecRoom <1008889+LikeLakers2@users.noreply.github.com> Date: Thu, 18 May 2023 12:10:54 -0400 Subject: [PATCH 003/342] Add Device Code authorization to the supported OAuth Flows (#2964) --- src/oas.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index c80ef29892..32c5397bee 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3802,7 +3802,7 @@ animals: Defines a security scheme that can be used by the operations. -Supported schemes are HTTP authentication, an API key (either as a header, a cookie parameter or as a query parameter), mutual TLS (use of a client certificate), OAuth2's common flows (implicit, password, client credentials and authorization code) as defined in [RFC6749](https://tools.ietf.org/html/rfc6749), and [[OpenID-Connect-Core]]. +Supported schemes are HTTP authentication, an API key (either as a header, a cookie parameter or as a query parameter), mutual TLS (use of a client certificate), OAuth2's common flows (implicit, password, client credentials and authorization code) as defined in [RFC6749](https://tools.ietf.org/html/rfc6749), OAuth2 device authorization flow as defined in [RFC8628](https://tools.ietf.org/html/rfc8628), and [[OpenID-Connect-Core]]. Please note that as of 2020, the implicit flow is about to be deprecated by [OAuth 2.0 Security Best Current Practice](https://tools.ietf.org/html/draft-ietf-oauth-security-topics). Recommended for most use cases is Authorization Code Grant flow with PKCE. ##### Fixed Fields @@ -3922,6 +3922,7 @@ Allows configuration of the supported OAuth Flows. | password | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Resource Owner Password flow | | clientCredentials | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Client Credentials flow. Previously called `application` in OpenAPI 2.0. | | authorizationCode | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Authorization Code flow. Previously called `accessCode` in OpenAPI 2.0. | +| deviceAuthorization| [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Device Authorization flow. | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -3934,7 +3935,8 @@ Configuration details for a supported OAuth Flow | Field Name | Type | Applies To | Description | | ---- | :----: | ---- | ---- | | authorizationUrl | `string` | `oauth2` (`"implicit"`, `"authorizationCode"`) | **REQUIRED**. The authorization URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | -| tokenUrl | `string` | `oauth2` (`"password"`, `"clientCredentials"`, `"authorizationCode"`) | **REQUIRED**. The token URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | +| deviceAuthorizationUrl | `string` | `oauth2` (`"deviceAuthorization"`) | **REQUIRED**. The device authorization URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | +| tokenUrl | `string` | `oauth2` (`"password"`, `"clientCredentials"`, `"authorizationCode"`, `"deviceAuthorization"`) | **REQUIRED**. The token URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | | refreshUrl | `string` | `oauth2` | The URL to be used for obtaining refresh tokens. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | | scopes | Map[`string`, `string`] | `oauth2` | **REQUIRED**. The available scopes for the OAuth2 security scheme. A map between the scope name and a short description for it. The map MAY be empty. | From 71765dbef9bf974f1c4c598afccc71e55ff5ebf2 Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Thu, 18 Apr 2024 18:29:52 +0200 Subject: [PATCH 004/342] add oauth2MetadataUrl (#3694) * add oauth2MetadataUrl Signed-off-by: Axel Nennker * update anchor Signed-off-by: Axel Nennker --------- Signed-off-by: Axel Nennker --- src/oas.md | 1 + 1 file changed, 1 insertion(+) diff --git a/src/oas.md b/src/oas.md index 32c5397bee..1fe300cd80 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3817,6 +3817,7 @@ Please note that as of 2020, the implicit flow is about to be deprecated by [OAu | bearerFormat | `string` | `http` (`"bearer"`) | A hint to the client to identify how the bearer token is formatted. Bearer tokens are usually generated by an authorization server, so this information is primarily for documentation purposes. | | flows | [OAuth Flows Object](#oauth-flows-object) | `oauth2` | **REQUIRED**. An object containing configuration information for the flow types supported. | | openIdConnectUrl | `string` | `openIdConnect` | **REQUIRED**. [Well-known URL](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig) to discover the [[OpenID-Connect-Discovery]] [provider metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). | +| oauth2MetadataUrl | `string` | `oauth2` | URL to the oauth2 authorization server metadata [RFC8414](https://datatracker.ietf.org/doc/html/rfc8414). TLS is required. | | deprecated | `boolean` | Declares this security scheme to be deprecated. Consumers SHOULD refrain from usage of the declared scheme. Default value is `false`. | This object MAY be extended with [Specification Extensions](#specification-extensions). From 09d271462afd32fe2d6a6c5584676638e111d4eb Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 25 Nov 2024 09:13:24 -0800 Subject: [PATCH 005/342] Security Scheme `deprecated` applies to Any type --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 1fe300cd80..a5d98bdd8b 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3818,7 +3818,7 @@ Please note that as of 2020, the implicit flow is about to be deprecated by [OAu | flows | [OAuth Flows Object](#oauth-flows-object) | `oauth2` | **REQUIRED**. An object containing configuration information for the flow types supported. | | openIdConnectUrl | `string` | `openIdConnect` | **REQUIRED**. [Well-known URL](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig) to discover the [[OpenID-Connect-Discovery]] [provider metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). | | oauth2MetadataUrl | `string` | `oauth2` | URL to the oauth2 authorization server metadata [RFC8414](https://datatracker.ietf.org/doc/html/rfc8414). TLS is required. | -| deprecated | `boolean` | Declares this security scheme to be deprecated. Consumers SHOULD refrain from usage of the declared scheme. Default value is `false`. | +| deprecated | `boolean` | Any | Declares this security scheme to be deprecated. Consumers SHOULD refrain from usage of the declared scheme. Default value is `false`. | This object MAY be extended with [Specification Extensions](#specification-extensions). From 681dab76679285d28ca56dc63cdeb072de390fc3 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Thu, 5 Dec 2024 15:56:03 -0500 Subject: [PATCH 006/342] docs: adds draft abnf for path templating --- src/oas.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/src/oas.md b/src/oas.md index a5d98bdd8b..9a9f2c5833 100644 --- a/src/oas.md +++ b/src/oas.md @@ -44,6 +44,34 @@ Each template expression in the path MUST correspond to a path parameter that is The value for these path parameters MUST NOT contain any unescaped "generic syntax" characters described by [RFC3986](https://tools.ietf.org/html/rfc3986#section-3): forward slashes (`/`), question marks (`?`), or hashes (`#`). +The path templating expression is defined by the following [ABNF](https://tools.ietf.org/html/rfc5234) syntax + +```abnf +; OpenAPI Path Templating ABNF syntax +path-template = path [ query-marker query ] [ fragment-marker fragment ] +path = slash *( path-segment slash ) [ path-segment ] +path-segment = 1*( path-literal / template-expression ) +query = *( query-literal ) +query-literal = 1*( unreserved / pct-encoded / sub-delims / ":" / "@" / "/" / "?" / "&" / "=" ) +query-marker = "?" +fragment = *( fragment-literal ) +fragment-literal = 1*( unreserved / pct-encoded / sub-delims / ":" / "@" / "/" / "?" ) +fragment-marker = "#" +slash = "/" +path-literal = 1*( unreserved / pct-encoded / sub-delims / ":" / "@" ) +template-expression = "{" template-expression-param-name "}" +template-expression-param-name = 1*( unreserved / pct-encoded / sub-delims / ":" / "@" ) + +; Characters definitions (from RFC 3986) +unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" +pct-encoded = "%" HEXDIG HEXDIG +sub-delims = "!" / "$" / "&" / "'" / "(" / ")" + / "*" / "+" / "," / ";" / "=" +ALPHA = %x41-5A / %x61-7A ; A-Z / a-z +DIGIT = %x30-39 ; 0-9 +HEXDIG = DIGIT / "A" / "B" / "C" / "D" / "E" / "F" +``` + ### Media Types Media type definitions are spread across several resources. From 09f5c1ca91be240841295f1b31248e0cfa6b33ba Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Thu, 5 Dec 2024 16:04:34 -0500 Subject: [PATCH 007/342] fix: removes fragment part Signed-off-by: Vincent Biret --- src/oas.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/oas.md b/src/oas.md index 9a9f2c5833..3da1d828fa 100644 --- a/src/oas.md +++ b/src/oas.md @@ -48,15 +48,12 @@ The path templating expression is defined by the following [ABNF](https://tools. ```abnf ; OpenAPI Path Templating ABNF syntax -path-template = path [ query-marker query ] [ fragment-marker fragment ] +path-template = path [ query-marker query ] path = slash *( path-segment slash ) [ path-segment ] path-segment = 1*( path-literal / template-expression ) query = *( query-literal ) query-literal = 1*( unreserved / pct-encoded / sub-delims / ":" / "@" / "/" / "?" / "&" / "=" ) query-marker = "?" -fragment = *( fragment-literal ) -fragment-literal = 1*( unreserved / pct-encoded / sub-delims / ":" / "@" / "/" / "?" ) -fragment-marker = "#" slash = "/" path-literal = 1*( unreserved / pct-encoded / sub-delims / ":" / "@" ) template-expression = "{" template-expression-param-name "}" From fb136768a939723415b3637f8817ec06c3468a7c Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Fri, 6 Dec 2024 08:02:31 -0500 Subject: [PATCH 008/342] Apply suggestions from code review Co-authored-by: Ralf Handl --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index 3da1d828fa..6abaa6f8c4 100644 --- a/src/oas.md +++ b/src/oas.md @@ -52,7 +52,7 @@ path-template = path [ query-marker query ] path = slash *( path-segment slash ) [ path-segment ] path-segment = 1*( path-literal / template-expression ) query = *( query-literal ) -query-literal = 1*( unreserved / pct-encoded / sub-delims / ":" / "@" / "/" / "?" / "&" / "=" ) +query-literal = 1*( unreserved / pct-encoded / sub-delims / ":" / "@" / "/" / "?" ) query-marker = "?" slash = "/" path-literal = 1*( unreserved / pct-encoded / sub-delims / ":" / "@" ) @@ -65,7 +65,7 @@ pct-encoded = "%" HEXDIG HEXDIG sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "=" ALPHA = %x41-5A / %x61-7A ; A-Z / a-z -DIGIT = %x30-39 ; 0-9 +DIGIT = %x30-39 ; 0-9 HEXDIG = DIGIT / "A" / "B" / "C" / "D" / "E" / "F" ``` From b6d642f13bfa5ffad5084987f10d5659b393a530 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Fri, 6 Dec 2024 08:20:40 -0500 Subject: [PATCH 009/342] fix: removes query parameter Co-authored-by: Ralf Handl --- src/oas.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/src/oas.md b/src/oas.md index 6abaa6f8c4..c7f02beb48 100644 --- a/src/oas.md +++ b/src/oas.md @@ -48,12 +48,8 @@ The path templating expression is defined by the following [ABNF](https://tools. ```abnf ; OpenAPI Path Templating ABNF syntax -path-template = path [ query-marker query ] -path = slash *( path-segment slash ) [ path-segment ] +path-template = slash *( path-segment slash ) [ path-segment ] path-segment = 1*( path-literal / template-expression ) -query = *( query-literal ) -query-literal = 1*( unreserved / pct-encoded / sub-delims / ":" / "@" / "/" / "?" ) -query-marker = "?" slash = "/" path-literal = 1*( unreserved / pct-encoded / sub-delims / ":" / "@" ) template-expression = "{" template-expression-param-name "}" From fc576083e3b9a40fa7d2066d66ce7f26c1ba8983 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Mon, 16 Dec 2024 12:51:09 +0100 Subject: [PATCH 010/342] Apparent consensus --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index c7f02beb48..04e0ac0d25 100644 --- a/src/oas.md +++ b/src/oas.md @@ -53,7 +53,7 @@ path-segment = 1*( path-literal / template-expression ) slash = "/" path-literal = 1*( unreserved / pct-encoded / sub-delims / ":" / "@" ) template-expression = "{" template-expression-param-name "}" -template-expression-param-name = 1*( unreserved / pct-encoded / sub-delims / ":" / "@" ) +template-expression-param-name = 1*( %x00-79 / %x7C / %x7E-10FFFF ) ; every UTF8 character except { and } ; Characters definitions (from RFC 3986) unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" From 1da9fbbbce16ea22da73951fdefdd1d32c447664 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Mon, 16 Dec 2024 08:07:29 -0500 Subject: [PATCH 011/342] chore: adds pchar from RFC3986 Signed-off-by: Vincent Biret --- src/oas.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 04e0ac0d25..8941004f75 100644 --- a/src/oas.md +++ b/src/oas.md @@ -51,11 +51,12 @@ The path templating expression is defined by the following [ABNF](https://tools. path-template = slash *( path-segment slash ) [ path-segment ] path-segment = 1*( path-literal / template-expression ) slash = "/" -path-literal = 1*( unreserved / pct-encoded / sub-delims / ":" / "@" ) +path-literal = 1*pchar template-expression = "{" template-expression-param-name "}" template-expression-param-name = 1*( %x00-79 / %x7C / %x7E-10FFFF ) ; every UTF8 character except { and } ; Characters definitions (from RFC 3986) +pchar = unreserved / pct-encoded / sub-delims / ":" / "@" unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" pct-encoded = "%" HEXDIG HEXDIG sub-delims = "!" / "$" / "&" / "'" / "(" / ")" From 566aee43c71a01b4b0845f21432f0063a608805a Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Mon, 16 Dec 2024 09:31:59 -0500 Subject: [PATCH 012/342] chore: makes slash terminal --- src/oas.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index 8941004f75..36e1e147fd 100644 --- a/src/oas.md +++ b/src/oas.md @@ -48,9 +48,8 @@ The path templating expression is defined by the following [ABNF](https://tools. ```abnf ; OpenAPI Path Templating ABNF syntax -path-template = slash *( path-segment slash ) [ path-segment ] +path-template = "/" *( path-segment "/" ) [ path-segment ] path-segment = 1*( path-literal / template-expression ) -slash = "/" path-literal = 1*pchar template-expression = "{" template-expression-param-name "}" template-expression-param-name = 1*( %x00-79 / %x7C / %x7E-10FFFF ) ; every UTF8 character except { and } From 758f44bfcbc6da19d3ae5343744b5901abef85f5 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Mon, 16 Dec 2024 10:17:15 -0500 Subject: [PATCH 013/342] chore: updates wording MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Vladimír Gorej --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 36e1e147fd..c179368723 100644 --- a/src/oas.md +++ b/src/oas.md @@ -44,7 +44,7 @@ Each template expression in the path MUST correspond to a path parameter that is The value for these path parameters MUST NOT contain any unescaped "generic syntax" characters described by [RFC3986](https://tools.ietf.org/html/rfc3986#section-3): forward slashes (`/`), question marks (`?`), or hashes (`#`). -The path templating expression is defined by the following [ABNF](https://tools.ietf.org/html/rfc5234) syntax +The path templating is defined by the following [ABNF](https://tools.ietf.org/html/rfc5234) syntax ```abnf ; OpenAPI Path Templating ABNF syntax From e4caedca6906ee964690e8879a06eee7edc2fabc Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Tue, 17 Dec 2024 07:03:06 -0500 Subject: [PATCH 014/342] chore: moves RFC references outside of ABNF block for path templates Signed-off-by: Vincent Biret --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index c179368723..94d983c302 100644 --- a/src/oas.md +++ b/src/oas.md @@ -47,14 +47,12 @@ The value for these path parameters MUST NOT contain any unescaped "generic synt The path templating is defined by the following [ABNF](https://tools.ietf.org/html/rfc5234) syntax ```abnf -; OpenAPI Path Templating ABNF syntax path-template = "/" *( path-segment "/" ) [ path-segment ] path-segment = 1*( path-literal / template-expression ) path-literal = 1*pchar template-expression = "{" template-expression-param-name "}" template-expression-param-name = 1*( %x00-79 / %x7C / %x7E-10FFFF ) ; every UTF8 character except { and } -; Characters definitions (from RFC 3986) pchar = unreserved / pct-encoded / sub-delims / ":" / "@" unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" pct-encoded = "%" HEXDIG HEXDIG @@ -65,6 +63,8 @@ DIGIT = %x30-39 ; 0-9 HEXDIG = DIGIT / "A" / "B" / "C" / "D" / "E" / "F" ``` +Here, all characters definitions are taken from [RFC 3986](https://tools.ietf.org/html/rfc3986). The path-template is directly derived from [RFC 3986, section 3.3](https://datatracker.ietf.org/doc/html/rfc3986#section-3.3). + ### Media Types Media type definitions are spread across several resources. From 3063a8938aca11275053313c93748b86b0f15f82 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Tue, 17 Dec 2024 07:37:12 -0500 Subject: [PATCH 015/342] chore: adds missing quotes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Vladimír Gorej --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 94d983c302..671687f7a3 100644 --- a/src/oas.md +++ b/src/oas.md @@ -63,7 +63,7 @@ DIGIT = %x30-39 ; 0-9 HEXDIG = DIGIT / "A" / "B" / "C" / "D" / "E" / "F" ``` -Here, all characters definitions are taken from [RFC 3986](https://tools.ietf.org/html/rfc3986). The path-template is directly derived from [RFC 3986, section 3.3](https://datatracker.ietf.org/doc/html/rfc3986#section-3.3). +Here, all characters definitions are taken from [RFC 3986](https://tools.ietf.org/html/rfc3986). The `path-template` is directly derived from [RFC 3986, section 3.3](https://datatracker.ietf.org/doc/html/rfc3986#section-3.3). ### Media Types From a2873d805a7bc4f8350daa3bca0165f78202ba44 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Tue, 17 Dec 2024 07:43:43 -0500 Subject: [PATCH 016/342] chore: removes basic alpha digit hexdig definition Signed-off-by: Vincent Biret --- src/oas.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/oas.md b/src/oas.md index 94d983c302..4280480e57 100644 --- a/src/oas.md +++ b/src/oas.md @@ -58,9 +58,6 @@ unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" pct-encoded = "%" HEXDIG HEXDIG sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "=" -ALPHA = %x41-5A / %x61-7A ; A-Z / a-z -DIGIT = %x30-39 ; 0-9 -HEXDIG = DIGIT / "A" / "B" / "C" / "D" / "E" / "F" ``` Here, all characters definitions are taken from [RFC 3986](https://tools.ietf.org/html/rfc3986). The path-template is directly derived from [RFC 3986, section 3.3](https://datatracker.ietf.org/doc/html/rfc3986#section-3.3). From 72d93b893b49fc26ea6d3b9439090d9bb127a670 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Wed, 18 Dec 2024 07:40:32 -0500 Subject: [PATCH 017/342] chore: explicitly lists out which definitions come from another RFC Signed-off-by: Vincent Biret --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 943834275a..4106fbc320 100644 --- a/src/oas.md +++ b/src/oas.md @@ -60,7 +60,7 @@ sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "=" ``` -Here, all characters definitions are taken from [RFC 3986](https://tools.ietf.org/html/rfc3986). The `path-template` is directly derived from [RFC 3986, section 3.3](https://datatracker.ietf.org/doc/html/rfc3986#section-3.3). +Here, `pchar`, `unreserved`, `pct-encoded` and `sub-delims` definitions are taken from [RFC 3986](https://tools.ietf.org/html/rfc3986). The `path-template` is directly derived from [RFC 3986, section 3.3](https://datatracker.ietf.org/doc/html/rfc3986#section-3.3). ### Media Types From ee4b87100db09ea10b5ec45b165ed9abf649bb03 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Wed, 18 Dec 2024 07:56:56 -0500 Subject: [PATCH 018/342] docs: adds server url template anbf Signed-off-by: Vincent Biret --- src/oas.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/src/oas.md b/src/oas.md index a5d98bdd8b..7a38e676a0 100644 --- a/src/oas.md +++ b/src/oas.md @@ -557,6 +557,23 @@ servers: An object representing a Server Variable for server URL template substitution. +The server URL templating is defined by the following [ABNF](https://tools.ietf.org/html/rfc5234) syntax. + +```abnf +server-url-template = 1*( server-literal / template-expression ) +server-literal = 1*pchar +template-expression = "{" template-expression-param-name "}" +template-expression-param-name = 1*( %x00-79 / %x7C / %x7E-10FFFF ) ; every UTF8 character except { and } + +pchar = unreserved / pct-encoded / sub-delims / ":" / "@" +unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" +pct-encoded = "%" HEXDIG HEXDIG +sub-delims = "!" / "$" / "&" / "'" / "(" / ")" + / "*" / "+" / "," / ";" / "=" +``` + +Here, `pchar`, `unreserved`, `pct-encoded` and `sub-delims` definitions are taken from [RFC 3986](https://tools.ietf.org/html/rfc3986). + ##### Fixed Fields | Field Name | Type | Description | From a89f36dd50846d82d528e36b87f1098cc6774b87 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Thu, 19 Dec 2024 13:26:16 -0500 Subject: [PATCH 019/342] fix: expands the allowed set for server templates literal Signed-off-by: Vincent Biret --- src/oas.md | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/src/oas.md b/src/oas.md index 7a38e676a0..e57c48d1bf 100644 --- a/src/oas.md +++ b/src/oas.md @@ -560,19 +560,28 @@ An object representing a Server Variable for server URL template substitution. The server URL templating is defined by the following [ABNF](https://tools.ietf.org/html/rfc5234) syntax. ```abnf -server-url-template = 1*( server-literal / template-expression ) -server-literal = 1*pchar +server-url-template = 1*( literals / template-expression ) template-expression = "{" template-expression-param-name "}" template-expression-param-name = 1*( %x00-79 / %x7C / %x7E-10FFFF ) ; every UTF8 character except { and } +literals = 1*( %x21 / %x23-24 / %x26 / %x28-3B / %x3D / %x3F-5B + / %x5D / %x5F / %x61-7A / %x7E / ucschar / iprivate + / pct-encoded) + ; any Unicode character except: CTL, SP, + ; DQUOTE, "'", "%" (aside from pct-encoded), + ; "<", ">", "\", "^", "`", "{", "|", "}" + -pchar = unreserved / pct-encoded / sub-delims / ":" / "@" -unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" pct-encoded = "%" HEXDIG HEXDIG -sub-delims = "!" / "$" / "&" / "'" / "(" / ")" - / "*" / "+" / "," / ";" / "=" +ucschar = %xA0-D7FF / %xF900-FDCF / %xFDF0-FFEF + / %x10000-1FFFD / %x20000-2FFFD / %x30000-3FFFD + / %x40000-4FFFD / %x50000-5FFFD / %x60000-6FFFD + / %x70000-7FFFD / %x80000-8FFFD / %x90000-9FFFD + / %xA0000-AFFFD / %xB0000-BFFFD / %xC0000-CFFFD + / %xD0000-DFFFD / %xE1000-EFFFD +iprivate = %xE000-F8FF / %xF0000-FFFFD / %x100000-10FFFD ``` -Here, `pchar`, `unreserved`, `pct-encoded` and `sub-delims` definitions are taken from [RFC 3986](https://tools.ietf.org/html/rfc3986). +Here, `pct-encoded`, `uschar` and `iprivate` definitions are taken from [RFC 6570](https://www.rfc-editor.org/rfc/rfc6570). ##### Fixed Fields From 72eec2970fe52c99bbcc407319197a73bccb2b72 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Thu, 19 Dec 2024 14:41:38 -0500 Subject: [PATCH 020/342] fix: adds literals to the list of imported definitions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Vladimír Gorej --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index e57c48d1bf..cf9e2bce4e 100644 --- a/src/oas.md +++ b/src/oas.md @@ -581,7 +581,7 @@ ucschar = %xA0-D7FF / %xF900-FDCF / %xFDF0-FFEF iprivate = %xE000-F8FF / %xF0000-FFFFD / %x100000-10FFFD ``` -Here, `pct-encoded`, `uschar` and `iprivate` definitions are taken from [RFC 6570](https://www.rfc-editor.org/rfc/rfc6570). +Here, `literals`, `pct-encoded`, `uschar` and `iprivate` definitions are taken from [RFC 6570](https://www.rfc-editor.org/rfc/rfc6570). ##### Fixed Fields From cf00256ec279bef554a221efe1401718badb7bea Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Thu, 19 Dec 2024 14:42:24 -0500 Subject: [PATCH 021/342] nit: groups literals with the imported definitions --- src/oas.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index cf9e2bce4e..880143700f 100644 --- a/src/oas.md +++ b/src/oas.md @@ -563,14 +563,13 @@ The server URL templating is defined by the following [ABNF](https://tools.ietf. server-url-template = 1*( literals / template-expression ) template-expression = "{" template-expression-param-name "}" template-expression-param-name = 1*( %x00-79 / %x7C / %x7E-10FFFF ) ; every UTF8 character except { and } + literals = 1*( %x21 / %x23-24 / %x26 / %x28-3B / %x3D / %x3F-5B / %x5D / %x5F / %x61-7A / %x7E / ucschar / iprivate / pct-encoded) ; any Unicode character except: CTL, SP, ; DQUOTE, "'", "%" (aside from pct-encoded), ; "<", ">", "\", "^", "`", "{", "|", "}" - - pct-encoded = "%" HEXDIG HEXDIG ucschar = %xA0-D7FF / %xF900-FDCF / %xFDF0-FFEF / %x10000-1FFFD / %x20000-2FFFD / %x30000-3FFFD From 069f2be573bbda83192ce8c5d3b92ac95402676b Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Thu, 19 Dec 2024 14:44:18 -0500 Subject: [PATCH 022/342] nit: aligns literal definition Signed-off-by: Vincent Biret --- src/oas.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/oas.md b/src/oas.md index 880143700f..2aaf37f801 100644 --- a/src/oas.md +++ b/src/oas.md @@ -564,12 +564,12 @@ server-url-template = 1*( literals / template-expression ) template-expression = "{" template-expression-param-name "}" template-expression-param-name = 1*( %x00-79 / %x7C / %x7E-10FFFF ) ; every UTF8 character except { and } -literals = 1*( %x21 / %x23-24 / %x26 / %x28-3B / %x3D / %x3F-5B - / %x5D / %x5F / %x61-7A / %x7E / ucschar / iprivate - / pct-encoded) - ; any Unicode character except: CTL, SP, - ; DQUOTE, "'", "%" (aside from pct-encoded), - ; "<", ">", "\", "^", "`", "{", "|", "}" +literals = 1*( %x21 / %x23-24 / %x26 / %x28-3B / %x3D / %x3F-5B + / %x5D / %x5F / %x61-7A / %x7E / ucschar / iprivate + / pct-encoded) + ; any Unicode character except: CTL, SP, + ; DQUOTE, "'", "%" (aside from pct-encoded), + ; "<", ">", "\", "^", "`", "{", "|", "}" pct-encoded = "%" HEXDIG HEXDIG ucschar = %xA0-D7FF / %xF900-FDCF / %xFDF0-FFEF / %x10000-1FFFD / %x20000-2FFFD / %x30000-3FFFD From e3f9dca10863ec853da8325d577fa13e5ab2efe9 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Fri, 20 Dec 2024 08:41:55 -0500 Subject: [PATCH 023/342] fix: updates literals with content from errata Co-authored-by: Ralf Handl --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index 2aaf37f801..90348a8c89 100644 --- a/src/oas.md +++ b/src/oas.md @@ -564,11 +564,11 @@ server-url-template = 1*( literals / template-expression ) template-expression = "{" template-expression-param-name "}" template-expression-param-name = 1*( %x00-79 / %x7C / %x7E-10FFFF ) ; every UTF8 character except { and } -literals = 1*( %x21 / %x23-24 / %x26 / %x28-3B / %x3D / %x3F-5B +literals = 1*( %x21 / %x23-24 / %x26-3B / %x3D / %x3F-5B / %x5D / %x5F / %x61-7A / %x7E / ucschar / iprivate / pct-encoded) ; any Unicode character except: CTL, SP, - ; DQUOTE, "'", "%" (aside from pct-encoded), + ; DQUOTE, "%" (aside from pct-encoded), ; "<", ">", "\", "^", "`", "{", "|", "}" pct-encoded = "%" HEXDIG HEXDIG ucschar = %xA0-D7FF / %xF900-FDCF / %xFDF0-FFEF From d1ce2592614b2b317443483fb99c5e666613cdb6 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Fri, 20 Dec 2024 08:44:50 -0500 Subject: [PATCH 024/342] nit: changes the server variable name to avoid confusion and allow for diverging future updates Signed-off-by: Vincent Biret --- src/oas.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/oas.md b/src/oas.md index 90348a8c89..6817adc236 100644 --- a/src/oas.md +++ b/src/oas.md @@ -560,9 +560,9 @@ An object representing a Server Variable for server URL template substitution. The server URL templating is defined by the following [ABNF](https://tools.ietf.org/html/rfc5234) syntax. ```abnf -server-url-template = 1*( literals / template-expression ) -template-expression = "{" template-expression-param-name "}" -template-expression-param-name = 1*( %x00-79 / %x7C / %x7E-10FFFF ) ; every UTF8 character except { and } +server-url-template = 1*( literals / server-variable ) +server-variable = "{" server-variable-name "}" +server-variable-name = 1*( %x00-79 / %x7C / %x7E-10FFFF ) ; every UTF8 character except { and } literals = 1*( %x21 / %x23-24 / %x26-3B / %x3D / %x3F-5B / %x5D / %x5F / %x61-7A / %x7E / ucschar / iprivate From 45f197af3e8e17cad2e86773147fc22ce66d3657 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Mon, 23 Dec 2024 07:31:37 -0500 Subject: [PATCH 025/342] fix: adds mention that errata has been applied MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Vladimír Gorej --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 6817adc236..2aed4825aa 100644 --- a/src/oas.md +++ b/src/oas.md @@ -580,7 +580,7 @@ ucschar = %xA0-D7FF / %xF900-FDCF / %xFDF0-FFEF iprivate = %xE000-F8FF / %xF0000-FFFFD / %x100000-10FFFD ``` -Here, `literals`, `pct-encoded`, `uschar` and `iprivate` definitions are taken from [RFC 6570](https://www.rfc-editor.org/rfc/rfc6570). +Here, `literals`, `pct-encoded`, `ucschar` and `iprivate` definitions are taken from [RFC 6570](https://www.rfc-editor.org/rfc/rfc6570), incorporating the corrections specified in [Errata 6937](https://www.rfc-editor.org/errata/eid6937) for `literals`. ##### Fixed Fields From 0d02843805c877848bbd4fda9c944a17a06c43f0 Mon Sep 17 00:00:00 2001 From: Vladimir Gorej Date: Wed, 25 Dec 2024 21:45:55 +0100 Subject: [PATCH 026/342] Fix Path Templating ABNF grammar template-expression-param-name was excluding "z" character. --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 4106fbc320..e49407216b 100644 --- a/src/oas.md +++ b/src/oas.md @@ -51,7 +51,7 @@ path-template = "/" *( path-segment "/" ) [ path-segment ] path-segment = 1*( path-literal / template-expression ) path-literal = 1*pchar template-expression = "{" template-expression-param-name "}" -template-expression-param-name = 1*( %x00-79 / %x7C / %x7E-10FFFF ) ; every UTF8 character except { and } +template-expression-param-name = 1*( %x00-7A / %x7C / %x7E-10FFFF ) ; every UTF8 character except { and } pchar = unreserved / pct-encoded / sub-delims / ":" / "@" unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" From bfd5088cab1783943bbfaf379e11eb4b7c85bb99 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Fri, 27 Dec 2024 08:29:38 -0500 Subject: [PATCH 027/342] fix: missing z character MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Vladimír Gorej --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 2aed4825aa..319af5fadc 100644 --- a/src/oas.md +++ b/src/oas.md @@ -562,7 +562,7 @@ The server URL templating is defined by the following [ABNF](https://tools.ietf. ```abnf server-url-template = 1*( literals / server-variable ) server-variable = "{" server-variable-name "}" -server-variable-name = 1*( %x00-79 / %x7C / %x7E-10FFFF ) ; every UTF8 character except { and } +server-variable-name = 1*( %x00-7A / %x7C / %x7E-10FFFF ) ; every UTF8 character except { and } literals = 1*( %x21 / %x23-24 / %x26-3B / %x3D / %x3F-5B / %x5D / %x5F / %x61-7A / %x7E / ucschar / iprivate From 6e4f8d68b2108edc4105a822f41eca0e445bcb7e Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Fri, 27 Dec 2024 08:32:01 -0500 Subject: [PATCH 028/342] fix: missing z in url templating Signed-off-by: Vincent Biret --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index cf47e164eb..2ffed2bc76 100644 --- a/src/oas.md +++ b/src/oas.md @@ -51,7 +51,7 @@ path-template = "/" *( path-segment "/" ) [ path-segment ] path-segment = 1*( path-literal / template-expression ) path-literal = 1*pchar template-expression = "{" template-expression-param-name "}" -template-expression-param-name = 1*( %x00-79 / %x7C / %x7E-10FFFF ) ; every UTF8 character except { and } +template-expression-param-name = 1*( %x00-7A / %x7C / %x7E-10FFFF ) ; every UTF8 character except { and } pchar = unreserved / pct-encoded / sub-delims / ":" / "@" unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" From f822af73874e9b8ff61e5b98c1f37904b1471934 Mon Sep 17 00:00:00 2001 From: Lorna Jane Mitchell Date: Fri, 3 Jan 2025 16:03:30 +0000 Subject: [PATCH 029/342] Add more fields to the tag object, from the proposal --- src/oas.md | 41 ++++++++++++++++++++++++++++++++++++----- 1 file changed, 36 insertions(+), 5 deletions(-) diff --git a/src/oas.md b/src/oas.md index 2ffed2bc76..80f4719b98 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2687,9 +2687,12 @@ It is not mandatory to have a Tag Object per tag defined in the Operation Object | Field Name | Type | Description | | ---- | :----: | ---- | -| name | `string` | **REQUIRED**. The name of the tag. | +| name | `string` | **REQUIRED**. The name of the tag. Use this value in the `tags` array of an Operation. | +| summary | `string` | A short summary of the tag, used for display purposes. | | description | `string` | A description for the tag. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | externalDocs | [External Documentation Object](#external-documentation-object) | Additional external documentation for this tag. | +| parent | `string` | The `name` of a tag that this tags is nested under. The named tag MUST exist in the API description, and circular references between parent and child tags MUST NOT be used. | +| kind | `string` | A machine-readable string to categorize what sort of tag it is. Common uses are `nav` for Navigation, `badge` for badges, `internal` for internal APIs, but any string value can be used. | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -2697,14 +2700,42 @@ This object MAY be extended with [Specification Extensions](#specification-exten ```json { - "name": "pet", - "description": "Pets operations" + "name": "account-updates", + "summary": "Account Updates", + "description": "Account update operations", + "kind": "nav" +}, +{ + "name": "partner", + "summary": "Partner", + "description": "Operations available to the partners network", + "parent": "external", + "kind": "audience" +}, +{ + "name": "external", + "summary": "External", + "description": "Operations available to external consumers", + "kind": "audience" } ``` ```yaml -name: pet -description: Pets operations +- name: account-updates + summary: Account Updates + description: Account update operations + kind: nav + +- name: partner + summary: Partner + description: Operations available to the partners network + parent: external + kind: audience + +- name: external + summary: External + description: Operations available to external consumers + kind: audience ``` #### Reference Object From d3d86330a0a97d536ac5ac8692c4a772390bfbcb Mon Sep 17 00:00:00 2001 From: Lorna Jane Mitchell Date: Fri, 3 Jan 2025 17:41:01 +0000 Subject: [PATCH 030/342] Better formatting of examples --- src/oas.md | 72 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 38 insertions(+), 34 deletions(-) diff --git a/src/oas.md b/src/oas.md index 80f4719b98..94f8aa039a 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2699,43 +2699,47 @@ This object MAY be extended with [Specification Extensions](#specification-exten ##### Tag Object Example ```json -{ - "name": "account-updates", - "summary": "Account Updates", - "description": "Account update operations", - "kind": "nav" -}, -{ - "name": "partner", - "summary": "Partner", - "description": "Operations available to the partners network", - "parent": "external", - "kind": "audience" -}, -{ - "name": "external", - "summary": "External", - "description": "Operations available to external consumers", - "kind": "audience" -} +"tags": [ + { + "name": "account-updates", + "summary": "Account Updates", + "description": "Account update operations", + "kind": "nav" + }, + { + "name": "partner", + "summary": "Partner", + "description": "Operations available to the partners network", + "parent": "external", + "kind": "audience" + }, + { + "name": "external", + "summary": "External", + "description": "Operations available to external consumers", + "kind": "audience" + } +] ``` ```yaml -- name: account-updates - summary: Account Updates - description: Account update operations - kind: nav - -- name: partner - summary: Partner - description: Operations available to the partners network - parent: external - kind: audience - -- name: external - summary: External - description: Operations available to external consumers - kind: audience +tags: + + - name: account-updates + summary: Account Updates + description: Account update operations + kind: nav + + - name: partner + summary: Partner + description: Operations available to the partners network + parent: external + kind: audience + + - name: external + summary: External + description: Operations available to external consumers + kind: audience ``` #### Reference Object From 3b31b7ef690c311f64c4048d04e84c6c18eebf11 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Tue, 7 Jan 2025 09:41:12 -0500 Subject: [PATCH 031/342] docs: adds links to annex C in path and server templating sections Signed-off-by: Vincent Biret --- src/oas.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/oas.md b/src/oas.md index 2ffed2bc76..28ea21f529 100644 --- a/src/oas.md +++ b/src/oas.md @@ -62,6 +62,8 @@ sub-delims = "!" / "$" / "&" / "'" / "(" / ")" Here, `pchar`, `unreserved`, `pct-encoded` and `sub-delims` definitions are taken from [RFC 3986](https://tools.ietf.org/html/rfc3986). The `path-template` is directly derived from [RFC 3986, section 3.3](https://datatracker.ietf.org/doc/html/rfc3986#section-3.3). +See also [Appendix C: Using RFC6570-Based Serialization](#appendix-c-using-rfc6570-based-serialization) for additional guidance. + ### Media Types Media type definitions are spread across several resources. @@ -600,6 +602,8 @@ iprivate = %xE000-F8FF / %xF0000-FFFFD / %x100000-10FFFD Here, `literals`, `pct-encoded`, `ucschar` and `iprivate` definitions are taken from [RFC 6570](https://www.rfc-editor.org/rfc/rfc6570), incorporating the corrections specified in [Errata 6937](https://www.rfc-editor.org/errata/eid6937) for `literals`. +See also [Appendix C: Using RFC6570-Based Serialization](#appendix-c-using-rfc6570-based-serialization) for additional guidance. + ##### Fixed Fields | Field Name | Type | Description | From b87e39c4df75053a233ab3c30d8d2be27dd4cb34 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Thu, 9 Jan 2025 08:17:01 -0500 Subject: [PATCH 032/342] fix: adds reference to paths object guidance from server variables Signed-off-by: Vincent Biret --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 28ea21f529..a54e56835b 100644 --- a/src/oas.md +++ b/src/oas.md @@ -602,7 +602,7 @@ iprivate = %xE000-F8FF / %xF0000-FFFFD / %x100000-10FFFD Here, `literals`, `pct-encoded`, `ucschar` and `iprivate` definitions are taken from [RFC 6570](https://www.rfc-editor.org/rfc/rfc6570), incorporating the corrections specified in [Errata 6937](https://www.rfc-editor.org/errata/eid6937) for `literals`. -See also [Appendix C: Using RFC6570-Based Serialization](#appendix-c-using-rfc6570-based-serialization) for additional guidance. +See the [Paths Object](#paths-object) for guidance on constructing full request URLs. ##### Fixed Fields From a055eca66fd83b8b8ef3098f2a101f166e7d501d Mon Sep 17 00:00:00 2001 From: Lorna Jane Mitchell Date: Fri, 10 Jan 2025 12:19:21 +0000 Subject: [PATCH 033/342] Improve tag kind wording and link registry --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 94f8aa039a..b33ce9cd32 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2692,7 +2692,7 @@ It is not mandatory to have a Tag Object per tag defined in the Operation Object | description | `string` | A description for the tag. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | externalDocs | [External Documentation Object](#external-documentation-object) | Additional external documentation for this tag. | | parent | `string` | The `name` of a tag that this tags is nested under. The named tag MUST exist in the API description, and circular references between parent and child tags MUST NOT be used. | -| kind | `string` | A machine-readable string to categorize what sort of tag it is. Common uses are `nav` for Navigation, `badge` for badges, `internal` for internal APIs, but any string value can be used. | +| kind | `string` | A machine-readable string to categorize what sort of tag it is. Any string value can be used; common uses are `nav` for Navigation, `badge` for visible badges, `audience` for APIs used by different groups. A [registry of the most commonly used values](https://spec.openapis.org/registry/tag-kind/) is available. | This object MAY be extended with [Specification Extensions](#specification-extensions). From 581391aa7582ae3c0afc93aff9dda3687835eb70 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Fri, 10 Jan 2025 16:41:10 +0100 Subject: [PATCH 034/342] Typo Co-authored-by: Mike Kistler --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index b33ce9cd32..3999e66d2f 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2691,7 +2691,7 @@ It is not mandatory to have a Tag Object per tag defined in the Operation Object | summary | `string` | A short summary of the tag, used for display purposes. | | description | `string` | A description for the tag. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | externalDocs | [External Documentation Object](#external-documentation-object) | Additional external documentation for this tag. | -| parent | `string` | The `name` of a tag that this tags is nested under. The named tag MUST exist in the API description, and circular references between parent and child tags MUST NOT be used. | +| parent | `string` | The `name` of a tag that this tag is nested under. The named tag MUST exist in the API description, and circular references between parent and child tags MUST NOT be used. | | kind | `string` | A machine-readable string to categorize what sort of tag it is. Any string value can be used; common uses are `nav` for Navigation, `badge` for visible badges, `audience` for APIs used by different groups. A [registry of the most commonly used values](https://spec.openapis.org/registry/tag-kind/) is available. | This object MAY be extended with [Specification Extensions](#specification-extensions). From f1d562908b111856a1cc30e0844b745cf8bc4a6a Mon Sep 17 00:00:00 2001 From: Mike Kistler Date: Thu, 6 Feb 2025 13:17:05 -0600 Subject: [PATCH 035/342] First draft of optional discriminator feature --- src/oas.md | 242 +++++++++++++++++++++++++++++++---------------------- 1 file changed, 141 insertions(+), 101 deletions(-) diff --git a/src/oas.md b/src/oas.md index 4f025228b4..0d5d98083a 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2832,7 +2832,7 @@ JSON Schema implementations MAY choose to treat keywords defined by the OpenAPI | Field Name | Type | Description | | ---- | :----: | ---- | -| discriminator | [Discriminator Object](#discriminator-object) | Adds support for polymorphism. The discriminator is used to determine which of a set of schemas a payload is expected to satisfy. See [Composition and Inheritance](#composition-and-inheritance-polymorphism) for more details. | +| discriminator | [Discriminator Object](#discriminator-object) | The discriminator provides a "hint" for which of a set of schemas a payload is expected to satisfy. See [Composition and Inheritance](#composition-and-inheritance-polymorphism) for more details. | | xml | [XML Object](#xml-object) | This MAY be used only on property schemas. It has no effect on root schemas. Adds additional metadata to describe the XML representation of this property. | | externalDocs | [External Documentation Object](#external-documentation-object) | Additional external documentation for this schema. | | example | Any | A free-form field to include an example of an instance for this schema. To represent examples that cannot be naturally represented in JSON or YAML, a string value can be used to contain the example with escaping where necessary.

**Deprecated:** The `example` field has been deprecated in favor of the JSON Schema `examples` keyword. Use of `example` is discouraged, and later versions of this specification may remove it. | @@ -2870,9 +2870,15 @@ The OpenAPI Specification allows combining and extending model definitions using `allOf` takes an array of object definitions that are validated _independently_ but together compose a single object. While composition offers model extensibility, it does not imply a hierarchy between the models. -To support polymorphism, the OpenAPI Specification adds the [`discriminator`](#schema-discriminator) field. -When used, the `discriminator` indicates the name of the property that hints which schema definition is expected to validate the structure of the model. -As such, the `discriminator` field MUST be a required field. + +JSON Schema also provides the `anyOf` and `oneOf` keywords, which allow defining multiple schemas where at least one or exactly one of them must be valid, respectively. +As is the case with `allOf`, the schemas are validated _independently_. +These keywords can be used to describe polymorphism, where a single field can accept multiple types of values. + +The OpenAPI specification extends the JSON Schema support for polymorphism by adding the [`discriminator`](#schema-discriminator) field. +When used, the `discriminator` indicates the name of the property that hints which schema of an `anyOf` or `oneOf` is expected to validate the structure of the model. +The `discriminator` property may be defined as required or optional, but when defined as an optional property the `discriminator` field must include a `default` field that specifies which schema of the `anyOf` or `oneOf` is expected to validate the structure of the model. + There are two ways to define the value of a discriminator for an inheriting instance. * Use the schema name. @@ -3135,71 +3141,58 @@ components: ###### Models with Polymorphism Support -```json -{ - "components": { - "schemas": { - "Pet": { - "type": "object", - "discriminator": { - "propertyName": "petType" - }, - "properties": { - "name": { - "type": "string" - }, - "petType": { - "type": "string" - } - }, - "required": ["name", "petType"] - }, - "Cat": { - "description": "A representation of a cat. Note that `Cat` will be used as the discriminating value.", - "allOf": [ - { - "$ref": "#/components/schemas/Pet" - }, - { - "type": "object", - "properties": { - "huntingSkill": { - "type": "string", - "description": "The measured skill for hunting", - "default": "lazy", - "enum": ["clueless", "lazy", "adventurous", "aggressive"] - } - }, - "required": ["huntingSkill"] - } - ] - }, - "Dog": { - "description": "A representation of a dog. Note that `Dog` will be used as the discriminating value.", - "allOf": [ - { - "$ref": "#/components/schemas/Pet" - }, - { - "type": "object", - "properties": { - "packSize": { - "type": "integer", - "format": "int32", - "description": "the size of the pack the dog is from", - "default": 0, - "minimum": 0 - } - }, - "required": ["packSize"] - } - ] - } - } - } -} +The following example describes a `Pet` model that can represent either a cat or a dog, as distinguished by the `petType` property. Each type of pet has other properties beyond those of the base `Pet` model. An instance without a `petType` property, or with a `petType` property that does not match either `cat` or `dog`, is invalid. + +```yaml +components: + schemas: + Pet: + type: object + properties: + name: + type: string + required: + - name + - petType + oneOf: + - $ref: '#/components/schemas/Cat' + - $ref: '#/components/schemas/Dog' + Cat: + description: A pet cat + type: object + properties: + petType: + const: 'cat' + huntingSkill: + type: string + description: The measured skill for hunting + enum: + - clueless + - lazy + - adventurous + - aggressive + required: + - huntingSkill + Dog: + description: A pet dog + type: object + properties: + petType: + const: 'dog' + packSize: + type: integer + format: int32 + description: the size of the pack the dog is from + default: 0 + minimum: 0 + required: + - packSize ``` +###### Models with Polymorphism Support and a Discriminator field + +The following example extends the example of the previous section by adding a `discriminator` field to the `Pet` model. Note that the `discriminator` is only a hint to the consumer of the API, and does not change the validation outcome of the schema. + ```yaml components: schemas: @@ -3207,44 +3200,49 @@ components: type: object discriminator: propertyName: petType + mapping: + cat: '#/components/schemas/Cat' + dog: '#/components/schemas/Dog' properties: name: type: string + required: + - name + - petType + oneOf: + - $ref: '#/components/schemas/Cat' + - $ref: '#/components/schemas/Dog' + Cat: + description: A pet cat + type: object + properties: petType: + const: 'cat' + huntingSkill: type: string + description: The measured skill for hunting + enum: + - clueless + - lazy + - adventurous + - aggressive + required: + - huntingSkill + Dog: + description: A pet dog + type: object + properties: + petType: + const: 'dog' + packSize: + type: integer + format: int32 + description: the size of the pack the dog is from + default: 0 + minimum: 0 required: - - name - petType - Cat: # "Cat" will be used as the discriminating value - description: A representation of a cat - allOf: - - $ref: '#/components/schemas/Pet' - - type: object - properties: - huntingSkill: - type: string - description: The measured skill for hunting - enum: - - clueless - - lazy - - adventurous - - aggressive - required: - - huntingSkill - Dog: # "Dog" will be used as the discriminating value - description: A representation of a dog - allOf: - - $ref: '#/components/schemas/Pet' - - type: object - properties: - packSize: - type: integer - format: int32 - description: the size of the pack the dog is from - default: 0 - minimum: 0 - required: - - packSize + - packSize ``` ###### Generic Data Structure Model @@ -3362,7 +3360,9 @@ components: #### Discriminator Object -When request bodies or response payloads may be one of a number of different schemas, a Discriminator Object gives a hint about the expected schema of the document. +When request bodies or response payloads may be one of a number of different schemas, these should use the JSON Schema `anyOf` or `oneOf` keywords to describe the possible schemas (see [Composition and Inheritance](#composition-and-inheritance-polymorphism)). + +A polymorphic schema MAY include a `discriminator` field, which defines the name of the property that may be used as a hint for which schema of the `anyOf` or `oneOf` is expected to validate the structure of the model. This hint can be used to aid in serialization, deserialization, and validation. The Discriminator Object does this by implicitly or explicitly associating the possible values of a named property with alternative schemas. @@ -3372,8 +3372,9 @@ Note that `discriminator` MUST NOT change the validation outcome of the schema. | Field Name | Type | Description | | ---- | :----: | ---- | -| propertyName | `string` | **REQUIRED**. The name of the property in the payload that will hold the discriminating value. This property SHOULD be required in the payload schema, as the behavior when the property is absent is undefined. | +| propertyName | `string` | **REQUIRED**. The name of the property in the payload that will hold the discriminating value. This property may be defined as required or optional, but when defined as an optional property the `discriminator` field must include a `default` field that specifies which schema is expected to validate the structure of the model. | | mapping | Map[`string`, `string`] | An object to hold mappings between payload values and schema names or URI references. | +| default | `string` | The schema name or URI reference to a schema that is expected to validate the structure of the model when the `discriminator` property is not present in the payload. | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -3395,12 +3396,29 @@ The behavior of any configuration of `oneOf`, `anyOf`, `allOf` and `discriminato The value of the property named in `propertyName` is used as the name of the associated schema under the [Components Object](#components-object), _unless_ a `mapping` is present for that value. The `mapping` entry maps a specific property value to either a different schema component name, or to a schema identified by a URI. When using implicit or explicit schema component names, inline `oneOf` or `anyOf` subschemas are not considered. -The behavior of a `mapping` value that is both a valid schema name and a valid relative URI reference is implementation-defined, but it is RECOMMENDED that it be treated as a schema name. +The behavior of a `mapping` value or `default` value that is both a valid schema name and a valid relative URI reference is implementation-defined, but it is RECOMMENDED that it be treated as a schema name. To ensure that an ambiguous value (e.g. `"foo"`) is treated as a relative URI reference by all implementations, authors MUST prefix it with the `"."` path segment (e.g. `"./foo"`). Mapping keys MUST be string values, but tooling MAY convert response values to strings for comparison. However, the exact nature of such conversions are implementation-defined. +##### Optional `discriminator` property + +When the `discriminator` property is defined as optional, the `discriminator` field must include a `default` field that specifies a schema that is expected to validate the structure of the model when the `discriminator` property is not present in the payload. This allows the schema to still be validated correctly even if the discriminator property is missing. + +The primary use case for an optional `discriminator` property is to allow a schema to be extended with a discriminator without breaking existing clients that do not provide the discriminator property. + +Typically the schema specified in the `default` field will specify that the `discriminator` property is not present, e.g. + +```yaml +OtherPet: + type: object + not: + required: ['petType'] +``` + +This will prevent the default schema from validating a payload that includes the `discriminator` property, which would cause a validation of the payload to fail when polymorphism is described using the `oneOf` JSON schema keyword. + ##### Examples For these examples, assume all schemas are in the [entry document](#openapi-description-structure) of the OAD; for handling of `discriminator` in referenced documents see [Resolving Implicit Connections](#resolving-implicit-connections). @@ -3458,6 +3476,28 @@ Here the discriminating value of `dog` will map to the schema `#/components/sche When used in conjunction with the `anyOf` construct, the use of the discriminator can avoid ambiguity for serializers/deserializers where multiple schemas may satisfy a single payload. +When the `discriminator` property is defined as optional, the `discriminator` field must include a `default` field that specifies a schema of the `anyOf` or `oneOf` is expected to validate the structure of the model when the `discriminator` property is not present in the payload. This allows the schema to still be validated correctly even if the discriminator property is missing. + +For example: + +```yaml +MyResponseType: + oneOf: + - $ref: '#/components/schemas/Cat' + - $ref: '#/components/schemas/Dog' + - $ref: '#/components/schemas/Lizard' + - $ref: '#/components/schemas/OtherPet' + discriminator: + propertyName: petType + default: OtherPet +OtherPet: + type: object + not: + required: ['petType'] +``` + +In this example, if the `petType` property is not present in the payload, the payload should validate against the `OtherPet` schema. + This example shows the `allOf` usage, which avoids needing to reference all child schemas in the parent: ```yaml From 6c91a0b19e9e655f402db7ad60e344e5e0771343 Mon Sep 17 00:00:00 2001 From: Mike Kistler Date: Sun, 9 Feb 2025 10:14:50 -0600 Subject: [PATCH 036/342] Address comments from PR review --- src/oas.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/src/oas.md b/src/oas.md index 0d5d98083a..ccb4b6e92a 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2877,7 +2877,7 @@ These keywords can be used to describe polymorphism, where a single field can ac The OpenAPI specification extends the JSON Schema support for polymorphism by adding the [`discriminator`](#schema-discriminator) field. When used, the `discriminator` indicates the name of the property that hints which schema of an `anyOf` or `oneOf` is expected to validate the structure of the model. -The `discriminator` property may be defined as required or optional, but when defined as an optional property the `discriminator` field must include a `default` field that specifies which schema of the `anyOf` or `oneOf` is expected to validate the structure of the model. +The discriminating property may be defined as required or optional, but when defined as an optional property the `discriminator` field must include a `default` field that specifies which schema of the `anyOf` or `oneOf` is expected to validate the structure of the model. There are two ways to define the value of a discriminator for an inheriting instance. @@ -3372,9 +3372,9 @@ Note that `discriminator` MUST NOT change the validation outcome of the schema. | Field Name | Type | Description | | ---- | :----: | ---- | -| propertyName | `string` | **REQUIRED**. The name of the property in the payload that will hold the discriminating value. This property may be defined as required or optional, but when defined as an optional property the `discriminator` field must include a `default` field that specifies which schema is expected to validate the structure of the model. | +| propertyName | `string` | **REQUIRED**. The name of the discriminating property in the payload that will hold the discriminating value. The discriminating property may be defined as required or optional, but when defined as optional the `discriminator` field must include a `default` field that specifies which schema is expected to validate the structure of the model. | | mapping | Map[`string`, `string`] | An object to hold mappings between payload values and schema names or URI references. | -| default | `string` | The schema name or URI reference to a schema that is expected to validate the structure of the model when the `discriminator` property is not present in the payload. | +| default | `string` | The schema name or URI reference to a schema that is expected to validate the structure of the model when the discriminating property is not present in the payload. | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -3402,13 +3402,13 @@ To ensure that an ambiguous value (e.g. `"foo"`) is treated as a relative URI re Mapping keys MUST be string values, but tooling MAY convert response values to strings for comparison. However, the exact nature of such conversions are implementation-defined. -##### Optional `discriminator` property +##### Optional discriminating property -When the `discriminator` property is defined as optional, the `discriminator` field must include a `default` field that specifies a schema that is expected to validate the structure of the model when the `discriminator` property is not present in the payload. This allows the schema to still be validated correctly even if the discriminator property is missing. +When the discriminating property is defined as optional, the `discriminator` field must include a `default` field that specifies a schema that is expected to validate the structure of the model when the discriminating property is not present in the payload. This allows the schema to still be validated correctly even if the discriminator property is missing. -The primary use case for an optional `discriminator` property is to allow a schema to be extended with a discriminator without breaking existing clients that do not provide the discriminator property. +The primary use case for an optional discriminating property is to allow a schema to be extended with a discriminator without breaking existing clients that do not provide the discriminator property. -Typically the schema specified in the `default` field will specify that the `discriminator` property is not present, e.g. +Typically the schema specified in the `default` field will specify that the discriminating property is not present, e.g. ```yaml OtherPet: @@ -3417,7 +3417,7 @@ OtherPet: required: ['petType'] ``` -This will prevent the default schema from validating a payload that includes the `discriminator` property, which would cause a validation of the payload to fail when polymorphism is described using the `oneOf` JSON schema keyword. +This will prevent the default schema from validating a payload that includes the discriminating property, which would cause a validation of the payload to fail when polymorphism is described using the `oneOf` JSON schema keyword. ##### Examples @@ -3476,7 +3476,7 @@ Here the discriminating value of `dog` will map to the schema `#/components/sche When used in conjunction with the `anyOf` construct, the use of the discriminator can avoid ambiguity for serializers/deserializers where multiple schemas may satisfy a single payload. -When the `discriminator` property is defined as optional, the `discriminator` field must include a `default` field that specifies a schema of the `anyOf` or `oneOf` is expected to validate the structure of the model when the `discriminator` property is not present in the payload. This allows the schema to still be validated correctly even if the discriminator property is missing. +When the discriminating property is defined as optional, the `discriminator` field must include a `default` field that specifies a schema of the `anyOf` or `oneOf` is expected to validate the structure of the model when the discriminating property is not present in the payload. This allows the schema to still be validated correctly even if the discriminator property is missing. For example: From 9faf0311546ca5666fa488a83b2ccd3b42300ee3 Mon Sep 17 00:00:00 2001 From: Mike Kistler Date: Tue, 11 Feb 2025 08:31:55 -0600 Subject: [PATCH 037/342] Apply suggestions from PR review Co-authored-by: Jeremy Fiel <32110157+jeremyfiel@users.noreply.github.com> --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index ccb4b6e92a..6d83ae1dc7 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3406,7 +3406,7 @@ However, the exact nature of such conversions are implementation-defined. When the discriminating property is defined as optional, the `discriminator` field must include a `default` field that specifies a schema that is expected to validate the structure of the model when the discriminating property is not present in the payload. This allows the schema to still be validated correctly even if the discriminator property is missing. -The primary use case for an optional discriminating property is to allow a schema to be extended with a discriminator without breaking existing clients that do not provide the discriminator property. +The primary use case for an optional discriminating property is to allow a schema to be extended with a discriminator without breaking existing clients that do not provide the discriminating property. Typically the schema specified in the `default` field will specify that the discriminating property is not present, e.g. From 7ebde1428df16d1e007c913a8e838c3f3d340ace Mon Sep 17 00:00:00 2001 From: Mike Kistler Date: Tue, 11 Feb 2025 08:39:56 -0600 Subject: [PATCH 038/342] Use defaultMapping keyword in discriminator --- src/oas.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/oas.md b/src/oas.md index 6d83ae1dc7..287f9eb6d6 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2877,7 +2877,7 @@ These keywords can be used to describe polymorphism, where a single field can ac The OpenAPI specification extends the JSON Schema support for polymorphism by adding the [`discriminator`](#schema-discriminator) field. When used, the `discriminator` indicates the name of the property that hints which schema of an `anyOf` or `oneOf` is expected to validate the structure of the model. -The discriminating property may be defined as required or optional, but when defined as an optional property the `discriminator` field must include a `default` field that specifies which schema of the `anyOf` or `oneOf` is expected to validate the structure of the model. +The discriminating property may be defined as required or optional, but when defined as an optional property the `discriminator` field must include a `defaultMapping` field that specifies which schema of the `anyOf` or `oneOf` is expected to validate the structure of the model when the discriminating property is not present. There are two ways to define the value of a discriminator for an inheriting instance. @@ -3372,9 +3372,9 @@ Note that `discriminator` MUST NOT change the validation outcome of the schema. | Field Name | Type | Description | | ---- | :----: | ---- | -| propertyName | `string` | **REQUIRED**. The name of the discriminating property in the payload that will hold the discriminating value. The discriminating property may be defined as required or optional, but when defined as optional the `discriminator` field must include a `default` field that specifies which schema is expected to validate the structure of the model. | +| propertyName | `string` | **REQUIRED**. The name of the discriminating property in the payload that will hold the discriminating value. The discriminating property may be defined as required or optional, but when defined as optional the `discriminator` field must include a `defaultMapping` field that specifies which schema is expected to validate the structure of the model when no discriminating property is present. | | mapping | Map[`string`, `string`] | An object to hold mappings between payload values and schema names or URI references. | -| default | `string` | The schema name or URI reference to a schema that is expected to validate the structure of the model when the discriminating property is not present in the payload. | +| defaultMapping | `string` | The schema name or URI reference to a schema that is expected to validate the structure of the model when the discriminating property is not present in the payload. | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -3404,11 +3404,11 @@ However, the exact nature of such conversions are implementation-defined. ##### Optional discriminating property -When the discriminating property is defined as optional, the `discriminator` field must include a `default` field that specifies a schema that is expected to validate the structure of the model when the discriminating property is not present in the payload. This allows the schema to still be validated correctly even if the discriminator property is missing. +When the discriminating property is defined as optional, the `discriminator` field must include a `defaultMapping` field that specifies a schema that is expected to validate the structure of the model when the discriminating property is not present in the payload. This allows the schema to still be validated correctly even if the discriminator property is missing. The primary use case for an optional discriminating property is to allow a schema to be extended with a discriminator without breaking existing clients that do not provide the discriminating property. -Typically the schema specified in the `default` field will specify that the discriminating property is not present, e.g. +Typically the schema specified in the `defaultMapping` field will specify that the discriminating property is not present, e.g. ```yaml OtherPet: @@ -3417,7 +3417,7 @@ OtherPet: required: ['petType'] ``` -This will prevent the default schema from validating a payload that includes the discriminating property, which would cause a validation of the payload to fail when polymorphism is described using the `oneOf` JSON schema keyword. +This will prevent the default mapping schema from validating a payload that includes the discriminating property, which would cause a validation of the payload to fail when polymorphism is described using the `oneOf` JSON schema keyword. ##### Examples @@ -3476,7 +3476,7 @@ Here the discriminating value of `dog` will map to the schema `#/components/sche When used in conjunction with the `anyOf` construct, the use of the discriminator can avoid ambiguity for serializers/deserializers where multiple schemas may satisfy a single payload. -When the discriminating property is defined as optional, the `discriminator` field must include a `default` field that specifies a schema of the `anyOf` or `oneOf` is expected to validate the structure of the model when the discriminating property is not present in the payload. This allows the schema to still be validated correctly even if the discriminator property is missing. +When the discriminating property is defined as optional, the `discriminator` field must include a `defaultMapping` field that specifies a schema of the `anyOf` or `oneOf` is expected to validate the structure of the model when the discriminating property is not present in the payload. This allows the schema to still be validated correctly even if the discriminator property is missing. For example: @@ -3489,7 +3489,7 @@ MyResponseType: - $ref: '#/components/schemas/OtherPet' discriminator: propertyName: petType - default: OtherPet + defaultMapping: OtherPet OtherPet: type: object not: From 0d996cc6aca4d0f33a0db53e9c928b9ebcf13433 Mon Sep 17 00:00:00 2001 From: Lorna Jane Mitchell Date: Thu, 13 Feb 2025 12:06:03 +0000 Subject: [PATCH 039/342] Add new tags fields to schema --- src/schemas/validation/schema.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 54c49a2f97..88148f6847 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -702,10 +702,16 @@ $defs: properties: name: type: string + summary: + type: string description: type: string externalDocs: $ref: '#/$defs/external-documentation' + parent: + type: string + kind: + type: string required: - name $ref: '#/$defs/specification-extensions' From 94700fd7e3fd4ac4fa1550cd6a5ab7eb7b468270 Mon Sep 17 00:00:00 2001 From: Mike Kistler Date: Fri, 14 Feb 2025 14:28:16 -0600 Subject: [PATCH 040/342] Prefer Discriminator Object terminology --- src/oas.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/src/oas.md b/src/oas.md index 287f9eb6d6..016f0d0e7e 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2875,11 +2875,11 @@ JSON Schema also provides the `anyOf` and `oneOf` keywords, which allow defining As is the case with `allOf`, the schemas are validated _independently_. These keywords can be used to describe polymorphism, where a single field can accept multiple types of values. -The OpenAPI specification extends the JSON Schema support for polymorphism by adding the [`discriminator`](#schema-discriminator) field. -When used, the `discriminator` indicates the name of the property that hints which schema of an `anyOf` or `oneOf` is expected to validate the structure of the model. -The discriminating property may be defined as required or optional, but when defined as an optional property the `discriminator` field must include a `defaultMapping` field that specifies which schema of the `anyOf` or `oneOf` is expected to validate the structure of the model when the discriminating property is not present. +The OpenAPI specification extends the JSON Schema support for polymorphism by adding the [`discriminator`](#schema-discriminator) field whose value is a [Discriminator Object](#discriminator-object). +When used, the Discriminator Object indicates the name of the property that hints which schema of an `anyOf` or `oneOf` is expected to validate the structure of the model. +The discriminating property may be defined as required or optional, but when defined as an optional property the Discriminator Object must include a `defaultMapping` field that specifies which schema of the `anyOf` or `oneOf` is expected to validate the structure of the model when the discriminating property is not present. -There are two ways to define the value of a discriminator for an inheriting instance. +There are two ways to define the value of a discriminating property for an inheriting instance. * Use the schema name. * [Override the schema name](#discriminator-mapping) by overriding the property with a new value. If a new value exists, this takes precedence over the schema name. @@ -3189,9 +3189,9 @@ components: - packSize ``` -###### Models with Polymorphism Support and a Discriminator field +###### Models with Polymorphism Support and a Discriminator Object -The following example extends the example of the previous section by adding a `discriminator` field to the `Pet` model. Note that the `discriminator` is only a hint to the consumer of the API, and does not change the validation outcome of the schema. +The following example extends the example of the previous section by adding a [Discriminator Object](#discriminator-object) to the `Pet` schema. Note that the Discriminator Object is only a hint to the consumer of the API, and does not change the validation outcome of the schema. ```yaml components: @@ -3362,7 +3362,7 @@ components: When request bodies or response payloads may be one of a number of different schemas, these should use the JSON Schema `anyOf` or `oneOf` keywords to describe the possible schemas (see [Composition and Inheritance](#composition-and-inheritance-polymorphism)). -A polymorphic schema MAY include a `discriminator` field, which defines the name of the property that may be used as a hint for which schema of the `anyOf` or `oneOf` is expected to validate the structure of the model. +A polymorphic schema MAY include a Discriminator Object, which defines the name of the property that may be used as a hint for which schema of the `anyOf` or `oneOf` is expected to validate the structure of the model. This hint can be used to aid in serialization, deserialization, and validation. The Discriminator Object does this by implicitly or explicitly associating the possible values of a named property with alternative schemas. @@ -3372,7 +3372,7 @@ Note that `discriminator` MUST NOT change the validation outcome of the schema. | Field Name | Type | Description | | ---- | :----: | ---- | -| propertyName | `string` | **REQUIRED**. The name of the discriminating property in the payload that will hold the discriminating value. The discriminating property may be defined as required or optional, but when defined as optional the `discriminator` field must include a `defaultMapping` field that specifies which schema is expected to validate the structure of the model when no discriminating property is present. | +| propertyName | `string` | **REQUIRED**. The name of the discriminating property in the payload that will hold the discriminating value. The discriminating property may be defined as required or optional, but when defined as optional the Discriminator Object must include a `defaultMapping` field that specifies which schema is expected to validate the structure of the model when no discriminating property is present. | | mapping | Map[`string`, `string`] | An object to hold mappings between payload values and schema names or URI references. | | defaultMapping | `string` | The schema name or URI reference to a schema that is expected to validate the structure of the model when the discriminating property is not present in the payload. | @@ -3404,7 +3404,7 @@ However, the exact nature of such conversions are implementation-defined. ##### Optional discriminating property -When the discriminating property is defined as optional, the `discriminator` field must include a `defaultMapping` field that specifies a schema that is expected to validate the structure of the model when the discriminating property is not present in the payload. This allows the schema to still be validated correctly even if the discriminator property is missing. +When the discriminating property is defined as optional, the [Discriminator Object](#discriminator-object) must include a `defaultMapping` field that specifies a schema that is expected to validate the structure of the model when the discriminating property is not present in the payload. This allows the schema to still be validated correctly even if the discriminating property is missing. The primary use case for an optional discriminating property is to allow a schema to be extended with a discriminator without breaking existing clients that do not provide the discriminating property. @@ -3433,7 +3433,7 @@ MyResponseType: - $ref: '#/components/schemas/Lizard' ``` -which means the payload _MUST_, by validation, match exactly one of the schemas described by `Cat`, `Dog`, or `Lizard`. Deserialization of a `oneOf` can be a costly operation, as it requires determining which schema matches the payload and thus should be used in deserialization. This problem also exists for `anyOf` schemas. A `discriminator` MAY be used as a "hint" to improve the efficiency of selection of the matching schema. The `discriminator` field cannot change the validation result of the `oneOf`, it can only help make the deserialization more efficient and provide better error messaging. We can specify the exact field that tells us which schema is expected to match the instance: +which means the payload _MUST_, by validation, match exactly one of the schemas described by `Cat`, `Dog`, or `Lizard`. Deserialization of a `oneOf` can be a costly operation, as it requires determining which schema matches the payload and thus should be used in deserialization. This problem also exists for `anyOf` schemas. A `discriminator` MAY be used as a "hint" to improve the efficiency of selection of the matching schema. The Discriminator Object cannot change the validation result of the `oneOf`, it can only help make the deserialization more efficient and provide better error messaging. We can specify the exact field that tells us which schema is expected to match the instance: ```yaml MyResponseType: @@ -3456,7 +3456,7 @@ The expectation now is that a property with name `petType` _MUST_ be present in will indicate that the `Cat` schema is expected to match this payload. -In scenarios where the value of the `discriminator` field does not match the schema name or implicit mapping is not possible, an optional `mapping` definition MAY be used: +In scenarios where the value of the discriminating property does not match the schema name or implicit mapping is not possible, an optional `mapping` definition MAY be used: ```yaml MyResponseType: @@ -3476,7 +3476,7 @@ Here the discriminating value of `dog` will map to the schema `#/components/sche When used in conjunction with the `anyOf` construct, the use of the discriminator can avoid ambiguity for serializers/deserializers where multiple schemas may satisfy a single payload. -When the discriminating property is defined as optional, the `discriminator` field must include a `defaultMapping` field that specifies a schema of the `anyOf` or `oneOf` is expected to validate the structure of the model when the discriminating property is not present in the payload. This allows the schema to still be validated correctly even if the discriminator property is missing. +When the discriminating property is defined as optional, the Discriminator Object must include a `defaultMapping` field that specifies a schema of the `anyOf` or `oneOf` is expected to validate the structure of the model when the discriminating property is not present in the payload. This allows the schema to still be validated correctly even if the discriminator property is missing. For example: From d36a8ffbfa44b751e413dee7d729e49befcc518d Mon Sep 17 00:00:00 2001 From: Mike Kistler Date: Fri, 14 Feb 2025 19:59:38 -0600 Subject: [PATCH 041/342] More updates for PR review comments --- src/oas.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/oas.md b/src/oas.md index 016f0d0e7e..02f9f3357d 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2877,7 +2877,7 @@ These keywords can be used to describe polymorphism, where a single field can ac The OpenAPI specification extends the JSON Schema support for polymorphism by adding the [`discriminator`](#schema-discriminator) field whose value is a [Discriminator Object](#discriminator-object). When used, the Discriminator Object indicates the name of the property that hints which schema of an `anyOf` or `oneOf` is expected to validate the structure of the model. -The discriminating property may be defined as required or optional, but when defined as an optional property the Discriminator Object must include a `defaultMapping` field that specifies which schema of the `anyOf` or `oneOf` is expected to validate the structure of the model when the discriminating property is not present. +The discriminating property MAY be defined as required or optional, but when defined as an optional property the Discriminator Object MUST include a `defaultMapping` field that specifies which schema of the `anyOf` or `oneOf`, or which schema that references the current schema in an `allOf`, is expected to validate the structure of the model when the discriminating property is not present. There are two ways to define the value of a discriminating property for an inheriting instance. @@ -3362,7 +3362,7 @@ components: When request bodies or response payloads may be one of a number of different schemas, these should use the JSON Schema `anyOf` or `oneOf` keywords to describe the possible schemas (see [Composition and Inheritance](#composition-and-inheritance-polymorphism)). -A polymorphic schema MAY include a Discriminator Object, which defines the name of the property that may be used as a hint for which schema of the `anyOf` or `oneOf` is expected to validate the structure of the model. +A polymorphic schema MAY include a Discriminator Object, which defines the name of the property that may be used as a hint for which schema of the `anyOf` or `oneOf`, or which schema that references the current schema in an `allOf`, is expected to validate the structure of the model. This hint can be used to aid in serialization, deserialization, and validation. The Discriminator Object does this by implicitly or explicitly associating the possible values of a named property with alternative schemas. @@ -3372,7 +3372,7 @@ Note that `discriminator` MUST NOT change the validation outcome of the schema. | Field Name | Type | Description | | ---- | :----: | ---- | -| propertyName | `string` | **REQUIRED**. The name of the discriminating property in the payload that will hold the discriminating value. The discriminating property may be defined as required or optional, but when defined as optional the Discriminator Object must include a `defaultMapping` field that specifies which schema is expected to validate the structure of the model when no discriminating property is present. | +| propertyName | `string` | **REQUIRED**. The name of the discriminating property in the payload that will hold the discriminating value. The discriminating property MAY be defined as required or optional, but when defined as optional the Discriminator Object MUST include a `defaultMapping` field that specifies which schema is expected to validate the structure of the model when the discriminating property is not present. | | mapping | Map[`string`, `string`] | An object to hold mappings between payload values and schema names or URI references. | | defaultMapping | `string` | The schema name or URI reference to a schema that is expected to validate the structure of the model when the discriminating property is not present in the payload. | @@ -3396,7 +3396,7 @@ The behavior of any configuration of `oneOf`, `anyOf`, `allOf` and `discriminato The value of the property named in `propertyName` is used as the name of the associated schema under the [Components Object](#components-object), _unless_ a `mapping` is present for that value. The `mapping` entry maps a specific property value to either a different schema component name, or to a schema identified by a URI. When using implicit or explicit schema component names, inline `oneOf` or `anyOf` subschemas are not considered. -The behavior of a `mapping` value or `default` value that is both a valid schema name and a valid relative URI reference is implementation-defined, but it is RECOMMENDED that it be treated as a schema name. +The behavior of a `mapping` value or `defaultMapping` value that is both a valid schema name and a valid relative URI reference is implementation-defined, but it is RECOMMENDED that it be treated as a schema name. To ensure that an ambiguous value (e.g. `"foo"`) is treated as a relative URI reference by all implementations, authors MUST prefix it with the `"."` path segment (e.g. `"./foo"`). Mapping keys MUST be string values, but tooling MAY convert response values to strings for comparison. @@ -3404,7 +3404,7 @@ However, the exact nature of such conversions are implementation-defined. ##### Optional discriminating property -When the discriminating property is defined as optional, the [Discriminator Object](#discriminator-object) must include a `defaultMapping` field that specifies a schema that is expected to validate the structure of the model when the discriminating property is not present in the payload. This allows the schema to still be validated correctly even if the discriminating property is missing. +When the discriminating property is defined as optional, the [Discriminator Object](#discriminator-object) MUST include a `defaultMapping` field that specifies a schema that is expected to validate the structure of the model when the discriminating property is not present in the payload. This allows the schema to still be validated correctly even if the discriminating property is missing. The primary use case for an optional discriminating property is to allow a schema to be extended with a discriminator without breaking existing clients that do not provide the discriminating property. @@ -3476,7 +3476,7 @@ Here the discriminating value of `dog` will map to the schema `#/components/sche When used in conjunction with the `anyOf` construct, the use of the discriminator can avoid ambiguity for serializers/deserializers where multiple schemas may satisfy a single payload. -When the discriminating property is defined as optional, the Discriminator Object must include a `defaultMapping` field that specifies a schema of the `anyOf` or `oneOf` is expected to validate the structure of the model when the discriminating property is not present in the payload. This allows the schema to still be validated correctly even if the discriminator property is missing. +When the discriminating property is defined as optional, the Discriminator Object MUST include a `defaultMapping` field that specifies a schema of the `anyOf` or `oneOf` is expected to validate the structure of the model when the discriminating property is not present in the payload. This allows the schema to still be validated correctly even if the discriminator property is missing. For example: From 27216de196cd2992dbda2067340ca680b3cd70c8 Mon Sep 17 00:00:00 2001 From: Mike Kistler Date: Fri, 14 Feb 2025 20:19:00 -0600 Subject: [PATCH 042/342] Add back polymorphic example using allOf --- src/oas.md | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/src/oas.md b/src/oas.md index 02f9f3357d..a85c0835d5 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3245,6 +3245,57 @@ components: - packSize ``` +###### Models with Polymorphism Support using allOf and a Discriminator Object + +It is also possible to describe polymorphic models using `allOf`. The following example uses `allOf` with a [Discriminator Object](#discriminator-object) to describe a polymorphic `Pet` model. + +```yaml +components: + schemas: + Pet: + type: object + discriminator: + propertyName: petType + properties: + name: + type: string + petType: + type: string + required: + - name + - petType + Cat: # "Cat" will be used as the discriminating value + description: A representation of a cat + allOf: + - $ref: '#/components/schemas/Pet' + - type: object + properties: + huntingSkill: + type: string + description: The measured skill for hunting + enum: + - clueless + - lazy + - adventurous + - aggressive + required: + - huntingSkill + Dog: # "Dog" will be used as the discriminating value + description: A representation of a dog + allOf: + - $ref: '#/components/schemas/Pet' + - type: object + properties: + packSize: + type: integer + format: int32 + description: the size of the pack the dog is from + default: 0 + minimum: 0 + required: + - packSize +``` + ###### Generic Data Structure Model ```JSON From 3f82212b37fffd52d70c999c62d6052de1b9a1aa Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Mon, 17 Feb 2025 11:41:42 +0100 Subject: [PATCH 043/342] Apply suggestions from code review Co-authored-by: Jeremy Fiel <32110157+jeremyfiel@users.noreply.github.com> --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index a85c0835d5..fac5cc3ec8 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3484,7 +3484,7 @@ MyResponseType: - $ref: '#/components/schemas/Lizard' ``` -which means the payload _MUST_, by validation, match exactly one of the schemas described by `Cat`, `Dog`, or `Lizard`. Deserialization of a `oneOf` can be a costly operation, as it requires determining which schema matches the payload and thus should be used in deserialization. This problem also exists for `anyOf` schemas. A `discriminator` MAY be used as a "hint" to improve the efficiency of selection of the matching schema. The Discriminator Object cannot change the validation result of the `oneOf`, it can only help make the deserialization more efficient and provide better error messaging. We can specify the exact field that tells us which schema is expected to match the instance: +which means the payload _MUST_, by validation, match exactly one of the schemas described by `Cat`, `Dog`, or `Lizard`. Deserialization of a `oneOf` can be a costly operation, as it requires determining which schema matches the payload and thus should be used in deserialization. This problem also exists for `anyOf` schemas. A `discriminator` MAY be used as a "hint" to improve the efficiency of selection of the matching schema. The [Discriminator Object](#discriminator-object) cannot change the validation result of the `oneOf`, it can only help make the deserialization more efficient and provide better error messaging. We can specify the exact field that tells us which schema is expected to match the instance: ```yaml MyResponseType: From 4018f807c449a19806ec218c82bbec2c14959a0c Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Mon, 17 Feb 2025 11:57:01 +0100 Subject: [PATCH 044/342] Update src/oas.md --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index fac5cc3ec8..574d571e67 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3191,7 +3191,7 @@ components: ###### Models with Polymorphism Support and a Discriminator Object -The following example extends the example of the previous section by adding a [Discriminator Object](#discriminator-object) to the `Pet` schema. Note that the Discriminator Object is only a hint to the consumer of the API, and does not change the validation outcome of the schema. +The following example extends the example of the previous section by adding a [Discriminator Object](#discriminator-object) to the `Pet` schema. Note that the Discriminator Object is only a hint to the consumer of the API and does not change the validation outcome of the schema. ```yaml components: From 00d4de1776bf9515628c55d62c66f18305e26109 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Mon, 17 Feb 2025 18:21:12 +0100 Subject: [PATCH 045/342] Bump spec version to 3.2 --- src/schemas/validation/schema.yaml | 62 +++++++++++++++--------------- 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 88148f6847..3f7e5065aa 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -1,19 +1,19 @@ -$id: 'https://spec.openapis.org/oas/3.1/schema/WORK-IN-PROGRESS' +$id: 'https://spec.openapis.org/oas/3.2/schema/WORK-IN-PROGRESS' $schema: 'https://json-schema.org/draft/2020-12/schema' -description: The description of OpenAPI v3.1.x Documents without Schema Object validation +description: The description of OpenAPI v3.2.x Documents without Schema Object validation type: object properties: openapi: type: string - pattern: '^3\.1\.\d+(-.+)?$' + pattern: '^3\.2\.\d+(-.+)?$' info: $ref: '#/$defs/info' jsonSchemaDialect: type: string format: uri - default: 'https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS' + default: 'https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS' servers: type: array items: @@ -53,7 +53,7 @@ unevaluatedProperties: false $defs: info: - $comment: https://spec.openapis.org/oas/v3.1#info-object + $comment: https://spec.openapis.org/oas/v3.2#info-object type: object properties: title: @@ -78,7 +78,7 @@ $defs: unevaluatedProperties: false contact: - $comment: https://spec.openapis.org/oas/v3.1#contact-object + $comment: https://spec.openapis.org/oas/v3.2#contact-object type: object properties: name: @@ -93,7 +93,7 @@ $defs: unevaluatedProperties: false license: - $comment: https://spec.openapis.org/oas/v3.1#license-object + $comment: https://spec.openapis.org/oas/v3.2#license-object type: object properties: name: @@ -114,7 +114,7 @@ $defs: unevaluatedProperties: false server: - $comment: https://spec.openapis.org/oas/v3.1#server-object + $comment: https://spec.openapis.org/oas/v3.2#server-object type: object properties: url: @@ -131,7 +131,7 @@ $defs: unevaluatedProperties: false server-variable: - $comment: https://spec.openapis.org/oas/v3.1#server-variable-object + $comment: https://spec.openapis.org/oas/v3.2#server-variable-object type: object properties: enum: @@ -149,7 +149,7 @@ $defs: unevaluatedProperties: false components: - $comment: https://spec.openapis.org/oas/v3.1#components-object + $comment: https://spec.openapis.org/oas/v3.2#components-object type: object properties: schemas: @@ -201,7 +201,7 @@ $defs: unevaluatedProperties: false paths: - $comment: https://spec.openapis.org/oas/v3.1#paths-object + $comment: https://spec.openapis.org/oas/v3.2#paths-object type: object patternProperties: '^/': @@ -210,7 +210,7 @@ $defs: unevaluatedProperties: false path-item: - $comment: https://spec.openapis.org/oas/v3.1#path-item-object + $comment: https://spec.openapis.org/oas/v3.2#path-item-object type: object properties: $ref: @@ -248,7 +248,7 @@ $defs: unevaluatedProperties: false operation: - $comment: https://spec.openapis.org/oas/v3.1#operation-object + $comment: https://spec.openapis.org/oas/v3.2#operation-object type: object properties: tags: @@ -290,7 +290,7 @@ $defs: unevaluatedProperties: false external-documentation: - $comment: https://spec.openapis.org/oas/v3.1#external-documentation-object + $comment: https://spec.openapis.org/oas/v3.2#external-documentation-object type: object properties: description: @@ -304,7 +304,7 @@ $defs: unevaluatedProperties: false parameter: - $comment: https://spec.openapis.org/oas/v3.1#parameter-object + $comment: https://spec.openapis.org/oas/v3.2#parameter-object type: object properties: name: @@ -444,7 +444,7 @@ $defs: $ref: '#/$defs/parameter' request-body: - $comment: https://spec.openapis.org/oas/v3.1#request-body-object + $comment: https://spec.openapis.org/oas/v3.2#request-body-object type: object properties: description: @@ -470,7 +470,7 @@ $defs: $ref: '#/$defs/request-body' content: - $comment: https://spec.openapis.org/oas/v3.1#fixed-fields-10 + $comment: https://spec.openapis.org/oas/v3.2#fixed-fields-10 type: object additionalProperties: $ref: '#/$defs/media-type' @@ -478,7 +478,7 @@ $defs: format: media-range media-type: - $comment: https://spec.openapis.org/oas/v3.1#media-type-object + $comment: https://spec.openapis.org/oas/v3.2#media-type-object type: object properties: schema: @@ -493,7 +493,7 @@ $defs: unevaluatedProperties: false encoding: - $comment: https://spec.openapis.org/oas/v3.1#encoding-object + $comment: https://spec.openapis.org/oas/v3.2#encoding-object type: object properties: contentType: @@ -521,7 +521,7 @@ $defs: unevaluatedProperties: false responses: - $comment: https://spec.openapis.org/oas/v3.1#responses-object + $comment: https://spec.openapis.org/oas/v3.2#responses-object type: object properties: default: @@ -540,7 +540,7 @@ $defs: required: [default] response: - $comment: https://spec.openapis.org/oas/v3.1#response-object + $comment: https://spec.openapis.org/oas/v3.2#response-object type: object properties: description: @@ -571,7 +571,7 @@ $defs: $ref: '#/$defs/response' callbacks: - $comment: https://spec.openapis.org/oas/v3.1#callback-object + $comment: https://spec.openapis.org/oas/v3.2#callback-object type: object $ref: '#/$defs/specification-extensions' additionalProperties: @@ -588,7 +588,7 @@ $defs: $ref: '#/$defs/callbacks' example: - $comment: https://spec.openapis.org/oas/v3.1#example-object + $comment: https://spec.openapis.org/oas/v3.2#example-object type: object properties: summary: @@ -617,7 +617,7 @@ $defs: $ref: '#/$defs/example' link: - $comment: https://spec.openapis.org/oas/v3.1#link-object + $comment: https://spec.openapis.org/oas/v3.2#link-object type: object properties: operationRef: @@ -651,7 +651,7 @@ $defs: $ref: '#/$defs/link' header: - $comment: https://spec.openapis.org/oas/v3.1#header-object + $comment: https://spec.openapis.org/oas/v3.2#header-object type: object properties: description: @@ -697,7 +697,7 @@ $defs: $ref: '#/$defs/header' tag: - $comment: https://spec.openapis.org/oas/v3.1#tag-object + $comment: https://spec.openapis.org/oas/v3.2#tag-object type: object properties: name: @@ -718,7 +718,7 @@ $defs: unevaluatedProperties: false reference: - $comment: https://spec.openapis.org/oas/v3.1#reference-object + $comment: https://spec.openapis.org/oas/v3.2#reference-object type: object properties: $ref: @@ -730,14 +730,14 @@ $defs: type: string schema: - $comment: https://spec.openapis.org/oas/v3.1#schema-object + $comment: https://spec.openapis.org/oas/v3.2#schema-object $dynamicAnchor: meta type: - object - boolean security-scheme: - $comment: https://spec.openapis.org/oas/v3.1#security-scheme-object + $comment: https://spec.openapis.org/oas/v3.2#security-scheme-object type: object properties: type: @@ -938,7 +938,7 @@ $defs: unevaluatedProperties: false security-requirement: - $comment: https://spec.openapis.org/oas/v3.1#security-requirement-object + $comment: https://spec.openapis.org/oas/v3.2#security-requirement-object type: object additionalProperties: type: array @@ -946,7 +946,7 @@ $defs: type: string specification-extensions: - $comment: https://spec.openapis.org/oas/v3.1#specification-extensions + $comment: https://spec.openapis.org/oas/v3.2#specification-extensions patternProperties: '^x-': true From 92e11ec8879dcb73ecbccbd5e049e871081c8c96 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Mon, 17 Feb 2025 18:24:46 +0100 Subject: [PATCH 046/342] Bump spec version in schema files --- src/schemas/validation/dialect.yaml | 10 +++++----- src/schemas/validation/meta.yaml | 4 ++-- src/schemas/validation/schema-base.yaml | 10 +++++----- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/src/schemas/validation/dialect.yaml b/src/schemas/validation/dialect.yaml index d300d94feb..1986c9e8f8 100644 --- a/src/schemas/validation/dialect.yaml +++ b/src/schemas/validation/dialect.yaml @@ -1,8 +1,8 @@ -$id: https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS +$id: https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS $schema: https://json-schema.org/draft/2020-12/schema -title: OpenAPI 3.1 Schema Object Dialect -description: A JSON Schema dialect describing schemas found in OpenAPI v3.1 Descriptions +title: OpenAPI 3.2 Schema Object Dialect +description: A JSON Schema dialect describing schemas found in OpenAPI v3.2.x Descriptions $dynamicAnchor: meta @@ -14,8 +14,8 @@ $vocabulary: https://json-schema.org/draft/2020-12/vocab/meta-data: true https://json-schema.org/draft/2020-12/vocab/unevaluated: true https://json-schema.org/draft/2020-12/vocab/validation: true - https://spec.openapis.org/oas/3.1/vocab/base: false + https://spec.openapis.org/oas/3.2/vocab/base: false allOf: - $ref: https://json-schema.org/draft/2020-12/schema - - $ref: https://spec.openapis.org/oas/3.1/meta/WORK-IN-PROGRESS + - $ref: https://spec.openapis.org/oas/3.2/meta/WORK-IN-PROGRESS diff --git a/src/schemas/validation/meta.yaml b/src/schemas/validation/meta.yaml index 6cfce4976d..7b41b36eb9 100644 --- a/src/schemas/validation/meta.yaml +++ b/src/schemas/validation/meta.yaml @@ -1,4 +1,4 @@ -$id: https://spec.openapis.org/oas/3.1/meta/WORK-IN-PROGRESS +$id: https://spec.openapis.org/oas/3.2/meta/WORK-IN-PROGRESS $schema: https://json-schema.org/draft/2020-12/schema title: OAS Base Vocabulary @@ -7,7 +7,7 @@ description: A JSON Schema Vocabulary used in the OpenAPI Schema Dialect $dynamicAnchor: meta $vocabulary: - https://spec.openapis.org/oas/3.1/vocab/base: true + https://spec.openapis.org/oas/3.2/vocab/base: true type: - object diff --git a/src/schemas/validation/schema-base.yaml b/src/schemas/validation/schema-base.yaml index ea239c03e9..195ae5ed43 100644 --- a/src/schemas/validation/schema-base.yaml +++ b/src/schemas/validation/schema-base.yaml @@ -1,20 +1,20 @@ -$id: 'https://spec.openapis.org/oas/3.1/schema-base/WORK-IN-PROGRESS' +$id: 'https://spec.openapis.org/oas/3.2/schema-base/WORK-IN-PROGRESS' $schema: 'https://json-schema.org/draft/2020-12/schema' -description: The description of OpenAPI v3.1.x Documents using the OpenAPI JSON Schema dialect +description: The description of OpenAPI v3.2.x Documents using the OpenAPI JSON Schema dialect -$ref: 'https://spec.openapis.org/oas/3.1/schema/WORK-IN-PROGRESS' +$ref: 'https://spec.openapis.org/oas/3.2/schema/WORK-IN-PROGRESS' properties: jsonSchemaDialect: $ref: '#/$defs/dialect' $defs: dialect: - const: 'https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS' + const: 'https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS' schema: $dynamicAnchor: meta - $ref: 'https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS' + $ref: 'https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS' properties: $schema: $ref: '#/$defs/dialect' From 3c30838efcaffd9ca5279faba0bc87061bf3cd59 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Mon, 17 Feb 2025 18:33:05 +0100 Subject: [PATCH 047/342] Align terminology --- src/schemas/validation/meta.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/schemas/validation/meta.yaml b/src/schemas/validation/meta.yaml index 7b41b36eb9..eb6a9af2dd 100644 --- a/src/schemas/validation/meta.yaml +++ b/src/schemas/validation/meta.yaml @@ -2,7 +2,7 @@ $id: https://spec.openapis.org/oas/3.2/meta/WORK-IN-PROGRESS $schema: https://json-schema.org/draft/2020-12/schema title: OAS Base Vocabulary -description: A JSON Schema Vocabulary used in the OpenAPI Schema Dialect +description: A JSON Schema Vocabulary used in the OpenAPI JSON Schema Dialect $dynamicAnchor: meta From df69933f4375c5aefd6be8298d26245dd37a5b2e Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Mon, 24 Feb 2025 13:59:15 +0100 Subject: [PATCH 048/342] Reference RFC 9110 instead of RFCs 7230, 7231, and 7235 --- src/oas.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/oas.md b/src/oas.md index 4f025228b4..9227fdfb0e 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1024,7 +1024,7 @@ Describes a single API operation on a path. | externalDocs | [External Documentation Object](#external-documentation-object) | Additional external documentation for this operation. | | operationId | `string` | Unique string used to identify the operation. The id MUST be unique among all operations described in the API. The operationId value is **case-sensitive**. Tools and libraries MAY use the operationId to uniquely identify an operation, therefore, it is RECOMMENDED to follow common programming naming conventions. | | parameters | [[Parameter Object](#parameter-object) \| [Reference Object](#reference-object)] | A list of parameters that are applicable for this operation. If a parameter is already defined at the [Path Item](#path-item-parameters), the new definition will override it but can never remove it. The list MUST NOT include duplicated parameters. A unique parameter is defined by a combination of a [name](#parameter-name) and [location](#parameter-in). The list can use the [Reference Object](#reference-object) to link to parameters that are defined in the [OpenAPI Object's `components.parameters`](#components-parameters). | -| requestBody | [Request Body Object](#request-body-object) \| [Reference Object](#reference-object) | The request body applicable for this operation. The `requestBody` is fully supported in HTTP methods where the HTTP 1.1 specification [RFC7231](https://tools.ietf.org/html/rfc7231#section-4.3.1) has explicitly defined semantics for request bodies. In other cases where the HTTP spec is vague (such as [GET](https://tools.ietf.org/html/rfc7231#section-4.3.1), [HEAD](https://tools.ietf.org/html/rfc7231#section-4.3.2) and [DELETE](https://tools.ietf.org/html/rfc7231#section-4.3.5)), `requestBody` is permitted but does not have well-defined semantics and SHOULD be avoided if possible. | +| requestBody | [Request Body Object](#request-body-object) \| [Reference Object](#reference-object) | The request body applicable for this operation. The `requestBody` is fully supported in HTTP methods where the HTTP specification [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-9.3) has explicitly defined semantics for request bodies. In other cases where the HTTP spec discourages message content (such as [GET](https://www.rfc-editor.org/rfc/rfc9110.html#section-9.3.1) and [DELETE](https://www.rfc-editor.org/rfc/rfc9110.html#section-9.3.5)), `requestBody` is permitted but does not have well-defined semantics and SHOULD be avoided if possible. | | responses | [Responses Object](#responses-object) | The list of possible responses as they are returned from executing this operation. | | callbacks | Map[`string`, [Callback Object](#callback-object) \| [Reference Object](#reference-object)] | A map of possible out-of band callbacks related to the parent operation. The key is a unique identifier for the Callback Object. Each value in the map is a [Callback Object](#callback-object) that describes a request that may be initiated by the API provider and the expected responses. | | deprecated | `boolean` | Declares this operation to be deprecated. Consumers SHOULD refrain from usage of the declared operation. Default value is `false`. | @@ -1179,7 +1179,7 @@ There are four possible parameter locations specified by the `in` field: * path - Used together with [Path Templating](#path-templating), where the parameter value is actually part of the operation's URL. This does not include the host or base path of the API. For example, in `/items/{itemId}`, the path parameter is `itemId`. * query - Parameters that are appended to the URL. For example, in `/items?id=###`, the query parameter is `id`. -* header - Custom headers that are expected as part of the request. Note that [RFC7230](https://tools.ietf.org/html/rfc7230#section-3.2) states header names are case insensitive. +* header - Custom headers that are expected as part of the request. Note that [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.1) states header names are case insensitive. * cookie - Used to pass a specific cookie value to the API. ##### Fixed Fields @@ -1451,7 +1451,7 @@ Describes a single request body. | Field Name | Type | Description | | ---- | :----: | ---- | | description | `string` | A brief description of the request body. This could contain examples of use. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | -| content | Map[`string`, [Media Type Object](#media-type-object)] | **REQUIRED**. The content of the request body. The key is a media type or [media type range](https://tools.ietf.org/html/rfc7231#appendix-D) and the value describes it. For requests that match multiple keys, only the most specific key is applicable. e.g. `"text/plain"` overrides `"text/*"` | +| content | Map[`string`, [Media Type Object](#media-type-object)] | **REQUIRED**. The content of the request body. The key is a media type or [media type range](https://www.rfc-editor.org/rfc/rfc9110.html#appendix-A) and the value describes it. For requests that match multiple keys, only the most specific key is applicable. e.g. `"text/plain"` overrides `"text/*"` | | required | `boolean` | Determines if the request body is required in the request. Defaults to `false`. | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -2009,8 +2009,8 @@ Describes a single response from an API operation, including design-time, static | Field Name | Type | Description | | ---- | :----: | ---- | | description | `string` | **REQUIRED**. A description of the response. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | -| headers | Map[`string`, [Header Object](#header-object) \| [Reference Object](#reference-object)] | Maps a header name to its definition. [RFC7230](https://tools.ietf.org/html/rfc7230#section-3.2) states header names are case insensitive. If a response header is defined with the name `"Content-Type"`, it SHALL be ignored. | -| content | Map[`string`, [Media Type Object](#media-type-object)] | A map containing descriptions of potential response payloads. The key is a media type or [media type range](https://tools.ietf.org/html/rfc7231#appendix-D) and the value describes it. For responses that match multiple keys, only the most specific key is applicable. e.g. `"text/plain"` overrides `"text/*"` | +| headers | Map[`string`, [Header Object](#header-object) \| [Reference Object](#reference-object)] | Maps a header name to its definition. [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.1) states header names are case insensitive. If a response header is defined with the name `"Content-Type"`, it SHALL be ignored. | +| content | Map[`string`, [Media Type Object](#media-type-object)] | A map containing descriptions of potential response payloads. The key is a media type or [media type range](https://www.rfc-editor.org/rfc/rfc9110.html#appendix-A) and the value describes it. For responses that match multiple keys, only the most specific key is applicable. e.g. `"text/plain"` overrides `"text/*"` | | links | Map[`string`, [Link Object](#link-object) \| [Reference Object](#reference-object)] | A map of operations links that can be followed from the response. The key of the map is a short name for the link, following the naming constraints of the names for [Component Objects](#components-object). | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -2562,7 +2562,7 @@ The runtime expression is defined by the following [ABNF](https://tools.ietf.org / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA ``` -Here, `json-pointer` is taken from [RFC6901](https://tools.ietf.org/html/rfc6901), `char` from [RFC7159](https://tools.ietf.org/html/rfc7159#section-7) and `token` from [RFC7230](https://tools.ietf.org/html/rfc7230#section-3.2.6). +Here, `json-pointer` is taken from [RFC6901](https://tools.ietf.org/html/rfc6901), `CHAR` from [RFC7159](https://tools.ietf.org/html/rfc7159#section-7) and `token` from [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.6.2). The `name` identifier is case-sensitive, whereas `token` is not. @@ -3895,7 +3895,7 @@ Please note that as of 2020, the implicit flow is about to be deprecated by [OAu | description | `string` | Any | A description for security scheme. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | name | `string` | `apiKey` | **REQUIRED**. The name of the header, query or cookie parameter to be used. | | in | `string` | `apiKey` | **REQUIRED**. The location of the API key. Valid values are `"query"`, `"header"`, or `"cookie"`. | -| scheme | `string` | `http` | **REQUIRED**. The name of the HTTP Authentication scheme to be used in the [Authorization header as defined in RFC7235](https://tools.ietf.org/html/rfc7235#section-5.1). The values used SHOULD be registered in the [IANA Authentication Scheme registry](https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml). The value is case-insensitive, as defined in [RFC7235](https://datatracker.ietf.org/doc/html/rfc7235#section-2.1). | +| scheme | `string` | `http` | **REQUIRED**. The name of the HTTP Authentication scheme to be used in the [Authorization header as defined in RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-16.4.1). The values used SHOULD be registered in the [IANA Authentication Scheme registry](https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml). The value is case-insensitive, as defined in [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-11.1). | | bearerFormat | `string` | `http` (`"bearer"`) | A hint to the client to identify how the bearer token is formatted. Bearer tokens are usually generated by an authorization server, so this information is primarily for documentation purposes. | | flows | [OAuth Flows Object](#oauth-flows-object) | `oauth2` | **REQUIRED**. An object containing configuration information for the flow types supported. | | openIdConnectUrl | `string` | `openIdConnect` | **REQUIRED**. [Well-known URL](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig) to discover the [[OpenID-Connect-Discovery]] [provider metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). | From c11fda753aaa018abcd669d126e6c354eee855d6 Mon Sep 17 00:00:00 2001 From: Mike Kistler Date: Mon, 24 Feb 2025 08:21:20 -0600 Subject: [PATCH 049/342] Use defaultMapping for unmapped discriminating values --- src/oas.md | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/src/oas.md b/src/oas.md index 574d571e67..b5b7f1d4ad 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3425,7 +3425,7 @@ Note that `discriminator` MUST NOT change the validation outcome of the schema. | ---- | :----: | ---- | | propertyName | `string` | **REQUIRED**. The name of the discriminating property in the payload that will hold the discriminating value. The discriminating property MAY be defined as required or optional, but when defined as optional the Discriminator Object MUST include a `defaultMapping` field that specifies which schema is expected to validate the structure of the model when the discriminating property is not present. | | mapping | Map[`string`, `string`] | An object to hold mappings between payload values and schema names or URI references. | -| defaultMapping | `string` | The schema name or URI reference to a schema that is expected to validate the structure of the model when the discriminating property is not present in the payload. | +| defaultMapping | `string` | The schema name or URI reference to a schema that is expected to validate the structure of the model when the discriminating property is not present in the payload or contains a value for which there is no explicit or implicit mapping. | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -3455,20 +3455,24 @@ However, the exact nature of such conversions are implementation-defined. ##### Optional discriminating property -When the discriminating property is defined as optional, the [Discriminator Object](#discriminator-object) MUST include a `defaultMapping` field that specifies a schema that is expected to validate the structure of the model when the discriminating property is not present in the payload. This allows the schema to still be validated correctly even if the discriminating property is missing. +When the discriminating property is defined as optional, the [Discriminator Object](#discriminator-object) MUST include a `defaultMapping` field that specifies a schema that is expected to validate the structure of the model when the discriminating property is not present in the payload or contains a value for which there is no explicit or implicit mapping. This allows the schema to still be validated correctly even if the discriminating property is missing. The primary use case for an optional discriminating property is to allow a schema to be extended with a discriminator without breaking existing clients that do not provide the discriminating property. -Typically the schema specified in the `defaultMapping` field will specify that the discriminating property is not present, e.g. +When the discriminating property is defined as optional, it is important that each subschema that defines a value for the discriminating property also define the property as required, since this is no longer enforced by the parent schema. + +The `defaultMapping` schema is also expected to validate the structure of the model when the discriminating property is present but contains a value for which there is no explicit or implicit mapping. This is typically expressed in the `defaultMapping` schema by excluding any instances with mapped values of the discriminating property, e.g. ```yaml OtherPet: type: object - not: - required: ['petType'] + properties: + petType: + not: + enum: ['cat', 'dog'] ``` -This will prevent the default mapping schema from validating a payload that includes the discriminating property, which would cause a validation of the payload to fail when polymorphism is described using the `oneOf` JSON schema keyword. +This prevents the `defaultMapping` schema from validating a payload that includes the discriminating property with a mapped discriminating value, which would cause a validation to fail when polymorphism is described using the `oneOf` JSON schema keyword. ##### Examples @@ -3543,11 +3547,13 @@ MyResponseType: defaultMapping: OtherPet OtherPet: type: object - not: - required: ['petType'] + properties: + petType: + not: + enum: ['Cat', 'Dog', 'Lizard'] ``` -In this example, if the `petType` property is not present in the payload, the payload should validate against the `OtherPet` schema. +In this example, if the `petType` property is not present in the payload, or if the value of `petType` is not "Cat", "Dog", or "Lizard", then the payload should validate against the `OtherPet` schema. This example shows the `allOf` usage, which avoids needing to reference all child schemas in the parent: From da3c386c922bc2266b89e1b192044e90f8fe1e67 Mon Sep 17 00:00:00 2001 From: Mike Kistler Date: Thu, 27 Feb 2025 10:27:58 -0600 Subject: [PATCH 050/342] Apply suggestions from PR review Co-authored-by: Ralf Handl --- src/oas.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/oas.md b/src/oas.md index b5b7f1d4ad..0a5f6f808e 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3488,7 +3488,7 @@ MyResponseType: - $ref: '#/components/schemas/Lizard' ``` -which means the payload _MUST_, by validation, match exactly one of the schemas described by `Cat`, `Dog`, or `Lizard`. Deserialization of a `oneOf` can be a costly operation, as it requires determining which schema matches the payload and thus should be used in deserialization. This problem also exists for `anyOf` schemas. A `discriminator` MAY be used as a "hint" to improve the efficiency of selection of the matching schema. The [Discriminator Object](#discriminator-object) cannot change the validation result of the `oneOf`, it can only help make the deserialization more efficient and provide better error messaging. We can specify the exact field that tells us which schema is expected to match the instance: +which means a valid payload has to match exactly one of the schemas described by `Cat`, `Dog`, or `Lizard`. Deserialization of a `oneOf` can be a costly operation, as it requires determining which schema matches the payload and thus should be used in deserialization. This problem also exists for `anyOf` schemas. A `discriminator` can be used as a "hint" to improve the efficiency of selection of the matching schema. The [Discriminator Object](#discriminator-object) cannot change the validation result of the `oneOf`, it can only help make the deserialization more efficient and provide better error messaging. We can specify the exact field that tells us which schema is expected to match the instance: ```yaml MyResponseType: @@ -3511,7 +3511,7 @@ The expectation now is that a property with name `petType` _MUST_ be present in will indicate that the `Cat` schema is expected to match this payload. -In scenarios where the value of the discriminating property does not match the schema name or implicit mapping is not possible, an optional `mapping` definition MAY be used: +In scenarios where the value of the discriminating property does not match the schema name or implicit mapping is not possible, an optional `mapping` definition can be used: ```yaml MyResponseType: @@ -3531,7 +3531,7 @@ Here the discriminating value of `dog` will map to the schema `#/components/sche When used in conjunction with the `anyOf` construct, the use of the discriminator can avoid ambiguity for serializers/deserializers where multiple schemas may satisfy a single payload. -When the discriminating property is defined as optional, the Discriminator Object MUST include a `defaultMapping` field that specifies a schema of the `anyOf` or `oneOf` is expected to validate the structure of the model when the discriminating property is not present in the payload. This allows the schema to still be validated correctly even if the discriminator property is missing. +When the discriminating property is defined as optional, the Discriminator Object has to include a `defaultMapping` field that specifies a schema of the `anyOf` or `oneOf` is expected to validate the structure of the model when the discriminating property is not present in the payload. This allows the schema to still be validated correctly even if the discriminator property is missing. For example: From 6da8d26d70b1addb39818dd82f8d7357104e7ae2 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Fri, 28 Feb 2025 21:02:01 +0100 Subject: [PATCH 051/342] New fixed fields in Security Scheme Object Fixes #3400 --- src/schemas/validation/schema.yaml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 88148f6847..b20dbc1a35 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -749,6 +749,9 @@ $defs: - openIdConnect description: type: string + deprecated: + default: false + type: boolean required: - type allOf: @@ -822,6 +825,9 @@ $defs: properties: flows: $ref: '#/$defs/oauth-flows' + oauth2MetadataUrl: + type: string + format: uri-reference required: - flows @@ -861,6 +867,8 @@ $defs: $ref: '#/$defs/oauth-flows/$defs/client-credentials' authorizationCode: $ref: '#/$defs/oauth-flows/$defs/authorization-code' + deviceAuthorization: + $ref: '#/$defs/oauth-flows/$defs/device-authorization' $ref: '#/$defs/specification-extensions' unevaluatedProperties: false @@ -937,6 +945,27 @@ $defs: $ref: '#/$defs/specification-extensions' unevaluatedProperties: false + device-authorization: + type: object + properties: + deviceAuthorizationUrl: + type: string + format: uri-reference + tokenUrl: + type: string + format: uri-reference + refreshUrl: + type: string + format: uri + scopes: + $ref: '#/$defs/map-of-strings' + required: + - authorizationUrl + - tokenUrl + - scopes + $ref: '#/$defs/specification-extensions' + unevaluatedProperties: false + security-requirement: $comment: https://spec.openapis.org/oas/v3.1#security-requirement-object type: object From 2e745dc332620f473d434156800139ff8249c2a7 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Sat, 1 Mar 2025 17:14:27 +0100 Subject: [PATCH 052/342] refreshUrl is a uri-reference --- src/schemas/validation/schema.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index b20dbc1a35..3a8d2cb186 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -956,7 +956,7 @@ $defs: format: uri-reference refreshUrl: type: string - format: uri + format: uri-reference scopes: $ref: '#/$defs/map-of-strings' required: From d1a2f0a327f77bccb37644ff779147f4f9dfe6cf Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Thu, 6 Mar 2025 17:51:25 +0100 Subject: [PATCH 053/342] Change schema test fixtures openapi field to 3.2.0 --- tests/schema/fail/invalid_schema_types.yaml | 2 +- tests/schema/fail/no_containers.yaml | 2 +- tests/schema/fail/server_enum_empty.yaml | 2 +- tests/schema/fail/servers.yaml | 2 +- tests/schema/fail/unknown_container.yaml | 2 +- tests/schema/pass/comp_pathitems.yaml | 2 +- tests/schema/pass/info_summary.yaml | 2 +- tests/schema/pass/license_identifier.yaml | 2 +- tests/schema/pass/mega.yaml | 2 +- tests/schema/pass/minimal_comp.yaml | 2 +- tests/schema/pass/minimal_hooks.yaml | 2 +- tests/schema/pass/minimal_paths.yaml | 2 +- tests/schema/pass/non-oauth-scopes.yaml | 2 +- tests/schema/pass/path_no_response.yaml | 2 +- tests/schema/pass/path_var_empty_pathitem.yaml | 2 +- tests/schema/pass/schema.yaml | 2 +- tests/schema/pass/servers.yaml | 2 +- tests/schema/pass/valid_schema_types.yaml | 2 +- tests/schema/pass/webhook-example.yaml | 2 +- 19 files changed, 19 insertions(+), 19 deletions(-) diff --git a/tests/schema/fail/invalid_schema_types.yaml b/tests/schema/fail/invalid_schema_types.yaml index d295b1f0ed..ae51ad083e 100644 --- a/tests/schema/fail/invalid_schema_types.yaml +++ b/tests/schema/fail/invalid_schema_types.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.1 +openapi: 3.2.0 # this example shows invalid types for the schemaObject diff --git a/tests/schema/fail/no_containers.yaml b/tests/schema/fail/no_containers.yaml index c158bcb2b6..3c38be021d 100644 --- a/tests/schema/fail/no_containers.yaml +++ b/tests/schema/fail/no_containers.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 # this example should fail as there are no paths, components or webhooks containers (at least one of which must be present) diff --git a/tests/schema/fail/server_enum_empty.yaml b/tests/schema/fail/server_enum_empty.yaml index cd6d30eb3e..db4b970ced 100644 --- a/tests/schema/fail/server_enum_empty.yaml +++ b/tests/schema/fail/server_enum_empty.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 # this example should fail as the server variable enum is empty, and so does not contain the default value diff --git a/tests/schema/fail/servers.yaml b/tests/schema/fail/servers.yaml index 1470fe1ec8..1b5e2d5fc8 100644 --- a/tests/schema/fail/servers.yaml +++ b/tests/schema/fail/servers.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 # this example should fail, as servers must be an array, not an object diff --git a/tests/schema/fail/unknown_container.yaml b/tests/schema/fail/unknown_container.yaml index 7f31e86053..c0a4b8bb7e 100644 --- a/tests/schema/fail/unknown_container.yaml +++ b/tests/schema/fail/unknown_container.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 # this example should fail as overlays is not a valid top-level object/keyword diff --git a/tests/schema/pass/comp_pathitems.yaml b/tests/schema/pass/comp_pathitems.yaml index 502ca1fca2..5178c1f56b 100644 --- a/tests/schema/pass/comp_pathitems.yaml +++ b/tests/schema/pass/comp_pathitems.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: title: API version: 1.0.0 diff --git a/tests/schema/pass/info_summary.yaml b/tests/schema/pass/info_summary.yaml index 30d224afc2..6697751d56 100644 --- a/tests/schema/pass/info_summary.yaml +++ b/tests/schema/pass/info_summary.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: title: API summary: My lovely API diff --git a/tests/schema/pass/license_identifier.yaml b/tests/schema/pass/license_identifier.yaml index fbdba5efbe..20d5e4368e 100644 --- a/tests/schema/pass/license_identifier.yaml +++ b/tests/schema/pass/license_identifier.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: title: API summary: My lovely API diff --git a/tests/schema/pass/mega.yaml b/tests/schema/pass/mega.yaml index 8838c03a6d..a0179b64bd 100644 --- a/tests/schema/pass/mega.yaml +++ b/tests/schema/pass/mega.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: summary: My API's summary title: My API diff --git a/tests/schema/pass/minimal_comp.yaml b/tests/schema/pass/minimal_comp.yaml index 4553689ab4..8f81f7e05e 100644 --- a/tests/schema/pass/minimal_comp.yaml +++ b/tests/schema/pass/minimal_comp.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: title: API version: 1.0.0 diff --git a/tests/schema/pass/minimal_hooks.yaml b/tests/schema/pass/minimal_hooks.yaml index e67b2889de..0e44257ad0 100644 --- a/tests/schema/pass/minimal_hooks.yaml +++ b/tests/schema/pass/minimal_hooks.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: title: API version: 1.0.0 diff --git a/tests/schema/pass/minimal_paths.yaml b/tests/schema/pass/minimal_paths.yaml index 016e86796f..c332bba18c 100644 --- a/tests/schema/pass/minimal_paths.yaml +++ b/tests/schema/pass/minimal_paths.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: title: API version: 1.0.0 diff --git a/tests/schema/pass/non-oauth-scopes.yaml b/tests/schema/pass/non-oauth-scopes.yaml index e757452f38..45506616b4 100644 --- a/tests/schema/pass/non-oauth-scopes.yaml +++ b/tests/schema/pass/non-oauth-scopes.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: title: Non-oAuth Scopes example version: 1.0.0 diff --git a/tests/schema/pass/path_no_response.yaml b/tests/schema/pass/path_no_response.yaml index 334608f111..e4876799c9 100644 --- a/tests/schema/pass/path_no_response.yaml +++ b/tests/schema/pass/path_no_response.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: title: API version: 1.0.0 diff --git a/tests/schema/pass/path_var_empty_pathitem.yaml b/tests/schema/pass/path_var_empty_pathitem.yaml index ba92742f10..e79b7cd4fe 100644 --- a/tests/schema/pass/path_var_empty_pathitem.yaml +++ b/tests/schema/pass/path_var_empty_pathitem.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: title: API version: 1.0.0 diff --git a/tests/schema/pass/schema.yaml b/tests/schema/pass/schema.yaml index e192529a68..a6d72b9972 100644 --- a/tests/schema/pass/schema.yaml +++ b/tests/schema/pass/schema.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: title: API version: 1.0.0 diff --git a/tests/schema/pass/servers.yaml b/tests/schema/pass/servers.yaml index 77a20498da..8e7aa858ad 100644 --- a/tests/schema/pass/servers.yaml +++ b/tests/schema/pass/servers.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: title: API version: 1.0.0 diff --git a/tests/schema/pass/valid_schema_types.yaml b/tests/schema/pass/valid_schema_types.yaml index 4431adcda5..43e7cdc782 100644 --- a/tests/schema/pass/valid_schema_types.yaml +++ b/tests/schema/pass/valid_schema_types.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.1 +openapi: 3.2.1 # this example shows that top-level schemaObjects MAY be booleans diff --git a/tests/schema/pass/webhook-example.yaml b/tests/schema/pass/webhook-example.yaml index 2ac1cda985..c0b505ac63 100644 --- a/tests/schema/pass/webhook-example.yaml +++ b/tests/schema/pass/webhook-example.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: title: Webhook Example version: 1.0.0 From d83602db857c0b08d6b6e3141254df497d26f91b Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Fri, 7 Mar 2025 15:50:34 +0100 Subject: [PATCH 054/342] Fix typo --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index 9227fdfb0e..1373918439 100644 --- a/src/oas.md +++ b/src/oas.md @@ -4005,7 +4005,7 @@ Allows configuration of the supported OAuth Flows. | password | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Resource Owner Password flow | | clientCredentials | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Client Credentials flow. Previously called `application` in OpenAPI 2.0. | | authorizationCode | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Authorization Code flow. Previously called `accessCode` in OpenAPI 2.0. | -| deviceAuthorization| [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Device Authorization flow. | +| deviceAuthorization | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Device Authorization flow. | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -4018,7 +4018,7 @@ Configuration details for a supported OAuth Flow | Field Name | Type | Applies To | Description | | ---- | :----: | ---- | ---- | | authorizationUrl | `string` | `oauth2` (`"implicit"`, `"authorizationCode"`) | **REQUIRED**. The authorization URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | -| deviceAuthorizationUrl | `string` | `oauth2` (`"deviceAuthorization"`) | **REQUIRED**. The device authorization URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | +| deviceAuthorizationUrl | `string` | `oauth2` (`"deviceAuthorization"`) | **REQUIRED**. The device authorization URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | | tokenUrl | `string` | `oauth2` (`"password"`, `"clientCredentials"`, `"authorizationCode"`, `"deviceAuthorization"`) | **REQUIRED**. The token URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | | refreshUrl | `string` | `oauth2` | The URL to be used for obtaining refresh tokens. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | | scopes | Map[`string`, `string`] | `oauth2` | **REQUIRED**. The available scopes for the OAuth2 security scheme. A map between the scope name and a short description for it. The map MAY be empty. | From ff43df41443915dbc1245bdc9786ac0b97b084c1 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Fri, 7 Mar 2025 15:53:38 +0100 Subject: [PATCH 055/342] Update oas.md --- src/oas.md | 1 - 1 file changed, 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 1373918439..549c888fad 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2728,7 +2728,6 @@ This object MAY be extended with [Specification Extensions](#specification-exten ```yaml tags: - - name: account-updates summary: Account Updates description: Account update operations From 311c1f714b8eda730281f66250def17f5bd194c5 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Fri, 7 Mar 2025 17:00:21 +0100 Subject: [PATCH 056/342] Fix misspelled anchor tags --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index 4f025228b4..19d26b27c0 100644 --- a/src/oas.md +++ b/src/oas.md @@ -4005,7 +4005,7 @@ Allows configuration of the supported OAuth Flows. | password | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Resource Owner Password flow | | clientCredentials | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Client Credentials flow. Previously called `application` in OpenAPI 2.0. | | authorizationCode | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Authorization Code flow. Previously called `accessCode` in OpenAPI 2.0. | -| deviceAuthorization| [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Device Authorization flow. | +| deviceAuthorization| [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Device Authorization flow. | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -4018,7 +4018,7 @@ Configuration details for a supported OAuth Flow | Field Name | Type | Applies To | Description | | ---- | :----: | ---- | ---- | | authorizationUrl | `string` | `oauth2` (`"implicit"`, `"authorizationCode"`) | **REQUIRED**. The authorization URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | -| deviceAuthorizationUrl | `string` | `oauth2` (`"deviceAuthorization"`) | **REQUIRED**. The device authorization URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | +| deviceAuthorizationUrl | `string` | `oauth2` (`"deviceAuthorization"`) | **REQUIRED**. The device authorization URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | | tokenUrl | `string` | `oauth2` (`"password"`, `"clientCredentials"`, `"authorizationCode"`, `"deviceAuthorization"`) | **REQUIRED**. The token URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | | refreshUrl | `string` | `oauth2` | The URL to be used for obtaining refresh tokens. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | | scopes | Map[`string`, `string`] | `oauth2` | **REQUIRED**. The available scopes for the OAuth2 security scheme. A map between the scope name and a short description for it. The map MAY be empty. | From 9755f94c90f13c7bf5d0901cf74171fa5b2e9f00 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Fri, 7 Mar 2025 17:07:36 +0100 Subject: [PATCH 057/342] Revert "Fix typo" This reverts commit d83602db857c0b08d6b6e3141254df497d26f91b. --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index 549c888fad..05eba9807a 100644 --- a/src/oas.md +++ b/src/oas.md @@ -4004,7 +4004,7 @@ Allows configuration of the supported OAuth Flows. | password | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Resource Owner Password flow | | clientCredentials | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Client Credentials flow. Previously called `application` in OpenAPI 2.0. | | authorizationCode | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Authorization Code flow. Previously called `accessCode` in OpenAPI 2.0. | -| deviceAuthorization | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Device Authorization flow. | +| deviceAuthorization| [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Device Authorization flow. | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -4017,7 +4017,7 @@ Configuration details for a supported OAuth Flow | Field Name | Type | Applies To | Description | | ---- | :----: | ---- | ---- | | authorizationUrl | `string` | `oauth2` (`"implicit"`, `"authorizationCode"`) | **REQUIRED**. The authorization URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | -| deviceAuthorizationUrl | `string` | `oauth2` (`"deviceAuthorization"`) | **REQUIRED**. The device authorization URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | +| deviceAuthorizationUrl | `string` | `oauth2` (`"deviceAuthorization"`) | **REQUIRED**. The device authorization URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | | tokenUrl | `string` | `oauth2` (`"password"`, `"clientCredentials"`, `"authorizationCode"`, `"deviceAuthorization"`) | **REQUIRED**. The token URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | | refreshUrl | `string` | `oauth2` | The URL to be used for obtaining refresh tokens. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | | scopes | Map[`string`, `string`] | `oauth2` | **REQUIRED**. The available scopes for the OAuth2 security scheme. A map between the scope name and a short description for it. The map MAY be empty. | From 7ff212bc78295434c1ee8fb570c8925daf5f2c1f Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Tue, 18 Mar 2025 12:56:01 +0100 Subject: [PATCH 058/342] Schema coverage: 100% --- src/schemas/validation/schema.yaml | 2 +- .../schema/pass/callback-object-examples.yaml | 30 +++++ .../pass/components-object-example.yaml | 71 +++++++++++ .../schema/pass/example-object-examples.yaml | 63 ++++++++++ tests/schema/pass/header-object-examples.yaml | 25 ++++ tests/schema/pass/info-object-example.yaml | 19 +++ tests/schema/pass/link-object-examples.yaml | 62 ++++++++++ tests/schema/pass/media-type-examples.yaml | 97 +++++++++++++++ .../schema/pass/operation-object-example.yaml | 47 ++++++++ .../pass/parameter-object-examples.yaml | 54 +++++++++ .../schema/pass/path-item-object-example.yaml | 35 ++++++ .../pass/path_item_servers_parameters.yaml | 112 ++++++++++++++++++ tests/schema/pass/paths-object-example.yaml | 17 +++ tests/schema/pass/request-body-examples.yaml | 34 ++++++ .../schema/pass/response-object-examples.yaml | 42 +++++++ .../pass/security-scheme-object-examples.yaml | 59 +++++++++ tests/schema/pass/servers.yaml | 15 +++ tests/schema/pass/tag-object-example.yaml | 25 ++++ tests/schema/schema.test.mjs | 2 +- 19 files changed, 809 insertions(+), 2 deletions(-) create mode 100644 tests/schema/pass/callback-object-examples.yaml create mode 100644 tests/schema/pass/components-object-example.yaml create mode 100644 tests/schema/pass/example-object-examples.yaml create mode 100644 tests/schema/pass/header-object-examples.yaml create mode 100644 tests/schema/pass/info-object-example.yaml create mode 100644 tests/schema/pass/link-object-examples.yaml create mode 100644 tests/schema/pass/media-type-examples.yaml create mode 100644 tests/schema/pass/operation-object-example.yaml create mode 100644 tests/schema/pass/parameter-object-examples.yaml create mode 100644 tests/schema/pass/path-item-object-example.yaml create mode 100644 tests/schema/pass/path_item_servers_parameters.yaml create mode 100644 tests/schema/pass/paths-object-example.yaml create mode 100644 tests/schema/pass/request-body-examples.yaml create mode 100644 tests/schema/pass/response-object-examples.yaml create mode 100644 tests/schema/pass/security-scheme-object-examples.yaml create mode 100644 tests/schema/pass/tag-object-example.yaml diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 3f7e5065aa..e6de0a48c8 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -630,7 +630,7 @@ $defs: requestBody: true description: type: string - body: + server: $ref: '#/$defs/server' oneOf: - required: diff --git a/tests/schema/pass/callback-object-examples.yaml b/tests/schema/pass/callback-object-examples.yaml new file mode 100644 index 0000000000..7a7f86f070 --- /dev/null +++ b/tests/schema/pass/callback-object-examples.yaml @@ -0,0 +1,30 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + callbacks: + myCallback: + '{$request.query.queryUrl}': + post: + requestBody: + description: Callback payload + content: + application/json: + schema: + $ref: '#/components/schemas/SomePayload' + responses: + '200': + description: callback successfully processed + transactionCallback: + 'http://notificationServer.com?transactionId={$request.body#/id}&email={$request.body#/email}': + post: + requestBody: + description: Callback payload + content: + application/json: + schema: + $ref: '#/components/schemas/SomePayload' + responses: + '200': + description: callback successfully processed \ No newline at end of file diff --git a/tests/schema/pass/components-object-example.yaml b/tests/schema/pass/components-object-example.yaml new file mode 100644 index 0000000000..33a56e608f --- /dev/null +++ b/tests/schema/pass/components-object-example.yaml @@ -0,0 +1,71 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + schemas: + GeneralError: + type: object + properties: + code: + type: integer + format: int32 + message: + type: string + Category: + type: object + properties: + id: + type: integer + format: int64 + name: + type: string + Tag: + type: object + properties: + id: + type: integer + format: int64 + name: + type: string + parameters: + skipParam: + name: skip + in: query + description: number of items to skip + required: true + schema: + type: integer + format: int32 + limitParam: + name: limit + in: query + description: max records to return + required: true + schema: + type: integer + format: int32 + responses: + NotFound: + description: Entity not found. + IllegalInput: + description: Illegal input for operation. + GeneralError: + description: General Error + content: + application/json: + schema: + $ref: '#/components/schemas/GeneralError' + securitySchemes: + api_key: + type: apiKey + name: api-key + in: header + petstore_auth: + type: oauth2 + flows: + implicit: + authorizationUrl: https://example.org/api/oauth/dialog + scopes: + write:pets: modify pets in your account + read:pets: read your pets \ No newline at end of file diff --git a/tests/schema/pass/example-object-examples.yaml b/tests/schema/pass/example-object-examples.yaml new file mode 100644 index 0000000000..61d6b347ee --- /dev/null +++ b/tests/schema/pass/example-object-examples.yaml @@ -0,0 +1,63 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + requestBodies: + with-example: + content: + 'application/json': + schema: + $ref: '#/components/schemas/Address' + examples: + foo: + summary: A foo example + value: + foo: bar + bar: + summary: A bar example + value: + bar: baz + application/xml: + examples: + xmlExample: + summary: This is an example in XML + externalValue: https://example.org/examples/address-example.xml + text/plain: + examples: + textExample: + summary: This is a text example + externalValue: https://foo.bar/examples/address-example.txt + parameters: + with-example: + name: zipCode + in: query + schema: + type: string + format: zip-code + examples: + zip-example: + $ref: '#/components/examples/zip-example' + responses: + '200': + description: your car appointment has been booked + content: + application/json: + schema: + $ref: '#/components/schemas/SuccessResponse' + examples: + confirmation-success: + $ref: '#/components/examples/confirmation-success' + application/x-www-form-urlencoded: + schema: + type: object + properties: + jsonValue: + type: string + encoding: + jsonValue: + contentType: application/json + examples: + jsonFormValue: + description: 'The JSON string "json" as a form value' + value: jsonValue=%22json%22 diff --git a/tests/schema/pass/header-object-examples.yaml b/tests/schema/pass/header-object-examples.yaml new file mode 100644 index 0000000000..2a23a8ff82 --- /dev/null +++ b/tests/schema/pass/header-object-examples.yaml @@ -0,0 +1,25 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + headers: + X-Rate-Limit-Limit: + description: The number of allowed requests in the current period + deprecated: false + schema: + type: integer + ETag: + required: true + content: + text/plain: + schema: + type: string + pattern: ^" + Reference: + $ref: '#/components/schemas/ETag' + Style: + schema: + type: array + style: simple + explode: true \ No newline at end of file diff --git a/tests/schema/pass/info-object-example.yaml b/tests/schema/pass/info-object-example.yaml new file mode 100644 index 0000000000..2f1be1d6f5 --- /dev/null +++ b/tests/schema/pass/info-object-example.yaml @@ -0,0 +1,19 @@ +# including External Documentation Object Example +openapi: 3.2.0 +info: + title: Example Pet Store App + summary: A pet store manager. + description: This is an example server for a pet store. + termsOfService: https://example.com/terms/ + contact: + name: API Support + url: https://www.example.com/support + email: support@example.com + license: + name: Apache 2.0 + url: https://www.apache.org/licenses/LICENSE-2.0.html + version: 1.0.1 +externalDocs: + description: Find more info here + url: https://example.com +components: {} diff --git a/tests/schema/pass/link-object-examples.yaml b/tests/schema/pass/link-object-examples.yaml new file mode 100644 index 0000000000..12a1194bf5 --- /dev/null +++ b/tests/schema/pass/link-object-examples.yaml @@ -0,0 +1,62 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +paths: + /users/{id}: + parameters: + - name: id + in: path + required: true + description: the user identifier, as userId + schema: + type: string + get: + responses: + '200': + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: # the unique user id + type: string + format: uuid + links: + address: + # the target link operationId + operationId: getUserAddress + parameters: + # get the `id` field from the request path parameter named `id` + userid: $request.path.id + address2: + operationId: getUserAddressByUUID + parameters: + # get the `uuid` field from the `uuid` field in the response body + userUuid: $response.body#/uuid + UserRepositories: + # returns array of '#/components/schemas/repository' + operationRef: '#/paths/~12.0~1repositories~1%7Busername%7D/get' + parameters: + username: $response.body#/username + UserRepositories2: + # returns array of '#/components/schemas/repository' + operationRef: https://na2.gigantic-server.com/#/paths/~12.0~1repositories~1%7Busername%7D/get + parameters: + username: $response.body#/username + # the path item of the linked operation + /users/{userid}/address: + parameters: + - name: userid + in: path + required: true + description: the user identifier, as userId + schema: + type: string + # linked operation + get: + operationId: getUserAddress + responses: + '200': + description: the user's address \ No newline at end of file diff --git a/tests/schema/pass/media-type-examples.yaml b/tests/schema/pass/media-type-examples.yaml new file mode 100644 index 0000000000..dd71a42008 --- /dev/null +++ b/tests/schema/pass/media-type-examples.yaml @@ -0,0 +1,97 @@ +# including Encoding Object examples +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +paths: + /something: + put: + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Pet' + examples: + cat: + summary: An example of a cat + value: + name: Fluffy + petType: Cat + color: White + gender: male + breed: Persian + dog: + summary: An example of a dog with a cat's name + value: + name: Puma + petType: Dog + color: Black + gender: Female + breed: Mixed + frog: + $ref: '#/components/examples/frog-example' + application/x-www-form-urlencoded: + schema: + type: object + properties: + id: + type: string + format: uuid + address: + # complex types are stringified to support RFC 1866 + type: object + properties: {} + icon: + # The default with "contentEncoding" is application/octet-stream, + # so we need to set image media type(s) in the Encoding Object. + type: string + contentEncoding: base64url + encoding: + icon: + contentType: image/png, image/jpeg + multipart/form-data: + schema: + type: object + properties: + id: + # default is `text/plain` + type: string + format: uuid + addresses: + # default based on the `items` subschema would be + # `application/json`, but we want these address objects + # serialized as `application/xml` instead + description: addresses in XML format + type: array + items: + $ref: '#/components/schemas/Address' + profileImage: + # default is application/octet-stream, but we can declare + # a more specific image type or types + type: string + format: binary + forCoverage: + type: string + forCoverage2: + type: string + encoding: + addresses: + # require XML Content-Type in utf-8 encoding + # This is applied to each address part corresponding + # to each address in he array + contentType: application/xml; charset=utf-8 + profileImage: + # only accept png or jpeg + contentType: image/png, image/jpeg + headers: + X-Rate-Limit-Limit: + description: The number of allowed requests in the current period + schema: + type: integer + forCoverage: + style: form + explode: false + allowReserved: true + forCoverage2: + style: spaceDelimited + explode: true \ No newline at end of file diff --git a/tests/schema/pass/operation-object-example.yaml b/tests/schema/pass/operation-object-example.yaml new file mode 100644 index 0000000000..1e5bac29f1 --- /dev/null +++ b/tests/schema/pass/operation-object-example.yaml @@ -0,0 +1,47 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +paths: + /pets/{id}: + put: + tags: + - pet + summary: Updates a pet in the store with form data + operationId: updatePetWithForm + parameters: + - name: petId + in: path + description: ID of pet that needs to be updated + required: true + schema: + type: string + requestBody: + content: + application/x-www-form-urlencoded: + schema: + type: object + properties: + name: + description: Updated name of the pet + type: string + status: + description: Updated status of the pet + type: string + required: + - status + responses: + '200': + description: Pet updated. + content: + application/json: {} + application/xml: {} + '405': + description: Method Not Allowed + content: + application/json: {} + application/xml: {} + security: + - petstore_auth: + - write:pets + - read:pets \ No newline at end of file diff --git a/tests/schema/pass/parameter-object-examples.yaml b/tests/schema/pass/parameter-object-examples.yaml new file mode 100644 index 0000000000..ba8fbc4886 --- /dev/null +++ b/tests/schema/pass/parameter-object-examples.yaml @@ -0,0 +1,54 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +paths: + /user/{username}: + parameters: + - name: token + in: header + description: token to be passed as a header + required: true + schema: + type: array + items: + type: integer + format: int64 + style: simple + - name: username + in: path + description: username to fetch + required: true + schema: + type: string + - name: id + in: query + description: ID of the object to fetch + required: false + schema: + type: array + items: + type: string + style: form + explode: true + - in: query + name: freeForm + schema: + type: object + additionalProperties: + type: integer + style: form + - in: query + name: coordinates + content: + application/json: + schema: + type: object + required: + - lat + - long + properties: + lat: + type: number + long: + type: number \ No newline at end of file diff --git a/tests/schema/pass/path-item-object-example.yaml b/tests/schema/pass/path-item-object-example.yaml new file mode 100644 index 0000000000..234325e21a --- /dev/null +++ b/tests/schema/pass/path-item-object-example.yaml @@ -0,0 +1,35 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +paths: + /pets/{id}: + get: + description: Returns pets based on ID + summary: Find pets by ID + operationId: getPetsById + responses: + '200': + description: pet response + content: + '*/*': + schema: + type: array + items: + $ref: '#/components/schemas/Pet' + default: + description: error payload + content: + text/html: + schema: + $ref: '#/components/schemas/ErrorModel' + parameters: + - name: id + in: path + description: ID of pet to use + required: true + schema: + type: array + items: + type: string + style: simple \ No newline at end of file diff --git a/tests/schema/pass/path_item_servers_parameters.yaml b/tests/schema/pass/path_item_servers_parameters.yaml new file mode 100644 index 0000000000..7cedc5d16c --- /dev/null +++ b/tests/schema/pass/path_item_servers_parameters.yaml @@ -0,0 +1,112 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +paths: + /things: + summary: Lots of things + servers: + - url: https://things.example.com + get: + summary: Get a list of things + externalDocs: + description: Find more info here + url: https://example.com + parameters: + - $ref: '#/components/parameters/biscuit' + summary: The maximum number of things to return + description: The maximum number of things to return + responses: + default: + description: A list of things + servers: + - url: https://things.example.com + post: + deprecated: false + requestBody: + $ref: '#/components/requestBodies/ThingRequestBody' + responses: + '201': + $ref: '#/components/responses/ThingResponse' + callbacks: + myCallback: + '{$request.query.queryUrl}': + post: + requestBody: + description: Callback payload + content: + application/json: + schema: + $ref: '#/components/schemas/SomePayload' + responses: + '200': + description: callback successfully processed + transactionCallback: + $ref: '#/components/callbacks/transactionCallback' + patch: {} + delete: {} + head: {} + options: {} + trace: {} +components: + callbacks: + transactionCallback: + 'http://notificationServer.com?transactionId={$request.body#/id}&email={$request.body#/email}': + post: + requestBody: + description: Callback payload + content: + application/json: + schema: + $ref: '#/components/schemas/SomePayload' + responses: + '200': + description: callback successfully processed + examples: + ThingExample: + summary: A thing + description: A thing + value: + id: 1 + name: Thing + links: + ThingLink: + description: A link to a thing + operationId: getThing + parameters: + thingId: '$response.body#/id' + server: + url: https://things.example.com + ThingyLink: + $ref: '#/components/links/ThingLink' + parameters: + limit: + name: limit + in: query + required: false + allowEmptyValue: false + allowReserved: false + deprecated: true + description: The maximum number of list items to return + schema: + type: integer + minimum: 0 + biscuit: + name: biscuit + in: cookie + style: form + schema: + type: string + requestBodies: + ThingRequestBody: + content: + application/json: + schema: + type: object + responses: + ThingResponse: + description: A thing + content: + application/json: + schema: + type: object diff --git a/tests/schema/pass/paths-object-example.yaml b/tests/schema/pass/paths-object-example.yaml new file mode 100644 index 0000000000..2ee08e581e --- /dev/null +++ b/tests/schema/pass/paths-object-example.yaml @@ -0,0 +1,17 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +paths: + /pets: + get: + description: Returns all pets from the system that the user has access to + responses: + '200': + description: A list of pets. + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/pet' \ No newline at end of file diff --git a/tests/schema/pass/request-body-examples.yaml b/tests/schema/pass/request-body-examples.yaml new file mode 100644 index 0000000000..4da1d41bd4 --- /dev/null +++ b/tests/schema/pass/request-body-examples.yaml @@ -0,0 +1,34 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +paths: + /something: + put: + requestBody: + description: user to add to the system + content: + application/json: + schema: + $ref: '#/components/schemas/User' + examples: + user: + summary: User example + externalValue: https://foo.bar/examples/user-example.json + application/xml: + schema: + $ref: '#/components/schemas/User' + examples: + user: + summary: User example in XML + externalValue: https://foo.bar/examples/user-example.xml + text/plain: + examples: + user: + summary: User example in plain text + externalValue: https://foo.bar/examples/user-example.txt + '*/*': + examples: + user: + summary: User example in other format + externalValue: https://foo.bar/examples/user-example.whatever \ No newline at end of file diff --git a/tests/schema/pass/response-object-examples.yaml b/tests/schema/pass/response-object-examples.yaml new file mode 100644 index 0000000000..8c3edd7d0c --- /dev/null +++ b/tests/schema/pass/response-object-examples.yaml @@ -0,0 +1,42 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + responses: + complex-object-array: + description: A complex object array response + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/VeryComplexType' + simple-string: + description: A simple string response + content: + text/plain: + schema: + type: string + plain-text-with-headers: + description: A simple string response + content: + text/plain: + schema: + type: string + example: 'whoa!' + headers: + X-Rate-Limit-Limit: + description: The number of allowed requests in the current period + schema: + type: integer + X-Rate-Limit-Remaining: + description: The number of remaining requests in the current period + schema: + type: integer + X-Rate-Limit-Reset: + description: The number of seconds left in the current period + schema: + type: integer + no-return-value: + description: object created \ No newline at end of file diff --git a/tests/schema/pass/security-scheme-object-examples.yaml b/tests/schema/pass/security-scheme-object-examples.yaml new file mode 100644 index 0000000000..8db1abe25a --- /dev/null +++ b/tests/schema/pass/security-scheme-object-examples.yaml @@ -0,0 +1,59 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +security: + - basic: [] + - apiKey: [] + - JWT-bearer: [] + - mutualTLS: [] + - OAuth2: + - write:pets + - read:pets +components: + securitySchemes: + basic: + type: http + scheme: basic + apiKey: + type: apiKey + name: api-key + in: header + JWT-bearer: + type: http + scheme: bearer + bearerFormat: JWT + mutualTLS: + type: mutualTLS + description: Cert must be signed by example.com CA + OAuth2: + type: oauth2 + flows: + implicit: + authorizationUrl: https://example.com/api/oauth/dialog + scopes: + write:pets: modify pets in your account + read:pets: read your pets + refreshUrl: https://example.com/api/oauth/refresh + authorizationCode: + authorizationUrl: https://example.com/api/oauth/dialog + refreshUrl: https://example.com/api/oauth/refresh + tokenUrl: https://example.com/api/oauth/token + scopes: + write:pets: modify pets in your account + read:pets: read your pets + password: + tokenUrl: https://example.com/api/oauth/token + scopes: + read:pets: read your pets + refreshUrl: https://example.com/api/oauth/refresh + clientCredentials: + tokenUrl: https://example.com/api/oauth/token + scopes: + read:pets: read your pets + refreshUrl: https://example.com/api/oauth/refresh + OpenIdConnect: + type: openIdConnect + openIdConnectUrl: https://example.com/api/oauth/openid + external: + $ref: 'https://example.com/api/openapi.json#/components/externalDocs/ThingExternalDocs' \ No newline at end of file diff --git a/tests/schema/pass/servers.yaml b/tests/schema/pass/servers.yaml index 8e7aa858ad..2d3b84ef8e 100644 --- a/tests/schema/pass/servers.yaml +++ b/tests/schema/pass/servers.yaml @@ -8,3 +8,18 @@ servers: description: Run locally. - url: https://production.com/v1 description: Run on production server. + - url: https://{username}.gigantic-server.com:{port}/{basePath} + description: The production API server + variables: + username: + # note! no enum here means it is an open value + default: demo + description: A user-specific subdomain. Use `demo` for a free sandbox environment. + port: + enum: + - '8443' + - '443' + default: '8443' + basePath: + # open meaning there is the opportunity to use special base paths as assigned by the provider, default is `v2` + default: v2 \ No newline at end of file diff --git a/tests/schema/pass/tag-object-example.yaml b/tests/schema/pass/tag-object-example.yaml new file mode 100644 index 0000000000..6e740c8df0 --- /dev/null +++ b/tests/schema/pass/tag-object-example.yaml @@ -0,0 +1,25 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +paths: {} +tags: + + - name: account-updates + summary: Account Updates + description: Account update operations + kind: nav + + - name: partner + summary: Partner + description: Operations available to the partners network + parent: external + kind: audience + + - name: external + summary: External + description: Operations available to external consumers + kind: audience + externalDocs: + description: Find more info here + url: https://example.com diff --git a/tests/schema/schema.test.mjs b/tests/schema/schema.test.mjs index 17d1f9ce46..362ccc856c 100644 --- a/tests/schema/schema.test.mjs +++ b/tests/schema/schema.test.mjs @@ -37,7 +37,7 @@ describe("v3.1", () => { test(entry.name, () => { const instance = parseYamlFromFile(`${fixtures}/pass/${entry.name}`); const output = validateOpenApi(instance, BASIC); - expect(output.valid).to.equal(true); + expect(output).to.deep.equal({ valid: true }); }); }); }); From 50f65f5049a8f3cd2d2c28a00ad948d86efc04f5 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sun, 23 Feb 2025 16:29:52 -0800 Subject: [PATCH 059/342] Allow URIs for Security Schemes This allows Security Requirement Objects to reference Security Scheme Objects by URI instead of implicit component name. Without this ability, it is difficult to share Security Schemes in a way that is consistent with re-usable component documents. This approach provides parity with how the Discriminator Object's mapping field works. Also add a note about the complexity of these rules to the Security Considerations section. --- src/oas.md | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/src/oas.md b/src/oas.md index 19d26b27c0..a14bbf0d24 100644 --- a/src/oas.md +++ b/src/oas.md @@ -214,8 +214,8 @@ This allows Security Scheme Objects and Tag Objects to be defined next to the AP The interface approach can also work for Discriminator Objects and Schema Objects, but it is also possible to keep the Discriminator Object's behavior within a single document using the relative URI-reference syntax of `mapping`. -There are no URI-based alternatives for the Security Requirement Object or for the Operation Object's `tags` field. -These limitations are expected to be addressed in a future release. +There are no URI-based alternatives for the Operation Object's `tags` field. +This limitation is expected to be addressed in a future release. See [Appendix F: Resolving Security Requirements in a Referenced Document](#appendix-f-resolving-security-requirements-in-a-referenced-document) for an example of the possible resolutions, including which one is recommended by this section. The behavior for Discrimator Object non-URI mappings and for the Operation Object's `tags` field operate on the same principles. @@ -4069,7 +4069,12 @@ flows: #### Security Requirement Object Lists the required security schemes to execute this operation. -The name used for each property MUST correspond to a security scheme declared in the [Security Schemes](#security-scheme-object) under the [Components Object](#components-object). + +The name used for each property MUST either correspond to a security scheme declared in the [Security Schemes](#security-scheme-object) under the [Components Object](#components-object), or be the URI of a Security Scheme Object. +Property names that match the syntax of a component name under the Components Object MUST be treated as a component name. +To reference a Security Scheme with a single-segment relative URI reference (e.g. `foo`) that collides with a component name (e.g. `#/components/securitySchemes/foo`), use the `.` path segment (e.g. `./foo`). + +Using a Security Scheme component name that appears to be a URI is NOT RECOMMENDED, as the precedence of component-name-matching over URI resolution, which is necessary to maintain compatibility with prior OAS versions, is counter-intuitive. See also [Security Considerations](#security-considerations). A Security Requirement Object MAY refer to multiple security schemes in which case all schemes MUST be satisfied for a request to be authorized. This enables support for scenarios where multiple query parameters or HTTP headers are required to convey security information. @@ -4082,8 +4087,8 @@ An empty Security Requirement Object (`{}`) indicates anonymous access is suppor ##### Patterned Fields | Field Pattern | Type | Description | -| ---- | :----: | ---- | -| {name} | [`string`] | Each name MUST correspond to a security scheme which is declared in the [Security Schemes](#security-scheme-object) under the [Components Object](#components-object). If the security scheme is of type `"oauth2"` or `"openIdConnect"`, then the value is a list of scope names required for the execution, and the list MAY be empty if authorization does not require a specified scope. For other security scheme types, the array MAY contain a list of role names which are required for the execution, but are not otherwise defined or exchanged in-band. | +| --- | :---: | --- | +| {name} | [`string`] | Each name or URI MUST correspond to a security scheme as described above. If the security scheme is of type `"oauth2"` or `"openIdConnect"`, then the value is a list of scope names required for the execution, and the list MAY be empty if authorization does not require a specified scope. For other security scheme types, the array MAY contain a list of role names which are required for the execution, but are not otherwise defined or exchanged in-band. | ##### Security Requirement Object Examples @@ -4103,6 +4108,8 @@ api_key: [] ###### OAuth2 Security Requirement +This example uses a component name for the Security Scheme. + ```json { "petstore_auth": ["write:pets", "read:pets"] @@ -4117,6 +4124,8 @@ petstore_auth: ###### Optional OAuth2 Security +This example uses a relative URI reference for the Security Scheme. + Optional OAuth2 security as would be defined in an OpenAPI Object or an Operation Object: ```json @@ -4124,7 +4133,7 @@ Optional OAuth2 security as would be defined in an Ope "security": [ {}, { - "petstore_auth": ["write:pets", "read:pets"] + "#/components/securitySchemes/petstore_auth": ["write:pets", "read:pets"] } ] } @@ -4186,6 +4195,11 @@ In addition, OpenAPI Descriptions are processed by a wide variety of tooling for An OpenAPI Description describes the security schemes used to protect the resources it defines. The security schemes available offer varying degrees of protection. Factors such as the sensitivity of the data and the potential impact of a security breach should guide the selection of security schemes for the API resources. Some security schemes, such as basic auth and OAuth Implicit flow, are supported for compatibility with existing APIs. However, their inclusion in OpenAPI does not constitute an endorsement of their use, particularly for highly sensitive data or operations. +The rules for connecting a [Security Requirement Object](#security-requirement-object) to a [Security Scheme Object](#security-scheme-object) under a [Components Object](#components-object) are ambiguous in a way that could be exploited. Specifically: + +* It is implementation-defined whether a component name used by a Security Requirement Object in a referenced document is resolved from the entry document (RECOMMENDED) or the referenced document. +* A Security Requirement Object that uses a URI to identify a Security Scheme Object can have the URI resolution hijacked by providing a Security Scheme component name identical to the URI, as the name lookup behavior takes precedence over URI resolution for compatibility with previous versions of the OAS. + ### Handling External Resources OpenAPI Descriptions may contain references to external resources that may be dereferenced automatically by consuming tools. External resources may be hosted on different domains that may be untrusted. From 33aef075bb0ded0820720eb27736082fbf9d45fd Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 13 Mar 2025 09:46:00 -0700 Subject: [PATCH 060/342] Review feedback --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index a14bbf0d24..10c892ff2d 100644 --- a/src/oas.md +++ b/src/oas.md @@ -4071,7 +4071,7 @@ flows: Lists the required security schemes to execute this operation. The name used for each property MUST either correspond to a security scheme declared in the [Security Schemes](#security-scheme-object) under the [Components Object](#components-object), or be the URI of a Security Scheme Object. -Property names that match the syntax of a component name under the Components Object MUST be treated as a component name. +Property names that are identical to a component name under the Components Object MUST be treated as a component name. To reference a Security Scheme with a single-segment relative URI reference (e.g. `foo`) that collides with a component name (e.g. `#/components/securitySchemes/foo`), use the `.` path segment (e.g. `./foo`). Using a Security Scheme component name that appears to be a URI is NOT RECOMMENDED, as the precedence of component-name-matching over URI resolution, which is necessary to maintain compatibility with prior OAS versions, is counter-intuitive. See also [Security Considerations](#security-considerations). @@ -4088,7 +4088,7 @@ An empty Security Requirement Object (`{}`) indicates anonymous access is suppor | Field Pattern | Type | Description | | --- | :---: | --- | -| {name} | [`string`] | Each name or URI MUST correspond to a security scheme as described above. If the security scheme is of type `"oauth2"` or `"openIdConnect"`, then the value is a list of scope names required for the execution, and the list MAY be empty if authorization does not require a specified scope. For other security scheme types, the array MAY contain a list of role names which are required for the execution, but are not otherwise defined or exchanged in-band. | +| {name} | [`string`] | Each name or URI MUST correspond to a security scheme as described above. If the security scheme is of type `"oauth2"` or `"openIdConnect"`, then the value is a list of scope names required for the execution, and the list MAY be empty if authorization does not require a specified scope. For other security scheme types, the array MAY contain a list of role names which are required for the execution, but are not otherwise defined or exchanged in-band. | ##### Security Requirement Object Examples From 5599cd3e13c97fdc0d282c7068f31c1d559d1c95 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Wed, 19 Mar 2025 12:30:42 +0100 Subject: [PATCH 061/342] Update JSON Schema references to latest 2020-12 draft --- src/oas.md | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/src/oas.md b/src/oas.md index 19d26b27c0..41db6dbecc 100644 --- a/src/oas.md +++ b/src/oas.md @@ -151,7 +151,7 @@ It is RECOMMENDED that the entry document of an OAD be named: `openapi.json` or #### Parsing Documents -In order to properly handle [Schema Objects](#schema-object), OAS 3.1 inherits the parsing requirements of [JSON Schema Specification Draft 2020-12](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-9), with appropriate modifications regarding base URIs as specified in [Relative References In URIs](#relative-references-in-api-description-uris). +In order to properly handle [Schema Objects](#schema-object), OAS 3.1 inherits the parsing requirements of [JSON Schema Specification Draft 2020-12](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-01#section-9), with appropriate modifications regarding base URIs as specified in [Relative References In URIs](#relative-references-in-api-description-uris). This includes a requirement to parse complete documents before deeming a Schema Object reference to be unresolvable, in order to detect keywords that might provide the reference target or impact the determination of the appropriate base URI. @@ -224,22 +224,22 @@ Note that no aspect of implicit connection resolution changes how [URIs are reso ### Data Types -Data types in the OAS are based on the types defined by the [JSON Schema Validation Specification Draft 2020-12](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-00#section-6.1.1): +Data types in the OAS are based on the types defined by the [JSON Schema Validation Specification Draft 2020-12](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-01#section-6.1.1): "null", "boolean", "object", "array", "number", "string", or "integer". Models are defined using the [Schema Object](#schema-object), which is a superset of the JSON Schema Specification Draft 2020-12. JSON Schema keywords and `format` values operate on JSON "instances" which may be one of the six JSON data types, "null", "boolean", "object", "array", "number", or "string", with certain keywords and formats only applying to a specific type. For example, the `pattern` keyword and the `date-time` format only apply to strings, and treat any instance of the other five types as _automatically valid._ This means JSON Schema keywords and formats do **NOT** implicitly require the expected type. Use the `type` keyword to explicitly constrain the type. -Note that the `type` keyword allows `"integer"` as a value for convenience, but keyword and format applicability does not recognize integers as being of a distinct JSON type from other numbers because [[RFC7159|JSON]] itself does not make that distinction. Since there is no distinct JSON integer type, JSON Schema defines integers mathematically. This means that both `1` and `1.0` are [equivalent](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-4.2.2), and are both considered to be integers. +Note that the `type` keyword allows `"integer"` as a value for convenience, but keyword and format applicability does not recognize integers as being of a distinct JSON type from other numbers because [[RFC7159|JSON]] itself does not make that distinction. Since there is no distinct JSON integer type, JSON Schema defines integers mathematically. This means that both `1` and `1.0` are [equivalent](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-01#section-4.2.2), and are both considered to be integers. #### Data Type Format -As defined by the [JSON Schema Validation specification](https://tools.ietf.org/html/draft-bhutton-json-schema-validation-00#section-7.3), data types can have an optional modifier keyword: `format`. As described in that specification, `format` is treated as a non-validating annotation by default; the ability to validate `format` varies across implementations. +As defined by the [JSON Schema Validation specification](https://tools.ietf.org/html/draft-bhutton-json-schema-validation-01#section-7.3), data types can have an optional modifier keyword: `format`. As described in that specification, `format` is treated as a non-validating annotation by default; the ability to validate `format` varies across implementations. The OpenAPI Initiative also hosts a [Format Registry](https://spec.openapis.org/registry/format/) for formats defined by OAS users and other specifications. Support for any registered format is strictly OPTIONAL, and support for one registered format does not imply support for any others. Types that are not accompanied by a `format` keyword follow the type definition in the JSON Schema. Tools that do not recognize a specific `format` MAY default back to the `type` alone, as if the `format` is not specified. -For the purpose of [JSON Schema validation](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-00#section-7.1), each format should specify the set of JSON data types for which it applies. In this registry, these types are shown in the "JSON Data Type" column. +For the purpose of [JSON Schema validation](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-01#section-7.1), each format should specify the set of JSON data types for which it applies. In this registry, these types are shown in the "JSON Data Type" column. The formats defined by the OAS are: @@ -264,9 +264,9 @@ In the following table showing how to use Schema Object keywords for binary data | Keyword | Raw | Encoded | Comments | | ---- | ---- | ---- | ---- | -| `type` | _omit_ | `string` | raw binary is [outside of `type`](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-4.2.3) | +| `type` | _omit_ | `string` | raw binary is [outside of `type`](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-01#section-4.2.3) | | `contentMediaType` | `image/png` | `image/png` | can sometimes be omitted if redundant (see below) | -| `contentEncoding` | _omit_ | `base64` or `base64url` | other encodings are [allowed](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-00#section-8.3) | +| `contentEncoding` | _omit_ | `base64` or `base64url` | other encodings are [allowed](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-01#section-8.3) | Note that the encoding indicated by `contentEncoding`, which inflates the size of data in order to represent it as 7-bit ASCII text, is unrelated to HTTP's `Content-Encoding` header, which indicates whether and how a message body has been compressed and is applied after all content serialization described in this section has occurred. Since HTTP allows unencoded binary message bodies, there is no standardized HTTP header for indicating base64 or similar encoding of an entire message body. @@ -301,14 +301,14 @@ OpenAPI Description authors SHOULD consider how text using such extensions will ### Relative References in API Description URIs URIs used as references within an OpenAPI Description, or to external documentation or other supplementary information such as a license, are resolved as _identifiers_, and described by this specification as **_URIs_**. -As noted under [Parsing Documents](#parsing-documents), this specification inherits JSON Schema Specification Draft 2020-12's requirements for [loading documents](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-9) and associating them with their expected URIs, which might not match their current location. +As noted under [Parsing Documents](#parsing-documents), this specification inherits JSON Schema Specification Draft 2020-12's requirements for [loading documents](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-01#section-9) and associating them with their expected URIs, which might not match their current location. This feature is used both for working in development or test environments without having to change the URIs, and for working within restrictive network configurations or security policies. Note that some URI fields are named `url` for historical reasons, but the descriptive text for those fields uses the correct "URI" terminology. Unless specified otherwise, all fields that are URIs MAY be relative references as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-4.2). -Relative references in [Schema Objects](#schema-object), including any that appear as `$id` values, use the nearest parent `$id` as a Base URI, as described by [JSON Schema Specification Draft 2020-12](https://tools.ietf.org/html/draft-bhutton-json-schema-00#section-8.2). +Relative references in [Schema Objects](#schema-object), including any that appear as `$id` values, use the nearest parent `$id` as a Base URI, as described by [JSON Schema Specification Draft 2020-12](https://tools.ietf.org/html/draft-bhutton-json-schema-01#section-8.2). Relative URI references in other Objects, and in Schema Objects where no parent schema contains an `$id`, MUST be resolved using the referring document's base URI, which is determined in accordance with [[RFC3986]] [Section 5.1.2 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.2). In practice, this is usually the retrieval URI of the document, which MAY be determined based on either its current actual location or a user-supplied expected location. @@ -2805,16 +2805,16 @@ $ref: definitions.yaml#/Pet #### Schema Object The Schema Object allows the definition of input and output data types. -These types can be objects, but also primitives and arrays. This object is a superset of the [JSON Schema Specification Draft 2020-12](https://tools.ietf.org/html/draft-bhutton-json-schema-00). The empty schema (which allows any instance to validate) MAY be represented by the boolean value `true` and a schema which allows no instance to validate MAY be represented by the boolean value `false`. +These types can be objects, but also primitives and arrays. This object is a superset of the [JSON Schema Specification Draft 2020-12](https://tools.ietf.org/html/draft-bhutton-json-schema-01). The empty schema (which allows any instance to validate) MAY be represented by the boolean value `true` and a schema which allows no instance to validate MAY be represented by the boolean value `false`. -For more information about the keywords, see [JSON Schema Core](https://tools.ietf.org/html/draft-bhutton-json-schema-00) and [JSON Schema Validation](https://tools.ietf.org/html/draft-bhutton-json-schema-validation-00). +For more information about the keywords, see [JSON Schema Core](https://tools.ietf.org/html/draft-bhutton-json-schema-01) and [JSON Schema Validation](https://tools.ietf.org/html/draft-bhutton-json-schema-validation-01). Unless stated otherwise, the keyword definitions follow those of JSON Schema and do not add any additional semantics; this includes keywords such as `$schema`, `$id`, `$ref`, and `$dynamicRef` being URIs rather than URLs. Where JSON Schema indicates that behavior is defined by the application (e.g. for annotations), OAS also defers the definition of semantics to the application consuming the OpenAPI document. ##### JSON Schema Keywords -The OpenAPI Schema Object [dialect](https://tools.ietf.org/html/draft-bhutton-json-schema-00#section-4.3.3) is defined as requiring the [OAS base vocabulary](#base-vocabulary), in addition to the vocabularies as specified in the JSON Schema Specification Draft 2020-12 [general purpose meta-schema](https://tools.ietf.org/html/draft-bhutton-json-schema-00#section-8). +The OpenAPI Schema Object [dialect](https://tools.ietf.org/html/draft-bhutton-json-schema-01#section-4.3.3) is defined as requiring the [OAS base vocabulary](#base-vocabulary), in addition to the vocabularies as specified in the JSON Schema Specification Draft 2020-12 [general purpose meta-schema](https://tools.ietf.org/html/draft-bhutton-json-schema-01#section-8). The OpenAPI Schema Object dialect for this version of the specification is identified by the URI `https://spec.openapis.org/oas/3.1/dialect/base` (the "OAS dialect schema id"). @@ -2825,7 +2825,7 @@ The following keywords are taken from the JSON Schema specification but their de In addition to the JSON Schema keywords comprising the OAS dialect, the Schema Object supports keywords from any other vocabularies, or entirely arbitrary properties. -JSON Schema implementations MAY choose to treat keywords defined by the OpenAPI Specification's base vocabulary as [unknown keywords](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-4.3.1), due to its inclusion in the OAS dialect with a [`$vocabulary`](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-8.1.2) value of `false`. +JSON Schema implementations MAY choose to treat keywords defined by the OpenAPI Specification's base vocabulary as [unknown keywords](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-01#section-4.3.1), due to its inclusion in the OAS dialect with a [`$vocabulary`](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-01#section-8.1.2) value of `false`. The OAS base vocabulary is comprised of the following keywords: ##### Fixed Fields @@ -2841,20 +2841,20 @@ This object MAY be extended with [Specification Extensions](#specification-exten ##### Extended Validation with Annotations -JSON Schema Draft 2020-12 supports [collecting annotations](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-7.7.1), including [treating unrecognized keywords as annotations](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-6.5). +JSON Schema Draft 2020-12 supports [collecting annotations](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-01#section-7.7.1), including [treating unrecognized keywords as annotations](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-01#section-6.5). OAS implementations MAY use such annotations, including [extensions](https://spec.openapis.org/registry/extension/) not recognized as part of a declared JSON Schema vocabulary, as the basis for further validation. Note that JSON Schema Draft 2020-12 does not require an `x-` prefix for extensions. ###### Non-validating constraint keywords -The [`format` keyword (when using default format-annotation vocabulary)](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-00#section-7.2.1) and the [`contentMediaType`, `contentEncoding`, and `contentSchema` keywords](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-00#section-8.2) define constraints on the data, but are treated as annotations instead of being validated directly. +The [`format` keyword (when using default format-annotation vocabulary)](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-01#section-7.2.1) and the [`contentMediaType`, `contentEncoding`, and `contentSchema` keywords](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-01#section-8.2) define constraints on the data, but are treated as annotations instead of being validated directly. Extended validation is one way that these constraints MAY be enforced. ###### Validating `readOnly` and `writeOnly` The `readOnly` and `writeOnly` keywords are annotations, as JSON Schema is not aware of how the data it is validating is being used. Validation of these keywords MAY be done by checking the annotation, the read or write direction, and (if relevant) the current value of the field. -[JSON Schema Validation Draft 2020-12 §9.4](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-00#section-9.4) defines the expectations of these keywords, including that a resource (described as the "owning authority") MAY either ignore a `readOnly` field or treat it as an error. +[JSON Schema Validation Draft 2020-12 §9.4](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-01#section-9.4) defines the expectations of these keywords, including that a resource (described as the "owning authority") MAY either ignore a `readOnly` field or treat it as an error. Fields that are both required and read-only are an example of when it is beneficial to ignore a `readOnly: true` constraint in a PUT, particularly if the value has not been changed. This allows correctly requiring the field on a GET and still using the same representation and schema with PUT. @@ -2902,7 +2902,7 @@ The [XML Object](#xml-object) contains additional information about the availabl It is important for tooling to be able to determine which dialect or meta-schema any given resource wishes to be processed with: JSON Schema Core, JSON Schema Validation, OpenAPI Schema dialect, or some custom meta-schema. -The `$schema` keyword MAY be present in any Schema Object that is a [schema resource root](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-4.3.5), and if present MUST be used to determine which dialect should be used when processing the schema. This allows use of Schema Objects which comply with other drafts of JSON Schema than the default Draft 2020-12 support. Tooling MUST support the OAS dialect schema id, and MAY support additional values of `$schema`. +The `$schema` keyword MAY be present in any Schema Object that is a [schema resource root](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-01#section-4.3.5), and if present MUST be used to determine which dialect should be used when processing the schema. This allows use of Schema Objects which comply with other drafts of JSON Schema than the default Draft 2020-12 support. Tooling MUST support the OAS dialect schema id, and MAY support additional values of `$schema`. To allow use of a different default `$schema` value for all Schema Objects contained within an OAS document, a `jsonSchemaDialect` value may be set within the OpenAPI Object. If this default is not set, then the OAS dialect schema id MUST be used for these Schema Objects. The value of `$schema` within a resource root Schema Object always overrides any default. @@ -4175,8 +4175,8 @@ OpenAPI Descriptions use a combination of JSON, YAML, and JSON Schema, and there * [JSON](https://www.iana.org/assignments/media-types/application/json) * [YAML](https://www.iana.org/assignments/media-types/application/yaml) -* [JSON Schema Core](https://tools.ietf.org/html/draft-bhutton-json-schema-00#section-13) -* [JSON Schema Validation](https://tools.ietf.org/html/draft-bhutton-json-schema-validation-00#section-10) +* [JSON Schema Core](https://tools.ietf.org/html/draft-bhutton-json-schema-01#section-13) +* [JSON Schema Validation](https://tools.ietf.org/html/draft-bhutton-json-schema-validation-01#section-10) ### Tooling and Usage Scenarios @@ -4225,7 +4225,7 @@ Certain fields allow the use of Markdown which can contain HTML including script Serializing typed data to plain text, which can occur in `text/plain` message bodies or `multipart` parts, as well as in the `application/x-www-form-urlencoded` format in either URL query strings or message bodies, involves significant implementation- or application-defined behavior. -[Schema Objects](#schema-object) validate data based on the [JSON Schema data model](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-4.2.1), which only recognizes four primitive data types: strings (which are [only broadly interoperable as UTF-8](https://datatracker.ietf.org/doc/html/rfc7159#section-8.1)), numbers, booleans, and `null`. +[Schema Objects](#schema-object) validate data based on the [JSON Schema data model](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-01#section-4.2.1), which only recognizes four primitive data types: strings (which are [only broadly interoperable as UTF-8](https://datatracker.ietf.org/doc/html/rfc7159#section-8.1)), numbers, booleans, and `null`. Notably, integers are not a distinct type from other numbers, with `type: "integer"` being a convenience defined mathematically, rather than based on the presence or absence of a decimal point in any string representation. The [Parameter Object](#parameter-object), [Header Object](#header-object), and [Encoding Object](#encoding-object) offer features to control how to arrange values from array or object types. From 9e1ff6b04b4c5e206965662067153895d09670d7 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Wed, 19 Mar 2025 10:57:06 -0400 Subject: [PATCH 062/342] feat: adds a name field to the server object Signed-off-by: Vincent Biret --- src/oas.md | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/src/oas.md b/src/oas.md index 19d26b27c0..1737af40b9 100644 --- a/src/oas.md +++ b/src/oas.md @@ -477,6 +477,7 @@ An object representing a Server. | ---- | :----: | ---- | | url | `string` | **REQUIRED**. A URL to the target host. This URL supports Server Variables and MAY be relative, to indicate that the host location is relative to the location where the document containing the Server Object is being served. Variable substitutions will be made when a variable is named in `{`braces`}`. | | description | `string` | An optional string describing the host designated by the URL. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | +| name | `string` | An optional unique string to refer to the host designated by the URL. | | variables | Map[`string`, [Server Variable Object](#server-variable-object)] | A map between a variable name and its value. The value is used for substitution in the server's URL template. | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -488,13 +489,15 @@ A single server would be described as: ```json { "url": "https://development.gigantic-server.com/v1", - "description": "Development server" + "description": "Development server", + "name": "dev" } ``` ```yaml url: https://development.gigantic-server.com/v1 description: Development server +name: dev ``` The following shows how multiple servers can be described, for example, at the OpenAPI Object's [`servers`](#oas-servers): @@ -504,15 +507,18 @@ The following shows how multiple servers can be described, for example, at the O "servers": [ { "url": "https://development.gigantic-server.com/v1", - "description": "Development server" + "description": "Development server", + "name": "dev" }, { "url": "https://staging.gigantic-server.com/v1", - "description": "Staging server" + "description": "Staging server", + "name": "staging" }, { "url": "https://api.gigantic-server.com/v1", - "description": "Production server" + "description": "Production server", + "name": "prod" } ] } @@ -522,10 +528,13 @@ The following shows how multiple servers can be described, for example, at the O servers: - url: https://development.gigantic-server.com/v1 description: Development server + name: dev - url: https://staging.gigantic-server.com/v1 description: Staging server + name: staging - url: https://api.gigantic-server.com/v1 description: Production server + name: prod ``` The following shows how variables can be used for a server configuration: @@ -536,6 +545,7 @@ The following shows how variables can be used for a server configuration: { "url": "https://{username}.gigantic-server.com:{port}/{basePath}", "description": "The production API server", + "name": "prod", "variables": { "username": { "default": "demo", @@ -558,6 +568,7 @@ The following shows how variables can be used for a server configuration: servers: - url: https://{username}.gigantic-server.com:{port}/{basePath} description: The production API server + name: prod variables: username: # note! no enum here means it is an open value From f1426811b08802842b0e48fe5ac96439ebec1c36 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Wed, 19 Mar 2025 11:03:45 -0400 Subject: [PATCH 063/342] chore: updates schema for server name field Signed-off-by: Vincent Biret --- src/schemas/validation/schema.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 3a8d2cb186..339417aed6 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -121,6 +121,8 @@ $defs: type: string description: type: string + name: + type: [string, null] variables: type: object additionalProperties: From 49f43d405a8463fd213a687473ad191ec49e00bf Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Wed, 19 Mar 2025 12:16:46 -0400 Subject: [PATCH 064/342] Update src/schemas/validation/schema.yaml Co-authored-by: Ralf Handl --- src/schemas/validation/schema.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 339417aed6..3150952aa1 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -122,7 +122,7 @@ $defs: description: type: string name: - type: [string, null] + type: string variables: type: object additionalProperties: From 5ed147c9dcd95bcdd917d189f49ba050b3b7d886 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Wed, 19 Mar 2025 12:17:24 -0400 Subject: [PATCH 065/342] ci: adds a test value Signed-off-by: Vincent Biret --- tests/schema/pass/servers.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/schema/pass/servers.yaml b/tests/schema/pass/servers.yaml index 77a20498da..02e067a629 100644 --- a/tests/schema/pass/servers.yaml +++ b/tests/schema/pass/servers.yaml @@ -6,5 +6,6 @@ paths: {} servers: - url: /v1 description: Run locally. + name: local - url: https://production.com/v1 description: Run on production server. From 2b0b34242d602ddd83a2f0e0458506a735d68f53 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Wed, 26 Mar 2025 14:43:23 +0100 Subject: [PATCH 066/342] Fixes #4487 --- src/oas.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/oas.md b/src/oas.md index 400813a449..b4bb05b8ae 100644 --- a/src/oas.md +++ b/src/oas.md @@ -117,7 +117,7 @@ Occasionally, non-backwards compatible changes may be made in `minor` versions o ### Format -An OpenAPI Document that conforms to the OpenAPI Specification is itself a JSON object, which may be represented either in JSON or YAML format. +An OpenAPI Document that conforms to the OpenAPI Specification is itself a JSON object, which may be represented either in [[RFC8259|JSON]] or [[YAML|YAML]] format. For example, if a field has an array value, the JSON array representation will be used: @@ -230,7 +230,7 @@ Models are defined using the [Schema Object](#schema-object), which is a superse JSON Schema keywords and `format` values operate on JSON "instances" which may be one of the six JSON data types, "null", "boolean", "object", "array", "number", or "string", with certain keywords and formats only applying to a specific type. For example, the `pattern` keyword and the `date-time` format only apply to strings, and treat any instance of the other five types as _automatically valid._ This means JSON Schema keywords and formats do **NOT** implicitly require the expected type. Use the `type` keyword to explicitly constrain the type. -Note that the `type` keyword allows `"integer"` as a value for convenience, but keyword and format applicability does not recognize integers as being of a distinct JSON type from other numbers because [[RFC7159|JSON]] itself does not make that distinction. Since there is no distinct JSON integer type, JSON Schema defines integers mathematically. This means that both `1` and `1.0` are [equivalent](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-01#section-4.2.2), and are both considered to be integers. +Note that the `type` keyword allows `"integer"` as a value for convenience, but keyword and format applicability does not recognize integers as being of a distinct JSON type from other numbers because [[RFC8259|JSON]] itself does not make that distinction. Since there is no distinct JSON integer type, JSON Schema defines integers mathematically. This means that both `1` and `1.0` are [equivalent](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-01#section-4.2.2), and are both considered to be integers. #### Data Type Format @@ -2556,13 +2556,13 @@ The runtime expression is defined by the following [ABNF](https://tools.ietf.org ; %x2F ('/') and %x7E ('~') are excluded from 'unescaped' escaped = "~" ( "0" / "1" ) ; representing '~' and '/', respectively - name = *( CHAR ) + name = *char token = 1*tchar tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA ``` -Here, `json-pointer` is taken from [RFC6901](https://tools.ietf.org/html/rfc6901), `CHAR` from [RFC7159](https://tools.ietf.org/html/rfc7159#section-7) and `token` from [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.6.2). +Here, `json-pointer` is taken from [RFC6901](https://tools.ietf.org/html/rfc6901), `char` from [RFC8259](https://tools.ietf.org/html/rfc8259#section-7) and `token` from [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.6.2). The `name` identifier is case-sensitive, whereas `token` is not. @@ -4335,7 +4335,7 @@ Certain fields allow the use of Markdown which can contain HTML including script Serializing typed data to plain text, which can occur in `text/plain` message bodies or `multipart` parts, as well as in the `application/x-www-form-urlencoded` format in either URL query strings or message bodies, involves significant implementation- or application-defined behavior. -[Schema Objects](#schema-object) validate data based on the [JSON Schema data model](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-01#section-4.2.1), which only recognizes four primitive data types: strings (which are [only broadly interoperable as UTF-8](https://datatracker.ietf.org/doc/html/rfc7159#section-8.1)), numbers, booleans, and `null`. +[Schema Objects](#schema-object) validate data based on the [JSON Schema data model](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-01#section-4.2.1), which only recognizes four primitive data types: strings (which are [only broadly interoperable as UTF-8](https://datatracker.ietf.org/doc/html/rfc8259#section-8.1)), numbers, booleans, and `null`. Notably, integers are not a distinct type from other numbers, with `type: "integer"` being a convenience defined mathematically, rather than based on the presence or absence of a decimal point in any string representation. The [Parameter Object](#parameter-object), [Header Object](#header-object), and [Encoding Object](#encoding-object) offer features to control how to arrange values from array or object types. From b7a2d9ff22020920086495400997f9b5b1b93b02 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Wed, 26 Mar 2025 14:58:02 +0100 Subject: [PATCH 067/342] fixes #3538 --- src/oas.md | 2 +- src/schemas/validation/schema.yaml | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/src/oas.md b/src/oas.md index 400813a449..4be888a19f 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2008,7 +2008,7 @@ Describes a single response from an API operation, including design-time, static | Field Name | Type | Description | | ---- | :----: | ---- | -| description | `string` | **REQUIRED**. A description of the response. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | +| description | `string` | A description of the response. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | headers | Map[`string`, [Header Object](#header-object) \| [Reference Object](#reference-object)] | Maps a header name to its definition. [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.1) states header names are case insensitive. If a response header is defined with the name `"Content-Type"`, it SHALL be ignored. | | content | Map[`string`, [Media Type Object](#media-type-object)] | A map containing descriptions of potential response payloads. The key is a media type or [media type range](https://www.rfc-editor.org/rfc/rfc9110.html#appendix-A) and the value describes it. For responses that match multiple keys, only the most specific key is applicable. e.g. `"text/plain"` overrides `"text/*"` | | links | Map[`string`, [Link Object](#link-object) \| [Reference Object](#reference-object)] | A map of operations links that can be followed from the response. The key of the map is a short name for the link, following the naming constraints of the names for [Component Objects](#components-object). | diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 947a4b004b..2ea743dd49 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -555,8 +555,6 @@ $defs: type: object additionalProperties: $ref: '#/$defs/link-or-reference' - required: - - description $ref: '#/$defs/specification-extensions' unevaluatedProperties: false From 5929a5449488c1479550013e485455d76e12e153 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Wed, 26 Mar 2025 15:24:25 +0100 Subject: [PATCH 068/342] Schema test case for device authorization --- src/schemas/validation/schema.yaml | 2 +- .../pass/security-scheme-object-examples.yaml | 22 ++++++++++++++----- 2 files changed, 17 insertions(+), 7 deletions(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 947a4b004b..31a190023c 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -960,7 +960,7 @@ $defs: scopes: $ref: '#/$defs/map-of-strings' required: - - authorizationUrl + - deviceAuthorizationUrl - tokenUrl - scopes $ref: '#/$defs/specification-extensions' diff --git a/tests/schema/pass/security-scheme-object-examples.yaml b/tests/schema/pass/security-scheme-object-examples.yaml index 8db1abe25a..d3472d5a32 100644 --- a/tests/schema/pass/security-scheme-object-examples.yaml +++ b/tests/schema/pass/security-scheme-object-examples.yaml @@ -28,13 +28,8 @@ components: description: Cert must be signed by example.com CA OAuth2: type: oauth2 + oauth2MetadataUrl: https://example.com/api/oauth/metadata flows: - implicit: - authorizationUrl: https://example.com/api/oauth/dialog - scopes: - write:pets: modify pets in your account - read:pets: read your pets - refreshUrl: https://example.com/api/oauth/refresh authorizationCode: authorizationUrl: https://example.com/api/oauth/dialog refreshUrl: https://example.com/api/oauth/refresh @@ -52,6 +47,21 @@ components: scopes: read:pets: read your pets refreshUrl: https://example.com/api/oauth/refresh + deviceAuthorization: + deviceAuthorizationUrl: https://example.com/api/oauth/device + tokenUrl: https://example.com/api/oauth/token + scopes: + read:pets: read your pets + refreshUrl: https://example.com/api/oauth/refresh + OAuth2Old: + deprecated: true + type: oauth2 + flows: + implicit: + authorizationUrl: https://example.com/api/oauth/dialog + scopes: + read:pets: read your pets + refreshUrl: https://example.com/api/oauth/refresh OpenIdConnect: type: openIdConnect openIdConnectUrl: https://example.com/api/oauth/openid From 3a763a4b3648c672dc51884060a6d1915b258ba3 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 27 Mar 2025 08:42:18 -0700 Subject: [PATCH 069/342] Remove promise of URIs for tags, not alternatives --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 400813a449..59db290e99 100644 --- a/src/oas.md +++ b/src/oas.md @@ -215,7 +215,7 @@ This allows Security Scheme Objects and Tag Objects to be defined next to the AP The interface approach can also work for Discriminator Objects and Schema Objects, but it is also possible to keep the Discriminator Object's behavior within a single document using the relative URI-reference syntax of `mapping`. There are no URI-based alternatives for the Operation Object's `tags` field. -This limitation is expected to be addressed in a future release. +OAD authors are advised to use external solutions such as the OpenAPI Initiative's Overlay Specification to simulate sharing [Tag Objects](#tag-object) across multiple documents. See [Appendix F: Resolving Security Requirements in a Referenced Document](#appendix-f-resolving-security-requirements-in-a-referenced-document) for an example of the possible resolutions, including which one is recommended by this section. The behavior for Discrimator Object non-URI mappings and for the Operation Object's `tags` field operate on the same principles. From 701d460b15c99a26f3646f4a0323fd40e0c73bb4 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Fri, 28 Mar 2025 08:54:34 -0400 Subject: [PATCH 070/342] feat: adds additional operations for path item object Signed-off-by: Vincent Biret --- src/oas.md | 55 +++++++++++++++++++++++++++++- src/schemas/validation/schema.yaml | 22 ++++++++++++ 2 files changed, 76 insertions(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 5d56bed793..6afe86b2a0 100644 --- a/src/oas.md +++ b/src/oas.md @@ -924,6 +924,7 @@ The path itself is still exposed to the documentation viewer but they will not k | $ref | `string` | Allows for a referenced definition of this path item. The value MUST be in the form of a URI, and the referenced structure MUST be in the form of a [Path Item Object](#path-item-object). In case a Path Item Object field appears both in the defined object and the referenced object, the behavior is undefined. See the rules for resolving [Relative References](#relative-references-in-api-description-uris).

_**Note:** The behavior of `$ref` with adjacent properties is likely to change in future versions of this specification to bring it into closer alignment with the behavior of the [Reference Object](#reference-object)._ | | summary | `string` | An optional string summary, intended to apply to all operations in this path. | | description | `string` | An optional string description, intended to apply to all operations in this path. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | +| additionalOperations | Map[`string`, [Operation Object](#operation-object)] | A map of additional operations on this path. This map MUST NOT contain any entry matching (case-insensitive) any operation that can be defined on the parent path item object. | | get | [Operation Object](#operation-object) | A definition of a GET operation on this path. | | put | [Operation Object](#operation-object) | A definition of a PUT operation on this path. | | post | [Operation Object](#operation-object) | A definition of a POST operation on this path. | @@ -985,7 +986,39 @@ This object MAY be extended with [Specification Extensions](#specification-exten }, "style": "simple" } - ] + ], + "additionalOperations": { + "query": { + "description": "Returns pets based on ID", + "summary": "Find pets by ID", + "operationId": "queryPetsById", + "responses": { + "200": { + "description": "pet response", + "content": { + "*/*": { + "schema": { + "type": "array", + "items": { + "$ref": "#/components/schemas/Pet" + } + } + } + } + }, + "default": { + "description": "error payload", + "content": { + "text/html": { + "schema": { + "$ref": "#/components/schemas/ErrorModel" + } + } + } + } + } + } + } } ``` @@ -1019,6 +1052,26 @@ parameters: items: type: string style: simple +additionalOperations: + query: + description: Returns pets based on ID + summary: Find pets by ID + operationId: queryPetsById + responses: + '200': + description: pet response + content: + '*/*': + schema: + type: array + items: + $ref: '#/components/schemas/Pet' + default: + description: error payload + content: + text/html: + schema: + $ref: '#/components/schemas/ErrorModel' ``` #### Operation Object diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 8d14aec869..666e9314d6 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -230,6 +230,28 @@ $defs: type: array items: $ref: '#/$defs/parameter-or-reference' + additionalOperations: + type: object + additionalProperties: + $ref: '#/$defs/operation' + not: + required: + - get: + $ref: '#/$defs/operation' + - put: + $ref: '#/$defs/operation' + - post: + $ref: '#/$defs/operation' + - delete: + $ref: '#/$defs/operation' + - options: + $ref: '#/$defs/operation' + - head: + $ref: '#/$defs/operation' + - patch: + $ref: '#/$defs/operation' + - trace: + $ref: '#/$defs/operation' get: $ref: '#/$defs/operation' put: From 524cc6f44cbdb1829ed0766800720537b462a1f8 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Fri, 28 Mar 2025 08:58:31 -0400 Subject: [PATCH 071/342] chore: adds test data for additional operations Signed-off-by: Vincent Biret --- .../schema/pass/path-item-object-example.yaml | 22 ++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/tests/schema/pass/path-item-object-example.yaml b/tests/schema/pass/path-item-object-example.yaml index 234325e21a..bede844d36 100644 --- a/tests/schema/pass/path-item-object-example.yaml +++ b/tests/schema/pass/path-item-object-example.yaml @@ -32,4 +32,24 @@ paths: type: array items: type: string - style: simple \ No newline at end of file + style: simple + additionalOperations: + query: + description: Returns pets based on ID + summary: Find pets by ID + operationId: queryPetsById + responses: + '200': + description: pet response + content: + '*/*': + schema: + type: array + items: + $ref: '#/components/schemas/Pet' + default: + description: error payload + content: + text/html: + schema: + $ref: '#/components/schemas/ErrorModel' \ No newline at end of file From b12f34b9560e3cdddf1932f84366b773e356d676 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Fri, 28 Mar 2025 09:03:13 -0400 Subject: [PATCH 072/342] fix: schema definition for outlawed properties Signed-off-by: Vincent Biret --- src/schemas/validation/schema.yaml | 42 ++++++++++++++++++------------ 1 file changed, 25 insertions(+), 17 deletions(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 666e9314d6..9e30443426 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -235,23 +235,31 @@ $defs: additionalProperties: $ref: '#/$defs/operation' not: - required: - - get: - $ref: '#/$defs/operation' - - put: - $ref: '#/$defs/operation' - - post: - $ref: '#/$defs/operation' - - delete: - $ref: '#/$defs/operation' - - options: - $ref: '#/$defs/operation' - - head: - $ref: '#/$defs/operation' - - patch: - $ref: '#/$defs/operation' - - trace: - $ref: '#/$defs/operation' + anyOf: + - properties: + - get: + $ref: '#/$defs/operation' + - properties: + - put: + $ref: '#/$defs/operation' + - properties: + - post: + $ref: '#/$defs/operation' + - properties: + - delete: + $ref: '#/$defs/operation' + - properties: + - options: + $ref: '#/$defs/operation' + - properties: + - head: + $ref: '#/$defs/operation' + - properties: + - patch: + $ref: '#/$defs/operation' + - properties: + - trace: + $ref: '#/$defs/operation' get: $ref: '#/$defs/operation' put: From 692b41315b553d268e5323f3ecd1e92fabe050c7 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Fri, 28 Mar 2025 09:05:23 -0400 Subject: [PATCH 073/342] fix: schema indentation and adds required keyword Signed-off-by: Vincent Biret --- src/schemas/validation/schema.yaml | 32 ++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 9e30443426..17351fd7de 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -238,28 +238,44 @@ $defs: anyOf: - properties: - get: - $ref: '#/$defs/operation' + $ref: '#/$defs/operation' + required: + - get - properties: - put: - $ref: '#/$defs/operation' + $ref: '#/$defs/operation' + required: + - put - properties: - post: - $ref: '#/$defs/operation' + $ref: '#/$defs/operation' + required: + - post - properties: - delete: - $ref: '#/$defs/operation' + $ref: '#/$defs/operation' + required: + - delete - properties: - options: - $ref: '#/$defs/operation' + $ref: '#/$defs/operation' + required: + - options - properties: - head: - $ref: '#/$defs/operation' + $ref: '#/$defs/operation' + required: + - head - properties: - patch: - $ref: '#/$defs/operation' + $ref: '#/$defs/operation' + required: + - patch - properties: - trace: - $ref: '#/$defs/operation' + $ref: '#/$defs/operation' + required: + - trace get: $ref: '#/$defs/operation' put: From 62dbf31569f224c917723d4e037fb4f6b525085e Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Fri, 28 Mar 2025 09:14:13 -0400 Subject: [PATCH 074/342] =?UTF-8?q?fix:=20=F0=9F=A4=A6=20vincent=20needs?= =?UTF-8?q?=20a=20coffee?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Vincent Biret --- src/schemas/validation/schema.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 17351fd7de..ed43a01f47 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -237,42 +237,42 @@ $defs: not: anyOf: - properties: - - get: + get: $ref: '#/$defs/operation' required: - get - properties: - - put: + put: $ref: '#/$defs/operation' required: - put - properties: - - post: + post: $ref: '#/$defs/operation' required: - post - properties: - - delete: + delete: $ref: '#/$defs/operation' required: - delete - properties: - - options: + options: $ref: '#/$defs/operation' required: - options - properties: - - head: + head: $ref: '#/$defs/operation' required: - head - properties: - - patch: + patch: $ref: '#/$defs/operation' required: - patch - properties: - - trace: + trace: $ref: '#/$defs/operation' required: - trace From 15e99caedf193dd1a0a91590a7c54cf655bc0ec9 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Fri, 28 Mar 2025 10:21:01 -0400 Subject: [PATCH 075/342] Apply suggestions from code review Co-authored-by: Ralf Handl --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index 6afe86b2a0..e5291fbf9b 100644 --- a/src/oas.md +++ b/src/oas.md @@ -988,7 +988,7 @@ This object MAY be extended with [Specification Extensions](#specification-exten } ], "additionalOperations": { - "query": { + "QUERY": { "description": "Returns pets based on ID", "summary": "Find pets by ID", "operationId": "queryPetsById", @@ -1053,7 +1053,7 @@ parameters: type: string style: simple additionalOperations: - query: + QUERY: description: Returns pets based on ID summary: Find pets by ID operationId: queryPetsById From 72a29d74c2d33f279e2a0661ef1b747a923d32e2 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Fri, 28 Mar 2025 10:21:17 -0400 Subject: [PATCH 076/342] Update tests/schema/pass/path-item-object-example.yaml Co-authored-by: Ralf Handl --- tests/schema/pass/path-item-object-example.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/schema/pass/path-item-object-example.yaml b/tests/schema/pass/path-item-object-example.yaml index bede844d36..46f7826c16 100644 --- a/tests/schema/pass/path-item-object-example.yaml +++ b/tests/schema/pass/path-item-object-example.yaml @@ -34,7 +34,7 @@ paths: type: string style: simple additionalOperations: - query: + QUERY: description: Returns pets based on ID summary: Find pets by ID operationId: queryPetsById From 2452ad17b03932560309bb53b4625e8a89163ddc Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Fri, 28 Mar 2025 10:22:25 -0400 Subject: [PATCH 077/342] chore: moves additional operations after the defined operations Signed-off-by: Vincent Biret --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index e5291fbf9b..8d91bbb1ec 100644 --- a/src/oas.md +++ b/src/oas.md @@ -924,7 +924,6 @@ The path itself is still exposed to the documentation viewer but they will not k | $ref | `string` | Allows for a referenced definition of this path item. The value MUST be in the form of a URI, and the referenced structure MUST be in the form of a [Path Item Object](#path-item-object). In case a Path Item Object field appears both in the defined object and the referenced object, the behavior is undefined. See the rules for resolving [Relative References](#relative-references-in-api-description-uris).

_**Note:** The behavior of `$ref` with adjacent properties is likely to change in future versions of this specification to bring it into closer alignment with the behavior of the [Reference Object](#reference-object)._ | | summary | `string` | An optional string summary, intended to apply to all operations in this path. | | description | `string` | An optional string description, intended to apply to all operations in this path. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | -| additionalOperations | Map[`string`, [Operation Object](#operation-object)] | A map of additional operations on this path. This map MUST NOT contain any entry matching (case-insensitive) any operation that can be defined on the parent path item object. | | get | [Operation Object](#operation-object) | A definition of a GET operation on this path. | | put | [Operation Object](#operation-object) | A definition of a PUT operation on this path. | | post | [Operation Object](#operation-object) | A definition of a POST operation on this path. | @@ -933,6 +932,7 @@ The path itself is still exposed to the documentation viewer but they will not k | head | [Operation Object](#operation-object) | A definition of a HEAD operation on this path. | | patch | [Operation Object](#operation-object) | A definition of a PATCH operation on this path. | | trace | [Operation Object](#operation-object) | A definition of a TRACE operation on this path. | +| additionalOperations | Map[`string`, [Operation Object](#operation-object)] | A map of additional operations on this path. This map MUST NOT contain any entry matching (case-insensitive) any operation that can be defined on the parent path item object. | | servers | [[Server Object](#server-object)] | An alternative `servers` array to service all operations in this path. If a `servers` array is specified at the [OpenAPI Object](#oas-servers) level, it will be overridden by this value. | | parameters | [[Parameter Object](#parameter-object) \| [Reference Object](#reference-object)] | A list of parameters that are applicable for all the operations described under this path. These parameters can be overridden at the operation level, but cannot be removed there. The list MUST NOT include duplicated parameters. A unique parameter is defined by a combination of a [name](#parameter-name) and [location](#parameter-in). The list can use the [Reference Object](#reference-object) to link to parameters that are defined in the [OpenAPI Object's `components.parameters`](#components-parameters). | From 4cf516815a3f92be7e8154954a3a83ce32331241 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Fri, 28 Mar 2025 10:24:40 -0400 Subject: [PATCH 078/342] ci: adds a failing test for methods that should be defined on the parent object Signed-off-by: Vincent Biret --- .../schema/fail/path-item-object-example.yaml | 64 +++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 tests/schema/fail/path-item-object-example.yaml diff --git a/tests/schema/fail/path-item-object-example.yaml b/tests/schema/fail/path-item-object-example.yaml new file mode 100644 index 0000000000..a00db6c5f6 --- /dev/null +++ b/tests/schema/fail/path-item-object-example.yaml @@ -0,0 +1,64 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +paths: + /pets/{id}: + get: + description: Returns pets based on ID + summary: Find pets by ID + operationId: getPetsById + responses: + '200': + description: pet response + content: + '*/*': + schema: + type: array + items: + $ref: '#/components/schemas/Pet' + default: + description: error payload + content: + text/html: + schema: + $ref: '#/components/schemas/ErrorModel' + parameters: + - name: id + in: path + description: ID of pet to use + required: true + schema: + type: array + items: + type: string + style: simple + additionalOperations: + POST: + description: Returns pets based on ID + summary: Find pets by ID + operationId: postPetsById + request-body: + description: ID of pet to use + required: true + content: + application/json: + schema: + type: array + items: + type: string + responses: + '200': + description: pet response + content: + '*/*': + schema: + type: array + items: + $ref: '#/components/schemas/Pet' + default: + description: error payload + content: + text/html: + schema: + $ref: '#/components/schemas/ErrorModel' \ No newline at end of file From cfdc4bc6a5a2235dd8d7c7b3662e16870a881d75 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Fri, 28 Mar 2025 12:00:43 -0400 Subject: [PATCH 079/342] Update tests/schema/fail/path-item-object-example.yaml Co-authored-by: Ralf Handl --- tests/schema/fail/path-item-object-example.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/schema/fail/path-item-object-example.yaml b/tests/schema/fail/path-item-object-example.yaml index a00db6c5f6..f068406b68 100644 --- a/tests/schema/fail/path-item-object-example.yaml +++ b/tests/schema/fail/path-item-object-example.yaml @@ -38,7 +38,7 @@ paths: description: Returns pets based on ID summary: Find pets by ID operationId: postPetsById - request-body: + requestBody: description: ID of pet to use required: true content: From 9c0c7cb7864d681158c522fd42d27644923ab227 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Wed, 26 Mar 2025 14:40:39 -0700 Subject: [PATCH 080/342] Use human-friendly rendering of JSON Schema I-D This harmonizes all JSON Schema spec links to use the most readable HTML renderings, which are in the same style (although a different URL structure) as the renderings used for the recently-added links to RFC9110. --- src/oas.md | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/src/oas.md b/src/oas.md index 5d56bed793..91377aabfd 100644 --- a/src/oas.md +++ b/src/oas.md @@ -151,7 +151,7 @@ It is RECOMMENDED that the entry document of an OAD be named: `openapi.json` or #### Parsing Documents -In order to properly handle [Schema Objects](#schema-object), OAS 3.1 inherits the parsing requirements of [JSON Schema Specification Draft 2020-12](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-01#section-9), with appropriate modifications regarding base URIs as specified in [Relative References In URIs](#relative-references-in-api-description-uris). +In order to properly handle [Schema Objects](#schema-object), OAS 3.1 inherits the parsing requirements of [JSON Schema Specification Draft 2020-12](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-9), with appropriate modifications regarding base URIs as specified in [Relative References In URIs](#relative-references-in-api-description-uris). This includes a requirement to parse complete documents before deeming a Schema Object reference to be unresolvable, in order to detect keywords that might provide the reference target or impact the determination of the appropriate base URI. @@ -224,22 +224,22 @@ Note that no aspect of implicit connection resolution changes how [URIs are reso ### Data Types -Data types in the OAS are based on the types defined by the [JSON Schema Validation Specification Draft 2020-12](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-01#section-6.1.1): +Data types in the OAS are based on the types defined by the [JSON Schema Validation Specification Draft 2020-12](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-6.1.1): "null", "boolean", "object", "array", "number", "string", or "integer". Models are defined using the [Schema Object](#schema-object), which is a superset of the JSON Schema Specification Draft 2020-12. JSON Schema keywords and `format` values operate on JSON "instances" which may be one of the six JSON data types, "null", "boolean", "object", "array", "number", or "string", with certain keywords and formats only applying to a specific type. For example, the `pattern` keyword and the `date-time` format only apply to strings, and treat any instance of the other five types as _automatically valid._ This means JSON Schema keywords and formats do **NOT** implicitly require the expected type. Use the `type` keyword to explicitly constrain the type. -Note that the `type` keyword allows `"integer"` as a value for convenience, but keyword and format applicability does not recognize integers as being of a distinct JSON type from other numbers because [[RFC8259|JSON]] itself does not make that distinction. Since there is no distinct JSON integer type, JSON Schema defines integers mathematically. This means that both `1` and `1.0` are [equivalent](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-01#section-4.2.2), and are both considered to be integers. +Note that the `type` keyword allows `"integer"` as a value for convenience, but keyword and format applicability does not recognize integers as being of a distinct JSON type from other numbers because [[RFC8259|JSON]] itself does not make that distinction. Since there is no distinct JSON integer type, JSON Schema defines integers mathematically. This means that both `1` and `1.0` are [equivalent](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-4.2.2), and are both considered to be integers. #### Data Type Format -As defined by the [JSON Schema Validation specification](https://tools.ietf.org/html/draft-bhutton-json-schema-validation-01#section-7.3), data types can have an optional modifier keyword: `format`. As described in that specification, `format` is treated as a non-validating annotation by default; the ability to validate `format` varies across implementations. +As defined by the [JSON Schema Validation specification](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-7.3), data types can have an optional modifier keyword: `format`. As described in that specification, `format` is treated as a non-validating annotation by default; the ability to validate `format` varies across implementations. The OpenAPI Initiative also hosts a [Format Registry](https://spec.openapis.org/registry/format/) for formats defined by OAS users and other specifications. Support for any registered format is strictly OPTIONAL, and support for one registered format does not imply support for any others. Types that are not accompanied by a `format` keyword follow the type definition in the JSON Schema. Tools that do not recognize a specific `format` MAY default back to the `type` alone, as if the `format` is not specified. -For the purpose of [JSON Schema validation](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-01#section-7.1), each format should specify the set of JSON data types for which it applies. In this registry, these types are shown in the "JSON Data Type" column. +For the purpose of [JSON Schema validation](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-7.1), each format should specify the set of JSON data types for which it applies. In this registry, these types are shown in the "JSON Data Type" column. The formats defined by the OAS are: @@ -264,9 +264,9 @@ In the following table showing how to use Schema Object keywords for binary data | Keyword | Raw | Encoded | Comments | | ---- | ---- | ---- | ---- | -| `type` | _omit_ | `string` | raw binary is [outside of `type`](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-01#section-4.2.3) | +| `type` | _omit_ | `string` | raw binary is [outside of `type`](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-4.2.3) | | `contentMediaType` | `image/png` | `image/png` | can sometimes be omitted if redundant (see below) | -| `contentEncoding` | _omit_ | `base64` or `base64url` | other encodings are [allowed](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-01#section-8.3) | +| `contentEncoding` | _omit_ | `base64` or `base64url` | other encodings are [allowed](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-8.3) | Note that the encoding indicated by `contentEncoding`, which inflates the size of data in order to represent it as 7-bit ASCII text, is unrelated to HTTP's `Content-Encoding` header, which indicates whether and how a message body has been compressed and is applied after all content serialization described in this section has occurred. Since HTTP allows unencoded binary message bodies, there is no standardized HTTP header for indicating base64 or similar encoding of an entire message body. @@ -301,14 +301,14 @@ OpenAPI Description authors SHOULD consider how text using such extensions will ### Relative References in API Description URIs URIs used as references within an OpenAPI Description, or to external documentation or other supplementary information such as a license, are resolved as _identifiers_, and described by this specification as **_URIs_**. -As noted under [Parsing Documents](#parsing-documents), this specification inherits JSON Schema Specification Draft 2020-12's requirements for [loading documents](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-01#section-9) and associating them with their expected URIs, which might not match their current location. +As noted under [Parsing Documents](#parsing-documents), this specification inherits JSON Schema Specification Draft 2020-12's requirements for [loading documents](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-9) and associating them with their expected URIs, which might not match their current location. This feature is used both for working in development or test environments without having to change the URIs, and for working within restrictive network configurations or security policies. Note that some URI fields are named `url` for historical reasons, but the descriptive text for those fields uses the correct "URI" terminology. Unless specified otherwise, all fields that are URIs MAY be relative references as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-4.2). -Relative references in [Schema Objects](#schema-object), including any that appear as `$id` values, use the nearest parent `$id` as a Base URI, as described by [JSON Schema Specification Draft 2020-12](https://tools.ietf.org/html/draft-bhutton-json-schema-01#section-8.2). +Relative references in [Schema Objects](#schema-object), including any that appear as `$id` values, use the nearest parent `$id` as a Base URI, as described by [JSON Schema Specification Draft 2020-12](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-8.2). Relative URI references in other Objects, and in Schema Objects where no parent schema contains an `$id`, MUST be resolved using the referring document's base URI, which is determined in accordance with [[RFC3986]] [Section 5.1.2 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.2). In practice, this is usually the retrieval URI of the document, which MAY be determined based on either its current actual location or a user-supplied expected location. @@ -2815,16 +2815,16 @@ $ref: definitions.yaml#/Pet #### Schema Object The Schema Object allows the definition of input and output data types. -These types can be objects, but also primitives and arrays. This object is a superset of the [JSON Schema Specification Draft 2020-12](https://tools.ietf.org/html/draft-bhutton-json-schema-01). The empty schema (which allows any instance to validate) MAY be represented by the boolean value `true` and a schema which allows no instance to validate MAY be represented by the boolean value `false`. +These types can be objects, but also primitives and arrays. This object is a superset of the [JSON Schema Specification Draft 2020-12](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html). The empty schema (which allows any instance to validate) MAY be represented by the boolean value `true` and a schema which allows no instance to validate MAY be represented by the boolean value `false`. -For more information about the keywords, see [JSON Schema Core](https://tools.ietf.org/html/draft-bhutton-json-schema-01) and [JSON Schema Validation](https://tools.ietf.org/html/draft-bhutton-json-schema-validation-01). +For more information about the keywords, see [JSON Schema Core](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html) and [JSON Schema Validation](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html). Unless stated otherwise, the keyword definitions follow those of JSON Schema and do not add any additional semantics; this includes keywords such as `$schema`, `$id`, `$ref`, and `$dynamicRef` being URIs rather than URLs. Where JSON Schema indicates that behavior is defined by the application (e.g. for annotations), OAS also defers the definition of semantics to the application consuming the OpenAPI document. ##### JSON Schema Keywords -The OpenAPI Schema Object [dialect](https://tools.ietf.org/html/draft-bhutton-json-schema-01#section-4.3.3) is defined as requiring the [OAS base vocabulary](#base-vocabulary), in addition to the vocabularies as specified in the JSON Schema Specification Draft 2020-12 [general purpose meta-schema](https://tools.ietf.org/html/draft-bhutton-json-schema-01#section-8). +The OpenAPI Schema Object [dialect](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-4.3.3) is defined as requiring the [OAS base vocabulary](#base-vocabulary), in addition to the vocabularies as specified in the JSON Schema Specification Draft 2020-12 [general purpose meta-schema](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-8). The OpenAPI Schema Object dialect for this version of the specification is identified by the URI `https://spec.openapis.org/oas/3.1/dialect/base` (the "OAS dialect schema id"). @@ -2835,7 +2835,7 @@ The following keywords are taken from the JSON Schema specification but their de In addition to the JSON Schema keywords comprising the OAS dialect, the Schema Object supports keywords from any other vocabularies, or entirely arbitrary properties. -JSON Schema implementations MAY choose to treat keywords defined by the OpenAPI Specification's base vocabulary as [unknown keywords](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-01#section-4.3.1), due to its inclusion in the OAS dialect with a [`$vocabulary`](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-01#section-8.1.2) value of `false`. +JSON Schema implementations MAY choose to treat keywords defined by the OpenAPI Specification's base vocabulary as [unknown keywords](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-4.3.1), due to its inclusion in the OAS dialect with a [`$vocabulary`](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-8.1.2) value of `false`. The OAS base vocabulary is comprised of the following keywords: ##### Fixed Fields @@ -2851,20 +2851,20 @@ This object MAY be extended with [Specification Extensions](#specification-exten ##### Extended Validation with Annotations -JSON Schema Draft 2020-12 supports [collecting annotations](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-01#section-7.7.1), including [treating unrecognized keywords as annotations](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-01#section-6.5). +JSON Schema Draft 2020-12 supports [collecting annotations](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-7.7.1), including [treating unrecognized keywords as annotations](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-6.5). OAS implementations MAY use such annotations, including [extensions](https://spec.openapis.org/registry/extension/) not recognized as part of a declared JSON Schema vocabulary, as the basis for further validation. Note that JSON Schema Draft 2020-12 does not require an `x-` prefix for extensions. ###### Non-validating constraint keywords -The [`format` keyword (when using default format-annotation vocabulary)](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-01#section-7.2.1) and the [`contentMediaType`, `contentEncoding`, and `contentSchema` keywords](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-01#section-8.2) define constraints on the data, but are treated as annotations instead of being validated directly. +The [`format` keyword (when using default format-annotation vocabulary)](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-7.2.1) and the [`contentMediaType`, `contentEncoding`, and `contentSchema` keywords](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-8.2) define constraints on the data, but are treated as annotations instead of being validated directly. Extended validation is one way that these constraints MAY be enforced. ###### Validating `readOnly` and `writeOnly` The `readOnly` and `writeOnly` keywords are annotations, as JSON Schema is not aware of how the data it is validating is being used. Validation of these keywords MAY be done by checking the annotation, the read or write direction, and (if relevant) the current value of the field. -[JSON Schema Validation Draft 2020-12 §9.4](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-01#section-9.4) defines the expectations of these keywords, including that a resource (described as the "owning authority") MAY either ignore a `readOnly` field or treat it as an error. +[JSON Schema Validation Draft 2020-12 §9.4](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-9.4) defines the expectations of these keywords, including that a resource (described as the "owning authority") MAY either ignore a `readOnly` field or treat it as an error. Fields that are both required and read-only are an example of when it is beneficial to ignore a `readOnly: true` constraint in a PUT, particularly if the value has not been changed. This allows correctly requiring the field on a GET and still using the same representation and schema with PUT. @@ -2918,7 +2918,7 @@ The [XML Object](#xml-object) contains additional information about the availabl It is important for tooling to be able to determine which dialect or meta-schema any given resource wishes to be processed with: JSON Schema Core, JSON Schema Validation, OpenAPI Schema dialect, or some custom meta-schema. -The `$schema` keyword MAY be present in any Schema Object that is a [schema resource root](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-01#section-4.3.5), and if present MUST be used to determine which dialect should be used when processing the schema. This allows use of Schema Objects which comply with other drafts of JSON Schema than the default Draft 2020-12 support. Tooling MUST support the OAS dialect schema id, and MAY support additional values of `$schema`. +The `$schema` keyword MAY be present in any Schema Object that is a [schema resource root](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-4.3.5), and if present MUST be used to determine which dialect should be used when processing the schema. This allows use of Schema Objects which comply with other drafts of JSON Schema than the default Draft 2020-12 support. Tooling MUST support the OAS dialect schema id, and MAY support additional values of `$schema`. To allow use of a different default `$schema` value for all Schema Objects contained within an OAS document, a `jsonSchemaDialect` value may be set within the OpenAPI Object. If this default is not set, then the OAS dialect schema id MUST be used for these Schema Objects. The value of `$schema` within a resource root Schema Object always overrides any default. @@ -4291,8 +4291,8 @@ OpenAPI Descriptions use a combination of JSON, YAML, and JSON Schema, and there * [JSON](https://www.iana.org/assignments/media-types/application/json) * [YAML](https://www.iana.org/assignments/media-types/application/yaml) -* [JSON Schema Core](https://tools.ietf.org/html/draft-bhutton-json-schema-01#section-13) -* [JSON Schema Validation](https://tools.ietf.org/html/draft-bhutton-json-schema-validation-01#section-10) +* [JSON Schema Core](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-13) +* [JSON Schema Validation](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-10) ### Tooling and Usage Scenarios @@ -4346,7 +4346,7 @@ Certain fields allow the use of Markdown which can contain HTML including script Serializing typed data to plain text, which can occur in `text/plain` message bodies or `multipart` parts, as well as in the `application/x-www-form-urlencoded` format in either URL query strings or message bodies, involves significant implementation- or application-defined behavior. -[Schema Objects](#schema-object) validate data based on the [JSON Schema data model](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-01#section-4.2.1), which only recognizes four primitive data types: strings (which are [only broadly interoperable as UTF-8](https://datatracker.ietf.org/doc/html/rfc8259#section-8.1)), numbers, booleans, and `null`. +[Schema Objects](#schema-object) validate data based on the [JSON Schema data model](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-4.2.1), which only recognizes four primitive data types: strings (which are [only broadly interoperable as UTF-8](https://datatracker.ietf.org/doc/html/rfc7159#section-8.1)), numbers, booleans, and `null`. Notably, integers are not a distinct type from other numbers, with `type: "integer"` being a convenience defined mathematically, rather than based on the presence or absence of a decimal point in any string representation. The [Parameter Object](#parameter-object), [Header Object](#header-object), and [Encoding Object](#encoding-object) offer features to control how to arrange values from array or object types. From 03e47f52d70a3f11b38d0a95b880e9cc4065a56a Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Sat, 29 Mar 2025 07:21:44 -0700 Subject: [PATCH 081/342] Spell out "section" Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 91377aabfd..510894911b 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2864,7 +2864,7 @@ Extended validation is one way that these constraints MAY be enforced. The `readOnly` and `writeOnly` keywords are annotations, as JSON Schema is not aware of how the data it is validating is being used. Validation of these keywords MAY be done by checking the annotation, the read or write direction, and (if relevant) the current value of the field. -[JSON Schema Validation Draft 2020-12 §9.4](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-9.4) defines the expectations of these keywords, including that a resource (described as the "owning authority") MAY either ignore a `readOnly` field or treat it as an error. +[JSON Schema Validation Draft 2020-12 Section 9.4](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-9.4) defines the expectations of these keywords, including that a resource (described as the "owning authority") MAY either ignore a `readOnly` field or treat it as an error. Fields that are both required and read-only are an example of when it is beneficial to ignore a `readOnly: true` constraint in a PUT, particularly if the value has not been changed. This allows correctly requiring the field on a GET and still using the same representation and schema with PUT. From 2aee7ee53c12f685c31b883288148c30c651e721 Mon Sep 17 00:00:00 2001 From: Lorna Jane Mitchell Date: Sun, 30 Mar 2025 20:55:51 +0100 Subject: [PATCH 082/342] Fix a duplicated anchor link that makes other links incorrect --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 5d56bed793..c16b8ad549 100644 --- a/src/oas.md +++ b/src/oas.md @@ -640,7 +640,7 @@ All objects defined within the Components Object will have no effect on the API | examples | Map[`string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Example Objects](#example-object). | | requestBodies | Map[`string`, [Request Body Object](#request-body-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Request Body Objects](#request-body-object). | | headers | Map[`string`, [Header Object](#header-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Header Objects](#header-object). | -| securitySchemes | Map[`string`, [Security Scheme Object](#security-scheme-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Security Scheme Objects](#security-scheme-object). | +| securitySchemes | Map[`string`, [Security Scheme Object](#security-scheme-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Security Scheme Objects](#security-scheme-object). | | links | Map[`string`, [Link Object](#link-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Link Objects](#link-object). | | callbacks | Map[`string`, [Callback Object](#callback-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Callback Objects](#callback-object). | | pathItems | Map[`string`, [Path Item Object](#path-item-object)] | An object to hold reusable [Path Item Objects](#path-item-object). | From d5141ec04cb653cf932c02f0cf99bde90afe14ac Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Mon, 31 Mar 2025 09:03:07 -0400 Subject: [PATCH 083/342] chore: renames fail file to have more explicit definition of the case Signed-off-by: Vincent Biret --- ...aml => path-item-object-conflicting-additional-operation.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename tests/schema/fail/{path-item-object-example.yaml => path-item-object-conflicting-additional-operation.yaml} (100%) diff --git a/tests/schema/fail/path-item-object-example.yaml b/tests/schema/fail/path-item-object-conflicting-additional-operation.yaml similarity index 100% rename from tests/schema/fail/path-item-object-example.yaml rename to tests/schema/fail/path-item-object-conflicting-additional-operation.yaml From 6ed7fe87fa704093b4d008d5b1628d27a26c2ed7 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Mon, 31 Mar 2025 09:04:21 -0400 Subject: [PATCH 084/342] feat: adds query as "principal" operation type in path item Signed-off-by: Vincent Biret --- src/schemas/validation/schema.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index ed43a01f47..a3230d8193 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -292,6 +292,8 @@ $defs: $ref: '#/$defs/operation' trace: $ref: '#/$defs/operation' + query: + $ref: '#/$defs/operation' $ref: '#/$defs/specification-extensions' unevaluatedProperties: false From 61fee049b6194b7d039fa9da158f15d9842c1ae2 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Mon, 31 Mar 2025 09:09:44 -0400 Subject: [PATCH 085/342] fix: excluded operations filter for additional operations Signed-off-by: Vincent Biret --- src/schemas/validation/schema.yaml | 54 +++++++----------------------- 1 file changed, 12 insertions(+), 42 deletions(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index a3230d8193..4225253b63 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -234,48 +234,18 @@ $defs: type: object additionalProperties: $ref: '#/$defs/operation' - not: - anyOf: - - properties: - get: - $ref: '#/$defs/operation' - required: - - get - - properties: - put: - $ref: '#/$defs/operation' - required: - - put - - properties: - post: - $ref: '#/$defs/operation' - required: - - post - - properties: - delete: - $ref: '#/$defs/operation' - required: - - delete - - properties: - options: - $ref: '#/$defs/operation' - required: - - options - - properties: - head: - $ref: '#/$defs/operation' - required: - - head - - properties: - patch: - $ref: '#/$defs/operation' - required: - - patch - - properties: - trace: - $ref: '#/$defs/operation' - required: - - trace + propertyNames: + not: + enum: + - GET + - PUT + - POST + - DELETE + - OPTIONS + - HEAD + - PATCH + - TRACE + - QUERY get: $ref: '#/$defs/operation' put: From d3c477cffcf516cf990664c53c799178cadfa60c Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Mon, 31 Mar 2025 09:12:32 -0400 Subject: [PATCH 086/342] docs: updates wording for additional operations exclusions Co-authored-by: Henry Andrews --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 8d91bbb1ec..b40e9aaad3 100644 --- a/src/oas.md +++ b/src/oas.md @@ -932,7 +932,7 @@ The path itself is still exposed to the documentation viewer but they will not k | head | [Operation Object](#operation-object) | A definition of a HEAD operation on this path. | | patch | [Operation Object](#operation-object) | A definition of a PATCH operation on this path. | | trace | [Operation Object](#operation-object) | A definition of a TRACE operation on this path. | -| additionalOperations | Map[`string`, [Operation Object](#operation-object)] | A map of additional operations on this path. This map MUST NOT contain any entry matching (case-insensitive) any operation that can be defined on the parent path item object. | +| additionalOperations | Map[`string`, [Operation Object](#operation-object)] | A map of additional operations on this path. This map MUST NOT contain any entry for the methods that can be defined by other Operation Object fields (e.g. no `POST` entry, as the Operation Object field `post` is used for this method). | | servers | [[Server Object](#server-object)] | An alternative `servers` array to service all operations in this path. If a `servers` array is specified at the [OpenAPI Object](#oas-servers) level, it will be overridden by this value. | | parameters | [[Parameter Object](#parameter-object) \| [Reference Object](#reference-object)] | A list of parameters that are applicable for all the operations described under this path. These parameters can be overridden at the operation level, but cannot be removed there. The list MUST NOT include duplicated parameters. A unique parameter is defined by a combination of a [name](#parameter-name) and [location](#parameter-in). The list can use the [Reference Object](#reference-object) to link to parameters that are defined in the [OpenAPI Object's `components.parameters`](#components-parameters). | From 2dc3e06e0c4ce68ba55056623fb021c68908d3c1 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Mon, 31 Mar 2025 09:15:03 -0400 Subject: [PATCH 087/342] docs: updates additional operation samples to match hoisting of query Signed-off-by: Vincent Biret --- src/oas.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/oas.md b/src/oas.md index 8d91bbb1ec..f1ec6922ca 100644 --- a/src/oas.md +++ b/src/oas.md @@ -988,10 +988,10 @@ This object MAY be extended with [Specification Extensions](#specification-exten } ], "additionalOperations": { - "QUERY": { - "description": "Returns pets based on ID", - "summary": "Find pets by ID", - "operationId": "queryPetsById", + "COPY": { + "description": "Copies pet information based on ID", + "summary": "Copies pets by ID", + "operationId": "copyPetsById", "responses": { "200": { "description": "pet response", @@ -1053,9 +1053,9 @@ parameters: type: string style: simple additionalOperations: - QUERY: - description: Returns pets based on ID - summary: Find pets by ID + COPY: + description: Copies pet information based on ID + summary: Copies pets by ID operationId: queryPetsById responses: '200': From 3fb4d91d34778fa8f53fcda3c2ef1b1db9e93086 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Mon, 31 Mar 2025 09:16:44 -0400 Subject: [PATCH 088/342] ci: fixes pass example test Signed-off-by: Vincent Biret --- src/oas.md | 2 +- tests/schema/pass/path-item-object-example.yaml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/oas.md b/src/oas.md index 48aab5f811..9875da3734 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1056,7 +1056,7 @@ additionalOperations: COPY: description: Copies pet information based on ID summary: Copies pets by ID - operationId: queryPetsById + operationId: copyPetsById responses: '200': description: pet response diff --git a/tests/schema/pass/path-item-object-example.yaml b/tests/schema/pass/path-item-object-example.yaml index 46f7826c16..4507e31396 100644 --- a/tests/schema/pass/path-item-object-example.yaml +++ b/tests/schema/pass/path-item-object-example.yaml @@ -34,10 +34,10 @@ paths: type: string style: simple additionalOperations: - QUERY: - description: Returns pets based on ID - summary: Find pets by ID - operationId: queryPetsById + COPY: + description: Copies pet information based on ID + summary: Copies pets by ID + operationId: copyPetsById responses: '200': description: pet response From dd0cf1688efdd8542102be4169593dcaec7e858a Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Mon, 31 Mar 2025 09:26:27 -0400 Subject: [PATCH 089/342] docs: adds a query example to pass tests Signed-off-by: Vincent Biret --- .../schema/pass/path-item-object-example.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/tests/schema/pass/path-item-object-example.yaml b/tests/schema/pass/path-item-object-example.yaml index 4507e31396..0ecc2d64fa 100644 --- a/tests/schema/pass/path-item-object-example.yaml +++ b/tests/schema/pass/path-item-object-example.yaml @@ -23,6 +23,25 @@ paths: text/html: schema: $ref: '#/components/schemas/ErrorModel' + query: + description: Returns pets based on ID + summary: Find pets by ID + operationId: queryPetsById + responses: + '200': + description: pet response + content: + '*/*': + schema: + type: array + items: + $ref: '#/components/schemas/Pet' + default: + description: error payload + content: + text/html: + schema: + $ref: '#/components/schemas/ErrorModel' parameters: - name: id in: path From fc29d3a3d29df4d84fe306bce7436dd3d3f69534 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Mon, 31 Mar 2025 10:01:32 -0400 Subject: [PATCH 090/342] docs: precisions around capitalization Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 9875da3734..387ab2ea56 100644 --- a/src/oas.md +++ b/src/oas.md @@ -932,7 +932,7 @@ The path itself is still exposed to the documentation viewer but they will not k | head | [Operation Object](#operation-object) | A definition of a HEAD operation on this path. | | patch | [Operation Object](#operation-object) | A definition of a PATCH operation on this path. | | trace | [Operation Object](#operation-object) | A definition of a TRACE operation on this path. | -| additionalOperations | Map[`string`, [Operation Object](#operation-object)] | A map of additional operations on this path. This map MUST NOT contain any entry for the methods that can be defined by other Operation Object fields (e.g. no `POST` entry, as the Operation Object field `post` is used for this method). | +| additionalOperations | Map[`string`, [Operation Object](#operation-object)] | A map of additional operations on this path. The map key is the HTTP method with the same capitalization that is to be sent in the request. This map MUST NOT contain any entry for the methods that can be defined by other Operation Object fields (e.g. no `POST` entry, as the Operation Object field `post` is used for this method). | | servers | [[Server Object](#server-object)] | An alternative `servers` array to service all operations in this path. If a `servers` array is specified at the [OpenAPI Object](#oas-servers) level, it will be overridden by this value. | | parameters | [[Parameter Object](#parameter-object) \| [Reference Object](#reference-object)] | A list of parameters that are applicable for all the operations described under this path. These parameters can be overridden at the operation level, but cannot be removed there. The list MUST NOT include duplicated parameters. A unique parameter is defined by a combination of a [name](#parameter-name) and [location](#parameter-in). The list can use the [Reference Object](#reference-object) to link to parameters that are defined in the [OpenAPI Object's `components.parameters`](#components-parameters). | From 9a53a9de558440a92c3751e89243cc573f300039 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Mon, 31 Mar 2025 14:08:23 -0400 Subject: [PATCH 091/342] ci: restricts to RFC9110 methods syntax Co-authored-by: Henry Andrews --- src/schemas/validation/schema.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 4225253b63..202874c292 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -235,6 +235,9 @@ $defs: additionalProperties: $ref: '#/$defs/operation' propertyNames: + $comment: RFC9110 restricts methods to "1*tchar" in ABNF + pattern: "^[a-zA-Z0-9!#$%&'*+.-]+$" + "^" / "_" / "`" / "|" / "~" not: enum: - GET From 621d1c3a003af31ebac18e79beb6e8926c1af098 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Mon, 31 Mar 2025 14:09:25 -0400 Subject: [PATCH 092/342] docs: adds the query method to the spec Co-authored-by: Henry Andrews --- src/oas.md | 1 + 1 file changed, 1 insertion(+) diff --git a/src/oas.md b/src/oas.md index 387ab2ea56..eec14fc939 100644 --- a/src/oas.md +++ b/src/oas.md @@ -932,6 +932,7 @@ The path itself is still exposed to the documentation viewer but they will not k | head | [Operation Object](#operation-object) | A definition of a HEAD operation on this path. | | patch | [Operation Object](#operation-object) | A definition of a PATCH operation on this path. | | trace | [Operation Object](#operation-object) | A definition of a TRACE operation on this path. | +| query | [Operation Object](#operation-object) | A definition of a QUERY operation, as defined in the most recent IETF draft ([draft-ietf-httpbis-safe-method-w-body-08](https://www.ietf.org/archive/id/draft-ietf-httpbis-safe-method-w-body-08.html) as of this writing) or its RFC successor, on this path. | | additionalOperations | Map[`string`, [Operation Object](#operation-object)] | A map of additional operations on this path. The map key is the HTTP method with the same capitalization that is to be sent in the request. This map MUST NOT contain any entry for the methods that can be defined by other Operation Object fields (e.g. no `POST` entry, as the Operation Object field `post` is used for this method). | | servers | [[Server Object](#server-object)] | An alternative `servers` array to service all operations in this path. If a `servers` array is specified at the [OpenAPI Object](#oas-servers) level, it will be overridden by this value. | | parameters | [[Parameter Object](#parameter-object) \| [Reference Object](#reference-object)] | A list of parameters that are applicable for all the operations described under this path. These parameters can be overridden at the operation level, but cannot be removed there. The list MUST NOT include duplicated parameters. A unique parameter is defined by a combination of a [name](#parameter-name) and [location](#parameter-in). The list can use the [Reference Object](#reference-object) to link to parameters that are defined in the [OpenAPI Object's `components.parameters`](#components-parameters). | From ed5cfe4895218bd793b4d7863cb147605c364d58 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Mon, 31 Mar 2025 14:14:03 -0400 Subject: [PATCH 093/342] fix: tchar definition Signed-off-by: Vincent Biret --- src/schemas/validation/schema.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 202874c292..8a45260f74 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -236,8 +236,7 @@ $defs: $ref: '#/$defs/operation' propertyNames: $comment: RFC9110 restricts methods to "1*tchar" in ABNF - pattern: "^[a-zA-Z0-9!#$%&'*+.-]+$" - "^" / "_" / "`" / "|" / "~" + pattern: "^[a-zA-Z0-9!#$%&'*+.-^`|~]+$" not: enum: - GET From 480dc7506edee8924e1c9b94e4ba895ec7fea979 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Mon, 31 Mar 2025 12:29:20 -0700 Subject: [PATCH 094/342] Fix regex character class Co-authored-by: Ethan <133719+notEthan@users.noreply.github.com> --- src/schemas/validation/schema.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 8a45260f74..f17b8d8ee5 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -236,7 +236,7 @@ $defs: $ref: '#/$defs/operation' propertyNames: $comment: RFC9110 restricts methods to "1*tchar" in ABNF - pattern: "^[a-zA-Z0-9!#$%&'*+.-^`|~]+$" + pattern: "^[a-zA-Z0-9!#$%&'*+.^`|~-]+$" not: enum: - GET From 18261611f6798efc9643d962632a0d6be15240ea Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Mon, 31 Mar 2025 12:32:14 -0700 Subject: [PATCH 095/342] Fix character class in regular expression --- src/schemas/validation/schema.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index f17b8d8ee5..003ca7a637 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -236,7 +236,7 @@ $defs: $ref: '#/$defs/operation' propertyNames: $comment: RFC9110 restricts methods to "1*tchar" in ABNF - pattern: "^[a-zA-Z0-9!#$%&'*+.^`|~-]+$" + pattern: "^[a-zA-Z0-9!#$%&'*+.^`|~]+$-" not: enum: - GET From 3ee2d2485012d2d68dcab60b9192a011932b8874 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Mon, 31 Mar 2025 12:45:05 -0700 Subject: [PATCH 096/342] Undo my incorrect additional "fix" --- src/schemas/validation/schema.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 003ca7a637..f17b8d8ee5 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -236,7 +236,7 @@ $defs: $ref: '#/$defs/operation' propertyNames: $comment: RFC9110 restricts methods to "1*tchar" in ABNF - pattern: "^[a-zA-Z0-9!#$%&'*+.^`|~]+$-" + pattern: "^[a-zA-Z0-9!#$%&'*+.^`|~-]+$" not: enum: - GET From 0c4f6be57782a3498328ddb3425e8aec51e89cd9 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Tue, 1 Apr 2025 08:57:18 -0400 Subject: [PATCH 097/342] docs: typo fix in html attribute name Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index eec14fc939..ebb932af29 100644 --- a/src/oas.md +++ b/src/oas.md @@ -932,7 +932,7 @@ The path itself is still exposed to the documentation viewer but they will not k | head | [Operation Object](#operation-object) | A definition of a HEAD operation on this path. | | patch | [Operation Object](#operation-object) | A definition of a PATCH operation on this path. | | trace | [Operation Object](#operation-object) | A definition of a TRACE operation on this path. | -| query | [Operation Object](#operation-object) | A definition of a QUERY operation, as defined in the most recent IETF draft ([draft-ietf-httpbis-safe-method-w-body-08](https://www.ietf.org/archive/id/draft-ietf-httpbis-safe-method-w-body-08.html) as of this writing) or its RFC successor, on this path. | +| query | [Operation Object](#operation-object) | A definition of a QUERY operation, as defined in the most recent IETF draft ([draft-ietf-httpbis-safe-method-w-body-08](https://www.ietf.org/archive/id/draft-ietf-httpbis-safe-method-w-body-08.html) as of this writing) or its RFC successor, on this path. | | additionalOperations | Map[`string`, [Operation Object](#operation-object)] | A map of additional operations on this path. The map key is the HTTP method with the same capitalization that is to be sent in the request. This map MUST NOT contain any entry for the methods that can be defined by other Operation Object fields (e.g. no `POST` entry, as the Operation Object field `post` is used for this method). | | servers | [[Server Object](#server-object)] | An alternative `servers` array to service all operations in this path. If a `servers` array is specified at the [OpenAPI Object](#oas-servers) level, it will be overridden by this value. | | parameters | [[Parameter Object](#parameter-object) \| [Reference Object](#reference-object)] | A list of parameters that are applicable for all the operations described under this path. These parameters can be overridden at the operation level, but cannot be removed there. The list MUST NOT include duplicated parameters. A unique parameter is defined by a combination of a [name](#parameter-name) and [location](#parameter-in). The list can use the [Reference Object](#reference-object) to link to parameters that are defined in the [OpenAPI Object's `components.parameters`](#components-parameters). | From 238aacaa7e2b4a28beac367a6fdc10e92ca1a2a2 Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Tue, 1 Apr 2025 08:57:37 -0400 Subject: [PATCH 098/342] docs: schema regex fix Co-authored-by: Ralf Handl --- src/schemas/validation/schema.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index f17b8d8ee5..3f804ad16b 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -236,7 +236,7 @@ $defs: $ref: '#/$defs/operation' propertyNames: $comment: RFC9110 restricts methods to "1*tchar" in ABNF - pattern: "^[a-zA-Z0-9!#$%&'*+.^`|~-]+$" + pattern: "^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$" not: enum: - GET From 8b3d66e3f91046331fb2ad9797defd90775e57d1 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sun, 27 Apr 2025 14:43:50 -0700 Subject: [PATCH 099/342] Run format-markdown --- src/oas.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/oas.md b/src/oas.md index 11c31c829c..fec35f28fb 100644 --- a/src/oas.md +++ b/src/oas.md @@ -4166,7 +4166,7 @@ Allows configuration of the supported OAuth Flows. | password | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Resource Owner Password flow | | clientCredentials | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Client Credentials flow. Previously called `application` in OpenAPI 2.0. | | authorizationCode | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Authorization Code flow. Previously called `accessCode` in OpenAPI 2.0. | -| deviceAuthorization| [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Device Authorization flow. | +| deviceAuthorization | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Device Authorization flow. | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -4235,7 +4235,7 @@ The name used for each property MUST either correspond to a security scheme decl Property names that are identical to a component name under the Components Object MUST be treated as a component name. To reference a Security Scheme with a single-segment relative URI reference (e.g. `foo`) that collides with a component name (e.g. `#/components/securitySchemes/foo`), use the `.` path segment (e.g. `./foo`). -Using a Security Scheme component name that appears to be a URI is NOT RECOMMENDED, as the precedence of component-name-matching over URI resolution, which is necessary to maintain compatibility with prior OAS versions, is counter-intuitive. See also [Security Considerations](#security-considerations). +Using a Security Scheme component name that appears to be a URI is NOT RECOMMENDED, as the precedence of component-name-matching over URI resolution, which is necessary to maintain compatibility with prior OAS versions, is counter-intuitive. See also [Security Considerations](#security-considerations). A Security Requirement Object MAY refer to multiple security schemes in which case all schemes MUST be satisfied for a request to be authorized. This enables support for scenarios where multiple query parameters or HTTP headers are required to convey security information. @@ -4248,7 +4248,7 @@ An empty Security Requirement Object (`{}`) indicates anonymous access is suppor ##### Patterned Fields | Field Pattern | Type | Description | -| --- | :---: | --- | +| ---- | :----: | ---- | | {name} | [`string`] | Each name or URI MUST correspond to a security scheme as described above. If the security scheme is of type `"oauth2"` or `"openIdConnect"`, then the value is a list of scope names required for the execution, and the list MAY be empty if authorization does not require a specified scope. For other security scheme types, the array MAY contain a list of role names which are required for the execution, but are not otherwise defined or exchanged in-band. | ##### Security Requirement Object Examples @@ -4356,7 +4356,7 @@ In addition, OpenAPI Descriptions are processed by a wide variety of tooling for An OpenAPI Description describes the security schemes used to protect the resources it defines. The security schemes available offer varying degrees of protection. Factors such as the sensitivity of the data and the potential impact of a security breach should guide the selection of security schemes for the API resources. Some security schemes, such as basic auth and OAuth Implicit flow, are supported for compatibility with existing APIs. However, their inclusion in OpenAPI does not constitute an endorsement of their use, particularly for highly sensitive data or operations. -The rules for connecting a [Security Requirement Object](#security-requirement-object) to a [Security Scheme Object](#security-scheme-object) under a [Components Object](#components-object) are ambiguous in a way that could be exploited. Specifically: +The rules for connecting a [Security Requirement Object](#security-requirement-object) to a [Security Scheme Object](#security-scheme-object) under a [Components Object](#components-object) are ambiguous in a way that could be exploited. Specifically: * It is implementation-defined whether a component name used by a Security Requirement Object in a referenced document is resolved from the entry document (RECOMMENDED) or the referenced document. * A Security Requirement Object that uses a URI to identify a Security Scheme Object can have the URI resolution hijacked by providing a Security Scheme component name identical to the URI, as the name lookup behavior takes precedence over URI resolution for compatibility with previous versions of the OAS. From 4ad28b5021b670682e6694f48946d9e3e44be288 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Tue, 29 Apr 2025 11:53:41 -0700 Subject: [PATCH 100/342] Allow the Encoding Object in all locations There is no reason to restrict use of the `encoding` field of the Media Type Object to Request Body Objects only. Not only does this exclude legitimate use cases of returning multipart content (particularly as we fix the support for `multipart/mixed`), it also complicates implementation by requiring the handlingn of the Media Type Object to be context-aware. This is a rare change that both simplifies implementation and adds functionality. --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 11c31c829c..12c23aa95e 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1615,7 +1615,7 @@ See [Working With Examples](#working-with-examples) for further guidance regardi | schema | [Schema Object](#schema-object) | The schema defining the content of the request, response, parameter, or header. | | example | Any | Example of the media type; see [Working With Examples](#working-with-examples). | | examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the media type; see [Working With Examples](#working-with-examples). | -| encoding | Map[`string`, [Encoding Object](#encoding-object)] | A map between a property name and its encoding information. The key, being the property name, MUST exist in the schema as a property. The `encoding` field SHALL only apply to [Request Body Objects](#request-body-object), and only when the media type is `multipart` or `application/x-www-form-urlencoded`. If no Encoding Object is provided for a property, the behavior is determined by the default values documented for the Encoding Object. | +| encoding | Map[`string`, [Encoding Object](#encoding-object)] | A map between a property name and its encoding information. The key, being the property name, MUST exist in the schema as a property. The `encoding` field SHALL only apply when the media type is `multipart` or `application/x-www-form-urlencoded`. If no Encoding Object is provided for a property, the behavior is determined by the default values documented for the Encoding Object. | This object MAY be extended with [Specification Extensions](#specification-extensions). From 2029e0f617628f787c18992da162032626bf30a5 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Tue, 29 Apr 2025 13:39:07 -0700 Subject: [PATCH 101/342] Better wording for broad Encoding Object use This removes request body-specific wording where it was present. --- src/oas.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/oas.md b/src/oas.md index 12c23aa95e..cc5568a4c6 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1759,7 +1759,7 @@ These fields MAY be used either with or without the RFC6570-style serialization | Field Name | Type | Description | | ---- | :----: | ---- | | contentType | `string` | The `Content-Type` for encoding a specific property. The value is a comma-separated list, each element of which is either a specific media type (e.g. `image/png`) or a wildcard media type (e.g. `image/*`). Default value depends on the property type as shown in the table below. | -| headers | Map[`string`, [Header Object](#header-object) \| [Reference Object](#reference-object)] | A map allowing additional information to be provided as headers. `Content-Type` is described separately and SHALL be ignored in this section. This field SHALL be ignored if the request body media type is not a `multipart`. | +| headers | Map[`string`, [Header Object](#header-object) \| [Reference Object](#reference-object)] | A map allowing additional information to be provided as headers. `Content-Type` is described separately and SHALL be ignored in this section. This field SHALL be ignored if the media type is not a `multipart`. | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -1782,9 +1782,9 @@ See [Appendix B](#appendix-b-data-type-conversion) for a discussion of data type | Field Name | Type | Description | | ---- | :----: | ---- | -| style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameter-object) for details on the [`style`](#parameter-style) field. The behavior follows the same values as `query` parameters, including default values. Note that the initial `?` used in query strings is not used in `application/x-www-form-urlencoded` message bodies, and MUST be removed (if using an RFC6570 implementation) or simply not added (if constructing the string manually). This field SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | -| explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties this field has no effect. When [`style`](#encoding-style) is `"form"`, the default value is `true`. For all other styles, the default value is `false`. Note that despite `false` being the default for `deepObject`, the combination of `false` with `deepObject` is undefined. This field SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | -| allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#section-3.4) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see Appendices [C](#appendix-c-using-rfc6570-based-serialization) and [E](#appendix-e-percent-encoding-and-form-media-types) for details. The default value is `false`. This field SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | +| style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameter-object) for details on the [`style`](#parameter-style) field. The behavior follows the same values as `query` parameters, including default values. Note that the initial `?` used in query strings is not used in `application/x-www-form-urlencoded` message bodies, and MUST be removed (if using an RFC6570 implementation) or simply not added (if constructing the string manually). This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | +| explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties this field has no effect. When [`style`](#encoding-style) is `"form"`, the default value is `true`. For all other styles, the default value is `false`. Note that despite `false` being the default for `deepObject`, the combination of `false` with `deepObject` is undefined. This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | +| allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#section-3.4) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see Appendices [C](#appendix-c-using-rfc6570-based-serialization) and [E](#appendix-e-percent-encoding-and-form-media-types) for details. The default value is `false`. This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | See also [Appendix C: Using RFC6570 Implementations](#appendix-c-using-rfc6570-based-serialization) for additional guidance, including on difficulties caused by the interaction between RFC6570's percent-encoding rules and the `multipart/form-data` media type. @@ -1793,8 +1793,8 @@ The absence of all three of those fields is the equivalent of using `content`, b ##### Encoding the `x-www-form-urlencoded` Media Type -To submit content using form url encoding via [RFC1866](https://tools.ietf.org/html/rfc1866), use the `application/x-www-form-urlencoded` media type in the [Media Type Object](#media-type-object) under the [Request Body Object](#request-body-object). -This configuration means that the request body MUST be encoded per [RFC1866](https://tools.ietf.org/html/rfc1866) when passed to the server, after any complex objects have been serialized to a string representation. +To work with content using form url encoding via [RFC1866](https://tools.ietf.org/html/rfc1866), use the `application/x-www-form-urlencoded` media type in the [Media Type Object](#media-type-object). +This configuration means that the content MUST be encoded per [RFC1866](https://tools.ietf.org/html/rfc1866) when passed to the server, after any complex objects have been serialized to a string representation. See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a detailed examination of percent-encoding concerns for form media types. From f2879df2735e2043b967ab2d376f76bc8e64a28a Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 1 May 2025 13:39:12 -0700 Subject: [PATCH 102/342] Arrange encoding information more clearly Refactor this to put the rules for mapping Encoding Objects to valules with the `encoding` field (which performs the mapping) rather than having most of it in the Encoding Object (which should focus on how to apply a single Encoding Object to a single value). This notably takes the special handling of arrays as repeated values out of the Encoding Object section (and the default `contentType` field value table) and moves it to the Media Type Object. The Encoding Object behavior is now consistent for all types, while the _mapping_ done by the `encoding` field handles the special case. The only change (as opposed to re-organization and re-wording) in this PR is the addition of a default `contentType` of `application/json` for array values, which in the context of the existing behavior is only relevant for array values nested under a top-level array. Past OAS versions were silent on this topic, and presumably it just does not come up much, but it was a gap we should fill. As dicussed in today's TDC call, we have increasing (and modern) use cases for supporting `multipart/mixed` (which we previously claimed to support but never did). This refactor makes possible future support easier by moving the array special case, which is governed by the `multipart/form-data` RFC, out of the Encoding Object (which needs to work with other `multipart` formats) and places it with the `encoding` field (which is web form-format-specific). --- src/oas.md | 62 +++++++++++++++++++++++++++++++----------------------- 1 file changed, 36 insertions(+), 26 deletions(-) diff --git a/src/oas.md b/src/oas.md index faf401ab7c..673a7c784f 100644 --- a/src/oas.md +++ b/src/oas.md @@ -84,6 +84,8 @@ Some examples of possible media type definitions: application/vnd.github.v3.patch ``` +#### Media Type Registry + ### HTTP Status Codes The HTTP Status Codes are used to indicate the status of the executed operation. @@ -1615,10 +1617,33 @@ See [Working With Examples](#working-with-examples) for further guidance regardi | schema | [Schema Object](#schema-object) | The schema defining the content of the request, response, parameter, or header. | | example | Any | Example of the media type; see [Working With Examples](#working-with-examples). | | examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the media type; see [Working With Examples](#working-with-examples). | -| encoding | Map[`string`, [Encoding Object](#encoding-object)] | A map between a property name and its encoding information. The key, being the property name, MUST exist in the schema as a property. The `encoding` field SHALL only apply when the media type is `multipart` or `application/x-www-form-urlencoded`. If no Encoding Object is provided for a property, the behavior is determined by the default values documented for the Encoding Object. | +| encoding | Map[`string`, [Encoding Object](#encoding-object)] | A map between a property name and its encoding information for media types supporting name-value pairs and allowing duplicate names, as defined under [Encoding Usage and Restrictions](#encoding-usage-and-restrictions). | + This object MAY be extended with [Specification Extensions](#specification-extensions). +##### Encoding Usage and Restrictions + +To use the `encoding` field, a `schema` MUST exist, and the `encoding` field's keys MUST exist in the schema as a property. +Array properties MUST be handled by applying the given Encoding Object to multiple parts (or query parameters) with the same `name`, as is recommended by [RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.3) for supplying multiple values per form field. +For all other property types, including array values within a top-level array, the Encoding Object MUST be applied to the entire values. + +The behavior of the `encoding` field is only defined for media types structured as name-value pairs that allow repeat values. +The order of these name-value pairs in the target media type is implementation-defined. + +For `application/x-www-form-urlencoded`, the encoding keys MUST map to parameter names, with the values produced according to the rules of the [Encoding Object](#encoding-object). +See [Encoding the `x-www-form-urlencoded` Media Type](#encoding-the-x-www-form-urlencoded-media-type) for guidance and examples, both with and without the `encoding` field. + +For `multipart/*`, the encoding keys MUST map to the [`name` parameter](https://www.rfc-editor.org/rfc/rfc7578#section-4.2) of the `Content-Disposition: form-data` header of each part. +See [RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-5) for guidance regarding non-ASCII part names. + +This usage of a `name` [`Content-Disposition` parameter](https://www.iana.org/assignments/cont-disp/cont-disp.xhtml#cont-disp-2) is defined for `multipart/form-data` ([[?RFC7578]]) and the `form-data` [`Content-Disposition` value](https://www.iana.org/assignments/cont-disp/cont-disp.xhtml#cont-disp-1). +Implementations MAY choose to support the `name` `Content-Disposition` parameter and the `encoding` field with other `multipart` formats, but this usage is unlikely to be supported by generic `multipart` implementations. + +See [Encoding `multipart` Media Types](#encoding-multipart-media-types) for further guidance and examples, both with and without the `encoding` field. + +For all media types where no mapping is defined by either this specification or the [Media Type Registry](#media-type-registry), the `encoding` field SHALL be ignored. + ##### Media Type Examples ```json @@ -1732,21 +1757,11 @@ requestBody: To upload multiple files, a `multipart` media type MUST be used as shown under [Example: Multipart Form with Multiple Files](#example-multipart-form-with-multiple-files). -##### Support for x-www-form-urlencoded Request Bodies - -See [Encoding the `x-www-form-urlencoded` Media Type](#encoding-the-x-www-form-urlencoded-media-type) for guidance and examples, both with and without the `encoding` field. - -##### Special Considerations for `multipart` Content - -See [Encoding `multipart` Media Types](#encoding-multipart-media-types) for further guidance and examples, both with and without the `encoding` field. - #### Encoding Object -A single encoding definition applied to a single schema property. -See [Appendix B](#appendix-b-data-type-conversion) for a discussion of converting values of various types to string representations. +A single encoding definition applied to a single value, as defined under [Encoding Usage and Restrictions](#encoding-usage-and-restrictions). -Properties are correlated with `multipart` parts using the [`name` parameter](https://www.rfc-editor.org/rfc/rfc7578#section-4.2) of `Content-Disposition: form-data`, and with `application/x-www-form-urlencoded` using the query string parameter names. -In both cases, their order is implementation-defined. +See [Appendix B](#appendix-b-data-type-conversion) for a discussion of converting values of various types to string representations. See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a detailed examination of percent-encoding concerns for form media types. @@ -1763,7 +1778,8 @@ These fields MAY be used either with or without the RFC6570-style serialization This object MAY be extended with [Specification Extensions](#specification-extensions). -The default values for `contentType` are as follows, where an _n/a_ in the `contentEncoding` column means that the presence or value of `contentEncoding` is irrelevant: +The default values for `contentType` are as follows, where an _n/a_ in the `contentEncoding` column means that the presence or value of `contentEncoding` is irrelevant. +This table is based on the value to which the Encoding Object is being applied, which as defined under [Encoding Usage and Restrictions](#encoding-usage-and-restrictions) is the array item for properties of type `"array"`, and the entire value for all other types. | `type` | `contentEncoding` | Default `contentType` | | ---- | ---- | ---- | @@ -1772,7 +1788,7 @@ The default values for `contentType` are as follows, where an _n/a_ in the `cont | `string` | _absent_ | `text/plain` | | `number`, `integer`, or `boolean` | _n/a_ | `text/plain` | | `object` | _n/a_ | `application/json` | -| `array` | _n/a_ | according to the `type` of the `items` schema | +| `array` | _n/a_ | `application/json` | Determining how to handle a `type` value of `null` depends on how `null` values are being serialized. If `null` values are entirely omitted, then the `contentType` is irrelevant. @@ -1880,20 +1896,13 @@ However, this is not guaranteed, so it may be more interoperable to keep the pad ##### Encoding `multipart` Media Types -It is common to use `multipart/form-data` as a `Content-Type` when transferring forms as request bodies. In contrast to OpenAPI 2.0, a `schema` is REQUIRED to define the input parameters to the operation when using `multipart` content. This supports complex structures as well as supporting mechanisms for multiple file uploads. - -The `form-data` disposition and its `name` parameter are mandatory for `multipart/form-data` ([RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.2)). -Array properties are handled by applying the same `name` to multiple parts, as is recommended by [RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.3) for supplying multiple values per form field. -See [RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-5) for guidance regarding non-ASCII part names. - -Various other `multipart` types, most notable `multipart/mixed` ([RFC2046](https://www.rfc-editor.org/rfc/rfc2046.html#section-5.1.3)) neither require nor forbid specific `Content-Disposition` values, which means care must be taken to ensure that any values used are supported by all relevant software. -It is not currently possible to correlate schema properties with unnamed, ordered parts in media types such as `multipart/mixed`, but implementations MAY choose to support such types when `Content-Disposition: form-data` is used with a `name` parameter. +See [Encoding Usage and Restrictions](#encoding-usage-and-restrictions) for guidance on correlating schema properties with parts. Note that there are significant restrictions on what headers can be used with `multipart` media types in general ([RFC2046](https://www.rfc-editor.org/rfc/rfc2046.html#section-5.1)) and `multi-part/form-data` in particular ([RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.8)). Note also that `Content-Transfer-Encoding` is deprecated for `multipart/form-data` ([RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.7)) where binary data is supported, as it is in HTTP. -+Using `contentEncoding` for a multipart field is equivalent to specifying an [Encoding Object](#encoding-object) with a `headers` field containing `Content-Transfer-Encoding` with a schema that requires the value used in `contentEncoding`. +Using `contentEncoding` for a multipart field is equivalent to specifying an [Encoding Object](#encoding-object) with a `headers` field containing `Content-Transfer-Encoding` with a schema that requires the value used in `contentEncoding`. +If `contentEncoding` is used for a multipart field that has an Encoding Object with a `headers` field containing `Content-Transfer-Encoding` with a schema that disallows the value from `contentEncoding`, the result is undefined for serialization and parsing. Note that as stated in [Working with Binary Data](#working-with-binary-data), if the Encoding Object's `contentType`, whether set explicitly or implicitly through its default value rules, disagrees with the `contentMediaType` in a Schema Object, the `contentMediaType` SHALL be ignored. @@ -1921,8 +1930,9 @@ requestBody: type: string format: binary addresses: - # default for arrays is based on the type in the `items` - # subschema, which is an object, so `application/json` + # for arrays, the Encoding Object applies to each item + # individually based on that item's type, which in this + # example is an object, so `application/json` type: array items: $ref: '#/components/schemas/Address' From 98229e0726d690104df05e508fe70a94f426cb91 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sun, 4 May 2025 10:33:02 -0700 Subject: [PATCH 103/342] Improved wording --- src/oas.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 673a7c784f..6efd25c896 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1759,7 +1759,7 @@ To upload multiple files, a `multipart` media type MUST be used as shown under [ #### Encoding Object -A single encoding definition applied to a single value, as defined under [Encoding Usage and Restrictions](#encoding-usage-and-restrictions). +A single encoding definition applied to a single value, with the mapping of Encoding Objects to values determined by the [Media Type Object](@media-type-object) as described under [Encoding Usage and Restrictions](#encoding-usage-and-restrictions). See [Appendix B](#appendix-b-data-type-conversion) for a discussion of converting values of various types to string representations. @@ -1780,6 +1780,7 @@ This object MAY be extended with [Specification Extensions](#specification-exten The default values for `contentType` are as follows, where an _n/a_ in the `contentEncoding` column means that the presence or value of `contentEncoding` is irrelevant. This table is based on the value to which the Encoding Object is being applied, which as defined under [Encoding Usage and Restrictions](#encoding-usage-and-restrictions) is the array item for properties of type `"array"`, and the entire value for all other types. +Therefore the `array` row in this table applies only to array values inside of a top-level array. | `type` | `contentEncoding` | Default `contentType` | | ---- | ---- | ---- | From 4fa8b7dcbcf072ce47be656b06b8bd9d94dc0593 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Mon, 5 May 2025 16:40:57 -0700 Subject: [PATCH 104/342] Fix wording error from copy-paste Co-authored-by: Mike Kistler --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 6efd25c896..21107ef3f4 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1624,7 +1624,7 @@ This object MAY be extended with [Specification Extensions](#specification-exten ##### Encoding Usage and Restrictions -To use the `encoding` field, a `schema` MUST exist, and the `encoding` field's keys MUST exist in the schema as a property. +To use the `encoding` field, a `schema` MUST exist, and the `encoding` field's keys MUST exist in the schema as properties. Array properties MUST be handled by applying the given Encoding Object to multiple parts (or query parameters) with the same `name`, as is recommended by [RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.3) for supplying multiple values per form field. For all other property types, including array values within a top-level array, the Encoding Object MUST be applied to the entire values. From bb0a4ca0128c14ce1be2032a22212404e7f02665 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Mon, 5 May 2025 16:41:10 -0700 Subject: [PATCH 105/342] Fix grammar. Co-authored-by: Mike Kistler --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 21107ef3f4..e02c3a1c31 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1626,7 +1626,7 @@ This object MAY be extended with [Specification Extensions](#specification-exten To use the `encoding` field, a `schema` MUST exist, and the `encoding` field's keys MUST exist in the schema as properties. Array properties MUST be handled by applying the given Encoding Object to multiple parts (or query parameters) with the same `name`, as is recommended by [RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.3) for supplying multiple values per form field. -For all other property types, including array values within a top-level array, the Encoding Object MUST be applied to the entire values. +For all other property types, including array values within a top-level array, the Encoding Object MUST be applied to the entire value. The behavior of the `encoding` field is only defined for media types structured as name-value pairs that allow repeat values. The order of these name-value pairs in the target media type is implementation-defined. From 35dc9355974ecf1391fd60e60d81abacf8a109a5 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 5 May 2025 20:48:18 -0700 Subject: [PATCH 106/342] Clarify the rationale for the encoding field The oddities of its media type support derive from its history as the OAS implementation of web forms. --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index e02c3a1c31..2397c821fa 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1628,7 +1628,7 @@ To use the `encoding` field, a `schema` MUST exist, and the `encoding` field's Array properties MUST be handled by applying the given Encoding Object to multiple parts (or query parameters) with the same `name`, as is recommended by [RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.3) for supplying multiple values per form field. For all other property types, including array values within a top-level array, the Encoding Object MUST be applied to the entire value. -The behavior of the `encoding` field is only defined for media types structured as name-value pairs that allow repeat values. +The behavior of the `encoding` field is designed to support web forms, and is therefore only defined for media types structured as name-value pairs that allow repeat values. The order of these name-value pairs in the target media type is implementation-defined. For `application/x-www-form-urlencoded`, the encoding keys MUST map to parameter names, with the values produced according to the rules of the [Encoding Object](#encoding-object). From ed6073354be60af6d3f3b0801e6587fc443af5fa Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Wed, 7 May 2025 09:14:33 -0700 Subject: [PATCH 107/342] Remove media type registry mentions for encoding. This removes the more general language allowing for future expansion with the media type registry (although the general language still had the same effect of restricting to `multipart` and `application/x-www-form-urlencoded` in practice). --- src/oas.md | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/src/oas.md b/src/oas.md index 2397c821fa..ec69a54fe9 100644 --- a/src/oas.md +++ b/src/oas.md @@ -84,8 +84,6 @@ Some examples of possible media type definitions: application/vnd.github.v3.patch ``` -#### Media Type Registry - ### HTTP Status Codes The HTTP Status Codes are used to indicate the status of the executed operation. @@ -1617,33 +1615,33 @@ See [Working With Examples](#working-with-examples) for further guidance regardi | schema | [Schema Object](#schema-object) | The schema defining the content of the request, response, parameter, or header. | | example | Any | Example of the media type; see [Working With Examples](#working-with-examples). | | examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the media type; see [Working With Examples](#working-with-examples). | -| encoding | Map[`string`, [Encoding Object](#encoding-object)] | A map between a property name and its encoding information for media types supporting name-value pairs and allowing duplicate names, as defined under [Encoding Usage and Restrictions](#encoding-usage-and-restrictions). | - +| encoding | Map[`string`, [Encoding Object](#encoding-object)] | A map between a property name and its encoding information, as defined under [Encoding Usage and Restrictions](#encoding-usage-and-restrictions). The `encoding` field SHALL only apply when the media type is `multipart` or `application/x-www-form-urlencoded`. If no Encoding Object is provided for a property, the behavior is determined by the default values documented for the Encoding Object. | This object MAY be extended with [Specification Extensions](#specification-extensions). ##### Encoding Usage and Restrictions +The `encoding` field defines how to map each [Encoding Object](#encoding-object) to a specific value in the data. + To use the `encoding` field, a `schema` MUST exist, and the `encoding` field's keys MUST exist in the schema as properties. -Array properties MUST be handled by applying the given Encoding Object to multiple parts (or query parameters) with the same `name`, as is recommended by [RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.3) for supplying multiple values per form field. -For all other property types, including array values within a top-level array, the Encoding Object MUST be applied to the entire value. +Array properties MUST be handled by applying the given Encoding Object to one part per array item, each with the same `name`, as is recommended by [[?RFC7578]] [Section 4.3](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.3) for supplying multiple values per form field. +For all other value types for both top-level non-array properties and for values, including array values, within a top-level array, the Encoding Object MUST be applied to the entire value. -The behavior of the `encoding` field is designed to support web forms, and is therefore only defined for media types structured as name-value pairs that allow repeat values. +The behavior of the `encoding` field is designed to support web forms, and is therefore only defined for media types structured as name-value pairs that allow repeat values, most notably `application/x-www-form-urlencoded` and `multipart/form-data`. The order of these name-value pairs in the target media type is implementation-defined. For `application/x-www-form-urlencoded`, the encoding keys MUST map to parameter names, with the values produced according to the rules of the [Encoding Object](#encoding-object). See [Encoding the `x-www-form-urlencoded` Media Type](#encoding-the-x-www-form-urlencoded-media-type) for guidance and examples, both with and without the `encoding` field. -For `multipart/*`, the encoding keys MUST map to the [`name` parameter](https://www.rfc-editor.org/rfc/rfc7578#section-4.2) of the `Content-Disposition: form-data` header of each part. -See [RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-5) for guidance regarding non-ASCII part names. +For `multipart`, the encoding keys MUST map to the [`name` parameter](https://www.rfc-editor.org/rfc/rfc7578#section-4.2) of the `Content-Disposition: form-data` header of each part, as is defined for `multipart/form-data` in [[?RFC7578]]. +See [[?RFC7578]] [Section 5](https://www.rfc-editor.org/rfc/rfc7578.html#section-5) for guidance regarding non-ASCII part names. -This usage of a `name` [`Content-Disposition` parameter](https://www.iana.org/assignments/cont-disp/cont-disp.xhtml#cont-disp-2) is defined for `multipart/form-data` ([[?RFC7578]]) and the `form-data` [`Content-Disposition` value](https://www.iana.org/assignments/cont-disp/cont-disp.xhtml#cont-disp-1). -Implementations MAY choose to support the `name` `Content-Disposition` parameter and the `encoding` field with other `multipart` formats, but this usage is unlikely to be supported by generic `multipart` implementations. +Other `multipart` media types are not directly supported as they do not define a mechanism for part names. +However, the usage of a `name` [`Content-Disposition` parameter](https://www.iana.org/assignments/cont-disp/cont-disp.xhtml#cont-disp-2) is defined for the `form-data` [`Content-Disposition` value](https://www.iana.org/assignments/cont-disp/cont-disp.xhtml#cont-disp-1), which is not restricted to `multipart/form-data`. +Implementations MAY choose to support the a `Conent-Disposition` of `form-data` with a `name` parameter in other `multipart` media types in order to use the `encoding` field with them, but this usage is unlikely to be supported by generic `multipart` implementations. See [Encoding `multipart` Media Types](#encoding-multipart-media-types) for further guidance and examples, both with and without the `encoding` field. -For all media types where no mapping is defined by either this specification or the [Media Type Registry](#media-type-registry), the `encoding` field SHALL be ignored. - ##### Media Type Examples ```json From 2ba61aaae8cde03c8c48136bf3c7bb953d0bb3b9 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sun, 27 Apr 2025 13:06:32 -0700 Subject: [PATCH 108/342] Sequential media type support. The fundamental approach in this change was proposed by Karen Etheridge. This adds "itemSchema" as a schema to apply to each entry in a sequential media type instance. It also defines how to map sequential media tyes for use with "schema", and explains that "schema" applies to complete content only. JSON-based and text/event-stream media types are included. Co-authored-by: Karen Etheridge --- src/oas.md | 347 +++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 310 insertions(+), 37 deletions(-) diff --git a/src/oas.md b/src/oas.md index ec69a54fe9..2158c428f1 100644 --- a/src/oas.md +++ b/src/oas.md @@ -84,6 +84,40 @@ Some examples of possible media type definitions: application/vnd.github.v3.patch ``` +JSON-based and JSON-compatible YAML-based media types can make direct use of the [Schema Object](#schema-object) as the Object uses JSON Schema. +The use of the Schema Object with other media types is handled by mapping them into the JSON Schema [instance data model](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#name-instance-data-model). +These mappings may be implicit based on the media type, or explicit based on the values of particular fields. +Each mapping is addressed where the relevant media type is discussed in this section or under the [Media Type Object](#media-type-object) or [Encoding Object](#encoding-object) + +#### Sequential Media Types + +Within this specification, a _sequential media type_ is defined as any media type that consists of a repeating structure, separated by some delimiter, without any sort of header, footer, envelope, or other metadata in addition to the sequence. + +Some examples of sequential media types (including some that are not IANA-registered but are in common use) are: + +```text + application/jsonl + application/x-ndjson + application/json-seq + application/geo+json-seq + text/event-stream +``` + +In the first three above, the repeating structure is any [JSON value](https://tools.ietf.org/html/rfc8259#section-3). +The fourth repeats `application/geo+json`-structured values, while the last repeats a custom text format related to Server-Sent Events. + +Implementations MUST support mapping sequential media types into the JSON Schema data model by treating them as if the values were in an array in the same order. + +See [Complete vs Streaming Content](#complete-vs-streaming-content) for more information on handling sequential media type in a streaming context, including special considerations for `text/event-stream` content. + +#### Media Type Registry + +While the [Schema Object](#schema-object) is designed to describe and validate JSON, several other media types are commonly used in APIs. +Requirements regarding support for other media types are documented in this Media Types section and in several Object sections later in this specification. +For convenience and future extensibility, these are cataloged in the OpenAPI Initiative's [Media Type Registry](https://spec.openapis.org/registry/media-type/), which indicates where in this specification the relevant requirements can be found. + +See also the [Media Type Object](#media-type-object) for further information on working with specific media types. + ### HTTP Status Codes The HTTP Status Codes are used to indicate the status of the executed operation. @@ -279,7 +313,7 @@ The `contentMediaType` keyword is redundant if the media type is already set: If the [Schema Object](#schema-object) will be processed by a non-OAS-aware JSON Schema implementation, it may be useful to include `contentMediaType` even if it is redundant. However, if `contentMediaType` contradicts a relevant Media Type Object or Encoding Object, then `contentMediaType` SHALL be ignored. -The `maxLength` keyword MAY be used to set an expected upper bound on the length of a streaming payload. The keyword can be applied to either string data, including encoded binary data, or to unencoded binary data. For unencoded binary, the length is the number of octets. +See [Complete vs Streaming Content](#complete-vs-streaming-content) for guidance on streaming binary payloads. ##### Migrating binary descriptions from OAS 3.0 @@ -1602,7 +1636,8 @@ content: #### Media Type Object -Each Media Type Object provides schema and examples for the media type identified by its key. +Each Media Type Object describes content structured in accordance with the media type identified by its key. +Multiple Media Type Objects can be used to describe content that can appear in any of several different media types. When `example` or `examples` are provided, the example SHOULD match the specified schema and be in the correct format as specified by the media type and its encoding. The `example` and `examples` fields are mutually exclusive, and if either is present it SHALL _override_ any `example` in the schema. @@ -1612,13 +1647,71 @@ See [Working With Examples](#working-with-examples) for further guidance regardi | Field Name | Type | Description | | ---- | :----: | ---- | -| schema | [Schema Object](#schema-object) | The schema defining the content of the request, response, parameter, or header. | +| schema | [Schema Object](#schema-object) | A schema describing the complete content of the request, response, parameter, or header. | +| itemSchema> | [Schema Object](#schema-object) | A schema describing each item within a [sequential media type](#sequential-media-types). | | example | Any | Example of the media type; see [Working With Examples](#working-with-examples). | | examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the media type; see [Working With Examples](#working-with-examples). | | encoding | Map[`string`, [Encoding Object](#encoding-object)] | A map between a property name and its encoding information, as defined under [Encoding Usage and Restrictions](#encoding-usage-and-restrictions). The `encoding` field SHALL only apply when the media type is `multipart` or `application/x-www-form-urlencoded`. If no Encoding Object is provided for a property, the behavior is determined by the default values documented for the Encoding Object. | This object MAY be extended with [Specification Extensions](#specification-extensions). +See also the [Media Type Registry](#media-type-registry). + +##### Complete vs Streaming Content + +The `schema` field MUST be applied to the complete content, as defined by the media type and the context ([Request Body Object](#request-body-object), [Response Object](#response-object), [Parameter Object](#parameter-object), or [Header Object](#header-object). +Unless some sort of streaming JSON Schema processor is available, this requires loading the entire content into memory. +This poses a challenge for streamed media, particularly streams where the client is intended to choose when to stop reading as there is no well-defined end to the stream. + +###### Binary Streams + +The `maxLength` keyword MAY be used to set an expected upper bound on the length of a streaming payload. +The keyword can be applied to either string data, including encoded binary data, or to unencoded binary data. For unencoded binary, the length is the number of octets. +For this use case, `maxLength` MAY be implemented outside of regular JSON Schema evaluation as JSON Schema does not directly apply to binary data, and an encoded binary stream may be impractical to store in memory in its entirety. + +###### Streaming Sequential Media Types + +The `itemSchema` field is provided to support streaming use case for sequential media types. +Unlike `schema`, which is applied to the complete content (treated as an array as described in the [sequential media types](#sequential-media-types) section), `itemSchema` MUST be applied to each item in the stream independently, which supports processing each item as it is read from the stream. + +Both `schema` and `itemSchema` MAY be used in the same Media Type Object, although doing so is unlikely to have significant advantages over using the `items` keyword within the `schema` field. +OpenAPI Description authors are responsible for avoiding the use of the `schema` in any situation where tooling may not be able to discern when the content is complete. +For example, if partial content is read from a stream and then passed with the `schema` value to a schema evaluator that is unaware of the stream context, the results are well-defined but will not be meaningful in terms of validating a keyword like `maxItems` as there may be additional items in the stream that are unknown to the schema evaluator. + +##### Special Considerations for `text/event-stream` Content + +For `text/event-stream`, each item in the array MUST be treated as if it were a JSON object with property names taken from the left side of the `:`, property values from the right side, and consecutive lines with the same name treated as a single property, with the value combined in accordance with the [`text/event-stream` specification](https://html.spec.whatwg.org/multipage/iana.html#text/event-stream). + +Field names can be repeated within an item to allow splitting the value across multiple lines; such split values MUST be treated the same as if they were a single field, with newlines added as required by the [`text/event-stream` specification](https://html.spec.whatwg.org/multipage/iana.html#text/event-stream). + +The `text/event-stream` specification requires that fields with Unknown names, as well as `id` fields where the value contains `U+0000 NULL` be ignored. +These fields SHOULD NOT be present in the data used with the Schema Object. + +Field value types MUST be handled as specified by the `text/event-stream` specification (e.g. the `retry` field value is modeled as a JSON number that is expected to be of JSON Schema `type: integer`), and fields not given an explicit value type MUST be handled as strings. + +Some users of `text/event-stream` use a format such as JSON for field values, particularly the `data` field. +Use JSON Schema's keywords for working with the [contents of string-encoded data](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#name-a-vocabulary-for-the-conten), particularly `contentMediaType` and `contentSchema`, to describe and validate such fields with more detail than string-related validation keywords such as `pattern` can support. +Note that `contentSchema` is [not automatically validated by default](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#name-implementation-requirements-2) (see also the [Non-validating constraint keywords](#non-validating-constraint-keywords) section of this specification). + +The following Schema Object is a generic schema for the `text/event-stream` media type as documented by the HTML specification as of the time of this writing: + +```YAML +type: array +items: + type: object + required: + - data + properties: + data: + type: string + event: + type: string + id: + type: string + retry: + type: integer +``` + ##### Encoding Usage and Restrictions The `encoding` field defines how to map each [Encoding Object](#encoding-object) to a specific value in the data. @@ -1644,40 +1737,12 @@ See [Encoding `multipart` Media Types](#encoding-multipart-media-types) for furt ##### Media Type Examples -```json -{ - "application/json": { - "schema": { - "$ref": "#/components/schemas/Pet" - }, - "examples": { - "cat": { - "summary": "An example of a cat", - "value": { - "name": "Fluffy", - "petType": "Cat", - "color": "White", - "gender": "male", - "breed": "Persian" - } - }, - "dog": { - "summary": "An example of a dog with a cat's name", - "value": { - "name": "Puma", - "petType": "Dog", - "color": "Black", - "gender": "Female", - "breed": "Mixed" - } - }, - "frog": { - "$ref": "#/components/examples/frog-example" - } - } - } -} -``` +For form-related media type examples, see the [Encoding Object](#encoding-object). + +###### JSON + +Note that since this example is written in YAML, the Example Object `value` field can be formatted as YAML due to the trivial conversion to JSON. +This avoids needing to embed JSON as a string. ```yaml application/json: @@ -1704,6 +1769,214 @@ application/json: $ref: '#/components/examples/frog-example' ``` +Alternatively, since all JSON is valid YAML, the example value can use JSON syntax within a YAML document: + +```yaml +application/json: + schema: + $ref: '#/components/schemas/Pet' + examples: + cat: + summary: An example of a cat + value: { + "name": "Fluffy", + "petType": "Cat", + "color": "White", + "gender": "male", + "breed": "Persian" + } + dog: + summary: An example of a dog with a cat's name + value: { + "name": "Puma", + "petType": "Dog", + "color": "Black", + "gender": "Female", + "breed": "Mixed" + } + frog: + $ref: '#/components/examples/frog-example' +``` + +###### Sequential JSON + +For any [sequential media type](#sequential-media-types) where the items in the sequence are JSON values, no conversion of each value is required. +JSON Text Sequences ([[?RFC7464]] `application/json-seq` and [[?RFC8091]] the `+json-seq` structured suffix), [JSON Lines](https://jsonlines.org/) (`application/jsonl`), and [NDJSON](https://github.com/ndjson/ndjson-spec) (`application/x-ndjson`) are all in this category. +Note that the media types for JSON Lines and NDJSON are not registered with the IANA, but are in common use. + +The following example shows Media Type Objects for both streaming log entries and returning a fixed-length set in response to a query. +This shows the relationship between `schema` and `itemSchema`, and when to use each even though the `examples` field is the same either way. + +```YAML +components: + schemas: + LogEntry: + type: object + properties: + timestamp: + type: string + format: date-time + level: + type: integer + minimum: 0 + message: + type: string + Log: + type: array + items: + $ref: "#/components/schemas/LogEntry" + maxItems: 100 + examples: + LogJSONSeq: + summary: Log entries in application/json-seq + # JSON Text Sequences require an unprintable character + # that cannot be escaped in a YAML string, and therefore + # must be placed in an external document shown below + externalValue: examples/log.json-seq + LogJSONPerLine: + summary: Log entries in application/jsonl or application/x-ndjson + description: JSONL and NDJSON are identical for this example + # Note that the value must be written as a string with newlines, + # as JSONL and NDJSON are not valid YAML + value: | + {"timestamp": "1985-04-12T23:20:50.52Z", "level": 1, "message": "Hi!"} + {"timestamp": "1985-04-12T23:20:51.37Z", "level": 1, "message": "Bye!"} + responses: + LogStream: + description: | + A stream of JSON-format log messages that can be read + for as long as the application is running, and is available + in any of the sequential JSON media types. + content: + application/json-seq: + itemSchema: + $ref: "#/components/schemas/LogEntry" + examples: + JSON-SEQ: + $ref: "#/components/examples/LogJSONSeq" + application/jsonl: + itemSchema: + $ref: "#/components/schemas/LogEntry" + examples: + JSONL: + $ref: "#/components/examples/LogJSONPerLine" + application/x-ndjson: + itemSchema: + $ref: "#/components/schemas/LogEntry" + examples: + NDJSON: + $ref: "#/components/examples/LogJSONPerLine" + LogExcerpt: + description: | + A response consisting of no more than 100 log records, + generally as a result of a query of the historical log, + available in any of the sequential JSON media types. + content: + application/json-seq: + schema: + $ref: "#/components/schemas/Log" + examples: + JSON-SEQ: + $ref: "#/components/examples/LogJSONSeq" + application/jsonl: + schema: + $ref: "#/components/schemas/Log" + examples: + JSONL: + $ref: "#/components/examples/LogJSONPerLine" + application/x-ndjson: + schema: + $ref: "#/components/schemas/Log" + examples: + NDJSON: + $ref: "#/components/examples/LogJSONPerLine" +``` + +Our `application/json-seq` example has to be an external document because of the use of both newlines and of the unprintable Record Separator (`0x1E`) character, which cannot be escaped in YAML block literals: + +```JSONSEQ +0x1E{ + "timestamp": "1985-04-12T23:20:50.52Z", + "level": 1, + "message": "Hi!" +} +0x1E{ + "timestamp": "1985-04-12T23:20:51.37Z", + "level": 1, + "message": "Bye!" +} +``` + +###### Server-Sent Event Streams + +For this example, assume that the generic event schema provided in the "Special Considerations for `text/event-stream` Content" section is available at `#/components/schemas/Event`: + +```YAML +description: A request body to add a stream of typed data. +required: true +content: + text/event-stream: + itemSchema: + $ref: "#/components/schemas/Event" + required: [event] + oneOf: + - properties: + event: + const: addString + - properties: + event: + const: addNumber + data: + $comment: | + Since the data field is a string, + we need a format to signal that + it should be handled as a number + format: double + - properties: + event: + const: addJson + data: + $comment: | + These content fields indicate + that the string value should + be parsed and validated as a + JSON document (since JSON is not + a binary format, contentEncoding + is not needed) + contentMediaType: application/json + contentSchema: + type: object + required: [foo] + properties: + foo: + type: integer +``` + +The following `text/event-stream` document is an example of a valid request body for the above example: + +```EVENTSTREAM +event: addString +data: This data is formatted +data: across two lines +retry: 5 + +event: addNumber +data: 1234.5678 +unknownField: this is ignored + +: This is a comment +event: addJSON +data: {"foo": 42} +``` + +To more clearly see how this stream is handled, the following is the equivalent JSON Lines document, which shows how the numeric and JSON data are handled as strings, and how unknown fields and comments are ignored and not passed to schema validation: + +```JSONL +{"event": "addString", "data": "This data is formatted\nacross two lines", "retry": 5} +{"event": "addNumber", "data": "1234.5678"} +{"event": "addJSON", "data": "{\"foo\": 42}"} +``` + ##### Considerations for File Uploads In contrast to OpenAPI 2.0, `file` input/output content in OAS 3.x is described with the same semantics as any other schema type. From 4d8ea025e17187bdccacd7ff58ac7d6d7c27c063 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sun, 27 Apr 2025 16:01:31 -0700 Subject: [PATCH 109/342] Schema for itemSchema Media Type Object field Co-authored-by: Karen Etheridge --- src/schemas/validation/schema.yaml | 2 ++ tests/schema/pass/media-type-examples.yaml | 5 ++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 3f804ad16b..f03bc55586 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -505,6 +505,8 @@ $defs: properties: schema: $dynamicRef: '#meta' + itemSchema: + $dynamicRef: '#meta' encoding: type: object additionalProperties: diff --git a/tests/schema/pass/media-type-examples.yaml b/tests/schema/pass/media-type-examples.yaml index dd71a42008..3a8e880f7a 100644 --- a/tests/schema/pass/media-type-examples.yaml +++ b/tests/schema/pass/media-type-examples.yaml @@ -30,6 +30,9 @@ paths: breed: Mixed frog: $ref: '#/components/examples/frog-example' + application/jsonl: + itemSchema: + $ref: '#components/schemas/Pet' application/x-www-form-urlencoded: schema: type: object @@ -94,4 +97,4 @@ paths: allowReserved: true forCoverage2: style: spaceDelimited - explode: true \ No newline at end of file + explode: true From 1950075ac5a00e2c883b13934b72d6655a4e5ba6 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Mon, 28 Apr 2025 15:11:13 -0700 Subject: [PATCH 110/342] Remove stray markup character Co-authored-by: Greg Dennis --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 2158c428f1..223923b320 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1648,7 +1648,7 @@ See [Working With Examples](#working-with-examples) for further guidance regardi | Field Name | Type | Description | | ---- | :----: | ---- | | schema | [Schema Object](#schema-object) | A schema describing the complete content of the request, response, parameter, or header. | -| itemSchema> | [Schema Object](#schema-object) | A schema describing each item within a [sequential media type](#sequential-media-types). | +| itemSchema | [Schema Object](#schema-object) | A schema describing each item within a [sequential media type](#sequential-media-types). | | example | Any | Example of the media type; see [Working With Examples](#working-with-examples). | | examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the media type; see [Working With Examples](#working-with-examples). | | encoding | Map[`string`, [Encoding Object](#encoding-object)] | A map between a property name and its encoding information, as defined under [Encoding Usage and Restrictions](#encoding-usage-and-restrictions). The `encoding` field SHALL only apply when the media type is `multipart` or `application/x-www-form-urlencoded`. If no Encoding Object is provided for a property, the behavior is determined by the default values documented for the Encoding Object. | From c5832538eaf8c472e2887a94f39532a422925d14 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 28 Apr 2025 22:27:05 -0700 Subject: [PATCH 111/342] text/event-stream improvements Add a few more details. --- src/oas.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index 223923b320..9b085b1073 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1680,11 +1680,12 @@ For example, if partial content is read from a stream and then passed with the ` ##### Special Considerations for `text/event-stream` Content -For `text/event-stream`, each item in the array MUST be treated as if it were a JSON object with property names taken from the left side of the `:`, property values from the right side, and consecutive lines with the same name treated as a single property, with the value combined in accordance with the [`text/event-stream` specification](https://html.spec.whatwg.org/multipage/iana.html#text/event-stream). +For `text/event-stream`, each item in the array MUST be treated as if it were a JSON object with property names taken from the left side of the `:` (or the enter non-empty line if no ":" is present), property values from the right side, and consecutive lines with the same name treated as a single property, with the value combined in accordance with the [`text/event-stream` specification](https://html.spec.whatwg.org/multipage/iana.html#text/event-stream). Field names can be repeated within an item to allow splitting the value across multiple lines; such split values MUST be treated the same as if they were a single field, with newlines added as required by the [`text/event-stream` specification](https://html.spec.whatwg.org/multipage/iana.html#text/event-stream). +Similarly, when a field name appears without a value, the value MUST be treated as an empty string. -The `text/event-stream` specification requires that fields with Unknown names, as well as `id` fields where the value contains `U+0000 NULL` be ignored. +The `text/event-stream` specification requires that fields with Unknown names, as well as `id` fields where the value contains `U+0000 NULL` and `retry` fields with characters other than ASCII digits be ignored. These fields SHOULD NOT be present in the data used with the Schema Object. Field value types MUST be handled as specified by the `text/event-stream` specification (e.g. the `retry` field value is modeled as a JSON number that is expected to be of JSON Schema `type: integer`), and fields not given an explicit value type MUST be handled as strings. @@ -1710,6 +1711,7 @@ items: type: string retry: type: integer + minimum: 0 ``` ##### Encoding Usage and Restrictions From d5916fd05eeabed9674ae8a66d9fd4a7ee1de696 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Tue, 29 Apr 2025 11:44:40 -0700 Subject: [PATCH 112/342] Better text/event-stream reference Co-authored-by: Thomas Rooney --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 9b085b1073..aacc69610a 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1682,7 +1682,7 @@ For example, if partial content is read from a stream and then passed with the ` For `text/event-stream`, each item in the array MUST be treated as if it were a JSON object with property names taken from the left side of the `:` (or the enter non-empty line if no ":" is present), property values from the right side, and consecutive lines with the same name treated as a single property, with the value combined in accordance with the [`text/event-stream` specification](https://html.spec.whatwg.org/multipage/iana.html#text/event-stream). -Field names can be repeated within an item to allow splitting the value across multiple lines; such split values MUST be treated the same as if they were a single field, with newlines added as required by the [`text/event-stream` specification](https://html.spec.whatwg.org/multipage/iana.html#text/event-stream). +Field names can be repeated within an item to allow splitting the value across multiple lines; such split values MUST be treated the same as if they were a single field, with newlines added as required by the [`text/event-stream` specification](https://html.spec.whatwg.org/multipage/server-sent-events.html#parsing-an-event-stream). Similarly, when a field name appears without a value, the value MUST be treated as an empty string. The `text/event-stream` specification requires that fields with Unknown names, as well as `id` fields where the value contains `U+0000 NULL` and `retry` fields with characters other than ASCII digits be ignored. From bd20d6d984983ed29ca8312377befe4644e939e7 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Tue, 29 Apr 2025 11:46:22 -0700 Subject: [PATCH 113/342] Clarify streaming binary/string usage. Tighten up the wording a bit to ensure the scope of this technique is immediately clear. --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index aacc69610a..2f2949c60d 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1665,8 +1665,8 @@ This poses a challenge for streamed media, particularly streams where the client ###### Binary Streams -The `maxLength` keyword MAY be used to set an expected upper bound on the length of a streaming payload. -The keyword can be applied to either string data, including encoded binary data, or to unencoded binary data. For unencoded binary, the length is the number of octets. +The `maxLength` keyword MAY be used to set an expected upper bound on the length of a streaming payload that consists of either string data, including encoded binary data, or to unencoded binary data. +For unencoded binary, the length is the number of octets. For this use case, `maxLength` MAY be implemented outside of regular JSON Schema evaluation as JSON Schema does not directly apply to binary data, and an encoded binary stream may be impractical to store in memory in its entirety. ###### Streaming Sequential Media Types From e83d8ed04cc41916761b90b79ae7f25e9d943c48 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Tue, 29 Apr 2025 11:50:28 -0700 Subject: [PATCH 114/342] Use the same text/event-stream spec everywhere --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 2f2949c60d..b27e73293b 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1680,7 +1680,7 @@ For example, if partial content is read from a stream and then passed with the ` ##### Special Considerations for `text/event-stream` Content -For `text/event-stream`, each item in the array MUST be treated as if it were a JSON object with property names taken from the left side of the `:` (or the enter non-empty line if no ":" is present), property values from the right side, and consecutive lines with the same name treated as a single property, with the value combined in accordance with the [`text/event-stream` specification](https://html.spec.whatwg.org/multipage/iana.html#text/event-stream). +For `text/event-stream`, each item in the array MUST be treated as if it were a JSON object with property names taken from the left side of the `:` (or the enter non-empty line if no ":" is present), property values from the right side, and consecutive lines with the same name treated as a single property, with the value combined in accordance with the [`text/event-stream` specification](https://html.spec.whatwg.org/multipage/server-sent-events.html#parsing-an-event-stream). Field names can be repeated within an item to allow splitting the value across multiple lines; such split values MUST be treated the same as if they were a single field, with newlines added as required by the [`text/event-stream` specification](https://html.spec.whatwg.org/multipage/server-sent-events.html#parsing-an-event-stream). Similarly, when a field name appears without a value, the value MUST be treated as an empty string. From 4093055685299faa5c3d34adde1af3d41076a8b1 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Tue, 29 Apr 2025 21:29:12 -0700 Subject: [PATCH 115/342] Better wording: content vs media Co-authored-by: Dan Hudlow --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index b27e73293b..2509d4d22a 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1661,7 +1661,7 @@ See also the [Media Type Registry](#media-type-registry). The `schema` field MUST be applied to the complete content, as defined by the media type and the context ([Request Body Object](#request-body-object), [Response Object](#response-object), [Parameter Object](#parameter-object), or [Header Object](#header-object). Unless some sort of streaming JSON Schema processor is available, this requires loading the entire content into memory. -This poses a challenge for streamed media, particularly streams where the client is intended to choose when to stop reading as there is no well-defined end to the stream. +This poses a challenge for streamed content, particularly streams where the client is intended to choose when to stop reading as there is no well-defined end to the stream. ###### Binary Streams From ef309c28f0a10644bf5e6e309eab8d1feb4a9901 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Wed, 30 Apr 2025 21:22:13 -0700 Subject: [PATCH 116/342] Clarified wording Co-authored-by: Dan Hudlow --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 2509d4d22a..e096ca9fb2 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1676,7 +1676,7 @@ Unlike `schema`, which is applied to the complete content (treated as an array a Both `schema` and `itemSchema` MAY be used in the same Media Type Object, although doing so is unlikely to have significant advantages over using the `items` keyword within the `schema` field. OpenAPI Description authors are responsible for avoiding the use of the `schema` in any situation where tooling may not be able to discern when the content is complete. -For example, if partial content is read from a stream and then passed with the `schema` value to a schema evaluator that is unaware of the stream context, the results are well-defined but will not be meaningful in terms of validating a keyword like `maxItems` as there may be additional items in the stream that are unknown to the schema evaluator. +For example, if partial content is read from a stream and then passed with the `schema` value to a schema evaluator that is unaware of the stream context, the results will not be meaningful as there may be additional items in the stream that are necessary to or prohibitive of successful validation. ##### Special Considerations for `text/event-stream` Content From 8c4869cb9508ab2f04dc69dac2f991617b265db3 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Thu, 1 May 2025 08:27:36 -0700 Subject: [PATCH 117/342] Fix plural Co-authored-by: Dan Hudlow --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index e096ca9fb2..8c9b4cb6dd 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1671,7 +1671,7 @@ For this use case, `maxLength` MAY be implemented outside of regular JSON Schema ###### Streaming Sequential Media Types -The `itemSchema` field is provided to support streaming use case for sequential media types. +The `itemSchema` field is provided to support streaming use cases for sequential media types. Unlike `schema`, which is applied to the complete content (treated as an array as described in the [sequential media types](#sequential-media-types) section), `itemSchema` MUST be applied to each item in the stream independently, which supports processing each item as it is read from the stream. Both `schema` and `itemSchema` MAY be used in the same Media Type Object, although doing so is unlikely to have significant advantages over using the `items` keyword within the `schema` field. From 98647df7f26ea8a96d5e0087e9e95df3a60c5380 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 1 May 2025 08:39:11 -0700 Subject: [PATCH 118/342] Review feedback from hudlow This streamlines the text/event-stream discussion and makes a few other tweaks based on feedback from @hudlow. --- src/oas.md | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/src/oas.md b/src/oas.md index 8c9b4cb6dd..c91cda8abb 100644 --- a/src/oas.md +++ b/src/oas.md @@ -91,7 +91,7 @@ Each mapping is addressed where the relevant media type is discussed in this sec #### Sequential Media Types -Within this specification, a _sequential media type_ is defined as any media type that consists of a repeating structure, separated by some delimiter, without any sort of header, footer, envelope, or other metadata in addition to the sequence. +Within this specification, a _sequential media type_ is defined as any media type that consists of a repeating structure, without any sort of header, footer, envelope, or other metadata in addition to the sequence. Some examples of sequential media types (including some that are not IANA-registered but are in common use) are: @@ -1660,8 +1660,8 @@ See also the [Media Type Registry](#media-type-registry). ##### Complete vs Streaming Content The `schema` field MUST be applied to the complete content, as defined by the media type and the context ([Request Body Object](#request-body-object), [Response Object](#response-object), [Parameter Object](#parameter-object), or [Header Object](#header-object). -Unless some sort of streaming JSON Schema processor is available, this requires loading the entire content into memory. -This poses a challenge for streamed content, particularly streams where the client is intended to choose when to stop reading as there is no well-defined end to the stream. +Because this requires loading the content into memory in its entirety, it poses a challenge for streamed content. +Use cases where client is intended to choose when to stop reading are particularly challenging as there is no well-defined end to the stream. ###### Binary Streams @@ -1680,13 +1680,7 @@ For example, if partial content is read from a stream and then passed with the ` ##### Special Considerations for `text/event-stream` Content -For `text/event-stream`, each item in the array MUST be treated as if it were a JSON object with property names taken from the left side of the `:` (or the enter non-empty line if no ":" is present), property values from the right side, and consecutive lines with the same name treated as a single property, with the value combined in accordance with the [`text/event-stream` specification](https://html.spec.whatwg.org/multipage/server-sent-events.html#parsing-an-event-stream). - -Field names can be repeated within an item to allow splitting the value across multiple lines; such split values MUST be treated the same as if they were a single field, with newlines added as required by the [`text/event-stream` specification](https://html.spec.whatwg.org/multipage/server-sent-events.html#parsing-an-event-stream). -Similarly, when a field name appears without a value, the value MUST be treated as an empty string. - -The `text/event-stream` specification requires that fields with Unknown names, as well as `id` fields where the value contains `U+0000 NULL` and `retry` fields with characters other than ASCII digits be ignored. -These fields SHOULD NOT be present in the data used with the Schema Object. +For `text/event-stream`, implementations MUST work with event data after it has been parsed according to the [`text/event-stream` specification](https://html.spec.whatwg.org/multipage/server-sent-events.html#parsing-an-event-stream), including all guidance on ignoring certain fields (including comments) and/or values, and on combining values split across multiple lines. Field value types MUST be handled as specified by the `text/event-stream` specification (e.g. the `retry` field value is modeled as a JSON number that is expected to be of JSON Schema `type: integer`), and fields not given an explicit value type MUST be handled as strings. From eb66cba75c94e40476ffe6219b77441cf39eb157 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 1 May 2025 10:34:57 -0700 Subject: [PATCH 119/342] Remove caveat leftover from previous approach When we did not have `itemSchema`, we needed more guidance about improper use of `schema`, but we don't really need it now. --- src/oas.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/oas.md b/src/oas.md index c91cda8abb..f7f42363b4 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1674,9 +1674,8 @@ For this use case, `maxLength` MAY be implemented outside of regular JSON Schema The `itemSchema` field is provided to support streaming use cases for sequential media types. Unlike `schema`, which is applied to the complete content (treated as an array as described in the [sequential media types](#sequential-media-types) section), `itemSchema` MUST be applied to each item in the stream independently, which supports processing each item as it is read from the stream. -Both `schema` and `itemSchema` MAY be used in the same Media Type Object, although doing so is unlikely to have significant advantages over using the `items` keyword within the `schema` field. -OpenAPI Description authors are responsible for avoiding the use of the `schema` in any situation where tooling may not be able to discern when the content is complete. -For example, if partial content is read from a stream and then passed with the `schema` value to a schema evaluator that is unaware of the stream context, the results will not be meaningful as there may be additional items in the stream that are necessary to or prohibitive of successful validation. +Both `schema` and `itemSchema` MAY be used in the same Media Type Object. +However, doing so is unlikely to have significant advantages over using the `items` keyword within the `schema` field. ##### Special Considerations for `text/event-stream` Content From 5ab5b050e290be2746f59065f5bd3f0db9c159c0 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Fri, 2 May 2025 10:08:30 -0700 Subject: [PATCH 120/342] Fix wording Co-authored-by: Mike Kistler --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index f7f42363b4..e20418673c 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1665,7 +1665,7 @@ Use cases where client is intended to choose when to stop reading are particular ###### Binary Streams -The `maxLength` keyword MAY be used to set an expected upper bound on the length of a streaming payload that consists of either string data, including encoded binary data, or to unencoded binary data. +The `maxLength` keyword MAY be used to set an expected upper bound on the length of a streaming payload that consists of either string data, including encoded binary data, or unencoded binary data. For unencoded binary, the length is the number of octets. For this use case, `maxLength` MAY be implemented outside of regular JSON Schema evaluation as JSON Schema does not directly apply to binary data, and an encoded binary stream may be impractical to store in memory in its entirety. From 072c562c568726e005e73072f32add8bb06b1862 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 3 May 2025 18:28:23 -0700 Subject: [PATCH 121/342] Fix event-stream event schema It was wrapped in an array left over from the previous attempt at writing up this feature. --- src/oas.md | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/src/oas.md b/src/oas.md index e20418673c..66644f430f 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1690,21 +1690,19 @@ Note that `contentSchema` is [not automatically validated by default](https://ww The following Schema Object is a generic schema for the `text/event-stream` media type as documented by the HTML specification as of the time of this writing: ```YAML -type: array -items: - type: object - required: - - data - properties: - data: - type: string - event: - type: string - id: - type: string - retry: - type: integer - minimum: 0 +type: object +required: +- data +properties: + data: + type: string + event: + type: string + id: + type: string + retry: + type: integer + minimum: 0 ``` ##### Encoding Usage and Restrictions From 58f67f74459601e4c6b07eeb84f2c8ba8114a688 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 8 May 2025 11:03:33 -0700 Subject: [PATCH 122/342] int64 instead of double for numeric string example The format registry currently doesn't specify that double works with strings, so pick something that works with strings as of now. --- src/oas.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/oas.md b/src/oas.md index 66644f430f..f2e4eeb749 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1918,13 +1918,13 @@ content: const: addString - properties: event: - const: addNumber + const: addInt64 data: $comment: | Since the data field is a string, - we need a format to signal that - it should be handled as a number - format: double + we need a format to signal that it + should be handled as a 64-bit integer. + format: int64 - properties: event: const: addJson @@ -1953,7 +1953,7 @@ data: This data is formatted data: across two lines retry: 5 -event: addNumber +event: addInt64 data: 1234.5678 unknownField: this is ignored @@ -1966,7 +1966,7 @@ To more clearly see how this stream is handled, the following is the equivalent ```JSONL {"event": "addString", "data": "This data is formatted\nacross two lines", "retry": 5} -{"event": "addNumber", "data": "1234.5678"} +{"event": "addInt64", "data": "1234.5678"} {"event": "addJSON", "data": "{\"foo\": 42}"} ``` From 7bd8a15ecb6f8952acec93426bb9c60d8e093bcd Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 28 Feb 2025 07:03:31 -0800 Subject: [PATCH 123/342] Add `$self` for self-identifying documents This adds `$self` as a way for a document to define its own URI for use in reference targets, and as the base URI for relative URI references in the document. This does not impact the resolution of relative API URLs. --- src/oas.md | 184 ++++++++++++++++++++++++++++- src/schemas/validation/schema.yaml | 5 + 2 files changed, 186 insertions(+), 3 deletions(-) diff --git a/src/oas.md b/src/oas.md index f2e4eeb749..c4249d1997 100644 --- a/src/oas.md +++ b/src/oas.md @@ -342,13 +342,165 @@ Note that some URI fields are named `url` for historical reasons, but the descri Unless specified otherwise, all fields that are URIs MAY be relative references as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-4.2). -Relative references in [Schema Objects](#schema-object), including any that appear as `$id` values, use the nearest parent `$id` as a Base URI, as described by [JSON Schema Specification Draft 2020-12](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-8.2). +#### Establishing the Base URI -Relative URI references in other Objects, and in Schema Objects where no parent schema contains an `$id`, MUST be resolved using the referring document's base URI, which is determined in accordance with [[RFC3986]] [Section 5.1.2 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.2). -In practice, this is usually the retrieval URI of the document, which MAY be determined based on either its current actual location or a user-supplied expected location. +Relative URI references are resolved using the appropriate base URI, which MUST be determined in accordance with [[RFC3986]] [Section 5.1.1 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.1) and, for Schema objects, [JSON Schema draft 2020-12 Section 8.2](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-8.2), as illustrated by the examles below. + +The most common base URI source in the absence of the [OpenAPI Object's](#openapi-object) `$self` or the [Schema Object's](#schema-object) `$id` is the retrieval URI. +Implementations MAY support document retrieval, although see the [Security Considerations](#security-considerations) sections for additional guidance. +Even if retrieval is supported, it may be impossible due to network configuration or server unavailability (including the server hosting an older version while a new version is in development), or undesirable due to performance impacts. +Therefore, all implementations SHOULD allow users to provide the intended retrieval URI for each document so that references can be resolved as if retrievals were performed. + +##### Examples of Base URI Determination and Reference Resolution + +###### Base URI Within Content + +A base URI within the resource's content (RFC3986 Section 5.1.1) is the highest-precedence source of a base URI. +For OpenAPI Documents, this source is the OpenAPI Object's `$self` field, while for Schema Objects that contain a `$id`, or are a subschema of a Schema Object containing a `$id`, the source is the `$id` field: + +```YAML +openapi: 3.2.0 +$self: https://example.com/openapi +info: + title: Example API + version: 1.0 +components: + requestBodies: + Foo: + content: + application/json: + schema: + $ref: schemas/foo + schemas: + Foo: + $id: https://example.com/api/schemas/foo + properties: + bar: + $ref: bar + Bar: + $id: https://example.com/api/schemas/bar + type: string +``` + +In the example above, the `$ref` in the Request Body Object is resolved using `$self` as the base URI, producing `https://example.com/schemas/foo`. +This matches the `$id` at `#/components/schemas/Foo/$id` so it points to that Schema Object. +That Schema Object has a subschema with `$ref: bar`, which is resolved against the `$id` to produce `https://example.com/schemas/bar`, which matches the `$id` at `#/components/schemas/Bar/$id`. + +Note that referring to a schema with a JSON Pointer that crosses a Schema Object with a `$id` [is not interoperable](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#name-json-pointer-fragments-and-). +The JSON Schema specification does not address the case of using a pointer _to_ a Schema Object containing an `$id` without crossing into that Schema Object. +Therefore it is RECOMMENDED that OAD authors use `$id` values to reference such schemas rather than JSON Pointers. + +Note also that it is impossible for the reference at `#/components/schemas/Foo/properties/bar/$ref` to reference the schema at `#/components/schemas/Bar` using a JSON Pointer, as the JSON Pointer would be resolved relative to `https://example.com/schemas/foo`, not to the OpenAPI Document's base URI from `$self`. + + +###### Base URI From Encapsulating Entity + +If no base URI can be determined within the content, the next location to search is any encapsulating entity (RFC3986 Section 5.1.2). + +This is common for Schema Objects encapsulated within an OpenAPI Document. +An example of an OpenAPI Document itself being encapsulated in another entity would be a `multipart/related` archive ([[?RFC2557]]), such as the following `multipart/related; boundary="boundary-example"; type="application/openapi+yaml"` document. +Note that this is purely an example, and support for such multipart documents or any other format that could encapsulate an OpenAPI Document is not a requirement of this specification. + +```MULTIPART +--boundary-example +Content-Type: application/openapi+yaml +Content-Location: https://inaccessible-domain.com/api/openapi.yaml + +openapi: 3.2.0 +info: + title: Example API + version: 1.0 + externalDocs: + url: docs.html +components: + requestBodies: + Foo: + content: + application/json: + schema: + $ref: "#/components/api/schemas/Foo" + schemas: + Foo: + properties: + bar: + $ref: schemas/bar + +--boundary-example +Content-Type: application/schema+json; schema=https://spec.openapis.org/oas/3.2/schema-base/YYYY-MM-DD +Content-Location: https://example.com/api/schemas/bar + +{ + "type": "string" +} + +--boundary-example +Content-Type: text/html +Content-Location: https://example.com/api/docs.html + + + + API Documentation + + +

Awesome documentation goes here

+ + +``` + +In this example, the URI for each part, which also serves as its base URI, comes from the part's `Content-Location` header as specified by RFC2557. +Since the Schema Object at `#/components/schemas/Foo` does not contain an `$id`, the reference in its subschema uses the OpenAPI Document's base URI, which is taken from the `Content-Location` header of its part within the `multipart/related` format. +The resulting reference to `https://example.com/schemas/bar` matches the `Content-Location` header of the second part, which allows the reference target to be located within the multipart archive. + +Similarly, the `url` field of the [External Documentation Object](#external-documentation-object) is resolved against the base URI from `Content-Location`, producing `https://example.com/api/docs.html` which matches the `Content-Location` of the third part. + +###### Base URI From the Retrieval URI + +If no base URI is provided from either of the previous sources, the next source is the retrieval URI (RFC 3986 Section 5.1.3). + +For this example, assume that the YAML OpenAPI Document was retrieved from `https://example.com/api/openapis.yaml` and the JSON Schema document from `https://example.com/api/schemas/foo` + +Assume this document was retrieved from `https://example.com/api/openapis.yaml`: + +```YAML +openapi: 3.2.0 +info: + title: Example API + version: 1.0 +components: + requestBodies: + Foo: + content: + application/json: + schema: + $ref: schemas/foo +``` + +Assume this document was retrieved from `https://example.com/api/schemas/foo`: + +```JSON +{ + "type": "object", + "properties": { + "bar": { + "type": "string" + } + } +} +``` + +Resolving the `$ref: schemas/foo` against the retrieval URI of the OpenAPI Document produces `https://example.com/api/schemas/foo`, the retrieval URI of the JSON Schema document. + +###### Application-Specific Default Base URI + +When constructing an OpenAPI Document in memory that does not have a `$self`, or an encapsulating entity, or a retrieval URI, applications can resolve internal (fragment-only) references by assuming a default base URI (RFC3986 Section 5.1.4). +While this sort of internal resolution an be performed in practice without choosing a base URI, choosing one avoids the need to implement it as a special case. + +#### Resolving URI fragments If a URI contains a fragment identifier, then the fragment should be resolved per the fragment resolution mechanism of the referenced document. If the representation of the referenced document is JSON or YAML, then the fragment identifier SHOULD be interpreted as a JSON-Pointer as per [RFC6901](https://tools.ietf.org/html/rfc6901). +#### Relative URI References in CommonMark Fields + Relative references in CommonMark hyperlinks are resolved in their rendered context, which might differ from the context of the API description. ### Relative References in API URLs @@ -356,8 +508,29 @@ Relative references in CommonMark hyperlinks are resolved in their rendered cont API endpoints are by definition accessed as locations, and are described by this specification as **_URLs_**. Unless specified otherwise, all fields that are URLs MAY be relative references as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-4.2). + +Because the API Is a distinct entity from the OpenAPI Document, RFC3986's base URI rules for the OpenAPI Document do not apply. Unless specified otherwise, relative references are resolved using the URLs defined in the [Server Object](#server-object) as a Base URL. Note that these themselves MAY be relative to the referring document. +#### Examples of API Base URL Determination + +Assume a retrieval URI of `https://device1.example.com` for the following OpenAPI Document: + +```YAML +openapi: 3.2.0 +$self: https://apidescriptions.example.com/foo +info: + title: Example API + version: 1.0 +servers: +- url: . + description: The production API on this device +- url: ./test + description: The test API on this device +``` + +For API URLs, the `$self` field, which identifies the OpenAPI Document, is ignored, and the retrieval URI is used instead. This produces a normalized production URL of `https://device1.example.com`, and a normalized test URL of `https://device1.example.com/test`. + ### Schema This section describes the structure of the OpenAPI Description format. @@ -376,6 +549,7 @@ This is the root object of the [OpenAPI Description](#openapi-description). | Field Name | Type | Description | | ---- | :----: | ---- | | openapi | `string` | **REQUIRED**. This string MUST be the [version number](#versions) of the OpenAPI Specification that the OpenAPI Document uses. The `openapi` field SHOULD be used by tooling to interpret the OpenAPI Document. This is _not_ related to the API [`info.version`](#info-version) string. | +| $self | `string` | This string MUST be in the form of an absolute URI as defined by [[RFC3986]] [Section 4.3](https://www.rfc-editor.org/rfc/rfc3986#section-4.3). The `$self` field provides the self-assigned URI of this document, which also serves as its base URI in accordance with [[RFC3986]] [Section 5.1.1](https://www.rfc-editor.org/rfc/rfc3986#section-5.1.1). Implementations MUST support identifying the targets of [API description URIs](#relative-references-in-api-description-uris) using the URI defined by this field when it is present. See [Establishing the Base URI](#establishing-the-base-uri) for the base URI behavior when `$self` is absent, and for examples of using `$self` to resolve references. | | info | [Info Object](#info-object) | **REQUIRED**. Provides metadata about the API. The metadata MAY be used by tooling as required. | | jsonSchemaDialect | `string` | The default value for the `$schema` keyword within [Schema Objects](#schema-object) contained within this OAS document. This MUST be in the form of a URI. | | servers | [[Server Object](#server-object)] | An array of Server Objects, which provide connectivity information to a target server. If the `servers` field is not provided, or is an empty array, the default value would be a [Server Object](#server-object) with a [url](#server-url) value of `/`. | @@ -388,6 +562,8 @@ This is the root object of the [OpenAPI Description](#openapi-description). This object MAY be extended with [Specification Extensions](#specification-extensions). +Implementations MAY choose to support referencing OpenAPI Documents that contain `$self` by another URI such as the retrieval URI, however this behavior is not interoperable and relying on it is NOT RECOMMENDED. + #### Info Object The object provides metadata about the API. @@ -516,6 +692,8 @@ An object representing a Server. This object MAY be extended with [Specification Extensions](#specification-extensions). +See [Examples of API Base URL Determination](#examples-of-api-base-url-determination) for examples of resolving relative server URLs. + ##### Server Object Example A single server would be described as: diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index f03bc55586..cc57c62530 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -8,6 +8,11 @@ properties: openapi: type: string pattern: '^3\.2\.\d+(-.+)?$' + $self: + type: string + format: uri + $comment: MUST NOT contain a fragment + pattern: '^[^#]*$' info: $ref: '#/$defs/info' jsonSchemaDialect: From 71ec162344cbbdb9f6d5e6ce3cac2cb0f67353f4 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Tue, 29 Apr 2025 17:37:02 -0700 Subject: [PATCH 124/342] Fix missing multipart boundary --- src/oas.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index c4249d1997..cbf0de1123 100644 --- a/src/oas.md +++ b/src/oas.md @@ -424,7 +424,6 @@ components: properties: bar: $ref: schemas/bar - --boundary-example Content-Type: application/schema+json; schema=https://spec.openapis.org/oas/3.2/schema-base/YYYY-MM-DD Content-Location: https://example.com/api/schemas/bar @@ -432,7 +431,6 @@ Content-Location: https://example.com/api/schemas/bar { "type": "string" } - --boundary-example Content-Type: text/html Content-Location: https://example.com/api/docs.html @@ -445,6 +443,7 @@ Content-Location: https://example.com/api/docs.html

Awesome documentation goes here

+--boundary-example ``` In this example, the URI for each part, which also serves as its base URI, comes from the part's `Content-Location` header as specified by RFC2557. From db9f6435e11ff907382ff5c426cc1f4d161935e4 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Tue, 29 Apr 2025 20:38:26 -0700 Subject: [PATCH 125/342] Move base URI examples to appendix --- src/oas.md | 288 ++++++++++++++++++++++++++--------------------------- 1 file changed, 144 insertions(+), 144 deletions(-) diff --git a/src/oas.md b/src/oas.md index cbf0de1123..986e2e4e3b 100644 --- a/src/oas.md +++ b/src/oas.md @@ -344,156 +344,13 @@ Unless specified otherwise, all fields that are URIs MAY be relative references #### Establishing the Base URI -Relative URI references are resolved using the appropriate base URI, which MUST be determined in accordance with [[RFC3986]] [Section 5.1.1 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.1) and, for Schema objects, [JSON Schema draft 2020-12 Section 8.2](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-8.2), as illustrated by the examles below. +Relative URI references are resolved using the appropriate base URI, which MUST be determined in accordance with [[RFC3986]] [Section 5.1.1 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.1) and, for Schema objects, [JSON Schema draft 2020-12 Section 8.2](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-8.2), as illustrated by the examles in [Appendix G: Examples of Base URI Determination and Reference Resolution](#appendix-g-examples-of-base-uri-determination-and-reference-resolution). The most common base URI source in the absence of the [OpenAPI Object's](#openapi-object) `$self` or the [Schema Object's](#schema-object) `$id` is the retrieval URI. Implementations MAY support document retrieval, although see the [Security Considerations](#security-considerations) sections for additional guidance. Even if retrieval is supported, it may be impossible due to network configuration or server unavailability (including the server hosting an older version while a new version is in development), or undesirable due to performance impacts. Therefore, all implementations SHOULD allow users to provide the intended retrieval URI for each document so that references can be resolved as if retrievals were performed. -##### Examples of Base URI Determination and Reference Resolution - -###### Base URI Within Content - -A base URI within the resource's content (RFC3986 Section 5.1.1) is the highest-precedence source of a base URI. -For OpenAPI Documents, this source is the OpenAPI Object's `$self` field, while for Schema Objects that contain a `$id`, or are a subschema of a Schema Object containing a `$id`, the source is the `$id` field: - -```YAML -openapi: 3.2.0 -$self: https://example.com/openapi -info: - title: Example API - version: 1.0 -components: - requestBodies: - Foo: - content: - application/json: - schema: - $ref: schemas/foo - schemas: - Foo: - $id: https://example.com/api/schemas/foo - properties: - bar: - $ref: bar - Bar: - $id: https://example.com/api/schemas/bar - type: string -``` - -In the example above, the `$ref` in the Request Body Object is resolved using `$self` as the base URI, producing `https://example.com/schemas/foo`. -This matches the `$id` at `#/components/schemas/Foo/$id` so it points to that Schema Object. -That Schema Object has a subschema with `$ref: bar`, which is resolved against the `$id` to produce `https://example.com/schemas/bar`, which matches the `$id` at `#/components/schemas/Bar/$id`. - -Note that referring to a schema with a JSON Pointer that crosses a Schema Object with a `$id` [is not interoperable](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#name-json-pointer-fragments-and-). -The JSON Schema specification does not address the case of using a pointer _to_ a Schema Object containing an `$id` without crossing into that Schema Object. -Therefore it is RECOMMENDED that OAD authors use `$id` values to reference such schemas rather than JSON Pointers. - -Note also that it is impossible for the reference at `#/components/schemas/Foo/properties/bar/$ref` to reference the schema at `#/components/schemas/Bar` using a JSON Pointer, as the JSON Pointer would be resolved relative to `https://example.com/schemas/foo`, not to the OpenAPI Document's base URI from `$self`. - - -###### Base URI From Encapsulating Entity - -If no base URI can be determined within the content, the next location to search is any encapsulating entity (RFC3986 Section 5.1.2). - -This is common for Schema Objects encapsulated within an OpenAPI Document. -An example of an OpenAPI Document itself being encapsulated in another entity would be a `multipart/related` archive ([[?RFC2557]]), such as the following `multipart/related; boundary="boundary-example"; type="application/openapi+yaml"` document. -Note that this is purely an example, and support for such multipart documents or any other format that could encapsulate an OpenAPI Document is not a requirement of this specification. - -```MULTIPART ---boundary-example -Content-Type: application/openapi+yaml -Content-Location: https://inaccessible-domain.com/api/openapi.yaml - -openapi: 3.2.0 -info: - title: Example API - version: 1.0 - externalDocs: - url: docs.html -components: - requestBodies: - Foo: - content: - application/json: - schema: - $ref: "#/components/api/schemas/Foo" - schemas: - Foo: - properties: - bar: - $ref: schemas/bar ---boundary-example -Content-Type: application/schema+json; schema=https://spec.openapis.org/oas/3.2/schema-base/YYYY-MM-DD -Content-Location: https://example.com/api/schemas/bar - -{ - "type": "string" -} ---boundary-example -Content-Type: text/html -Content-Location: https://example.com/api/docs.html - - - - API Documentation - - -

Awesome documentation goes here

- - ---boundary-example -``` - -In this example, the URI for each part, which also serves as its base URI, comes from the part's `Content-Location` header as specified by RFC2557. -Since the Schema Object at `#/components/schemas/Foo` does not contain an `$id`, the reference in its subschema uses the OpenAPI Document's base URI, which is taken from the `Content-Location` header of its part within the `multipart/related` format. -The resulting reference to `https://example.com/schemas/bar` matches the `Content-Location` header of the second part, which allows the reference target to be located within the multipart archive. - -Similarly, the `url` field of the [External Documentation Object](#external-documentation-object) is resolved against the base URI from `Content-Location`, producing `https://example.com/api/docs.html` which matches the `Content-Location` of the third part. - -###### Base URI From the Retrieval URI - -If no base URI is provided from either of the previous sources, the next source is the retrieval URI (RFC 3986 Section 5.1.3). - -For this example, assume that the YAML OpenAPI Document was retrieved from `https://example.com/api/openapis.yaml` and the JSON Schema document from `https://example.com/api/schemas/foo` - -Assume this document was retrieved from `https://example.com/api/openapis.yaml`: - -```YAML -openapi: 3.2.0 -info: - title: Example API - version: 1.0 -components: - requestBodies: - Foo: - content: - application/json: - schema: - $ref: schemas/foo -``` - -Assume this document was retrieved from `https://example.com/api/schemas/foo`: - -```JSON -{ - "type": "object", - "properties": { - "bar": { - "type": "string" - } - } -} -``` - -Resolving the `$ref: schemas/foo` against the retrieval URI of the OpenAPI Document produces `https://example.com/api/schemas/foo`, the retrieval URI of the JSON Schema document. - -###### Application-Specific Default Base URI - -When constructing an OpenAPI Document in memory that does not have a `$self`, or an encapsulating entity, or a retrieval URI, applications can resolve internal (fragment-only) references by assuming a default base URI (RFC3986 Section 5.1.4). -While this sort of internal resolution an be performed in practice without choosing a base URI, choosing one avoids the need to implement it as a special case. - #### Resolving URI fragments If a URI contains a fragment identifier, then the fragment should be resolved per the fragment resolution mechanism of the referenced document. If the representation of the referenced document is JSON or YAML, then the fragment identifier SHOULD be interpreted as a JSON-Pointer as per [RFC6901](https://tools.ietf.org/html/rfc6901). @@ -5338,3 +5195,146 @@ components: ``` In the `other` document, the referenced path item has a Security Requirement for a Security Scheme, `MySecurity`. The same Security Scheme exists in the original entry document. As outlined in [Resolving Implicit Connections](#resolving-implicit-connections), `MySecurity` is resolved with an [implementation-defined behavior](#undefined-and-implementation-defined-behavior). However, documented in that section, it is RECOMMENDED that tools resolve component names from the [entry document](#openapi-description-structure). As with all implementation-defined behavior, it is important to check tool documentation to determine which behavior is supported. + +## Appendix G: Examples of Base URI Determination and Reference Resolution + +### Base URI Within Content + +A base URI within the resource's content (RFC3986 Section 5.1.1) is the highest-precedence source of a base URI. +For OpenAPI Documents, this source is the OpenAPI Object's `$self` field, while for Schema Objects that contain a `$id`, or are a subschema of a Schema Object containing a `$id`, the source is the `$id` field: + +```YAML +openapi: 3.2.0 +$self: https://example.com/openapi +info: + title: Example API + version: 1.0 +components: + requestBodies: + Foo: + content: + application/json: + schema: + $ref: schemas/foo + schemas: + Foo: + $id: https://example.com/api/schemas/foo + properties: + bar: + $ref: bar + Bar: + $id: https://example.com/api/schemas/bar + type: string +``` + +In the example above, the `$ref` in the Request Body Object is resolved using `$self` as the base URI, producing `https://example.com/schemas/foo`. +This matches the `$id` at `#/components/schemas/Foo/$id` so it points to that Schema Object. +That Schema Object has a subschema with `$ref: bar`, which is resolved against the `$id` to produce `https://example.com/schemas/bar`, which matches the `$id` at `#/components/schemas/Bar/$id`. + +Note that referring to a schema with a JSON Pointer that crosses a Schema Object with a `$id` [is not interoperable](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#name-json-pointer-fragments-and-). +The JSON Schema specification does not address the case of using a pointer _to_ a Schema Object containing an `$id` without crossing into that Schema Object. +Therefore it is RECOMMENDED that OAD authors use `$id` values to reference such schemas rather than JSON Pointers. + +Note also that it is impossible for the reference at `#/components/schemas/Foo/properties/bar/$ref` to reference the schema at `#/components/schemas/Bar` using a JSON Pointer, as the JSON Pointer would be resolved relative to `https://example.com/schemas/foo`, not to the OpenAPI Document's base URI from `$self`. + + +### Base URI From Encapsulating Entity + +If no base URI can be determined within the content, the next location to search is any encapsulating entity (RFC3986 Section 5.1.2). + +This is common for Schema Objects encapsulated within an OpenAPI Document. +An example of an OpenAPI Document itself being encapsulated in another entity would be a `multipart/related` archive ([[?RFC2557]]), such as the following `multipart/related; boundary="boundary-example"; type="application/openapi+yaml"` document. +Note that this is purely an example, and support for such multipart documents or any other format that could encapsulate an OpenAPI Document is not a requirement of this specification. + +```MULTIPART +--boundary-example +Content-Type: application/openapi+yaml +Content-Location: https://inaccessible-domain.com/api/openapi.yaml + +openapi: 3.2.0 +info: + title: Example API + version: 1.0 + externalDocs: + url: docs.html +components: + requestBodies: + Foo: + content: + application/json: + schema: + $ref: "#/components/api/schemas/Foo" + schemas: + Foo: + properties: + bar: + $ref: schemas/bar +--boundary-example +Content-Type: application/schema+json; schema=https://spec.openapis.org/oas/3.2/schema-base/YYYY-MM-DD +Content-Location: https://example.com/api/schemas/bar + +{ + "type": "string" +} +--boundary-example +Content-Type: text/html +Content-Location: https://example.com/api/docs.html + + + + API Documentation + + +

Awesome documentation goes here

+ + +--boundary-example +``` + +In this example, the URI for each part, which also serves as its base URI, comes from the part's `Content-Location` header as specified by RFC2557. +Since the Schema Object at `#/components/schemas/Foo` does not contain an `$id`, the reference in its subschema uses the OpenAPI Document's base URI, which is taken from the `Content-Location` header of its part within the `multipart/related` format. +The resulting reference to `https://example.com/schemas/bar` matches the `Content-Location` header of the second part, which allows the reference target to be located within the multipart archive. + +Similarly, the `url` field of the [External Documentation Object](#external-documentation-object) is resolved against the base URI from `Content-Location`, producing `https://example.com/api/docs.html` which matches the `Content-Location` of the third part. + +### Base URI From the Retrieval URI + +If no base URI is provided from either of the previous sources, the next source is the retrieval URI (RFC 3986 Section 5.1.3). + +For this example, assume that the YAML OpenAPI Document was retrieved from `https://example.com/api/openapis.yaml` and the JSON Schema document from `https://example.com/api/schemas/foo` + +Assume this document was retrieved from `https://example.com/api/openapis.yaml`: + +```YAML +openapi: 3.2.0 +info: + title: Example API + version: 1.0 +components: + requestBodies: + Foo: + content: + application/json: + schema: + $ref: schemas/foo +``` + +Assume this document was retrieved from `https://example.com/api/schemas/foo`: + +```JSON +{ + "type": "object", + "properties": { + "bar": { + "type": "string" + } + } +} +``` + +Resolving the `$ref: schemas/foo` against the retrieval URI of the OpenAPI Document produces `https://example.com/api/schemas/foo`, the retrieval URI of the JSON Schema document. + +### Application-Specific Default Base URI + +When constructing an OpenAPI Document in memory that does not have a `$self`, or an encapsulating entity, or a retrieval URI, applications can resolve internal (fragment-only) references by assuming a default base URI (RFC3986 Section 5.1.4). +While this sort of internal resolution an be performed in practice without choosing a base URI, choosing one avoids the need to implement it as a special case. From 2832652e1e6c126a4f9f95ec1c0982d368a2c2b1 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Wed, 30 Apr 2025 12:14:43 -0700 Subject: [PATCH 126/342] Improved examples Including fixing a bug in one of the URIs. --- src/oas.md | 33 ++++++++++++++++++++++++++++----- 1 file changed, 28 insertions(+), 5 deletions(-) diff --git a/src/oas.md b/src/oas.md index 986e2e4e3b..f07d7c7dfe 100644 --- a/src/oas.md +++ b/src/oas.md @@ -5203,19 +5203,36 @@ In the `other` document, the referenced path item has a Security Requirement for A base URI within the resource's content (RFC3986 Section 5.1.1) is the highest-precedence source of a base URI. For OpenAPI Documents, this source is the OpenAPI Object's `$self` field, while for Schema Objects that contain a `$id`, or are a subschema of a Schema Object containing a `$id`, the source is the `$id` field: +Assume the retrieval URI of the following document is `file://home/someone/src/api/openapi.yaml`: + ```YAML openapi: 3.2.0 -$self: https://example.com/openapi +$self: https://example.com/api/openapi info: title: Example API version: 1.0 +paths: + /foo: + get: + requestBody: + $ref: "shared#/components/requestBodies/Foo" +``` + +Assume the retrieval URI for the following document is `https://git.example.com/shared/blob/main/shared/foo.yaml`: + +```YAML +openapi: 3.2.0 +$self: https://example.com/api/shared/foo +info: + title: Shared components for all APIs + version: 1.0 components: requestBodies: Foo: content: application/json: schema: - $ref: schemas/foo + $ref: ../schemas/foo schemas: Foo: $id: https://example.com/api/schemas/foo @@ -5227,7 +5244,12 @@ components: type: string ``` -In the example above, the `$ref` in the Request Body Object is resolved using `$self` as the base URI, producing `https://example.com/schemas/foo`. +In this example, the retrieval URIs are irrelevant because both documents define `$self`. + +For the relative `$ref` in the first document, it is resolved against `$self` to produce `https://example.com/shared/foo#/components/requestBodies/Foo`. +The portion of that URI before the '#' matches the `$self` of the second document, so the reference target is resolved to `#/components/requestBodies/Foo` in that second document. + +In that document, the `$ref` in the Request Body Object is resolved using that document's `$self` as the base URI, producing `https://example.com/schemas/foo`. This matches the `$id` at `#/components/schemas/Foo/$id` so it points to that Schema Object. That Schema Object has a subschema with `$ref: bar`, which is resolved against the `$id` to produce `https://example.com/schemas/bar`, which matches the `$id` at `#/components/schemas/Bar/$id`. @@ -5237,7 +5259,6 @@ Therefore it is RECOMMENDED that OAD authors use `$id` values to reference such Note also that it is impossible for the reference at `#/components/schemas/Foo/properties/bar/$ref` to reference the schema at `#/components/schemas/Bar` using a JSON Pointer, as the JSON Pointer would be resolved relative to `https://example.com/schemas/foo`, not to the OpenAPI Document's base URI from `$self`. - ### Base URI From Encapsulating Entity If no base URI can be determined within the content, the next location to search is any encapsulating entity (RFC3986 Section 5.1.2). @@ -5246,6 +5267,8 @@ This is common for Schema Objects encapsulated within an OpenAPI Document. An example of an OpenAPI Document itself being encapsulated in another entity would be a `multipart/related` archive ([[?RFC2557]]), such as the following `multipart/related; boundary="boundary-example"; type="application/openapi+yaml"` document. Note that this is purely an example, and support for such multipart documents or any other format that could encapsulate an OpenAPI Document is not a requirement of this specification. +RFC2557 was written to allow sending hyperlinked sets of documents as email attachments, in which case there would not be a retrieval URI for the multipart attachment (although the format could also be used in HTTP as well). + ```MULTIPART --boundary-example Content-Type: application/openapi+yaml @@ -5293,7 +5316,7 @@ Content-Location: https://example.com/api/docs.html In this example, the URI for each part, which also serves as its base URI, comes from the part's `Content-Location` header as specified by RFC2557. Since the Schema Object at `#/components/schemas/Foo` does not contain an `$id`, the reference in its subschema uses the OpenAPI Document's base URI, which is taken from the `Content-Location` header of its part within the `multipart/related` format. -The resulting reference to `https://example.com/schemas/bar` matches the `Content-Location` header of the second part, which allows the reference target to be located within the multipart archive. +The resulting reference to `https://example.com/schemas/bar` matches the `Content-Location` header of the second part, which according to RFC2557 allows the reference target to be located within the multipart archive. Similarly, the `url` field of the [External Documentation Object](#external-documentation-object) is resolved against the base URI from `Content-Location`, producing `https://example.com/api/docs.html` which matches the `Content-Location` of the third part. From 4435fd3d7b96094e13a44feeae3369bade0d9e46 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 3 May 2025 18:31:39 -0700 Subject: [PATCH 127/342] Fix more example bugs Never change your directory structure halfway through writing examples... --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index f07d7c7dfe..e110ccc235 100644 --- a/src/oas.md +++ b/src/oas.md @@ -5215,7 +5215,7 @@ paths: /foo: get: requestBody: - $ref: "shared#/components/requestBodies/Foo" + $ref: "shared/foo#/components/requestBodies/Foo" ``` Assume the retrieval URI for the following document is `https://git.example.com/shared/blob/main/shared/foo.yaml`: @@ -5249,7 +5249,7 @@ In this example, the retrieval URIs are irrelevant because both documents define For the relative `$ref` in the first document, it is resolved against `$self` to produce `https://example.com/shared/foo#/components/requestBodies/Foo`. The portion of that URI before the '#' matches the `$self` of the second document, so the reference target is resolved to `#/components/requestBodies/Foo` in that second document. -In that document, the `$ref` in the Request Body Object is resolved using that document's `$self` as the base URI, producing `https://example.com/schemas/foo`. +In that document, the `$ref` in the Request Body Object is resolved using that document's `$self` as the base URI, producing `https://example.com/api/schemas/foo`. This matches the `$id` at `#/components/schemas/Foo/$id` so it points to that Schema Object. That Schema Object has a subschema with `$ref: bar`, which is resolved against the `$id` to produce `https://example.com/schemas/bar`, which matches the `$id` at `#/components/schemas/Bar/$id`. From 182ca17dfb348597328c5456ca2d0a440e6ccb85 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 8 May 2025 10:12:41 -0700 Subject: [PATCH 128/342] All example URI paths start with /api/... Fix the $self resolution examples to consistently use /api/, which is used in all of the relevant base URIs and is not impacted by any of the relative paths. --- src/oas.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/oas.md b/src/oas.md index e110ccc235..cfe8453e81 100644 --- a/src/oas.md +++ b/src/oas.md @@ -5246,18 +5246,18 @@ components: In this example, the retrieval URIs are irrelevant because both documents define `$self`. -For the relative `$ref` in the first document, it is resolved against `$self` to produce `https://example.com/shared/foo#/components/requestBodies/Foo`. +For the relative `$ref` in the first document, it is resolved against `$self` to produce `https://example.com/api/shared/foo#/components/requestBodies/Foo`. The portion of that URI before the '#' matches the `$self` of the second document, so the reference target is resolved to `#/components/requestBodies/Foo` in that second document. In that document, the `$ref` in the Request Body Object is resolved using that document's `$self` as the base URI, producing `https://example.com/api/schemas/foo`. This matches the `$id` at `#/components/schemas/Foo/$id` so it points to that Schema Object. -That Schema Object has a subschema with `$ref: bar`, which is resolved against the `$id` to produce `https://example.com/schemas/bar`, which matches the `$id` at `#/components/schemas/Bar/$id`. +That Schema Object has a subschema with `$ref: bar`, which is resolved against the `$id` to produce `https://example.com/api/schemas/bar`, which matches the `$id` at `#/components/schemas/Bar/$id`. Note that referring to a schema with a JSON Pointer that crosses a Schema Object with a `$id` [is not interoperable](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#name-json-pointer-fragments-and-). The JSON Schema specification does not address the case of using a pointer _to_ a Schema Object containing an `$id` without crossing into that Schema Object. Therefore it is RECOMMENDED that OAD authors use `$id` values to reference such schemas rather than JSON Pointers. -Note also that it is impossible for the reference at `#/components/schemas/Foo/properties/bar/$ref` to reference the schema at `#/components/schemas/Bar` using a JSON Pointer, as the JSON Pointer would be resolved relative to `https://example.com/schemas/foo`, not to the OpenAPI Document's base URI from `$self`. +Note also that it is impossible for the reference at `#/components/schemas/Foo/properties/bar/$ref` to reference the schema at `#/components/schemas/Bar` using a JSON Pointer, as the JSON Pointer would be resolved relative to `https://example.com/api/schemas/foo`, not to the OpenAPI Document's base URI from `$self`. ### Base URI From Encapsulating Entity From 7be51a40042ae45d37b95f67863b594615041232 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 8 May 2025 11:02:16 -0700 Subject: [PATCH 129/342] Allow relative `$self`, include examples This also further clarifies the need to use `$self` in reference targets for interoperability even if other URIs might work in some cases. --- src/oas.md | 61 ++++++++++++++++++++++++++++-- src/schemas/validation/schema.yaml | 2 +- 2 files changed, 59 insertions(+), 4 deletions(-) diff --git a/src/oas.md b/src/oas.md index cfe8453e81..57e54504b3 100644 --- a/src/oas.md +++ b/src/oas.md @@ -346,7 +346,9 @@ Unless specified otherwise, all fields that are URIs MAY be relative references Relative URI references are resolved using the appropriate base URI, which MUST be determined in accordance with [[RFC3986]] [Section 5.1.1 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.1) and, for Schema objects, [JSON Schema draft 2020-12 Section 8.2](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-8.2), as illustrated by the examles in [Appendix G: Examples of Base URI Determination and Reference Resolution](#appendix-g-examples-of-base-uri-determination-and-reference-resolution). -The most common base URI source in the absence of the [OpenAPI Object's](#openapi-object) `$self` or the [Schema Object's](#schema-object) `$id` is the retrieval URI. +If `$self` is a relative URI-reference, it is resolved agains the next possible base URI source ([[RFC3986]] [Section 5.1.2 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.2)) before being used for the resolution of other relative URI-references. + +The most common base URI source that is used in the event of a missing or relative `$self` (in the [OpenAPI Object](#openapi-object)) and (for [Schema Object](#schema-object)) `$id` is the retrieval URI. Implementations MAY support document retrieval, although see the [Security Considerations](#security-considerations) sections for additional guidance. Even if retrieval is supported, it may be impossible due to network configuration or server unavailability (including the server hosting an older version while a new version is in development), or undesirable due to performance impacts. Therefore, all implementations SHOULD allow users to provide the intended retrieval URI for each document so that references can be resolved as if retrievals were performed. @@ -405,7 +407,7 @@ This is the root object of the [OpenAPI Description](#openapi-description). | Field Name | Type | Description | | ---- | :----: | ---- | | openapi | `string` | **REQUIRED**. This string MUST be the [version number](#versions) of the OpenAPI Specification that the OpenAPI Document uses. The `openapi` field SHOULD be used by tooling to interpret the OpenAPI Document. This is _not_ related to the API [`info.version`](#info-version) string. | -| $self | `string` | This string MUST be in the form of an absolute URI as defined by [[RFC3986]] [Section 4.3](https://www.rfc-editor.org/rfc/rfc3986#section-4.3). The `$self` field provides the self-assigned URI of this document, which also serves as its base URI in accordance with [[RFC3986]] [Section 5.1.1](https://www.rfc-editor.org/rfc/rfc3986#section-5.1.1). Implementations MUST support identifying the targets of [API description URIs](#relative-references-in-api-description-uris) using the URI defined by this field when it is present. See [Establishing the Base URI](#establishing-the-base-uri) for the base URI behavior when `$self` is absent, and for examples of using `$self` to resolve references. | +| $self | `string` | This string MUST be in the form of a URI-reference as defined by [[RFC3986]] [Section 4.1](https://www.rfc-editor.org/rfc/rfc3986#section-4.1). The `$self` field provides the self-assigned URI of this document, which also serves as its base URI in accordance with [[RFC3986]] [Section 5.1.1](https://www.rfc-editor.org/rfc/rfc3986#section-5.1.1). Implementations MUST support identifying the targets of [API description URIs](#relative-references-in-api-description-uris) using the URI defined by this field when it is present. See [Establishing the Base URI](#establishing-the-base-uri) for the base URI behavior when `$self` is absent or relative, and see [Appendix G]((#appendix-g-examples-of-base-uri-determination-and-reference-resolution)) for examples of using `$self` to resolve references. | | info | [Info Object](#info-object) | **REQUIRED**. Provides metadata about the API. The metadata MAY be used by tooling as required. | | jsonSchemaDialect | `string` | The default value for the `$schema` keyword within [Schema Objects](#schema-object) contained within this OAS document. This MUST be in the form of a URI. | | servers | [[Server Object](#server-object)] | An array of Server Objects, which provide connectivity information to a target server. If the `servers` field is not provided, or is an empty array, the default value would be a [Server Object](#server-object) with a [url](#server-url) value of `/`. | @@ -419,6 +421,7 @@ This is the root object of the [OpenAPI Description](#openapi-description). This object MAY be extended with [Specification Extensions](#specification-extensions). Implementations MAY choose to support referencing OpenAPI Documents that contain `$self` by another URI such as the retrieval URI, however this behavior is not interoperable and relying on it is NOT RECOMMENDED. +OAD authors MUST write references using the target document's `$self` URI in order to have interoperable behavior. #### Info Object @@ -5198,6 +5201,8 @@ In the `other` document, the referenced path item has a Security Requirement for ## Appendix G: Examples of Base URI Determination and Reference Resolution +This section shows each of the four possible sources of base URIs, followed by an example with a relative `$self` and `$id`. + ### Base URI Within Content A base URI within the resource's content (RFC3986 Section 5.1.1) is the highest-precedence source of a base URI. @@ -5360,4 +5365,54 @@ Resolving the `$ref: schemas/foo` against the retrieval URI of the OpenAPI Docum ### Application-Specific Default Base URI When constructing an OpenAPI Document in memory that does not have a `$self`, or an encapsulating entity, or a retrieval URI, applications can resolve internal (fragment-only) references by assuming a default base URI (RFC3986 Section 5.1.4). -While this sort of internal resolution an be performed in practice without choosing a base URI, choosing one avoids the need to implement it as a special case. +While this sort of internal resolution an be performed in practice without choosing a base URI, choosing one, such as a URN with a randomly generated UUID (e.g. `urn:uuid:f26cdaad-3193-4398-a838-4ecb7326c4c5`) avoids the need to implement it as a special case. + +### Resolving Relative `$self` and `$id` + +Let's re-consider the first example in this appendix, but with relative URI-references for `$self` and `$id`, and retrieval URLs that support that relative usage: + + +Assume that the following is retrieved from `https://staging.example.com/api/openapi`: + +```YAML +openapi: 3.2.0 +$self: /api/openapi +info: + title: Example API + version: 1.0 +paths: + /foo: + get: + requestBody: + $ref: "shared/foo#/components/requestBodies/Foo" +``` + +Assume the retrieval URI for the following document is `https://staging.example.com/api/shared/foo`: + +```YAML +openapi: 3.2.0 +$self: /api/shared/foo +info: + title: Shared components for all APIs + version: 1.0 +components: + requestBodies: + Foo: + content: + application/json: + schema: + $ref: ../schemas/foo + schemas: + Foo: + $id: /api/schemas/foo + properties: + bar: + $ref: bar + Bar: + $id: /api/schemas/bar + type: string +``` + +In this example, All of the `$self` and `$id` values are relative URI-references consisting of an absolute path. +This allows the retrieval URL to set the host (and scheme), in this case `https://staging.example.com`, resulting in the first document's `$self` being `https://staging.example.com/openapi`, and the second document's `$self` being `https://staging.example.com/api/shared/foo`, with `$id` values of `https://staging.example.com/api/schemas/foo` and `https://staging.example.com/api/schemas/bar`. +Relative `$self` and `$id` values of this sort allow the same set of documents to work when deployed to other hosts, e.g. `https://example.com` (production) or `https://localhost:8080` (local development). diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index cc57c62530..bbaa260abf 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -10,7 +10,7 @@ properties: pattern: '^3\.2\.\d+(-.+)?$' $self: type: string - format: uri + format: uri-reference $comment: MUST NOT contain a fragment pattern: '^[^#]*$' info: From 4068c092c63d4599050ea2559c79a13a01245a04 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sun, 11 May 2025 08:33:58 -0700 Subject: [PATCH 130/342] Fix another base URI example bug --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 57e54504b3..baec25b134 100644 --- a/src/oas.md +++ b/src/oas.md @@ -5277,7 +5277,7 @@ RFC2557 was written to allow sending hyperlinked sets of documents as email atta ```MULTIPART --boundary-example Content-Type: application/openapi+yaml -Content-Location: https://inaccessible-domain.com/api/openapi.yaml +Content-Location: https://example.com/api/openapi.yaml openapi: 3.2.0 info: From c817eb7fcc6844bc679f6bc18a2236b648c3cdbb Mon Sep 17 00:00:00 2001 From: Vladimir Gorej Date: Tue, 17 Dec 2024 15:41:45 +0100 Subject: [PATCH 131/342] Editorial change: Link Object points to Operation Object --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index f2e4eeb749..351a618664 100644 --- a/src/oas.md +++ b/src/oas.md @@ -230,7 +230,7 @@ In some cases, an unambiguous URI-based alternative is available, and OAD author | [Security Requirement Object](#security-requirement-object) `{name}` | [Security Scheme Object](#security-scheme-object) name under the [Components Object](#components-object) | _n/a_ | | [Discriminator Object](#discriminator-object) `mapping` _(implicit, or explicit name syntax)_ | [Schema Object](#schema-object) name under the Components Object | `mapping` _(explicit URI syntax)_ | | [Operation Object](#operation-object) `tags` | [Tag Object](#tag-object) `name` (in the [OpenAPI Object](#openapi-object)'s `tags` array) | _n/a_ | -| [Link Object](#link-object) `operationId` | [Path Item Object](#path-item-object) `operationId` | `operationRef` | +| [Link Object](#link-object) `operationId` | [Operation Object](#operation-object) `operationId` | `operationRef` | A fifth implicit connection involves appending the templated URL paths of the [Paths Object](#paths-object) to the appropriate [Server Object](#server-object)'s `url` field. This is unambiguous because only the entry document's Paths Object contributes URLs to the described API. From 1b1129690af64382aa46b9987121188045f48ce1 Mon Sep 17 00:00:00 2001 From: Vladimir Gorej Date: Wed, 18 Dec 2024 16:53:26 +0100 Subject: [PATCH 132/342] Editorial change: fix typo in Link Object description --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 351a618664..bbf31b4c73 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2773,7 +2773,7 @@ For computing links and providing instructions to execute them, a [runtime expre This object MAY be extended with [Specification Extensions](#specification-extensions). A linked operation MUST be identified using either an `operationRef` or `operationId`. -The identified or reference operation MUST be unique, and in the case of an `operationId`, it MUST be resolved within the scope of the OpenAPI Description (OAD). +The identified or referenced operation MUST be unique, and in the case of an `operationId`, it MUST be resolved within the scope of the OpenAPI Description (OAD). Because of the potential for name clashes, the `operationRef` syntax is preferred for multi-document OADs. However, because use of an operation depends on its URL path template in the [Paths Object](#paths-object), operations from any [Path Item Object](#path-item-object) that is referenced multiple times within the OAD cannot be resolved unambiguously. In such ambiguous cases, the resulting behavior is implementation-defined and MAY result in an error. From dc94d9528c74994a5dfae7303a0605a788a32aa5 Mon Sep 17 00:00:00 2001 From: Vladimir Gorej Date: Wed, 18 Dec 2024 18:38:50 +0100 Subject: [PATCH 133/342] Editorial change: add Header Object to Generating and Validating URIs section --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index bbf31b4c73..458858b859 100644 --- a/src/oas.md +++ b/src/oas.md @@ -5024,7 +5024,7 @@ This specification normatively cites the following relevant standards: Style-based serialization is used in the [Parameter Object](#parameter-object) when `schema` is present, and in the [Encoding Object](#encoding-object) when at least one of `style`, `explode`, or `allowReserved` is present. See [Appendix C](#appendix-c-using-rfc6570-based-serialization) for more details of RFC6570's two different approaches to percent-encoding, including an example involving `+`. -Content-based serialization is defined by the [Media Type Object](#media-type-object), and used with the [Parameter Object](#parameter-object) when the `content` field is present, and with the [Encoding Object](#encoding-object) based on the `contentType` field when the fields `style`, `explode`, and `allowReserved` are absent. +Content-based serialization is defined by the [Media Type Object](#media-type-object), and used with the [Parameter Object](#parameter-object) and [Header Object](#header-object) when the `content` field is present, and with the [Encoding Object](#encoding-object) based on the `contentType` field when the fields `style`, `explode`, and `allowReserved` are absent. Each part is encoded based on the media type (e.g. `text/plain` or `application/json`), and must then be percent-encoded for use in a `form-urlencoded` string. Note that content-based serialization for `form-data` does not expect or require percent-encoding in the data, only in per-part header values. From 393ab027d8d985f9caa2d524e3ef25f335c9ac23 Mon Sep 17 00:00:00 2001 From: Vladimir Gorej Date: Wed, 18 Dec 2024 14:22:50 +0100 Subject: [PATCH 134/342] Editorial change: Include Header Object into 'Working With Examples' section --- src/oas.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/oas.md b/src/oas.md index 458858b859..7b21367993 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2598,19 +2598,19 @@ Tooling implementations MAY choose to validate compatibility automatically, and ##### Working with Examples -Example Objects can be used in both [Parameter Objects](#parameter-object) and [Media Type Objects](#media-type-object). +Example Objects can be used in [Parameter Objects](#parameter-object), [Header Objects](#header-object) and [Media Type Objects](#media-type-object). In both Objects, this is done through the `examples` (plural) field. -However, there are several other ways to provide examples: The `example` (singular) field that is mutually exclusive with `examples` in both Objects, and two keywords (the deprecated singular `example` and the current plural `examples`, which takes an array of examples) in the [Schema Object](#schema-object) that appears in the `schema` field of both Objects. +However, there are several other ways to provide examples: The `example` (singular) field that is mutually exclusive with `examples` in all three Objects, and two keywords (the deprecated singular `example` and the current plural `examples`, which takes an array of examples) in the [Schema Object](#schema-object) that appears in the `schema` field of all three Objects. Each of these fields has slightly different considerations. The Schema Object's fields are used to show example values without regard to how they might be formatted as parameters or within media type representations. The `examples` array is part of JSON Schema and is the preferred way to include examples in the Schema Object, while `example` is retained purely for compatibility with older versions of the OpenAPI Specification. -The mutually exclusive fields in the Parameter or Media Type Objects are used to show example values which SHOULD both match the schema and be formatted as they would appear as a serialized parameter or within a media type representation. -The exact serialization and encoding is determined by various fields in the Parameter Object, or in the Media Type Object's [Encoding Object](#encoding-object). +The mutually exclusive fields in the Parameter, Header or Media Type Objects are used to show example values which SHOULD both match the schema and be formatted as they would appear as a serialized parameter or within a media type representation. +The exact serialization and encoding is determined by various fields in the Parameter Object, Header Object, or in the Media Type Object's [Encoding Object](#encoding-object). Because examples using these fields represent the final serialized form of the data, they SHALL _override_ any `example` in the corresponding Schema Object. -The singular `example` field in the Parameter or Media Type Object is concise and convenient for simple examples, but does not offer any other advantages over using Example Objects under `examples`. +The singular `example` field in the Parameter, Header or Media Type Object is concise and convenient for simple examples, but does not offer any other advantages over using Example Objects under `examples`. Some examples cannot be represented directly in JSON or YAML. For all three ways of providing examples, these can be shown as string values with any escaping necessary to make the string valid in the JSON or YAML format of documents that comprise the OpenAPI Description. From 840d5acb8f08b216876fa5708d7a36d5956ce9ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20Gorej?= Date: Wed, 18 Dec 2024 17:55:32 +0100 Subject: [PATCH 135/342] Update src/oas.md Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 7b21367993..fcc37dc32b 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2598,7 +2598,7 @@ Tooling implementations MAY choose to validate compatibility automatically, and ##### Working with Examples -Example Objects can be used in [Parameter Objects](#parameter-object), [Header Objects](#header-object) and [Media Type Objects](#media-type-object). +Example Objects can be used in [Parameter Objects](#parameter-object), [Header Objects](#header-object), and [Media Type Objects](#media-type-object). In both Objects, this is done through the `examples` (plural) field. However, there are several other ways to provide examples: The `example` (singular) field that is mutually exclusive with `examples` in all three Objects, and two keywords (the deprecated singular `example` and the current plural `examples`, which takes an array of examples) in the [Schema Object](#schema-object) that appears in the `schema` field of all three Objects. Each of these fields has slightly different considerations. From b25ecf1324401680430b24ecdfb78e722b5b9fa0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20Gorej?= Date: Wed, 18 Dec 2024 17:55:39 +0100 Subject: [PATCH 136/342] Update src/oas.md Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index fcc37dc32b..d40b544f6e 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2599,7 +2599,7 @@ Tooling implementations MAY choose to validate compatibility automatically, and ##### Working with Examples Example Objects can be used in [Parameter Objects](#parameter-object), [Header Objects](#header-object), and [Media Type Objects](#media-type-object). -In both Objects, this is done through the `examples` (plural) field. +In all three Objects, this is done through the `examples` (plural) field. However, there are several other ways to provide examples: The `example` (singular) field that is mutually exclusive with `examples` in all three Objects, and two keywords (the deprecated singular `example` and the current plural `examples`, which takes an array of examples) in the [Schema Object](#schema-object) that appears in the `schema` field of all three Objects. Each of these fields has slightly different considerations. From 6df11ebe889386f27580843a25ead50031354c2e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20Gorej?= Date: Wed, 18 Dec 2024 17:55:45 +0100 Subject: [PATCH 137/342] Update src/oas.md Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index d40b544f6e..bc4cda47dd 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2606,7 +2606,7 @@ Each of these fields has slightly different considerations. The Schema Object's fields are used to show example values without regard to how they might be formatted as parameters or within media type representations. The `examples` array is part of JSON Schema and is the preferred way to include examples in the Schema Object, while `example` is retained purely for compatibility with older versions of the OpenAPI Specification. -The mutually exclusive fields in the Parameter, Header or Media Type Objects are used to show example values which SHOULD both match the schema and be formatted as they would appear as a serialized parameter or within a media type representation. +The mutually exclusive fields in the Parameter, Header, or Media Type Objects are used to show example values which SHOULD both match the schema and be formatted as they would appear as a serialized parameter or within a media type representation. The exact serialization and encoding is determined by various fields in the Parameter Object, Header Object, or in the Media Type Object's [Encoding Object](#encoding-object). Because examples using these fields represent the final serialized form of the data, they SHALL _override_ any `example` in the corresponding Schema Object. From 4c3d5e0ba02030072dbcc112e566cc4891c709dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20Gorej?= Date: Wed, 18 Dec 2024 17:55:51 +0100 Subject: [PATCH 138/342] Update src/oas.md Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index bc4cda47dd..840e6bf836 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2610,7 +2610,7 @@ The mutually exclusive fields in the Parameter, Header, or Media Type Objects ar The exact serialization and encoding is determined by various fields in the Parameter Object, Header Object, or in the Media Type Object's [Encoding Object](#encoding-object). Because examples using these fields represent the final serialized form of the data, they SHALL _override_ any `example` in the corresponding Schema Object. -The singular `example` field in the Parameter, Header or Media Type Object is concise and convenient for simple examples, but does not offer any other advantages over using Example Objects under `examples`. +The singular `example` field in the Parameter, Header, or Media Type Object is concise and convenient for simple examples, but does not offer any other advantages over using Example Objects under `examples`. Some examples cannot be represented directly in JSON or YAML. For all three ways of providing examples, these can be shown as string values with any escaping necessary to make the string valid in the JSON or YAML format of documents that comprise the OpenAPI Description. From dce4f8adf4bd8293528539af9cb527b7035cc360 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20Gorej?= Date: Wed, 18 Dec 2024 21:56:13 +0100 Subject: [PATCH 139/342] Update src/oas.md Co-authored-by: Mike Kistler --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 840e6bf836..4a390cb2ea 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2606,7 +2606,7 @@ Each of these fields has slightly different considerations. The Schema Object's fields are used to show example values without regard to how they might be formatted as parameters or within media type representations. The `examples` array is part of JSON Schema and is the preferred way to include examples in the Schema Object, while `example` is retained purely for compatibility with older versions of the OpenAPI Specification. -The mutually exclusive fields in the Parameter, Header, or Media Type Objects are used to show example values which SHOULD both match the schema and be formatted as they would appear as a serialized parameter or within a media type representation. +The mutually exclusive fields in the Parameter, Header, or Media Type Objects are used to show example values which SHOULD both match the schema and be formatted as they would appear as a serialized parameter, serialized header, or within a media type representation. The exact serialization and encoding is determined by various fields in the Parameter Object, Header Object, or in the Media Type Object's [Encoding Object](#encoding-object). Because examples using these fields represent the final serialized form of the data, they SHALL _override_ any `example` in the corresponding Schema Object. From 808506423295aa0e6b9c7386d84d51c7d37e7ee7 Mon Sep 17 00:00:00 2001 From: Vladimir Gorej Date: Thu, 19 Dec 2024 21:23:31 +0100 Subject: [PATCH 140/342] Introduce constraints for Server Object url fixed field --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 4a390cb2ea..707bb4370a 100644 --- a/src/oas.md +++ b/src/oas.md @@ -509,7 +509,7 @@ An object representing a Server. | Field Name | Type | Description | | ---- | :----: | ---- | -| url | `string` | **REQUIRED**. A URL to the target host. This URL supports Server Variables and MAY be relative, to indicate that the host location is relative to the location where the document containing the Server Object is being served. Variable substitutions will be made when a variable is named in `{`braces`}`. | +| url | `string` | **REQUIRED**. A URL to the target host. This URL supports Server Variables and MAY be relative, to indicate that the host location is relative to the location where the document containing the Server Object is being served. Query and fragment MUST not be part of a URL. Variable substitutions will be made when a variable is named in `{`braces`}`. | | description | `string` | An optional string describing the host designated by the URL. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | name | `string` | An optional unique string to refer to the host designated by the URL. | | variables | Map[`string`, [Server Variable Object](#server-variable-object)] | A map between a variable name and its value. The value is used for substitution in the server's URL template. | From a681d3e2e630f46ef782208d938105d2ffb81569 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20Gorej?= Date: Fri, 20 Dec 2024 12:50:18 +0100 Subject: [PATCH 141/342] Update src/oas.md Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 707bb4370a..e6335f6f08 100644 --- a/src/oas.md +++ b/src/oas.md @@ -509,7 +509,7 @@ An object representing a Server. | Field Name | Type | Description | | ---- | :----: | ---- | -| url | `string` | **REQUIRED**. A URL to the target host. This URL supports Server Variables and MAY be relative, to indicate that the host location is relative to the location where the document containing the Server Object is being served. Query and fragment MUST not be part of a URL. Variable substitutions will be made when a variable is named in `{`braces`}`. | +| url | `string` | **REQUIRED**. A URL to the target host. This URL supports Server Variables and MAY be relative, to indicate that the host location is relative to the location where the document containing the Server Object is being served. Query and fragment MUST not be part of this URL. Variable substitutions will be made when a variable is named in `{`braces`}`. | | description | `string` | An optional string describing the host designated by the URL. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | name | `string` | An optional unique string to refer to the host designated by the URL. | | variables | Map[`string`, [Server Variable Object](#server-variable-object)] | A map between a variable name and its value. The value is used for substitution in the server's URL template. | From 1a65883ab1cfff12367d89619c515c816ea8717c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20Gorej?= Date: Fri, 20 Dec 2024 12:59:41 +0100 Subject: [PATCH 142/342] Update src/oas.md --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index e6335f6f08..1cfdb9577c 100644 --- a/src/oas.md +++ b/src/oas.md @@ -509,7 +509,7 @@ An object representing a Server. | Field Name | Type | Description | | ---- | :----: | ---- | -| url | `string` | **REQUIRED**. A URL to the target host. This URL supports Server Variables and MAY be relative, to indicate that the host location is relative to the location where the document containing the Server Object is being served. Query and fragment MUST not be part of this URL. Variable substitutions will be made when a variable is named in `{`braces`}`. | +| url | `string` | **REQUIRED**. A URL to the target host. This URL supports Server Variables and MAY be relative, to indicate that the host location is relative to the location where the document containing the Server Object is being served. Query and fragment MUST NOT be part of this URL. Variable substitutions will be made when a variable is named in `{`braces`}`. | | description | `string` | An optional string describing the host designated by the URL. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | name | `string` | An optional unique string to refer to the host designated by the URL. | | variables | Map[`string`, [Server Variable Object](#server-variable-object)] | A map between a variable name and its value. The value is used for substitution in the server's URL template. | From 40c3d5fd13e9aacb047b64843f49e8e2192b15cc Mon Sep 17 00:00:00 2001 From: Vladimir Gorej Date: Fri, 27 Dec 2024 14:58:56 +0100 Subject: [PATCH 143/342] Editorial change: fix anchor to Components.securitySchemes Signed-off-by: Vladimir Gorej --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 1cfdb9577c..fde8587c87 100644 --- a/src/oas.md +++ b/src/oas.md @@ -4506,7 +4506,7 @@ flows: Lists the required security schemes to execute this operation. -The name used for each property MUST either correspond to a security scheme declared in the [Security Schemes](#security-scheme-object) under the [Components Object](#components-object), or be the URI of a Security Scheme Object. +The name used for each property MUST either correspond to a security scheme declared in the [Security Schemes](#components-security-schemes) under the [Components Object](#components-object), or be the URI of a Security Scheme Object. Property names that are identical to a component name under the Components Object MUST be treated as a component name. To reference a Security Scheme with a single-segment relative URI reference (e.g. `foo`) that collides with a component name (e.g. `#/components/securitySchemes/foo`), use the `.` path segment (e.g. `./foo`). From 4e74e52fbfa1e5b7c40455eaaf9f5487e96550f5 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Wed, 8 Jan 2025 17:36:20 -0800 Subject: [PATCH 144/342] Fix copy-paste "format: binary" error These examples got copied from 3.0.4 and apparently I forgot to adjust them for 3.1.1 and no one else noticed. --- src/oas.md | 38 +++++++++++++++++--------------------- 1 file changed, 17 insertions(+), 21 deletions(-) diff --git a/src/oas.md b/src/oas.md index fde8587c87..52e7d3aeb8 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2186,18 +2186,18 @@ requestBody: schema: type: object properties: + # default for a string without `contentEncoding` is `text/plain` id: - # default for primitives without a special format is text/plain type: string format: uuid - profileImage: - # default for string with binary format is `application/octet-stream` - type: string - format: binary + + # default for a schema withhout `type` is `application/octet-stream` + profileImage: {} + + # for arrays, the Encoding Object applies to each item + # individually based on that item's type, which in this + # example is an object, so `application/json` addresses: - # for arrays, the Encoding Object applies to each item - # individually based on that item's type, which in this - # example is an object, so `application/json` type: array items: $ref: '#/components/schemas/Address' @@ -2215,31 +2215,27 @@ requestBody: schema: type: object properties: + # No Encoding Object, so use default `text/plain` id: - # default is `text/plain` type: string format: uuid + + # Encoding Object overrides the default `application/json` + # for each item in the array with `application/xml; charset=utf-8` addresses: - # default based on the `items` subschema would be - # `application/json`, but we want these address objects - # serialized as `application/xml` instead description: addresses in XML format type: array items: $ref: '#/components/schemas/Address' - profileImage: - # default is application/octet-stream, but we can declare - # a more specific image type or types - type: string - format: binary + + # Encoding Object accepts only PNG or JPEG, and also describes + # a custom header for just this part in the multipart format + profileImage: {} + encoding: addresses: - # require XML Content-Type in utf-8 encoding - # This is applied to each address part corresponding - # to each address in he array contentType: application/xml; charset=utf-8 profileImage: - # only accept png or jpeg contentType: image/png, image/jpeg headers: X-Rate-Limit-Limit: From 1dd8c5bfd1952f0cb380448ec210ef3a8cdc7667 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Fri, 10 Jan 2025 15:49:38 +0100 Subject: [PATCH 145/342] Typo --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 52e7d3aeb8..f7238ce6e5 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2191,7 +2191,7 @@ requestBody: type: string format: uuid - # default for a schema withhout `type` is `application/octet-stream` + # default for a schema without `type` is `application/octet-stream` profileImage: {} # for arrays, the Encoding Object applies to each item From 00b5f8f7bc1f165269d43c03f2abe8f823662448 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Wed, 15 Jan 2025 12:18:31 -0800 Subject: [PATCH 146/342] Feedback from mkistler about contentEncoding --- src/oas.md | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/src/oas.md b/src/oas.md index f7238ce6e5..8e2476cfe1 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2139,8 +2139,9 @@ requestBody: name: type: string icon: - # The default with "contentEncoding" is application/octet-stream, - # so we need to set image media type(s) in the Encoding Object. + # The default content type with "contentEncoding" present + # is application/octet-stream, # so we need to set the correct + # image media type(s) in the Encoding Object. type: string contentEncoding: base64url encoding: @@ -2186,17 +2187,21 @@ requestBody: schema: type: object properties: - # default for a string without `contentEncoding` is `text/plain` + # default content type for a string without `contentEncoding` + # is `text/plain` id: type: string format: uuid - # default for a schema without `type` is `application/octet-stream` + # default content type for a schema without `type` + # is `application/octet-stream` profileImage: {} - # for arrays, the Encoding Object applies to each item - # individually based on that item's type, which in this - # example is an object, so `application/json` + # for arrays, the `encoding` field applies the Encoding Object + # to each item individually and determines the default content type + # based on the type in the `items` subschema, which in this example + # is an object, so the default content type for each item is + # `application/json` addresses: type: array items: @@ -2220,7 +2225,7 @@ requestBody: type: string format: uuid - # Encoding Object overrides the default `application/json` + # Encoding Object overrides the default `application/json` content type # for each item in the array with `application/xml; charset=utf-8` addresses: description: addresses in XML format From 9a1a7c0162dc9923a4c11d3c3cea6a23aded4fb4 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Thu, 16 Jan 2025 17:26:51 +0100 Subject: [PATCH 147/342] Apply suggestions from code review Co-authored-by: Mike Kistler --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 8e2476cfe1..72d144584b 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2140,7 +2140,7 @@ requestBody: type: string icon: # The default content type with "contentEncoding" present - # is application/octet-stream, # so we need to set the correct + # is application/octet-stream, so we need to set the correct # image media type(s) in the Encoding Object. type: string contentEncoding: base64url From 0f6db5f25cc5dbb748491370f493e1358219d8c0 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Thu, 13 Feb 2025 23:27:00 +0100 Subject: [PATCH 148/342] Update src schema with changes from #4328 --- src/schemas/validation/schema.yaml | 32 +++++++++++++++--------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index f03bc55586..a963aedc2d 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -12,7 +12,7 @@ properties: $ref: '#/$defs/info' jsonSchemaDialect: type: string - format: uri + format: uri-reference default: 'https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS' servers: type: array @@ -64,7 +64,7 @@ $defs: type: string termsOfService: type: string - format: uri + format: uri-reference contact: $ref: '#/$defs/contact' license: @@ -85,7 +85,7 @@ $defs: type: string url: type: string - format: uri + format: uri-reference email: type: string format: email @@ -102,7 +102,7 @@ $defs: type: string url: type: string - format: uri + format: uri-reference required: - name dependentSchemas: @@ -319,7 +319,7 @@ $defs: type: string url: type: string - format: uri + format: uri-reference required: - url $ref: '#/$defs/specification-extensions' @@ -620,7 +620,7 @@ $defs: value: true externalValue: type: string - format: uri + format: uri-reference not: required: - value @@ -864,7 +864,7 @@ $defs: properties: openIdConnectUrl: type: string - format: uri + format: uri-reference required: - openIdConnectUrl @@ -900,10 +900,10 @@ $defs: properties: authorizationUrl: type: string - format: uri + format: uri-reference refreshUrl: type: string - format: uri + format: uri-reference scopes: $ref: '#/$defs/map-of-strings' required: @@ -917,10 +917,10 @@ $defs: properties: tokenUrl: type: string - format: uri + format: uri-reference refreshUrl: type: string - format: uri + format: uri-reference scopes: $ref: '#/$defs/map-of-strings' required: @@ -934,10 +934,10 @@ $defs: properties: tokenUrl: type: string - format: uri + format: uri-reference refreshUrl: type: string - format: uri + format: uri-reference scopes: $ref: '#/$defs/map-of-strings' required: @@ -951,13 +951,13 @@ $defs: properties: authorizationUrl: type: string - format: uri + format: uri-reference tokenUrl: type: string - format: uri + format: uri-reference refreshUrl: type: string - format: uri + format: uri-reference scopes: $ref: '#/$defs/map-of-strings' required: From 10fc7c85d19629beb64777abed26bbea0e104c6e Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 27 Mar 2025 08:49:58 -0700 Subject: [PATCH 149/342] Discrimator -> Discriminator We do not have a feature that discriminates against tomatoes (this joke may not translate too all English-speaking regions, much less other languages :-) --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 72d144584b..532ae86b8b 100644 --- a/src/oas.md +++ b/src/oas.md @@ -252,7 +252,7 @@ There are no URI-based alternatives for the Operation Object's `tags` field. OAD authors are advised to use external solutions such as the OpenAPI Initiative's Overlay Specification to simulate sharing [Tag Objects](#tag-object) across multiple documents. See [Appendix F: Resolving Security Requirements in a Referenced Document](#appendix-f-resolving-security-requirements-in-a-referenced-document) for an example of the possible resolutions, including which one is recommended by this section. -The behavior for Discrimator Object non-URI mappings and for the Operation Object's `tags` field operate on the same principles. +The behavior for Discriminator Object non-URI mappings and for the Operation Object's `tags` field operate on the same principles. Note that no aspect of implicit connection resolution changes how [URIs are resolved](#relative-references-in-api-description-uris), or restricts their possible targets. From 966c0c6003d16a8a917c17a443cfc8cbaffff38e Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Mon, 12 May 2025 13:28:02 -0700 Subject: [PATCH 150/342] Apply suggestions from code review Co-authored-by: Ralf Handl --- src/oas.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/oas.md b/src/oas.md index baec25b134..f30e257b0b 100644 --- a/src/oas.md +++ b/src/oas.md @@ -387,7 +387,7 @@ servers: description: The test API on this device ``` -For API URLs, the `$self` field, which identifies the OpenAPI Document, is ignored, and the retrieval URI is used instead. This produces a normalized production URL of `https://device1.example.com`, and a normalized test URL of `https://device1.example.com/test`. +For API URLs the `$self` field, which identifies the OpenAPI Document, is ignored and the retrieval URI is used instead. This produces a normalized production URL of `https://device1.example.com`, and a normalized test URL of `https://device1.example.com/test`. ### Schema @@ -5329,8 +5329,6 @@ Similarly, the `url` field of the [External Documentation Object](#external-docu If no base URI is provided from either of the previous sources, the next source is the retrieval URI (RFC 3986 Section 5.1.3). -For this example, assume that the YAML OpenAPI Document was retrieved from `https://example.com/api/openapis.yaml` and the JSON Schema document from `https://example.com/api/schemas/foo` - Assume this document was retrieved from `https://example.com/api/openapis.yaml`: ```YAML @@ -5413,6 +5411,6 @@ components: type: string ``` -In this example, All of the `$self` and `$id` values are relative URI-references consisting of an absolute path. +In this example, all of the `$self` and `$id` values are relative URI-references consisting of an absolute path. This allows the retrieval URL to set the host (and scheme), in this case `https://staging.example.com`, resulting in the first document's `$self` being `https://staging.example.com/openapi`, and the second document's `$self` being `https://staging.example.com/api/shared/foo`, with `$id` values of `https://staging.example.com/api/schemas/foo` and `https://staging.example.com/api/schemas/bar`. Relative `$self` and `$id` values of this sort allow the same set of documents to work when deployed to other hosts, e.g. `https://example.com` (production) or `https://localhost:8080` (local development). From eace593a1105f83945827f338e341d766052dae2 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Mon, 12 May 2025 13:40:41 -0700 Subject: [PATCH 151/342] Better wording Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index f30e257b0b..28638b4a6b 100644 --- a/src/oas.md +++ b/src/oas.md @@ -5251,7 +5251,7 @@ components: In this example, the retrieval URIs are irrelevant because both documents define `$self`. -For the relative `$ref` in the first document, it is resolved against `$self` to produce `https://example.com/api/shared/foo#/components/requestBodies/Foo`. +The relative `$ref` in the first document is resolved against `$self` to produce `https://example.com/api/shared/foo#/components/requestBodies/Foo`. The portion of that URI before the '#' matches the `$self` of the second document, so the reference target is resolved to `#/components/requestBodies/Foo` in that second document. In that document, the `$ref` in the Request Body Object is resolved using that document's `$self` as the base URI, producing `https://example.com/api/schemas/foo`. From 8709e12e02a542c306fd0aa08a15c71d54a152ad Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 12 May 2025 13:48:49 -0700 Subject: [PATCH 152/342] Review feedback --- src/oas.md | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/src/oas.md b/src/oas.md index 28638b4a6b..4f65661c05 100644 --- a/src/oas.md +++ b/src/oas.md @@ -420,8 +420,8 @@ This is the root object of the [OpenAPI Description](#openapi-description). This object MAY be extended with [Specification Extensions](#specification-extensions). -Implementations MAY choose to support referencing OpenAPI Documents that contain `$self` by another URI such as the retrieval URI, however this behavior is not interoperable and relying on it is NOT RECOMMENDED. -OAD authors MUST write references using the target document's `$self` URI in order to have interoperable behavior. +To ensure interoperability, references MUST use the target document's `$self` URI if the `$self` field is present. +Implementations MAY choose to support referencing by other URIs such as the retrieval URI even when `$self` is present, however this behavior is not interoperable and relying on it is NOT RECOMMENDED. #### Info Object @@ -5258,11 +5258,10 @@ In that document, the `$ref` in the Request Body Object is resolved using that d This matches the `$id` at `#/components/schemas/Foo/$id` so it points to that Schema Object. That Schema Object has a subschema with `$ref: bar`, which is resolved against the `$id` to produce `https://example.com/api/schemas/bar`, which matches the `$id` at `#/components/schemas/Bar/$id`. -Note that referring to a schema with a JSON Pointer that crosses a Schema Object with a `$id` [is not interoperable](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#name-json-pointer-fragments-and-). -The JSON Schema specification does not address the case of using a pointer _to_ a Schema Object containing an `$id` without crossing into that Schema Object. -Therefore it is RECOMMENDED that OAD authors use `$id` values to reference such schemas rather than JSON Pointers. +To guarantee interoperability, Schema Objects containing an `$id`, or that are under a schema containing an `$id`, MUST be referenced by the nearest such `$id` for the non-fragment part of the reference. +As the JSON Schema specification notes, using a base URI other than the nearest `$id` and crossing that `$id` with a JSON Pointer fragment [is not interoperable](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#name-json-pointer-fragments-and-). -Note also that it is impossible for the reference at `#/components/schemas/Foo/properties/bar/$ref` to reference the schema at `#/components/schemas/Bar` using a JSON Pointer, as the JSON Pointer would be resolved relative to `https://example.com/api/schemas/foo`, not to the OpenAPI Document's base URI from `$self`. +Note also that it is impossible for the reference at `#/components/schemas/Foo/properties/bar/$ref` to reference the schema at `#/components/schemas/Bar` using _only_ a JSON Pointer fragment, as the JSON Pointer would be resolved relative to `https://example.com/api/schemas/foo`, not to the OpenAPI Document's base URI from `$self`. ### Base URI From Encapsulating Entity @@ -5367,7 +5366,7 @@ While this sort of internal resolution an be performed in practice without choos ### Resolving Relative `$self` and `$id` -Let's re-consider the first example in this appendix, but with relative URI-references for `$self` and `$id`, and retrieval URLs that support that relative usage: +Let's re-consider the first example in this appendix, but with relative URI-references for `$self` and `$id`, and retrieval URIs that support that relative usage: Assume that the following is retrieved from `https://staging.example.com/api/openapi`: @@ -5412,5 +5411,5 @@ components: ``` In this example, all of the `$self` and `$id` values are relative URI-references consisting of an absolute path. -This allows the retrieval URL to set the host (and scheme), in this case `https://staging.example.com`, resulting in the first document's `$self` being `https://staging.example.com/openapi`, and the second document's `$self` being `https://staging.example.com/api/shared/foo`, with `$id` values of `https://staging.example.com/api/schemas/foo` and `https://staging.example.com/api/schemas/bar`. +This allows the retrieval URI to set the host (and scheme), in this case `https://staging.example.com`, resulting in the first document's `$self` being `https://staging.example.com/openapi`, and the second document's `$self` being `https://staging.example.com/api/shared/foo`, with `$id` values of `https://staging.example.com/api/schemas/foo` and `https://staging.example.com/api/schemas/bar`. Relative `$self` and `$id` values of this sort allow the same set of documents to work when deployed to other hosts, e.g. `https://example.com` (production) or `https://localhost:8080` (local development). From fc66d13ac94d2b09a623d4cec59f0f83ed86102a Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 12 May 2025 13:54:36 -0700 Subject: [PATCH 153/342] Remove link to metaschema... ...because the YYYY-MM-DD in the URI makes it more trouble than it's worth. --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 4f65661c05..a548d0701c 100644 --- a/src/oas.md +++ b/src/oas.md @@ -5297,7 +5297,7 @@ components: bar: $ref: schemas/bar --boundary-example -Content-Type: application/schema+json; schema=https://spec.openapis.org/oas/3.2/schema-base/YYYY-MM-DD +Content-Type: application/schema+json Content-Location: https://example.com/api/schemas/bar { From 2c4d5ed02686487d7c7134f174ac25fda35d4a57 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Tue, 13 May 2025 16:00:19 -0700 Subject: [PATCH 154/342] Only use YAML for examples We still use JSON for example payloads, and there is one example in Appendix F that discusses retrieving OADs by content type, so those continue to show JSON. Also standardize on lowercase language names for fenced code blocks, as that was more common (I think the uppercase ones were mostly added by me). --- src/oas.md | 1167 +--------------------------------------------------- 1 file changed, 22 insertions(+), 1145 deletions(-) diff --git a/src/oas.md b/src/oas.md index f2e4eeb749..f54e803257 100644 --- a/src/oas.md +++ b/src/oas.md @@ -152,14 +152,7 @@ Occasionally, non-backwards compatible changes may be made in `minor` versions o ### Format An OpenAPI Document that conforms to the OpenAPI Specification is itself a JSON object, which may be represented either in [[RFC8259|JSON]] or [[YAML|YAML]] format. - -For example, if a field has an array value, the JSON array representation will be used: - -```json -{ - "field": [1, 2, 3] -} -``` +Examples in this specification will be shown in YAML for brevity. All field names in the specification are **case sensitive**. This includes all fields that are used as keys in a map, except where explicitly noted that keys are **case insensitive**. @@ -409,25 +402,6 @@ This object MAY be extended with [Specification Extensions](#specification-exten ##### Info Object Example -```json -{ - "title": "Example Pet Store App", - "summary": "A pet store manager.", - "description": "This is an example server for a pet store.", - "termsOfService": "https://example.com/terms/", - "contact": { - "name": "API Support", - "url": "https://www.example.com/support", - "email": "support@example.com" - }, - "license": { - "name": "Apache 2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0.html" - }, - "version": "1.0.1" -} -``` - ```yaml title: Example Pet Store App summary: A pet store manager. @@ -459,14 +433,6 @@ This object MAY be extended with [Specification Extensions](#specification-exten ##### Contact Object Example -```json -{ - "name": "API Support", - "url": "https://www.example.com/support", - "email": "support@example.com" -} -``` - ```yaml name: API Support url: https://www.example.com/support @@ -489,13 +455,6 @@ This object MAY be extended with [Specification Extensions](#specification-exten ##### License Object Example -```json -{ - "name": "Apache 2.0", - "identifier": "Apache-2.0" -} -``` - ```yaml name: Apache 2.0 identifier: Apache-2.0 @@ -520,14 +479,6 @@ This object MAY be extended with [Specification Extensions](#specification-exten A single server would be described as: -```json -{ - "url": "https://development.gigantic-server.com/v1", - "description": "Development server", - "name": "dev" -} -``` - ```yaml url: https://development.gigantic-server.com/v1 description: Development server @@ -536,28 +487,6 @@ name: dev The following shows how multiple servers can be described, for example, at the OpenAPI Object's [`servers`](#oas-servers): -```json -{ - "servers": [ - { - "url": "https://development.gigantic-server.com/v1", - "description": "Development server", - "name": "dev" - }, - { - "url": "https://staging.gigantic-server.com/v1", - "description": "Staging server", - "name": "staging" - }, - { - "url": "https://api.gigantic-server.com/v1", - "description": "Production server", - "name": "prod" - } - ] -} -``` - ```yaml servers: - url: https://development.gigantic-server.com/v1 @@ -573,31 +502,6 @@ servers: The following shows how variables can be used for a server configuration: -```json -{ - "servers": [ - { - "url": "https://{username}.gigantic-server.com:{port}/{basePath}", - "description": "The production API server", - "name": "prod", - "variables": { - "username": { - "default": "demo", - "description": "A user-specific subdomain. Use `demo` for a free sandbox environment." - }, - "port": { - "enum": ["8443", "443"], - "default": "8443" - }, - "basePath": { - "default": "v2" - } - } - } - ] -} -``` - ```yaml servers: - url: https://{username}.gigantic-server.com:{port}/{basePath} @@ -695,108 +599,6 @@ my.org.User ##### Components Object Example -```json -"components": { - "schemas": { - "GeneralError": { - "type": "object", - "properties": { - "code": { - "type": "integer", - "format": "int32" - }, - "message": { - "type": "string" - } - } - }, - "Category": { - "type": "object", - "properties": { - "id": { - "type": "integer", - "format": "int64" - }, - "name": { - "type": "string" - } - } - }, - "Tag": { - "type": "object", - "properties": { - "id": { - "type": "integer", - "format": "int64" - }, - "name": { - "type": "string" - } - } - } - }, - "parameters": { - "skipParam": { - "name": "skip", - "in": "query", - "description": "number of items to skip", - "required": true, - "schema": { - "type": "integer", - "format": "int32" - } - }, - "limitParam": { - "name": "limit", - "in": "query", - "description": "max records to return", - "required": true, - "schema" : { - "type": "integer", - "format": "int32" - } - } - }, - "responses": { - "NotFound": { - "description": "Entity not found." - }, - "IllegalInput": { - "description": "Illegal input for operation." - }, - "GeneralError": { - "description": "General Error", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/GeneralError" - } - } - } - } - }, - "securitySchemes": { - "api_key": { - "type": "apiKey", - "name": "api-key", - "in": "header" - }, - "petstore_auth": { - "type": "oauth2", - "flows": { - "implicit": { - "authorizationUrl": "https://example.org/api/oauth/dialog", - "scopes": { - "write:pets": "modify pets in your account", - "read:pets": "read your pets" - } - } - } - } - } -} -``` - ```yaml components: schemas: @@ -905,31 +707,6 @@ The following may lead to ambiguous resolution: ##### Paths Object Example -```json -{ - "/pets": { - "get": { - "description": "Returns all pets from the system that the user has access to", - "responses": { - "200": { - "description": "A list of pets.", - "content": { - "application/json": { - "schema": { - "type": "array", - "items": { - "$ref": "#/components/schemas/pet" - } - } - } - } - } - } - } - } -} -``` - ```yaml /pets: get: @@ -975,88 +752,6 @@ This object MAY be extended with [Specification Extensions](#specification-exten ##### Path Item Object Example -```json -{ - "get": { - "description": "Returns pets based on ID", - "summary": "Find pets by ID", - "operationId": "getPetsById", - "responses": { - "200": { - "description": "pet response", - "content": { - "*/*": { - "schema": { - "type": "array", - "items": { - "$ref": "#/components/schemas/Pet" - } - } - } - } - }, - "default": { - "description": "error payload", - "content": { - "text/html": { - "schema": { - "$ref": "#/components/schemas/ErrorModel" - } - } - } - } - } - }, - "parameters": [ - { - "name": "id", - "in": "path", - "description": "ID of pet to use", - "required": true, - "schema": { - "type": "array", - "items": { - "type": "string" - } - }, - "style": "simple" - } - ], - "additionalOperations": { - "COPY": { - "description": "Copies pet information based on ID", - "summary": "Copies pets by ID", - "operationId": "copyPetsById", - "responses": { - "200": { - "description": "pet response", - "content": { - "*/*": { - "schema": { - "type": "array", - "items": { - "$ref": "#/components/schemas/Pet" - } - } - } - } - }, - "default": { - "description": "error payload", - "content": { - "text/html": { - "schema": { - "$ref": "#/components/schemas/ErrorModel" - } - } - } - } - } - } - } -} -``` - ```yaml get: description: Returns pets based on ID @@ -1134,66 +829,6 @@ This object MAY be extended with [Specification Extensions](#specification-exten ##### Operation Object Example -```json -{ - "tags": ["pet"], - "summary": "Updates a pet in the store with form data", - "operationId": "updatePetWithForm", - "parameters": [ - { - "name": "petId", - "in": "path", - "description": "ID of pet that needs to be updated", - "required": true, - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/x-www-form-urlencoded": { - "schema": { - "type": "object", - "properties": { - "name": { - "description": "Updated name of the pet", - "type": "string" - }, - "status": { - "description": "Updated status of the pet", - "type": "string" - } - }, - "required": ["status"] - } - } - } - }, - "responses": { - "200": { - "description": "Pet updated.", - "content": { - "application/json": {}, - "application/xml": {} - } - }, - "405": { - "description": "Method Not Allowed", - "content": { - "application/json": {}, - "application/xml": {} - } - } - }, - "security": [ - { - "petstore_auth": ["write:pets", "read:pets"] - } - ] -} -``` - ```yaml tags: - pet @@ -1252,13 +887,6 @@ This object MAY be extended with [Specification Extensions](#specification-exten ##### External Documentation Object Example -```json -{ - "description": "Find more info here", - "url": "https://example.com" -} -``` - ```yaml description: Find more info here url: https://example.com @@ -1388,23 +1016,6 @@ The following table shows examples, as would be shown with the `example` or `exa A header parameter with an array of 64-bit integer numbers: -```json -{ - "name": "token", - "in": "header", - "description": "token to be passed as a header", - "required": true, - "schema": { - "type": "array", - "items": { - "type": "integer", - "format": "int64" - } - }, - "style": "simple" -} -``` - ```yaml name: token in: header @@ -1420,18 +1031,6 @@ style: simple A path parameter of a string value: -```json -{ - "name": "username", - "in": "path", - "description": "username to fetch", - "required": true, - "schema": { - "type": "string" - } -} -``` - ```yaml name: username in: path @@ -1443,23 +1042,6 @@ schema: An optional query parameter of a string value, allowing multiple values by repeating the query parameter: -```json -{ - "name": "id", - "in": "query", - "description": "ID of the object to fetch", - "required": false, - "schema": { - "type": "array", - "items": { - "type": "string" - } - }, - "style": "form", - "explode": true -} -``` - ```yaml name: id in: query @@ -1475,20 +1057,6 @@ explode: true A free-form query parameter, allowing undefined parameters of a specific type: -```json -{ - "in": "query", - "name": "freeForm", - "schema": { - "type": "object", - "additionalProperties": { - "type": "integer" - } - }, - "style": "form" -} -``` - ```yaml in: query name: freeForm @@ -1501,29 +1069,6 @@ style: form A complex parameter using `content` to define serialization: -```json -{ - "in": "query", - "name": "coordinates", - "content": { - "application/json": { - "schema": { - "type": "object", - "required": ["lat", "long"], - "properties": { - "lat": { - "type": "number" - }, - "long": { - "type": "number" - } - } - } - } - } -} -``` - ```yaml in: query name: coordinates @@ -1559,52 +1104,6 @@ This object MAY be extended with [Specification Extensions](#specification-exten A request body with a referenced schema definition. -```json -{ - "description": "user to add to the system", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/User" - }, - "examples": { - "user": { - "summary": "User Example", - "externalValue": "https://foo.bar/examples/user-example.json" - } - } - }, - "application/xml": { - "schema": { - "$ref": "#/components/schemas/User" - }, - "examples": { - "user": { - "summary": "User example in XML", - "externalValue": "https://foo.bar/examples/user-example.xml" - } - } - }, - "text/plain": { - "examples": { - "user": { - "summary": "User example in Plain text", - "externalValue": "https://foo.bar/examples/user-example.txt" - } - } - }, - "*/*": { - "examples": { - "user": { - "summary": "User example in other format", - "externalValue": "https://foo.bar/examples/user-example.whatever" - } - } - } - } -} -``` - ```yaml description: user to add to the system content: @@ -1689,7 +1188,7 @@ Note that `contentSchema` is [not automatically validated by default](https://ww The following Schema Object is a generic schema for the `text/event-stream` media type as documented by the HTML specification as of the time of this writing: -```YAML +```yaml type: object required: - data @@ -1800,7 +1299,7 @@ Note that the media types for JSON Lines and NDJSON are not registered with the The following example shows Media Type Objects for both streaming log entries and returning a fixed-length set in response to a query. This shows the relationship between `schema` and `itemSchema`, and when to use each even though the `examples` field is the same either way. -```YAML +```yaml components: schemas: LogEntry: @@ -1887,7 +1386,7 @@ components: Our `application/json-seq` example has to be an external document because of the use of both newlines and of the unprintable Record Separator (`0x1E`) character, which cannot be escaped in YAML block literals: -```JSONSEQ +```jsonseq 0x1E{ "timestamp": "1985-04-12T23:20:50.52Z", "level": 1, @@ -1904,7 +1403,7 @@ Our `application/json-seq` example has to be an external document because of the For this example, assume that the generic event schema provided in the "Special Considerations for `text/event-stream` Content" section is available at `#/components/schemas/Event`: -```YAML +```yaml description: A request body to add a stream of typed data. required: true content: @@ -1947,7 +1446,7 @@ content: The following `text/event-stream` document is an example of a valid request body for the above example: -```EVENTSTREAM +```eventstream event: addString data: This data is formatted data: across two lines @@ -1964,7 +1463,7 @@ data: {"foo": 42} To more clearly see how this stream is handled, the following is the equivalent JSON Lines document, which shows how the numeric and JSON data are handled as strings, and how unknown fields and comments are ignored and not passed to schema validation: -```JSONL +```jsonl {"event": "addString", "data": "This data is formatted\nacross two lines", "retry": 5} {"event": "addInt64", "data": "1234.5678"} {"event": "addJSON", "data": "{\"foo\": 42}"} @@ -2129,7 +1628,7 @@ id=%22f81d4fae-7dec-11d0-a765-00a0c91e6bf6%22 Note that `application/x-www-form-urlencoded` is a text format, which requires base64-encoding any binary data: -```YAML +```yaml requestBody: content: application/x-www-form-urlencoded: @@ -2299,31 +1798,6 @@ This object MAY be extended with [Specification Extensions](#specification-exten A 200 response for a successful operation and a default response for others (implying an error): -```json -{ - "200": { - "description": "a pet to be returned", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/Pet" - } - } - } - }, - "default": { - "description": "Unexpected error", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/ErrorModel" - } - } - } - } -} -``` - ```yaml '200': description: a pet to be returned @@ -2359,22 +1833,6 @@ This object MAY be extended with [Specification Extensions](#specification-exten Response of an array of a complex type: -```json -{ - "description": "A complex object array response", - "content": { - "application/json": { - "schema": { - "type": "array", - "items": { - "$ref": "#/components/schemas/VeryComplexType" - } - } - } - } -} -``` - ```yaml description: A complex object array response content: @@ -2387,19 +1845,6 @@ content: Response with a string type: -```json -{ - "description": "A simple string response", - "content": { - "text/plain": { - "schema": { - "type": "string" - } - } - } -} -``` - ```yaml description: A simple string response content: @@ -2410,40 +1855,6 @@ content: Plain text response with headers: -```json -{ - "description": "A simple string response", - "content": { - "text/plain": { - "schema": { - "type": "string" - }, - "example": "whoa!" - } - }, - "headers": { - "X-Rate-Limit-Limit": { - "description": "The number of allowed requests in the current period", - "schema": { - "type": "integer" - } - }, - "X-Rate-Limit-Remaining": { - "description": "The number of remaining requests in the current period", - "schema": { - "type": "integer" - } - }, - "X-Rate-Limit-Reset": { - "description": "The number of seconds left in the current period", - "schema": { - "type": "integer" - } - } - } -} -``` - ```yaml description: A simple string response content: @@ -2468,12 +1879,6 @@ headers: Response with no return value: -```json -{ - "description": "object created" -} -``` - ```yaml description: object created ``` @@ -2680,20 +2085,6 @@ Two different uses of JSON strings: First, a request or response body that is just a JSON string (not an object containing a string): -```json -"application/json": { - "schema": { - "type": "string" - }, - "examples": { - "jsonBody": { - "description": "A body of just the JSON string \"json\"", - "value": "json" - } - } -} -``` - ```yaml application/json: schema: @@ -2708,30 +2099,6 @@ In the above example, we can just show the JSON string (or any JSON value) as-is In contrast, a JSON string encoded inside of a URL-style form body: -```json -"application/x-www-form-urlencoded": { - "schema": { - "type": "object", - "properties": { - "jsonValue": { - "type": "string" - } - } - }, - "encoding": { - "jsonValue": { - "contentType": "application/json" - } - }, - "examples": { - "jsonFormValue": { - "description": "The JSON string \"json\" as a form value", - "value": "jsonValue=%22json%22" - } - } -} -``` - ```yaml application/x-www-form-urlencoded: schema: @@ -2980,15 +2347,6 @@ Using `content` with a `text/plain` media type is RECOMMENDED for headers where A simple header of type `integer`: -```json -"X-Rate-Limit-Limit": { - "description": "The number of allowed requests in the current period", - "schema": { - "type": "integer" - } -} -``` - ```yaml X-Rate-Limit-Limit: description: The number of allowed requests in the current period @@ -2998,20 +2356,6 @@ X-Rate-Limit-Limit: Requiring that a strong `ETag` header (with a value starting with `"` rather than `W/`) is present. Note the use of `content`, because using `schema` and `style` would require the `"` to be percent-encoded as `%22`: -```json -"ETag": { - "required": true, - "content": { - "text/plain": { - "schema": { - "type": "string", - "pattern": "^\"" - } - } - } -} -``` - ```yaml ETag: required: true @@ -3042,30 +2386,6 @@ This object MAY be extended with [Specification Extensions](#specification-exten ##### Tag Object Example -```json -"tags": [ - { - "name": "account-updates", - "summary": "Account Updates", - "description": "Account update operations", - "kind": "nav" - }, - { - "name": "partner", - "summary": "Partner", - "description": "Operations available to the partners network", - "parent": "external", - "kind": "audience" - }, - { - "name": "external", - "summary": "External", - "description": "Operations available to external consumers", - "kind": "audience" - } -] -``` - ```yaml tags: - name: account-updates @@ -3107,36 +2427,18 @@ Note that this restriction on additional properties is a difference between Refe ##### Reference Object Example -```json -{ - "$ref": "#/components/schemas/Pet" -} -``` - ```yaml $ref: '#/components/schemas/Pet' ``` ##### Relative Schema Document Example -```json -{ - "$ref": "Pet.json" -} -``` - ```yaml $ref: Pet.yaml ``` ##### Relative Documents with Embedded Schema Example -```json -{ - "$ref": "definitions.json#/Pet" -} -``` - ```yaml $ref: definitions.yaml#/Pet ``` @@ -3258,13 +2560,6 @@ However, for maximum interoperability, it is RECOMMENDED that OpenAPI descriptio ###### Primitive Example -```json -{ - "type": "string", - "format": "email" -} -``` - ```yaml type: string format: email @@ -3272,26 +2567,6 @@ format: email ###### Simple Model -```json -{ - "type": "object", - "required": ["name"], - "properties": { - "name": { - "type": "string" - }, - "address": { - "$ref": "#/components/schemas/Address" - }, - "age": { - "type": "integer", - "format": "int32", - "minimum": 0 - } - } -} -``` - ```yaml type: object required: @@ -3311,15 +2586,6 @@ properties: For a simple string to string mapping: -```json -{ - "type": "object", - "additionalProperties": { - "type": "string" - } -} -``` - ```yaml type: object additionalProperties: @@ -3328,15 +2594,6 @@ additionalProperties: For a string to model mapping: -```json -{ - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/ComplexModel" - } -} -``` - ```yaml type: object additionalProperties: @@ -3345,23 +2602,6 @@ additionalProperties: ###### Model with Annotated Enumeration -```json -{ - "oneOf": [ - { - "const": "RGB", - "title": "Red, Green, Blue", - "description": "Specify colors with the red, green, and blue additive color model" - }, - { - "const": "CMYK", - "title": "Cyan, Magenta, Yellow, Black", - "description": "Specify colors with the cyan, magenta, yellow, and black subtractive color model" - } - ] -} -``` - ```yaml oneOf: - const: RGB @@ -3374,28 +2614,6 @@ oneOf: ###### Model with Example -```json -{ - "type": "object", - "properties": { - "id": { - "type": "integer", - "format": "int64" - }, - "name": { - "type": "string" - } - }, - "required": ["name"], - "examples": [ - { - "name": "Puma", - "id": 1 - } - ] -} -``` - ```yaml type: object properties: @@ -3413,45 +2631,6 @@ examples: ###### Models with Composition -```json -{ - "components": { - "schemas": { - "ErrorModel": { - "type": "object", - "required": ["message", "code"], - "properties": { - "message": { - "type": "string" - }, - "code": { - "type": "integer", - "minimum": 100, - "maximum": 600 - } - } - }, - "ExtendedErrorModel": { - "allOf": [ - { - "$ref": "#/components/schemas/ErrorModel" - }, - { - "type": "object", - "required": ["rootCause"], - "properties": { - "rootCause": { - "type": "string" - } - } - } - ] - } - } - } -} -``` - ```yaml components: schemas: @@ -3637,69 +2816,7 @@ components: ###### Generic Data Structure Model -```JSON -{ - "components": { - "schemas": { - "genericArrayComponent": { - "$id": "fully_generic_array", - "type": "array", - "items": { - "$dynamicRef": "#generic-array" - }, - "$defs": { - "allowAll": { - "$dynamicAnchor": "generic-array" - } - } - }, - "numberArray": { - "$id": "array_of_numbers", - "$ref": "fully_generic_array", - "$defs": { - "numbersOnly": { - "$dynamicAnchor": "generic-array", - "type": "number" - } - } - }, - "stringArray": { - "$id": "array_of_strings", - "$ref": "fully_generic_array", - "$defs": { - "stringsOnly": { - "$dynamicAnchor": "generic-array", - "type": "string" - } - } - }, - "objWithTypedArray": { - "$id": "obj_with_typed_array", - "type": "object", - "required": ["dataType", "data"], - "properties": { - "dataType": { - "enum": ["string", "number"] - } - }, - "oneOf": [{ - "properties": { - "dataType": {"const": "string"}, - "data": {"$ref": "array_of_strings"} - } - }, { - "properties": { - "dataType": {"const": "number"}, - "data": {"$ref": "array_of_numbers"} - } - }] - } - } - } -} -``` - -```YAML +```yaml components: schemas: genericArrayComponent: @@ -3990,14 +3107,6 @@ The JSON and YAML representations of the `properties` value are followed by an e Basic string property: -```json -{ - "animals": { - "type": "string" - } -} -``` - ```yaml animals: type: string @@ -4009,17 +3118,6 @@ animals: Basic string array property ([`wrapped`](#xml-wrapped) is `false` by default): -```json -{ - "animals": { - "type": "array", - "items": { - "type": "string" - } - } -} -``` - ```yaml animals: type: array @@ -4035,17 +3133,6 @@ animals: ###### XML Name Replacement -```json -{ - "animals": { - "type": "string", - "xml": { - "name": "animal" - } - } -} -``` - ```yaml animals: type: string @@ -4061,30 +3148,6 @@ animals: In this example, a full model definition is shown. -```json -{ - "Person": { - "type": "object", - "properties": { - "id": { - "type": "integer", - "format": "int32", - "xml": { - "attribute": true - } - }, - "name": { - "type": "string", - "xml": { - "namespace": "https://example.com/schema/sample", - "prefix": "sample" - } - } - } - } -} -``` - ```yaml Person: type: object @@ -4111,20 +3174,6 @@ Person: Changing the element names: -```json -{ - "animals": { - "type": "array", - "items": { - "type": "string", - "xml": { - "name": "animal" - } - } - } -} -``` - ```yaml animals: type: array @@ -4141,23 +3190,6 @@ animals: The external `name` field has no effect on the XML: -```json -{ - "animals": { - "type": "array", - "items": { - "type": "string", - "xml": { - "name": "animal" - } - }, - "xml": { - "name": "aliens" - } - } -} -``` - ```yaml animals: type: array @@ -4176,20 +3208,6 @@ animals: Even when the array is wrapped, if a name is not explicitly defined, the same name will be used both internally and externally: -```json -{ - "animals": { - "type": "array", - "items": { - "type": "string" - }, - "xml": { - "wrapped": true - } - } -} -``` - ```yaml animals: type: array @@ -4208,23 +3226,6 @@ animals: To overcome the naming problem in the example above, the following definition can be used: -```json -{ - "animals": { - "type": "array", - "items": { - "type": "string", - "xml": { - "name": "animal" - } - }, - "xml": { - "wrapped": true - } - } -} -``` - ```yaml animals: type: array @@ -4245,24 +3246,6 @@ animals: Affecting both internal and external names: -```json -{ - "animals": { - "type": "array", - "items": { - "type": "string", - "xml": { - "name": "animal" - } - }, - "xml": { - "name": "aliens", - "wrapped": true - } - } -} -``` - ```yaml animals: type: array @@ -4284,21 +3267,6 @@ animals: If we change the external element but not the internal ones: -```json -{ - "animals": { - "type": "array", - "items": { - "type": "string" - }, - "xml": { - "name": "aliens", - "wrapped": true - } - } -} -``` - ```yaml animals: type: array @@ -4344,13 +3312,6 @@ This object MAY be extended with [Specification Extensions](#specification-exten ###### Basic Authentication Example -```json -{ - "type": "http", - "scheme": "basic" -} -``` - ```yaml type: http scheme: basic @@ -4358,14 +3319,6 @@ scheme: basic ###### API Key Example -```json -{ - "type": "apiKey", - "name": "api-key", - "in": "header" -} -``` - ```yaml type: apiKey name: api-key @@ -4374,14 +3327,6 @@ in: header ###### JWT Bearer Example -```json -{ - "type": "http", - "scheme": "bearer", - "bearerFormat": "JWT" -} -``` - ```yaml type: http scheme: bearer @@ -4390,13 +3335,6 @@ bearerFormat: JWT ###### MutualTLS Example -```json -{ - "type": "mutualTLS", - "description": "Cert must be signed by example.com CA" -} -``` - ```yaml type: mutualTLS description: Cert must be signed by example.com CA @@ -4404,21 +3342,6 @@ description: Cert must be signed by example.com CA ###### Implicit OAuth2 Example -```json -{ - "type": "oauth2", - "flows": { - "implicit": { - "authorizationUrl": "https://example.com/api/oauth/dialog", - "scopes": { - "write:pets": "modify pets in your account", - "read:pets": "read your pets" - } - } - } -} -``` - ```yaml type: oauth2 flows: @@ -4463,29 +3386,6 @@ This object MAY be extended with [Specification Extensions](#specification-exten ##### OAuth Flow Object Example -```JSON -{ - "type": "oauth2", - "flows": { - "implicit": { - "authorizationUrl": "https://example.com/api/oauth/dialog", - "scopes": { - "write:pets": "modify pets in your account", - "read:pets": "read your pets" - } - }, - "authorizationCode": { - "authorizationUrl": "https://example.com/api/oauth/dialog", - "tokenUrl": "https://example.com/api/oauth/token", - "scopes": { - "write:pets": "modify pets in your account", - "read:pets": "read your pets" - } - } - } -} -``` - ```yaml type: oauth2 flows: @@ -4532,12 +3432,6 @@ See also [Appendix F: Resolving Security Requirements in a Referenced Document]( ###### Non-OAuth2 Security Requirement -```json -{ - "api_key": [] -} -``` - ```yaml api_key: [] ``` @@ -4546,12 +3440,6 @@ api_key: [] This example uses a component name for the Security Scheme. -```json -{ - "petstore_auth": ["write:pets", "read:pets"] -} -``` - ```yaml petstore_auth: - write:pets @@ -4564,17 +3452,6 @@ This example uses a relative URI reference for the Security Scheme. Optional OAuth2 security as would be defined in an OpenAPI Object or an Operation Object: -```json -{ - "security": [ - {}, - { - "#/components/securitySchemes/petstore_auth": ["write:pets", "read:pets"] - } - ] -} -``` - ```yaml security: - {} @@ -4737,7 +3614,7 @@ Certain field values translate to RFC6570 [operators](https://datatracker.ietf.o Multiple `style: "form"` parameters are equivalent to a single RFC6570 [variable list](https://www.rfc-editor.org/rfc/rfc6570#section-2.2) using the `?` prefix operator: -```YAML +```yaml parameters: - name: foo in: query @@ -4782,7 +3659,7 @@ A parameter name that includes characters outside of the allowed RFC6570 variabl Let's say we want to use the following data in a form query string, where `formulas` is exploded, and `words` is not: -```YAML +```yaml formulas: a: x+y b: x/y @@ -4797,7 +3674,7 @@ words: This array of Parameter Objects uses regular `style: "form"` expansion, fully supported by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570): -```YAML +```yaml parameters: - name: formulas in: query @@ -4831,7 +3708,7 @@ when expanded with the data given earlier, we get: But now let's say that (for some reason), we really want that `/` in the `b` formula to show up as-is in the query string, and we want our words to be space-separated like in a written phrase. To do that, we'll add `allowReserved: true` to `formulas`, and change to `style: "spaceDelimited"` for `words`: -```YAML +```yaml parameters: - name: formulas in: query @@ -4871,7 +3748,7 @@ See also [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for fur So here is our data structure that arranges the names and values to suit the template above, where values for `formulas` have `[]#&=+` pre-percent encoded (although only `+` appears in this example): -```YAML +```yaml a: x%2By b: x/y c: x^y @@ -4892,7 +3769,7 @@ The `/` and the pre-percent-encoded `%2B` have been left alone, but the disallow Care must be taken when manually constructing templates to handle the values that RFC6570 [considers to be _undefined_](https://datatracker.ietf.org/doc/html/rfc6570#section-2.3) correctly: -```YAML +```yaml formulas: {} words: - hello @@ -4909,7 +3786,7 @@ This means that the manually constructed URI Template and restructured data need Restructured data: -```YAML +```yaml words.0: hello words.1: world ``` @@ -4930,7 +3807,7 @@ Result: In this example, the heart emoji is not legal in URI Template names (or URIs): -```YAML +```yaml parameters: - name: ❤️ in: query @@ -4941,7 +3818,7 @@ parameters: We can't just pass `❤️: "love!"` to an RFC6570 implementation. Instead, we have to pre-percent-encode the name (which is a six-octet UTF-8 sequence) in both the data and the URI Template: -```YAML +```yaml "%E2%9D%A4%EF%B8%8F": love! ``` @@ -5072,7 +3949,7 @@ This appendix shows how to retrieve an HTTP-accessible multi-document OpenAPI De First, the [entry document](#openapi-description-structure) is where parsing begins. It defines the `MySecurity` security scheme to be JWT-based, and it defines a Path Item as a reference to a component in another document: -```HTTP +```http GET /api/description/openapi HTTP/1.1 Host: www.example.com Accept: application/openapi+json @@ -5095,7 +3972,7 @@ Accept: application/openapi+json } ``` -```HTTP +```http GET /api/description/openapi HTTP/1.1 Host: www.example.com Accept: application/openapi+yaml @@ -5115,7 +3992,7 @@ paths: This entry document references another document, `other`, without using a file extension. This gives the client the flexibility to choose an acceptable format on a resource-by-resource basis, assuming both representations are available: -```HTTP +```http GET /api/description/other HTTP/1.1 Host: www.example.com Accept: application/openapi+json @@ -5141,7 +4018,7 @@ Accept: application/openapi+json } ``` -```HTTP +```http GET /api/description/other HTTP/1.1 Host: www.example.com Accept: application/openapi+yaml From 5fdd275f717461cf00b1389aefebcfeb8258c12c Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Wed, 14 May 2025 11:13:22 -0700 Subject: [PATCH 155/342] Allow IRIs for XML namespaces XML allows IRIs for namespaces, and compares them without any encoding or decoding. This means that our requirement that namespaces are URIs will cause comparisons with other tools that use IRIs (without mapping them down to URIs) to fail. This change relaxes the description and allows the use of unencoded IRIs. --- src/oas.md | 7 +++---- src/schemas/validation/meta.yaml | 2 +- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/src/oas.md b/src/oas.md index f2e4eeb749..44adb5e864 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3968,7 +3968,7 @@ See examples for expected behavior. | Field Name | Type | Description | | ---- | :----: | ---- | | name | `string` | Replaces the name of the element/attribute used for the described schema property. When defined within `items`, it will affect the name of the individual XML elements within the list. When defined alongside `type` being `"array"` (outside the `items`), it will affect the wrapping element if and only if `wrapped` is `true`. If `wrapped` is `false`, it will be ignored. | -| namespace | `string` | The URI of the namespace definition. Value MUST be in the form of a non-relative URI. | +| namespace | `string` | The IRI ([[RFC3987]]) of the namespace definition. Value MUST be in the form of a non-relative IRI. | | prefix | `string` | The prefix to be used for the [name](#xml-name). | | attribute | `boolean` | Declares whether the property definition translates to an attribute instead of an element. Default value is `false`. | | wrapped | `boolean` | MAY be used only for an array definition. Signifies whether the array is wrapped (for example, ``) or unwrapped (``). Default value is `false`. The definition takes effect only when defined alongside `type` being `"array"` (outside the `items`). | @@ -3977,9 +3977,8 @@ This object MAY be extended with [Specification Extensions](#specification-exten The `namespace` field is intended to match the syntax of [XML namespaces](https://www.w3.org/TR/xml-names11/), although there are a few caveats: -* Versions 3.1.0, 3.0.3, and earlier of this specification erroneously used the term "absolute URI" instead of "non-relative URI", so authors using namespaces that include a fragment should check tooling support carefully. -* XML allows but discourages relative URI-references, while this specification outright forbids them. -* XML 1.1 allows IRIs ([RFC3987](https://datatracker.ietf.org/doc/html/rfc3987)) as namespaces, and specifies that namespaces are compared without any encoding or decoding, which means that IRIs encoded to meet this specification's URI syntax requirement cannot be compared to IRIs as-is. +* Versions 3.1.0, 3.0.3, and earlier of this specification erroneously used the term "absolute URI" instead of "non-relative URI" ("non-relative IRI" as of OAS v3.2.0), so authors using namespaces that include a fragment should check tooling support carefully. +* XML allows but discourages relative IRI-references, while this specification outright forbids them. ##### XML Object Examples diff --git a/src/schemas/validation/meta.yaml b/src/schemas/validation/meta.yaml index eb6a9af2dd..491190a221 100644 --- a/src/schemas/validation/meta.yaml +++ b/src/schemas/validation/meta.yaml @@ -60,7 +60,7 @@ $defs: name: type: string namespace: - format: uri + format: iri type: string prefix: type: string From e077fcec3e1667248a1d59e94a601b7e849c232b Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 28 Apr 2025 22:21:10 -0700 Subject: [PATCH 156/342] Add in: "querystring" parameter location This allows treating the entire query string as a single parameter, which for `application/x-www-form-urlencoded` results in it being handled exactly as request bodies of that media type are handled. Only one `in: "querystring"` is allowed per operation, and if it is present, no `in: "query"` parameters are allowed. The `content` field MUST be used for `in: "querystring"`, as the `style` and related fields are handled in the Encoding Object. This also includes a recommendation that implementors design media types for complex query string formats such as those defined by various frameworks, and register a procedure for supporting them in our media type registry. This is intended to address a slow but steady trickle of requests to support various complex and often contradictory query string formats. --- src/oas.md | 54 ++++++++++++++++++++++++++++-- src/schemas/validation/schema.yaml | 39 +++++++++++++++------ 2 files changed, 79 insertions(+), 14 deletions(-) diff --git a/src/oas.md b/src/oas.md index 9151acac30..838c3eba53 100644 --- a/src/oas.md +++ b/src/oas.md @@ -905,7 +905,8 @@ See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a detail There are four possible parameter locations specified by the `in` field: * path - Used together with [Path Templating](#path-templating), where the parameter value is actually part of the operation's URL. This does not include the host or base path of the API. For example, in `/items/{itemId}`, the path parameter is `itemId`. -* query - Parameters that are appended to the URL. For example, in `/items?id=###`, the query parameter is `id`. +* query - Parameters that are appended to the URL. For example, in `/items?id=###`, the query parameter is `id`; MUST NOT appear in the same operation as an `in: "querystring"` parameter. +* querystring - A parameter that treats the entire URL query string as a value which MUST be specified using the `content` field, most often with media type `application/x-www-form-urlencoded` using [Encoding Objects](#encoding-object) in the same way as with request bodies of that media type; MUST NOT appear more than once, and MUST NOT appear in the same operation with any `in: "query"` parameters. * header - Custom headers that are expected as part of the request. Note that [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.1) states header names are case insensitive. * cookie - Used to pass a specific cookie value to the API. @@ -921,8 +922,8 @@ These fields MAY be used with either `content` or `schema`. | Field Name | Type | Description | | ---- | :----: | ---- | -| name | `string` | **REQUIRED**. The name of the parameter. Parameter names are _case sensitive_.
  • If [`in`](#parameter-in) is `"path"`, the `name` field MUST correspond to a template expression occurring within the [path](#paths-path) field in the [Paths Object](#paths-object). See [Path Templating](#path-templating) for further information.
  • If [`in`](#parameter-in) is `"header"` and the `name` field is `"Accept"`, `"Content-Type"` or `"Authorization"`, the parameter definition SHALL be ignored.
  • For all other cases, the `name` corresponds to the parameter name used by the [`in`](#parameter-in) field.
| -| in | `string` | **REQUIRED**. The location of the parameter. Possible values are `"query"`, `"header"`, `"path"` or `"cookie"`. | +| name | `string` | **REQUIRED**. The name of the parameter. Parameter names are _case sensitive_.
  • If [`in`](#parameter-in) is `"path"`, the `name` field MUST correspond to a template expression occurring within the [path](#paths-path) field in the [Paths Object](#paths-object). See [Path Templating](#path-templating) for further information.
  • If [`in`](#parameter-in) is `"header"` and the `name` field is `"Accept"`, `"Content-Type"` or `"Authorization"`, the parameter definition SHALL be ignored.
  • If `in` is `"querystring"`, or for [certain combinations](#style-examples) of [`style`](#parameter-style) and [`explode`](#parameter-explode), the value of `name` is not used in the parameter serialization.
  • For all other cases, the `name` corresponds to the parameter name used by the [`in`](#parameter-in) field.
| +| in | `string` | **REQUIRED**. The location of the parameter. Possible values are `"query"`, `"querystring"`, `"header"`, `"path"` or `"cookie"`. | | description | `string` | A brief description of the parameter. This could contain examples of use. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | required | `boolean` | Determines whether this parameter is mandatory. If the [parameter location](#parameter-in) is `"path"`, this field is **REQUIRED** and its value MUST be `true`. Otherwise, the field MAY be included and its default value is `false`. | | deprecated | `boolean` | Specifies that a parameter is deprecated and SHOULD be transitioned out of usage. Default value is `false`. | @@ -938,6 +939,8 @@ For simpler scenarios, a [`schema`](#parameter-schema) and [`style`](#parameter- When `example` or `examples` are provided in conjunction with the `schema` field, the example SHOULD match the specified schema and follow the prescribed serialization strategy for the parameter. The `example` and `examples` fields are mutually exclusive, and if either is present it SHALL _override_ any `example` in the schema. +These fields MUST NOT be used with `in: "querystring"`. + Serializing with `schema` is NOT RECOMMENDED for `in: "cookie"` parameters, `in: "header"` parameters that use HTTP header parameters (name=value pairs following a `;`) in their values, or `in: "header"` parameters where values might have non-URL-safe characters; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for details. | Field Name | Type | Description | @@ -956,6 +959,8 @@ See also [Appendix C: Using RFC6570-Based Serialization](#appendix-c-using-rfc65 For more complex scenarios, the [`content`](#parameter-content) field can define the media type and schema of the parameter, as well as give examples of its use. Using `content` with a `text/plain` media type is RECOMMENDED for `in: "header"` and `in: "cookie"` parameters where the `schema` strategy is not appropriate. +For use with `in: "querystring"` and `application/x-www-form-urlencoded`, see [Encoding the `x-www-form-urlencoded` Media Type](#encoding-the-x-www-form-urlencoded-media-type). + | Field Name | Type | Description | | ---- | :----: | ---- | | content | Map[`string`, [Media Type Object](#media-type-object)] | A map containing the representations for the parameter. The key is the media type and the value describes it. The map MUST only contain one entry. | @@ -1012,6 +1017,16 @@ The following table shows examples, as would be shown with the `example` or `exa | deepObject | false | _n/a_ | _n/a_ | _n/a_ | _n/a_ | | deepObject | true | _n/a_ | _n/a_ | _n/a_ | ?color%5BR%5D=100&color%5BG%5D=200&color%5BB%5D=150 | +##### Extending Support for Querystring Formats + +Many frameworks define query string syntax for complex values, such as appending array indices to parameter names or indicating multiple levels of of nested objects, which go well beyond the capabilities of the `deepObject` style. + +As these are not standards, and often contradict each other, the OAS does not attempt to support them directly. +Two avenues are available for supporting such formats with `in: querystring`: + +* Use `content` and `text/plain` with a schema of `type: string` and define the format outside of OpenAPI. While this requires more work to document and construct or parse the format, which is seen as a plain string from the OpenAPI perspective, it provides the easiest flexible option +* Define a media type (which need not necessarily be [IANA-registered](https://www.rfc-editor.org/rfc/rfc6838.html)) and submit a registration for how it can be supported (using `in: "querystring"` and the `content` field) to the OpenAPI Initiative's [Media Type Registry](#media-type-registry). + ##### Parameter Object Examples A header parameter with an array of 64-bit integer numbers: @@ -1086,6 +1101,39 @@ content: type: number ``` +A querystring parameter that uses JSON for the entire string (not as a single query parameter value): + +```yaml +in: querystring +name: json +content: + application/json: + schema: + # Allow an arbitrary JSON object to keep + # the example simple + type: object +``` + +A querystring parameter that uses JSONPath: + +```yaml +in: querystring +name: sql +content: + application/jsonpath: + schema: + type: string + example: $.a.b[1:1] +``` + +As there is not currently a defined mapping between the JSON Schema data model and JSONPath, the details of the string's allowed structure would need to be conveyed either in a human-readable `description` field, or through a mechanism outside of the OpenAPI Description, such as a JSON Schema for the data structure to be queried. + +Assuming a path of `/foo` and a server of `https://example.com`, the full URL incorporateing the value from the `example` field would be: + +```uri +https://example.com/foo?%24.a.b%5B1%3A1%5D +``` + #### Request Body Object Describes a single request body. diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index a963aedc2d..a2df957cf3 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -334,6 +334,7 @@ $defs: in: enum: - query + - querystring - header - path - cookie @@ -359,17 +360,33 @@ $defs: - schema - required: - content - if: - properties: - in: - const: query - required: - - in - then: - properties: - allowEmptyValue: - default: false - type: boolean + allOf: + - if: + properties: + in: + const: query + required: + - in + then: + properties: + allowEmptyValue: + default: false + type: boolean + - if: + properties: + in: + const: querystring + required: + - in + then: + required: + - content + not: + required: + - schema + - style + - explode + - allowReserved dependentSchemas: schema: properties: From bbb20ca46ebbd96850d20c83b9461195991637cb Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 15 May 2025 17:30:12 -0700 Subject: [PATCH 157/342] Define a policy for deprecation markings. We already deprecate `example` in the Schema Object, but do not define what deprecations means. We also effectively deprecate `allowEmptyValue` in the Parameter Object but did not explictly say so. We will likely make other deprecations in the future. This defines a very basic deprecaton policy (they are still supported, but we reserve the right to define a policy for removing them in the future) and marks `allowEmptyValue` with the same formatting used for `example`. --- src/oas.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 9151acac30..37c306e351 100644 --- a/src/oas.md +++ b/src/oas.md @@ -149,6 +149,14 @@ The OpenAPI Specification is versioned using a `major`.`minor`.`patch` versionin Occasionally, non-backwards compatible changes may be made in `minor` versions of the OAS where impact is believed to be low relative to the benefit provided. +#### Deprecation + +Certain fields or features may be marked **Deprecated**. +These fields and features remain part of the specification and can be used like any other field or feature. +However, OpenAPI Description authors should use newer fields and features documented to replace the deprecated ones whenever possible. + +At this time, such elements are expected to remain part of the OAS until the next major version, although a future minor version of this specification may define a policy for later removal of deprecated elements. + ### Format An OpenAPI Document that conforms to the OpenAPI Specification is itself a JSON object, which may be represented either in [[RFC8259|JSON]] or [[YAML|YAML]] format. @@ -926,7 +934,7 @@ These fields MAY be used with either `content` or `schema`. | description | `string` | A brief description of the parameter. This could contain examples of use. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | required | `boolean` | Determines whether this parameter is mandatory. If the [parameter location](#parameter-in) is `"path"`, this field is **REQUIRED** and its value MUST be `true`. Otherwise, the field MAY be included and its default value is `false`. | | deprecated | `boolean` | Specifies that a parameter is deprecated and SHOULD be transitioned out of usage. Default value is `false`. | -| allowEmptyValue | `boolean` | If `true`, clients MAY pass a zero-length string value in place of parameters that would otherwise be omitted entirely, which the server SHOULD interpret as the parameter being unused. Default value is `false`. If [`style`](#parameter-style) is used, and if [behavior is _n/a_ (cannot be serialized)](#style-examples), the value of `allowEmptyValue` SHALL be ignored. Interactions between this field and the parameter's [Schema Object](#schema-object) are implementation-defined. This field is valid only for `query` parameters. Use of this field is NOT RECOMMENDED, and it is likely to be removed in a later revision. | +| allowEmptyValue | `boolean` | If `true`, clients MAY pass a zero-length string value in place of parameters that would otherwise be omitted entirely, which the server SHOULD interpret as the parameter being unused. Default value is `false`. If [`style`](#parameter-style) is used, and if [behavior is _n/a_ (cannot be serialized)](#style-examples), the value of `allowEmptyValue` SHALL be ignored. Interactions between this field and the parameter's [Schema Object](#schema-object) are implementation-defined. This field is valid only for `query` parameters.

**Deprecated:** Use of this field is NOT RECOMMENDED, and it is likely to be removed in a later revision. | This object MAY be extended with [Specification Extensions](#specification-extensions). From 721d714bfb6c522e2836a338c02416c0f432607c Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 15 May 2025 18:31:58 -0700 Subject: [PATCH 158/342] Allow allowReserved everywhere The restriction on `allowReserved` make some useful configurations impossible, and do not actually prevent pathological scenarios like path parameter values containing `/`, from occurring. Such pathological scenarios are already possible by using `content` instead of `style`/`explode`/`allowReserved`. Lifting the restriction also makes the handling of this field more consistent. --- src/oas.md | 8 +++++--- src/schemas/validation/schema.yaml | 6 +++--- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/src/oas.md b/src/oas.md index 9151acac30..16aad6500c 100644 --- a/src/oas.md +++ b/src/oas.md @@ -944,7 +944,7 @@ Serializing with `schema` is NOT RECOMMENDED for `in: "cookie"` parameters, `in: | ---- | :----: | ---- | | style | `string` | Describes how the parameter value will be serialized depending on the type of the parameter value. Default values (based on value of `in`): for `"query"` - `"form"`; for `"path"` - `"simple"`; for `"header"` - `"simple"`; for `"cookie"` - `"form"`. | | explode | `boolean` | When this is true, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters this field has no effect. When [`style`](#parameter-style) is `"form"`, the default value is `true`. For all other styles, the default value is `false`. Note that despite `false` being the default for `deepObject`, the combination of `false` with `deepObject` is undefined. | -| allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#section-3.4) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see Appendices [C](#appendix-c-using-rfc6570-based-serialization) and [E](#appendix-e-percent-encoding-and-form-media-types) for details. This field only applies to parameters with an `in` value of `query`. The default value is `false`. | +| allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed by the rules of the `in` destination or media type, or are [not allowed in the path by this specification](#path-templating); see Appendices [C](#appendix-c-using-rfc6570-based-serialization) and [E](#appendix-e-percent-encoding-and-form-media-types) for details. The default value is `false`. | | schema | [Schema Object](#schema-object) | The schema defining the type used for the parameter. | | example | Any | Example of the parameter's potential value; see [Working With Examples](#working-with-examples). | | examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the parameter's potential value; see [Working With Examples](#working-with-examples). | @@ -1564,7 +1564,7 @@ See [Appendix B](#appendix-b-data-type-conversion) for a discussion of data type | ---- | :----: | ---- | | style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameter-object) for details on the [`style`](#parameter-style) field. The behavior follows the same values as `query` parameters, including default values. Note that the initial `?` used in query strings is not used in `application/x-www-form-urlencoded` message bodies, and MUST be removed (if using an RFC6570 implementation) or simply not added (if constructing the string manually). This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | | explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties this field has no effect. When [`style`](#encoding-style) is `"form"`, the default value is `true`. For all other styles, the default value is `false`. Note that despite `false` being the default for `deepObject`, the combination of `false` with `deepObject` is undefined. This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | -| allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#section-3.4) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see Appendices [C](#appendix-c-using-rfc6570-based-serialization) and [E](#appendix-e-percent-encoding-and-form-media-types) for details. The default value is `false`. This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | +| allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed in the target media type; see Appendices [C](#appendix-c-using-rfc6570-based-serialization) and [E](#appendix-e-percent-encoding-and-form-media-types) for details. The default value is `false`. This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | See also [Appendix C: Using RFC6570 Implementations](#appendix-c-using-rfc6570-based-serialization) for additional guidance, including on difficulties caused by the interaction between RFC6570's percent-encoding rules and the `multipart/form-data` media type. @@ -2299,7 +2299,7 @@ The Header Object follows the structure of the [Parameter Object](#parameter-obj 1. `name` MUST NOT be specified, it is given in the corresponding `headers` map. 1. `in` MUST NOT be specified, it is implicitly in `header`. -1. All traits that are affected by the location MUST be applicable to a location of `header` (for example, [`style`](#parameter-style)). This means that `allowEmptyValue` and `allowReserved` MUST NOT be used, and `style`, if used, MUST be limited to `"simple"`. +1. All traits that are affected by the location MUST be applicable to a location of `header` (for example, [`style`](#parameter-style)). This means that `allowEmptyValue` MUST NOT be used, and `style`, if used, MUST be limited to `"simple"`. ##### Fixed Fields @@ -3837,6 +3837,8 @@ This will expand to the result: [RFC6570](https://www.rfc-editor.org/rfc/rfc6570)'s percent-encoding behavior is not always appropriate for `in: "header"` and `in: "cookie"` parameters. In many cases, it is more appropriate to use `content` with a media type such as `text/plain` and require the application to assemble the correct string. +In some cases, setting `allowReserved: true` will be sufficient to avoid incorret encoding, however many characters are still percent-encoded with this field enabled, so care must be taken to ensure no unexpected percent-encoding will take place. + For both [RFC6265](https://www.rfc-editor.org/rfc/rfc6265) cookies and HTTP headers using the [RFC8941](https://www.rfc-editor.org/rfc/rfc8941) structured fields syntax, non-ASCII content is handled using base64 encoding (`contentEncoding: "base64"`). Note that the standard base64-encoding alphabet includes non-URL-safe characters that are percent-encoded by RFC6570 expansion; serializing values through both encodings is NOT RECOMMENDED. While `contentEncoding` also supports the `base64url` encoding, which is URL-safe, the header and cookie RFCs do not mention this encoding. diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index a963aedc2d..b1b38f2d19 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -377,6 +377,9 @@ $defs: type: string explode: type: boolean + allowReserved: + default: false + type: boolean allOf: - $ref: '#/$defs/examples' - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-path' @@ -435,9 +438,6 @@ $defs: - spaceDelimited - pipeDelimited - deepObject - allowReserved: - default: false - type: boolean styles-for-cookie: if: From 9a7d8cab77ff542759032de4ed9ee26b09d115a8 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 15 May 2025 19:41:24 -0700 Subject: [PATCH 159/342] Better formatting --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index 838c3eba53..4808af580c 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1022,9 +1022,9 @@ The following table shows examples, as would be shown with the `example` or `exa Many frameworks define query string syntax for complex values, such as appending array indices to parameter names or indicating multiple levels of of nested objects, which go well beyond the capabilities of the `deepObject` style. As these are not standards, and often contradict each other, the OAS does not attempt to support them directly. -Two avenues are available for supporting such formats with `in: querystring`: +Two avenues are available for supporting such formats with `in: "querystring"`: -* Use `content` and `text/plain` with a schema of `type: string` and define the format outside of OpenAPI. While this requires more work to document and construct or parse the format, which is seen as a plain string from the OpenAPI perspective, it provides the easiest flexible option +* Use `content` and `text/plain` with a schema of `type: "string"` and define the format outside of OpenAPI. While this requires more work to document and construct or parse the format, which is seen as a plain string from the OpenAPI perspective, it provides the easiest flexible option * Define a media type (which need not necessarily be [IANA-registered](https://www.rfc-editor.org/rfc/rfc6838.html)) and submit a registration for how it can be supported (using `in: "querystring"` and the `content` field) to the OpenAPI Initiative's [Media Type Registry](#media-type-registry). ##### Parameter Object Examples From 6571fb31830446b112735076fe618b073b660c8b Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 16 May 2025 10:16:52 -0700 Subject: [PATCH 160/342] Fix Deprecation heading level --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 37c306e351..3e3fd8bf39 100644 --- a/src/oas.md +++ b/src/oas.md @@ -149,7 +149,7 @@ The OpenAPI Specification is versioned using a `major`.`minor`.`patch` versionin Occasionally, non-backwards compatible changes may be made in `minor` versions of the OAS where impact is believed to be low relative to the benefit provided. -#### Deprecation +### Deprecation Certain fields or features may be marked **Deprecated**. These fields and features remain part of the specification and can be used like any other field or feature. From 6e85994573a371bf940cf947c3d4d0e9551f72b5 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Fri, 16 May 2025 11:26:55 -0700 Subject: [PATCH 161/342] Fixed spelling Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 16aad6500c..eeeca64c7d 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3837,7 +3837,7 @@ This will expand to the result: [RFC6570](https://www.rfc-editor.org/rfc/rfc6570)'s percent-encoding behavior is not always appropriate for `in: "header"` and `in: "cookie"` parameters. In many cases, it is more appropriate to use `content` with a media type such as `text/plain` and require the application to assemble the correct string. -In some cases, setting `allowReserved: true` will be sufficient to avoid incorret encoding, however many characters are still percent-encoded with this field enabled, so care must be taken to ensure no unexpected percent-encoding will take place. +In some cases, setting `allowReserved: true` will be sufficient to avoid incorrect encoding, however many characters are still percent-encoded with this field enabled, so care must be taken to ensure no unexpected percent-encoding will take place. For both [RFC6265](https://www.rfc-editor.org/rfc/rfc6265) cookies and HTTP headers using the [RFC8941](https://www.rfc-editor.org/rfc/rfc8941) structured fields syntax, non-ASCII content is handled using base64 encoding (`contentEncoding: "base64"`). Note that the standard base64-encoding alphabet includes non-URL-safe characters that are percent-encoded by RFC6570 expansion; serializing values through both encodings is NOT RECOMMENDED. From 9fb0bbd080b56af05ce91933b39c77c805dbef84 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sun, 18 May 2025 11:50:50 -0700 Subject: [PATCH 162/342] Align anchor with defaultMapping field name --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 9151acac30..4587c76832 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2882,7 +2882,7 @@ Note that `discriminator` MUST NOT change the validation outcome of the schema. | ---- | :----: | ---- | | propertyName | `string` | **REQUIRED**. The name of the discriminating property in the payload that will hold the discriminating value. The discriminating property MAY be defined as required or optional, but when defined as optional the Discriminator Object MUST include a `defaultMapping` field that specifies which schema is expected to validate the structure of the model when the discriminating property is not present. | | mapping | Map[`string`, `string`] | An object to hold mappings between payload values and schema names or URI references. | -| defaultMapping | `string` | The schema name or URI reference to a schema that is expected to validate the structure of the model when the discriminating property is not present in the payload or contains a value for which there is no explicit or implicit mapping. | +| defaultMapping | `string` | The schema name or URI reference to a schema that is expected to validate the structure of the model when the discriminating property is not present in the payload or contains a value for which there is no explicit or implicit mapping. | This object MAY be extended with [Specification Extensions](#specification-extensions). From f35f66d61f2b1f6fb7d1098b5b3af471360318d3 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Wed, 21 May 2025 11:42:29 -0700 Subject: [PATCH 163/342] Improved wording Co-authored-by: Lorna Jane Mitchell --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 4808af580c..bd7fb606a2 100644 --- a/src/oas.md +++ b/src/oas.md @@ -906,7 +906,7 @@ There are four possible parameter locations specified by the `in` field: * path - Used together with [Path Templating](#path-templating), where the parameter value is actually part of the operation's URL. This does not include the host or base path of the API. For example, in `/items/{itemId}`, the path parameter is `itemId`. * query - Parameters that are appended to the URL. For example, in `/items?id=###`, the query parameter is `id`; MUST NOT appear in the same operation as an `in: "querystring"` parameter. -* querystring - A parameter that treats the entire URL query string as a value which MUST be specified using the `content` field, most often with media type `application/x-www-form-urlencoded` using [Encoding Objects](#encoding-object) in the same way as with request bodies of that media type; MUST NOT appear more than once, and MUST NOT appear in the same operation with any `in: "query"` parameters. +* querystring - A parameter that treats the entire URL query string as a value which MUST be specified using the `content` field, most often with media type `application/x-www-form-urlencoded` using [Encoding Objects](#encoding-object) in the same way as with request bodies of that media type; MUST NOT appear more than once, and MUST NOT appear in the same operation as any `in: "query"` parameters. * header - Custom headers that are expected as part of the request. Note that [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.1) states header names are case insensitive. * cookie - Used to pass a specific cookie value to the API. From 0b7c42de057b74090d06fd2d183ab5fad31fb872 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 22 May 2025 07:33:00 -0700 Subject: [PATCH 164/342] Improve querystring examples, link to registry Replace "no defined mapping" with "no registered mapping" and link to the section about the registry. --- src/oas.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index bd7fb606a2..dde28b58f6 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1112,6 +1112,16 @@ content: # Allow an arbitrary JSON object to keep # the example simple type: object + example: { + "numbers": [1, 2], + "flag": null + } +``` + +Assuming a path of `/foo`, a server of `https://example.com`, the full URL incorporateing the value from the `example` field (with whitespace minimized) would be: + +```uri +https://example.com/foo?%7B%22numbers%22%3A%5B1%2C2%5D%2C%22flag%22%3Anull%7D ``` A querystring parameter that uses JSONPath: @@ -1126,7 +1136,7 @@ content: example: $.a.b[1:1] ``` -As there is not currently a defined mapping between the JSON Schema data model and JSONPath, the details of the string's allowed structure would need to be conveyed either in a human-readable `description` field, or through a mechanism outside of the OpenAPI Description, such as a JSON Schema for the data structure to be queried. +As there is not, as of this writing, a [registered](#media-type-registry) mapping between the JSON Schema data model and JSONPath, the details of the string's allowed structure would need to be conveyed either in a human-readable `description` field, or through a mechanism outside of the OpenAPI Description, such as a JSON Schema for the data structure to be queried. Assuming a path of `/foo` and a server of `https://example.com`, the full URL incorporateing the value from the `example` field would be: From ebf9a44676b4603c97ceb446576e98e80827ce74 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Tue, 27 May 2025 12:59:40 -0700 Subject: [PATCH 165/342] Apply suggestions from code review Co-authored-by: Karen Etheridge --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index dde28b58f6..d98ab8ed6e 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1118,7 +1118,7 @@ content: } ``` -Assuming a path of `/foo`, a server of `https://example.com`, the full URL incorporateing the value from the `example` field (with whitespace minimized) would be: +Assuming a path of `/foo`, a server of `https://example.com`, the full URL incorporating the value from the `example` field (with whitespace minimized) would be: ```uri https://example.com/foo?%7B%22numbers%22%3A%5B1%2C2%5D%2C%22flag%22%3Anull%7D @@ -1138,7 +1138,7 @@ content: As there is not, as of this writing, a [registered](#media-type-registry) mapping between the JSON Schema data model and JSONPath, the details of the string's allowed structure would need to be conveyed either in a human-readable `description` field, or through a mechanism outside of the OpenAPI Description, such as a JSON Schema for the data structure to be queried. -Assuming a path of `/foo` and a server of `https://example.com`, the full URL incorporateing the value from the `example` field would be: +Assuming a path of `/foo` and a server of `https://example.com`, the full URL incorporating the value from the `example` field would be: ```uri https://example.com/foo?%24.a.b%5B1%3A1%5D From 634855e127dcfde51029ea12c61244a40854f957 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Tue, 27 May 2025 13:05:39 -0700 Subject: [PATCH 166/342] Fix example, optional registry usage It is not necessary to register a media type to use it with the `content` field. --- src/oas.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/src/oas.md b/src/oas.md index d98ab8ed6e..cccddbad77 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1025,7 +1025,7 @@ As these are not standards, and often contradict each other, the OAS does not at Two avenues are available for supporting such formats with `in: "querystring"`: * Use `content` and `text/plain` with a schema of `type: "string"` and define the format outside of OpenAPI. While this requires more work to document and construct or parse the format, which is seen as a plain string from the OpenAPI perspective, it provides the easiest flexible option -* Define a media type (which need not necessarily be [IANA-registered](https://www.rfc-editor.org/rfc/rfc6838.html)) and submit a registration for how it can be supported (using `in: "querystring"` and the `content` field) to the OpenAPI Initiative's [Media Type Registry](#media-type-registry). +* Define a media type (which need not necessarily be [IANA-registered](https://www.rfc-editor.org/rfc/rfc6838.html)) and a process for mapping in-memory data to the serialized media type. To increase the likelihood of support across multiple tools, submit a registration for the media type and process to the OpenAPI Initiative's [Media Type Registry](#media-type-registry). ##### Parameter Object Examples @@ -1112,10 +1112,9 @@ content: # Allow an arbitrary JSON object to keep # the example simple type: object - example: { - "numbers": [1, 2], - "flag": null - } + example: + # Shown with whitespace minimized + '{"numbers":[1,2],"flag":null}' ``` Assuming a path of `/foo`, a server of `https://example.com`, the full URL incorporating the value from the `example` field (with whitespace minimized) would be: From f87e13982e92b5cf66ac2a1630bc25c8c1fbc36a Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Tue, 27 May 2025 18:10:34 -0700 Subject: [PATCH 167/342] Add "summary" field to Response Object --- src/oas.md | 1 + src/schemas/validation/schema.yaml | 2 ++ 2 files changed, 3 insertions(+) diff --git a/src/oas.md b/src/oas.md index 8438fdc14b..d83776bbe3 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1831,6 +1831,7 @@ Describes a single response from an API operation, including design-time, static | Field Name | Type | Description | | ---- | :----: | ---- | +| summary | `string` | A short summary of the meaning of the response. | | description | `string` | A description of the response. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | headers | Map[`string`, [Header Object](#header-object) \| [Reference Object](#reference-object)] | Maps a header name to its definition. [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.1) states header names are case insensitive. If a response header is defined with the name `"Content-Type"`, it SHALL be ignored. | | content | Map[`string`, [Media Type Object](#media-type-object)] | A map containing descriptions of potential response payloads. The key is a media type or [media type range](https://www.rfc-editor.org/rfc/rfc9110.html#appendix-A) and the value describes it. For responses that match multiple keys, only the most specific key is applicable. e.g. `"text/plain"` overrides `"text/*"` | diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index b1b38f2d19..ee6eb0c7ce 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -567,6 +567,8 @@ $defs: $comment: https://spec.openapis.org/oas/v3.2#response-object type: object properties: + summary: + type: string description: type: string headers: From 6370475934e506826784cef0101cca942b071d55 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Wed, 28 May 2025 15:28:52 -0700 Subject: [PATCH 168/342] Change example back This is at the Media Type Object level, and JSON examples are to be written as inline JSON/YAML. If we were at the Parameter Object level, we would use the URI percent-encoded string form, but the example field is not allowed with the content field. --- src/oas.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/oas.md b/src/oas.md index cccddbad77..f4581af47a 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1112,9 +1112,10 @@ content: # Allow an arbitrary JSON object to keep # the example simple type: object - example: - # Shown with whitespace minimized - '{"numbers":[1,2],"flag":null}' + example: { + "numbers": [1, 2], + "flag": null + } ``` Assuming a path of `/foo`, a server of `https://example.com`, the full URL incorporating the value from the `example` field (with whitespace minimized) would be: From bb32b97a1e491f6eca6d41033d456f3f0aefd9b9 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 29 May 2025 08:51:36 -0700 Subject: [PATCH 169/342] Don't call the JSONPath example parameter "sql" (It was originally a SQL example). --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index f4581af47a..70ecc7aed4 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1128,7 +1128,7 @@ A querystring parameter that uses JSONPath: ```yaml in: querystring -name: sql +name: selector content: application/jsonpath: schema: From a97eb1fbbb190da68d3020ead1f54251105b56d4 Mon Sep 17 00:00:00 2001 From: Lorna Jane Mitchell Date: Sun, 1 Jun 2025 10:43:38 +0100 Subject: [PATCH 170/342] Tiny copyedit fix --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 547c82f42c..3df5572368 100644 --- a/src/oas.md +++ b/src/oas.md @@ -947,7 +947,7 @@ See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a detail ##### Parameter Locations -There are four possible parameter locations specified by the `in` field: +There are five possible parameter locations specified by the `in` field: * path - Used together with [Path Templating](#path-templating), where the parameter value is actually part of the operation's URL. This does not include the host or base path of the API. For example, in `/items/{itemId}`, the path parameter is `itemId`. * query - Parameters that are appended to the URL. For example, in `/items?id=###`, the query parameter is `id`; MUST NOT appear in the same operation as an `in: "querystring"` parameter. From 641d43e2ded5a99e4a40c2879dbb10c2d8e48695 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 5 Jun 2025 12:03:41 -0700 Subject: [PATCH 171/342] Strengthen generic data types to a SHOULD This was added as a MAY in 3.1.1 but we can make it a SHOULD in 3.2. --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 3df5572368..569676d9a1 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2632,7 +2632,7 @@ There are two ways to define the value of a discriminating property for an inher ###### Generic (Template) Data Structures -Implementations MAY support defining generic or template data structures using JSON Schema's dynamic referencing feature: +Implementations SHOULD support defining generic or template data structures using JSON Schema's dynamic referencing feature: * `$dynamicAnchor` identifies a set of possible schemas (including a default placeholder schema) to which a `$dynamicRef` can resolve * `$dynamicRef` resolves to the first matching `$dynamicAnchor` encountered on its path from the schema entry point to the reference, as described in the JSON Schema specification From 17d36668541bc76894aabd3dfff1284e19d15a4a Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Thu, 5 Jun 2025 16:11:46 -0400 Subject: [PATCH 172/342] fix: adds missing schema reference as an option of parameter schema and media type schema/item schema Signed-off-by: Vincent Biret --- src/oas.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/oas.md b/src/oas.md index 3df5572368..ef2766b6e8 100644 --- a/src/oas.md +++ b/src/oas.md @@ -993,7 +993,7 @@ Serializing with `schema` is NOT RECOMMENDED for `in: "cookie"` parameters, `in: | style | `string` | Describes how the parameter value will be serialized depending on the type of the parameter value. Default values (based on value of `in`): for `"query"` - `"form"`; for `"path"` - `"simple"`; for `"header"` - `"simple"`; for `"cookie"` - `"form"`. | | explode | `boolean` | When this is true, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters this field has no effect. When [`style`](#parameter-style) is `"form"`, the default value is `true`. For all other styles, the default value is `false`. Note that despite `false` being the default for `deepObject`, the combination of `false` with `deepObject` is undefined. | | allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed by the rules of the `in` destination or media type, or are [not allowed in the path by this specification](#path-templating); see Appendices [C](#appendix-c-using-rfc6570-based-serialization) and [E](#appendix-e-percent-encoding-and-form-media-types) for details. The default value is `false`. | -| schema | [Schema Object](#schema-object) | The schema defining the type used for the parameter. | +| schema | [Schema Object](#schema-object) \| [Reference Object](#reference-object) | The schema defining the type used for the parameter. | | example | Any | Example of the parameter's potential value; see [Working With Examples](#working-with-examples). | | examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the parameter's potential value; see [Working With Examples](#working-with-examples). | @@ -1249,8 +1249,8 @@ See [Working With Examples](#working-with-examples) for further guidance regardi | Field Name | Type | Description | | ---- | :----: | ---- | -| schema | [Schema Object](#schema-object) | A schema describing the complete content of the request, response, parameter, or header. | -| itemSchema | [Schema Object](#schema-object) | A schema describing each item within a [sequential media type](#sequential-media-types). | +| schema | [Schema Object](#schema-object) \| [Reference Object](#reference-object) | A schema describing the complete content of the request, response, parameter, or header. | +| itemSchema | [Schema Object](#schema-object) \| [Reference Object](#reference-object) | A schema describing each item within a [sequential media type](#sequential-media-types). | | example | Any | Example of the media type; see [Working With Examples](#working-with-examples). | | examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the media type; see [Working With Examples](#working-with-examples). | | encoding | Map[`string`, [Encoding Object](#encoding-object)] | A map between a property name and its encoding information, as defined under [Encoding Usage and Restrictions](#encoding-usage-and-restrictions). The `encoding` field SHALL only apply when the media type is `multipart` or `application/x-www-form-urlencoded`. If no Encoding Object is provided for a property, the behavior is determined by the default values documented for the Encoding Object. | From dff699ba8bb057d8956fe374e87c5f0bba841c9c Mon Sep 17 00:00:00 2001 From: Vincent Biret Date: Thu, 5 Jun 2025 16:30:38 -0400 Subject: [PATCH 173/342] fix: removes the reference object from headers schema Signed-off-by: Vincent Biret --- src/oas.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/oas.md b/src/oas.md index ef2766b6e8..e1637a1cf0 100644 --- a/src/oas.md +++ b/src/oas.md @@ -993,7 +993,7 @@ Serializing with `schema` is NOT RECOMMENDED for `in: "cookie"` parameters, `in: | style | `string` | Describes how the parameter value will be serialized depending on the type of the parameter value. Default values (based on value of `in`): for `"query"` - `"form"`; for `"path"` - `"simple"`; for `"header"` - `"simple"`; for `"cookie"` - `"form"`. | | explode | `boolean` | When this is true, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters this field has no effect. When [`style`](#parameter-style) is `"form"`, the default value is `true`. For all other styles, the default value is `false`. Note that despite `false` being the default for `deepObject`, the combination of `false` with `deepObject` is undefined. | | allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed by the rules of the `in` destination or media type, or are [not allowed in the path by this specification](#path-templating); see Appendices [C](#appendix-c-using-rfc6570-based-serialization) and [E](#appendix-e-percent-encoding-and-form-media-types) for details. The default value is `false`. | -| schema | [Schema Object](#schema-object) \| [Reference Object](#reference-object) | The schema defining the type used for the parameter. | +| schema | [Schema Object](#schema-object) | The schema defining the type used for the parameter. | | example | Any | Example of the parameter's potential value; see [Working With Examples](#working-with-examples). | | examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the parameter's potential value; see [Working With Examples](#working-with-examples). | @@ -1249,8 +1249,8 @@ See [Working With Examples](#working-with-examples) for further guidance regardi | Field Name | Type | Description | | ---- | :----: | ---- | -| schema | [Schema Object](#schema-object) \| [Reference Object](#reference-object) | A schema describing the complete content of the request, response, parameter, or header. | -| itemSchema | [Schema Object](#schema-object) \| [Reference Object](#reference-object) | A schema describing each item within a [sequential media type](#sequential-media-types). | +| schema | [Schema Object](#schema-object) | A schema describing the complete content of the request, response, parameter, or header. | +| itemSchema | [Schema Object](#schema-object) | A schema describing each item within a [sequential media type](#sequential-media-types). | | example | Any | Example of the media type; see [Working With Examples](#working-with-examples). | | examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the media type; see [Working With Examples](#working-with-examples). | | encoding | Map[`string`, [Encoding Object](#encoding-object)] | A map between a property name and its encoding information, as defined under [Encoding Usage and Restrictions](#encoding-usage-and-restrictions). The `encoding` field SHALL only apply when the media type is `multipart` or `application/x-www-form-urlencoded`. If no Encoding Object is provided for a property, the behavior is determined by the default values documented for the Encoding Object. | @@ -2433,7 +2433,7 @@ The `example` and `examples` fields are mutually exclusive, and if either is pre | ---- | :----: | ---- | | style | `string` | Describes how the header value will be serialized. The default (and only legal value for headers) is `"simple"`. | | explode | `boolean` | When this is true, header values of type `array` or `object` generate a single header whose value is a comma-separated list of the array items or key-value pairs of the map, see [Style Examples](#style-examples). For other data types this field has no effect. The default value is `false`. | -| schema | [Schema Object](#schema-object) \| [Reference Object](#reference-object) | The schema defining the type used for the header. | +| schema | [Schema Object](#schema-object) | The schema defining the type used for the header. | | example | Any | Example of the header's potential value; see [Working With Examples](#working-with-examples). | | examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the header's potential value; see [Working With Examples](#working-with-examples). | From be2b727ac21c0e59be12ef5294cb379f320b131d Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Mon, 9 Jun 2025 13:51:03 +0200 Subject: [PATCH 174/342] Typo --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 3df5572368..deb4a541f9 100644 --- a/src/oas.md +++ b/src/oas.md @@ -108,7 +108,7 @@ The fourth repeats `application/geo+json`-structured values, while the last repe Implementations MUST support mapping sequential media types into the JSON Schema data model by treating them as if the values were in an array in the same order. -See [Complete vs Streaming Content](#complete-vs-streaming-content) for more information on handling sequential media type in a streaming context, including special considerations for `text/event-stream` content. +See [Complete vs Streaming Content](#complete-vs-streaming-content) for more information on handling sequential media types in a streaming context, including special considerations for `text/event-stream` content. #### Media Type Registry From aa48bead0dca1f7ea5bb716598dfeab9c9bc27d1 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 9 Jun 2025 10:49:29 -0700 Subject: [PATCH 175/342] Example Object example updates --- src/oas.md | 143 +++++++++++++++++++++++------------------------------ 1 file changed, 63 insertions(+), 80 deletions(-) diff --git a/src/oas.md b/src/oas.md index 3df5572368..56dc93a5e7 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2128,100 +2128,83 @@ With the Example Object, such values can alternatively be handled through the `e ##### Example Object Examples -In a request body: +###### JSON Examples -```yaml -requestBody: - content: - 'application/json': - schema: - $ref: '#/components/schemas/Address' - examples: - foo: - summary: A foo example - value: - foo: bar - bar: - summary: A bar example - value: - bar: baz - application/xml: - examples: - xmlExample: - summary: This is an example in XML - externalValue: https://example.org/examples/address-example.xml - text/plain: - examples: - textExample: - summary: This is a text example - externalValue: https://foo.bar/examples/address-example.txt -``` - -In a parameter: +When writing in YAML, JSON syntax can be used for `dataValue` (as shown in the `noRating` example) but is not required. +While this example shows the behavior of both `dataValue` and `serializedValue` for JSON (in the 'withRating` example), in most cases only the data form is needed. ```yaml -parameters: - - name: zipCode - in: query +content: + application/json: schema: - type: string - format: zip-code + type: object + required: + - author + - title + properties: + author: + type: string + title: + type: string + rating: + type: number + minimum: 1 + maximum: 5 + multipleOf: 0.5 examples: - zip-example: - $ref: '#/components/examples/zip-example' -``` - -In a response: + noRating: + summary: A not-yet-rated work + dataValue: { + "author": "A. Writer", + "title": "The Newest Book" + } + withRating: + summary: A work with an average rating of 4.5 stars + dataValue: + author: A. Writer + title: An Older Book + rating: 4.5 + serializedValue: | + { + "author": "A. Writer", + "title": "An Older Book", + "rating": 4.5 + } +``` + +###### Binary Examples + +This example shows both `externalDataValue` and `externalSerializedValue` to emphasize that no encoding is taking place, but it is also valid to show only one or the other. ```yaml -responses: - '200': - description: your car appointment has been booked - content: - application/json: - schema: - $ref: '#/components/schemas/SuccessResponse' - examples: - confirmation-success: - $ref: '#/components/examples/confirmation-success' -``` - -Two different uses of JSON strings: - -First, a request or response body that is just a JSON string (not an object containing a string): - -```yaml -application/json: - schema: - type: string - examples: - jsonBody: - description: 'A body of just the JSON string "json"' - value: json +content: + image/png: + schema: {} + examples: + Red: + externalDataValue: ./examples/2-by-2-red-pixels.png + serializedDataValue: ./examples/2-by-2-red-pixels.png ``` -In the above example, we can just show the JSON string (or any JSON value) as-is, rather than stuffing a serialized JSON value into a JSON string, which would have looked like `"\"json\""`. +###### Boolean Query Parameter Examples -In contrast, a JSON string encoded inside of a URL-style form body: +Since there is no standard for serializing boolean values (as discussed in [Appendix B](#appendix-b-data-type-conversion)), this example uses `dataValue` and `serializedValue` to show how booleans are serialized for this particular parameter: ```yaml -application/x-www-form-urlencoded: - schema: - type: object - properties: - jsonValue: - type: string - encoding: - jsonValue: - contentType: application/json - examples: - jsonFormValue: - description: 'The JSON string "json" as a form value' - value: jsonValue=%22json%22 +name: flag +in: query +required: true +schema: + type: boolean +examples: + "true": + dataValue: true + serializedValue: flag=true + "false": + dataValue: false + serializedValue: flag=false ``` -In this example, the JSON string had to be serialized before encoding it into the URL form value, so the example includes the quotation marks that are part of the JSON serialization, which are then URL percent-encoded. - #### Link Object The Link Object represents a possible design-time link for a response. From fb934ec767abffdcd72a12598c4ad184ca09d528 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Tue, 10 Jun 2025 12:21:37 -0700 Subject: [PATCH 176/342] Allow `allowReserved` in the Header Object We added it in the Parameter and Encoding Objects but forgot the Header Object (again). --- src/oas.md | 5 ++++- src/schemas/validation/schema.yaml | 3 +++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 3df5572368..413d6dfb53 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2424,7 +2424,9 @@ This object MAY be extended with [Specification Extensions](#specification-exten For simpler scenarios, a [`schema`](#header-schema) and [`style`](#header-style) can describe the structure and syntax of the header. When `example` or `examples` are provided in conjunction with the `schema` field, the example MUST follow the prescribed serialization strategy for the header. -Serializing with `schema` is NOT RECOMMENDED for headers with parameters (name=value pairs following a `;`) in their values, or where values might have non-URL-safe characters; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for details. +Serializing headers with `schema` can be problematic due to the URI percent-encoding that is automatically applied, which would percent-encode characters such as `;` that are used to separate primary header values from their parameters. +The `allowReserved` field can disable most but not all of this behavior. +See [Appendix D](#appendix-d-serializing-headers-and-cookies) for details and further guidance. When `example` or `examples` are provided in conjunction with the `schema` field, the example SHOULD match the specified schema and follow the prescribed serialization strategy for the header. The `example` and `examples` fields are mutually exclusive, and if either is present it SHALL _override_ any `example` in the schema. @@ -2433,6 +2435,7 @@ The `example` and `examples` fields are mutually exclusive, and if either is pre | ---- | :----: | ---- | | style | `string` | Describes how the header value will be serialized. The default (and only legal value for headers) is `"simple"`. | | explode | `boolean` | When this is true, header values of type `array` or `object` generate a single header whose value is a comma-separated list of the array items or key-value pairs of the map, see [Style Examples](#style-examples). For other data types this field has no effect. The default value is `false`. | +| allowReserved | `boolean` | When this is true, header values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). See [Appendix D: Serializing Headers and Cookies](#appendix-d-serializing-headers-and-cookies) for guidance on header encoding and escaping. The default value is `false`. | | schema | [Schema Object](#schema-object) \| [Reference Object](#reference-object) | The schema defining the type used for the header. | | example | Any | Example of the header's potential value; see [Working With Examples](#working-with-examples). | | examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the header's potential value; see [Working With Examples](#working-with-examples). | diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 4b04f9a43f..9990fefb67 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -728,6 +728,9 @@ $defs: explode: default: false type: boolean + allowReserved: + default: false + type: boolean $ref: '#/$defs/examples' $ref: '#/$defs/specification-extensions' unevaluatedProperties: false From 427c88bc8c489f228368080b3ea3877ca49709ea Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Wed, 11 Jun 2025 20:43:19 +0200 Subject: [PATCH 177/342] Bring schema test coverage back to 100% Test cases for - Response Object with summary - $self - Parameter Object with in:querystring --- tests/schema/pass/info-object-example.yaml | 1 + tests/schema/pass/parameter-object-examples.yaml | 16 +++++++++++++++- tests/schema/pass/response-object-examples.yaml | 1 + 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/tests/schema/pass/info-object-example.yaml b/tests/schema/pass/info-object-example.yaml index 2f1be1d6f5..1d36bef06c 100644 --- a/tests/schema/pass/info-object-example.yaml +++ b/tests/schema/pass/info-object-example.yaml @@ -1,5 +1,6 @@ # including External Documentation Object Example openapi: 3.2.0 +$self: https://example.com/openapi info: title: Example Pet Store App summary: A pet store manager. diff --git a/tests/schema/pass/parameter-object-examples.yaml b/tests/schema/pass/parameter-object-examples.yaml index ba8fbc4886..ab5a00e612 100644 --- a/tests/schema/pass/parameter-object-examples.yaml +++ b/tests/schema/pass/parameter-object-examples.yaml @@ -51,4 +51,18 @@ paths: lat: type: number long: - type: number \ No newline at end of file + type: number + /user: + parameters: + - in: querystring + name: json + content: + application/json: + schema: + # Allow an arbitrary JSON object to keep + # the example simple + type: object + example: { + "numbers": [1, 2], + "flag": null + } \ No newline at end of file diff --git a/tests/schema/pass/response-object-examples.yaml b/tests/schema/pass/response-object-examples.yaml index 8c3edd7d0c..f55d5733ed 100644 --- a/tests/schema/pass/response-object-examples.yaml +++ b/tests/schema/pass/response-object-examples.yaml @@ -5,6 +5,7 @@ info: components: responses: complex-object-array: + summary: Complex object array description: A complex object array response content: application/json: From f05df35833c3b592b6575bcf83242cf1031475e5 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Wed, 11 Jun 2025 18:30:45 -0700 Subject: [PATCH 178/342] Don't use `externalDataValue` for binary --- src/oas.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index 56dc93a5e7..47d9a16913 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2174,7 +2174,7 @@ content: ###### Binary Examples -This example shows both `externalDataValue` and `externalSerializedValue` to emphasize that no encoding is taking place, but it is also valid to show only one or the other. +Fully binary data is shown using `serializedDataValue`: ```yaml content: @@ -2182,7 +2182,6 @@ content: schema: {} examples: Red: - externalDataValue: ./examples/2-by-2-red-pixels.png serializedDataValue: ./examples/2-by-2-red-pixels.png ``` From c59c1b18edea2d03a9d0bd2c03c1df400d1fbb2a Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Thu, 12 Jun 2025 21:49:17 +0200 Subject: [PATCH 179/342] Test case for allowReserved in Header Object --- tests/schema/pass/header-object-examples.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/schema/pass/header-object-examples.yaml b/tests/schema/pass/header-object-examples.yaml index 2a23a8ff82..4122c75c61 100644 --- a/tests/schema/pass/header-object-examples.yaml +++ b/tests/schema/pass/header-object-examples.yaml @@ -22,4 +22,5 @@ components: schema: type: array style: simple - explode: true \ No newline at end of file + explode: true + allowReserved: true \ No newline at end of file From f9b0017867f41da4ff01277381a8e5d0c63fd214 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 12 Jun 2025 16:01:14 -0700 Subject: [PATCH 180/342] Use matching jsonSchemaDialect Since we are testing with a placeholder, we need to match the placeholder. This will unfortunately need to be different on each new release line branch, so let's separate this test case into its own file. --- tests/schema/pass/json_schema_dialect.yaml | 15 +++++++++++++++ tests/schema/pass/mega.yaml | 1 - 2 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 tests/schema/pass/json_schema_dialect.yaml diff --git a/tests/schema/pass/json_schema_dialect.yaml b/tests/schema/pass/json_schema_dialect.yaml new file mode 100644 index 0000000000..fa054c9b89 --- /dev/null +++ b/tests/schema/pass/json_schema_dialect.yaml @@ -0,0 +1,15 @@ +openapi: 3.2.0 +info: + summary: Testing jsonSchemaDialect + title: My API + version: 1.0.0 + license: + name: Apache 2.0 + identifier: Apache-2.0 +jsonSchemaDialect: https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS +components: + schemas: + WithDollarSchema: + $id: "locked-metaschema" + $schema: https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS +paths: {} diff --git a/tests/schema/pass/mega.yaml b/tests/schema/pass/mega.yaml index a0179b64bd..db953e866d 100644 --- a/tests/schema/pass/mega.yaml +++ b/tests/schema/pass/mega.yaml @@ -6,7 +6,6 @@ info: license: name: Apache 2.0 identifier: Apache-2.0 -jsonSchemaDialect: https://spec.openapis.org/oas/3.1/dialect/base paths: /: get: From 98ae842fc613ca9e45777f0707ab148a50a5ba6c Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 12 Jun 2025 19:03:38 -0700 Subject: [PATCH 181/342] Add XML Object schema tests --- tests/schema/pass/media-type-examples.yaml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/tests/schema/pass/media-type-examples.yaml b/tests/schema/pass/media-type-examples.yaml index 3a8e880f7a..5a263f037f 100644 --- a/tests/schema/pass/media-type-examples.yaml +++ b/tests/schema/pass/media-type-examples.yaml @@ -33,6 +33,26 @@ paths: application/jsonl: itemSchema: $ref: '#components/schemas/Pet' + application/xml: + schema: + type: object + properties: + foo: + type: string + xml: + namespace: https://example.com + prefix: example + name: Foo + bar: + type: array + items: + type: number + xml: + wrapped: true + attr: + type: string + xml: + attribute: true application/x-www-form-urlencoded: schema: type: object From 0a223cd69875c7fd5978ac8c744735c8e24dcb32 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 12 Jun 2025 19:08:52 -0700 Subject: [PATCH 182/342] Use externalDocs in a schema test object --- tests/schema/pass/mega.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/schema/pass/mega.yaml b/tests/schema/pass/mega.yaml index db953e866d..7d2f5fc0da 100644 --- a/tests/schema/pass/mega.yaml +++ b/tests/schema/pass/mega.yaml @@ -27,6 +27,9 @@ components: content: 'application/json': schema: + externalDocs: + description: More docs! + url: https://example.com/elsewhere.html type: object properties: type: From 27516b6103df3cb5c4bb986eb199023ee39561df Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 12 Jun 2025 19:13:36 -0700 Subject: [PATCH 183/342] Cover discriminator with schema test cases Also make the discriminator usage valid. --- tests/schema/pass/mega.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/tests/schema/pass/mega.yaml b/tests/schema/pass/mega.yaml index 7d2f5fc0da..3e57fb9144 100644 --- a/tests/schema/pass/mega.yaml +++ b/tests/schema/pass/mega.yaml @@ -19,6 +19,12 @@ components: securitySchemes: mtls: type: mutualTLS + schemas: + Foo: + type: object + properties: + type: + const: foo pathItems: myPathItem: post: @@ -47,5 +53,9 @@ components: type: ['string','null'] discriminator: propertyName: type + mapping: + foo: Foo x-extension: true + anyOf: + - $ref: "#/components/schemas/Foo" myArbitraryKeyword: true From 50abcbf4c54c154576e3fe02d8730794acd4c90c Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 13 Jun 2025 09:05:47 -0700 Subject: [PATCH 184/342] Use full schema (schema-base) for tests --- scripts/schema-test-coverage.mjs | 85 ++++++++++++++++++++++++++++---- scripts/schema-test-coverage.sh | 2 +- tests/schema/schema.test.mjs | 65 ++++++++++++++++++++++-- 3 files changed, 138 insertions(+), 14 deletions(-) diff --git a/scripts/schema-test-coverage.mjs b/scripts/schema-test-coverage.mjs index 0b2050ea60..4856c3e117 100644 --- a/scripts/schema-test-coverage.mjs +++ b/scripts/schema-test-coverage.mjs @@ -1,10 +1,11 @@ +import { readFileSync } from "node:fs"; import { readdir, readFile } from "node:fs/promises"; import YAML from "yaml"; import { join } from "node:path"; import { argv } from "node:process"; -import { validate } from "@hyperjump/json-schema/draft-2020-12"; +import { registerSchema, validate } from "@hyperjump/json-schema/draft-2020-12"; import "@hyperjump/json-schema/draft-04"; -import { BASIC } from "@hyperjump/json-schema/experimental"; +import { BASIC, addKeyword, defineVocabulary } from "@hyperjump/json-schema/experimental"; /** * @import { EvaluationPlugin } from "@hyperjump/json-schema/experimental" @@ -45,7 +46,14 @@ class TestCoveragePlugin { this.allLocations = []; for (const schemaLocation in context.ast) { - if (schemaLocation === "metaData") { + if ( + schemaLocation === "metaData" || + // Do not require coverage of standard JSON Schema + schemaLocation.includes("json-schema.org") || + // Do not require coverage of default $dynamicAnchor + // schemas, as they are not expected to be reached + schemaLocation.endsWith("/schema/WORK-IN-PROGRESS#/$defs/schema") + ) { continue; } @@ -110,6 +118,68 @@ const runTests = async (schemaUri, testDirectory) => { }; }; +addKeyword({ + id: "https://spec.openapis.org/oas/schema/vocab/keyword/discriminator", + interpret: (discriminator, instance, context) => { + return true; + }, + /* discriminator is not exactly an annotation, but it's not allowed + * to change the validation outcome (hence returing true from interopret()) + * and for our purposes of testing, this is sufficient. + */ + annotation: (discriminator) => { + return discriminator; + }, +}); + +addKeyword({ + id: "https://spec.openapis.org/oas/schema/vocab/keyword/example", + interpret: (example, instance, context) => { + return true; + }, + annotation: (example) => { + return example; + }, +}); + +addKeyword({ + id: "https://spec.openapis.org/oas/schema/vocab/keyword/externalDocs", + interpret: (externalDocs, instance, context) => { + return true; + }, + annotation: (externalDocs) => { + return externalDocs; + }, +}); + +addKeyword({ + id: "https://spec.openapis.org/oas/schema/vocab/keyword/xml", + interpret: (xml, instance, context) => { + return true; + }, + annotation: (xml) => { + return xml; + }, +}); + +defineVocabulary( + "https://spec.openapis.org/oas/3.2/vocab/base", + { + "discriminator": "https://spec.openapis.org/oas/schema/vocab/keyword/discriminator", + "example": "https://spec.openapis.org/oas/schema/vocab/keyword/example", + "externalDocs": "https://spec.openapis.org/oas/schema/vocab/keyword/externalDocs", + "xml": "https://spec.openapis.org/oas/schema/vocab/keyword/xml", + }, +); + +const parseYamlFromFile = (filePath) => { + const schemaYaml = readFileSync(filePath, "utf8"); + return YAML.parse(schemaYaml, { prettyErrors: true }); +}; +registerSchema(parseYamlFromFile("./src/schemas/validation/meta.yaml")); +registerSchema(parseYamlFromFile("./src/schemas/validation/dialect.yaml")); +registerSchema(parseYamlFromFile("./src/schemas/validation/schema.yaml")); + /////////////////////////////////////////////////////////////////////////////// const { allLocations, visitedLocations } = await runTests(argv[2], argv[3]); @@ -122,16 +192,13 @@ if (notCovered.length > 0) { const firstNotCovered = notCovered.slice(0, maxNotCovered); if (notCovered.length > maxNotCovered) firstNotCovered.push("..."); console.log(firstNotCovered); + process.exitCode = 1; } console.log( "Covered:", - visitedLocations.size, + (allLocations.length - notCovered.length), "of", allLocations.length, - "(" + Math.floor((visitedLocations.size / allLocations.length) * 100) + "%)", + "(" + Math.floor(((allLocations.length - notCovered.length) / allLocations.length) * 100) + "%)", ); - -if (visitedLocations.size != allLocations.length) { - process.exitCode = 1; -} \ No newline at end of file diff --git a/scripts/schema-test-coverage.sh b/scripts/schema-test-coverage.sh index 825a254e26..f00b661b0b 100755 --- a/scripts/schema-test-coverage.sh +++ b/scripts/schema-test-coverage.sh @@ -12,7 +12,7 @@ echo echo "Schema Test Coverage" echo -node scripts/schema-test-coverage.mjs src/schemas/validation/schema.yaml tests/schema/pass +node scripts/schema-test-coverage.mjs src/schemas/validation/schema-base.yaml tests/schema/pass rc=$? [[ "$branch" == "dev" ]] || exit $rc diff --git a/tests/schema/schema.test.mjs b/tests/schema/schema.test.mjs index 362ccc856c..00ed2d3df0 100644 --- a/tests/schema/schema.test.mjs +++ b/tests/schema/schema.test.mjs @@ -1,7 +1,7 @@ import { readdirSync, readFileSync } from "node:fs"; import YAML from "yaml"; -import { validate, setMetaSchemaOutputFormat } from "@hyperjump/json-schema/openapi-3-1"; -import { BASIC } from "@hyperjump/json-schema/experimental"; +import { registerSchema, validate, setMetaSchemaOutputFormat } from "@hyperjump/json-schema/openapi-3-1"; +import { BASIC, addKeyword, defineVocabulary } from "@hyperjump/json-schema/experimental"; import { describe, test, expect } from "vitest"; import contentTypeParser from "content-type"; @@ -26,10 +26,67 @@ const parseYamlFromFile = (filePath) => { setMetaSchemaOutputFormat(BASIC); -const validateOpenApi = await validate("./src/schemas/validation/schema.yaml"); +addKeyword({ + id: "https://spec.openapis.org/oas/schema/vocab/keyword/discriminator", + interpret: (discriminator, instance, context) => { + return true; + }, + /* discriminator is not exactly an annotation, but it's not allowed + * to change the validation outcome (hence returing true from interopret()) + * and for our purposes of testing, this is sufficient. + */ + annotation: (discriminator) => { + return discriminator; + }, +}); + +addKeyword({ + id: "https://spec.openapis.org/oas/schema/vocab/keyword/example", + interpret: (example, instance, context) => { + return true; + }, + annotation: (example) => { + return example; + }, +}); + +addKeyword({ + id: "https://spec.openapis.org/oas/schema/vocab/keyword/externalDocs", + interpret: (externalDocs, instance, context) => { + return true; + }, + annotation: (externalDocs) => { + return externalDocs; + }, +}); + +addKeyword({ + id: "https://spec.openapis.org/oas/schema/vocab/keyword/xml", + interpret: (xml, instance, context) => { + return true; + }, + annotation: (xml) => { + return xml; + }, +}); + +defineVocabulary( + "https://spec.openapis.org/oas/3.2/vocab/base", + { + "discriminator": "https://spec.openapis.org/oas/schema/vocab/keyword/discriminator", + "example": "https://spec.openapis.org/oas/schema/vocab/keyword/example", + "externalDocs": "https://spec.openapis.org/oas/schema/vocab/keyword/externalDocs", + "xml": "https://spec.openapis.org/oas/schema/vocab/keyword/xml", + }, +); + +registerSchema(parseYamlFromFile("./src/schemas/validation/meta.yaml")); +registerSchema(parseYamlFromFile("./src/schemas/validation/dialect.yaml")); +registerSchema(parseYamlFromFile("./src/schemas/validation/schema.yaml")); +const validateOpenApi = await validate("./src/schemas/validation/schema-base.yaml"); const fixtures = './tests/schema'; -describe("v3.1", () => { +describe("v3.2", () => { describe("Pass", () => { readdirSync(`${fixtures}/pass`, { withFileTypes: true }) .filter((entry) => entry.isFile() && /\.yaml$/.test(entry.name)) From 23e9712597661285603978c4d185ee641f6dc956 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Tue, 13 May 2025 10:00:02 -0700 Subject: [PATCH 185/342] Root XML element name comes from component name Clarifies that the name of the root XML element comes from the component name, which was shown in an example but was unclear due to the use of the obsolete OAS 2.0 terminology "model." This does not change the restriction (in the `xml` field of the Schema Object) that the `xml` field only applies to property schemas (and not root schemas). --- src/oas.md | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/src/oas.md b/src/oas.md index 67b36f814c..76d169ad6c 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3253,22 +3253,25 @@ animals: ###### XML Attribute, Prefix and Namespace -In this example, a full model definition is shown. +In this example, a full [schema component](#components-schemas) definition is shown. +Note that the name of the root XML element comes from the component name. ```yaml -Person: - type: object - properties: - id: - type: integer - format: int32 - xml: - attribute: true - name: - type: string - xml: - namespace: https://example.com/schema/sample - prefix: sample +components: + schemas: + Person: + type: object + properties: + id: + type: integer + format: int32 + xml: + attribute: true + name: + type: string + xml: + namespace: https://example.com/schema/sample + prefix: sample ``` ```xml From 00fe2ed175b90aa6847a1bc2af98e0713eafc81f Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 15 May 2025 10:05:50 -0700 Subject: [PATCH 186/342] Align wording with components rather than "root" This avoids reinforcing the "root schema" vs "property schema" restriction that we plan to relax. --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 76d169ad6c..b3694d26c0 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3192,7 +3192,7 @@ See examples for expected behavior. | Field Name | Type | Description | | ---- | :----: | ---- | -| name | `string` | Replaces the name of the element/attribute used for the described schema property. When defined within `items`, it will affect the name of the individual XML elements within the list. When defined alongside `type` being `"array"` (outside the `items`), it will affect the wrapping element if and only if `wrapped` is `true`. If `wrapped` is `false`, it will be ignored. | +| name | `string` | Replaces the inferred name of the element/attribute used for the described schema property. For the root schema object of a [schema component](#components-schemas), the inferred name is the name of the component; for other schemas the name is inferred from the parent property name. When defined within `items`, it will affect the name of the individual XML elements within the list. When defined alongside `type` being `"array"` (outside the `items`), it will affect the wrapping element if and only if `wrapped` is `true`. If `wrapped` is `false`, it will be ignored. | | namespace | `string` | The IRI ([[RFC3987]]) of the namespace definition. Value MUST be in the form of a non-relative IRI. | | prefix | `string` | The prefix to be used for the [name](#xml-name). | | attribute | `boolean` | Declares whether the property definition translates to an attribute instead of an element. Default value is `false`. | From 6850e16e5d5e6f666cd1781f5ec884abe9eb66a5 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Wed, 14 May 2025 11:10:40 -0700 Subject: [PATCH 187/342] Support all common XML node types This change adds a nodeType field to support the four most commonly used XML node types: element, attribute, text, and cdata. A fifth nodetype, none, is used to prevent a Schema Object from producing a node. This also removes the restriction on where the xml field and XML Object can appear, as the nodeType system is more flexible than the old system. This deprecates two existing fields: * attribute, replaced by nodeType: attribute * wrapped, replaced by nodeType: none --- src/oas.md | 280 +++++++++++++++++++++++-------- src/schemas/validation/meta.yaml | 17 +- 2 files changed, 227 insertions(+), 70 deletions(-) diff --git a/src/oas.md b/src/oas.md index b3694d26c0..c05c2e886e 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2582,7 +2582,7 @@ JSON Schema implementations MAY choose to treat keywords defined by the OpenAPI | Field Name | Type | Description | | ---- | :----: | ---- | | discriminator | [Discriminator Object](#discriminator-object) | The discriminator provides a "hint" for which of a set of schemas a payload is expected to satisfy. See [Composition and Inheritance](#composition-and-inheritance-polymorphism) for more details. | -| xml | [XML Object](#xml-object) | This MAY be used only on property schemas. It has no effect on root schemas. Adds additional metadata to describe the XML representation of this property. | +| xml | [XML Object](#xml-object) | Adds additional metadata to describe the XML representation of this schema. | | externalDocs | [External Documentation Object](#external-documentation-object) | Additional external documentation for this schema. | | example | Any | A free-form field to include an example of an instance for this schema. To represent examples that cannot be naturally represented in JSON or YAML, a string value can be used to contain the example with escaping where necessary.

**Deprecated:** The `example` field has been deprecated in favor of the JSON Schema `examples` keyword. Use of `example` is discouraged, and later versions of this specification may remove it. | @@ -3184,22 +3184,68 @@ will map to `#/components/schemas/Dog` because the `dog` entry in the `mapping` #### XML Object A metadata object that allows for more fine-tuned XML model definitions. - -When using arrays, XML element names are _not_ inferred (for singular/plural forms) and the `name` field SHOULD be used to add that information. -See examples for expected behavior. +When using a Schema Object with XML, if no XML Object is present, the behavior is determined by the XML Object's default field values. ##### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | -| name | `string` | Replaces the inferred name of the element/attribute used for the described schema property. For the root schema object of a [schema component](#components-schemas), the inferred name is the name of the component; for other schemas the name is inferred from the parent property name. When defined within `items`, it will affect the name of the individual XML elements within the list. When defined alongside `type` being `"array"` (outside the `items`), it will affect the wrapping element if and only if `wrapped` is `true`. If `wrapped` is `false`, it will be ignored. | +| nodeType | `string` | One of `element`, `attribute`, `text`, `cdata`, or `none`, as explained under [XML Node Types](#xml-node-types). The default value is `none` if `$ref`, `$dynamicRef`, or `type: array` is present in the [Schema Object](#schema-object) containing the XML Object, and `element` otherwise. | +| name | `string` | Sets the name of the element/attribute used for the described schema property, replacing name that was inferred as described under [XML Node Names](#xml-node-names). This field SHALL be ignored if the `nodeType` is `text`, `cdata`, or `none`. | | namespace | `string` | The IRI ([[RFC3987]]) of the namespace definition. Value MUST be in the form of a non-relative IRI. | | prefix | `string` | The prefix to be used for the [name](#xml-name). | -| attribute | `boolean` | Declares whether the property definition translates to an attribute instead of an element. Default value is `false`. | -| wrapped | `boolean` | MAY be used only for an array definition. Signifies whether the array is wrapped (for example, ``) or unwrapped (``). Default value is `false`. The definition takes effect only when defined alongside `type` being `"array"` (outside the `items`). | +| attribute | `boolean` | Declares whether the property definition translates to an attribute instead of an element. Default value is `false`. If `nodeType` is present, this field MUST NOT be present.

**Deprecated:** Use `nodeType: attribute` in place of `attribute: true` | +| wrapped | `boolean` | MAY be used only for an array definition. Signifies whether the array is wrapped (for example, ``) or unwrapped (``). Default value is `false`. The definition takes effect only when defined alongside `type` being `"array"` (outside the `items`). If `nodeType` is present, this field MUST NOT be present.

**Deprecated:** Set `nodeType: element` explicitly in place of `wrapped: true` | + +Note that when generating an XML document from object data, the order of the nodes is undefined. +Use `prefixItems` to control node ordering. + +See [Appendix B](#appendix-b-data-type-conversion) for a discussion of converting values of various types to string representations. This object MAY be extended with [Specification Extensions](#specification-extensions). +##### XML Node Types + +Each Schema Object describes a particular type of XML [node](https://dom.spec.whatwg.org/#interface-node) which is specified by the `nodeType` field, which has the following possible values. +Except for the special value `none`, these values have numeric equivalents in the DOM [specification](https://dom.spec.whatwg.org/#interface-node) which are given in parentheses after the name: + +* `element` (1): The schema represents an element and describes its contents +* `attribute` (2): The schema represents an attribute and describes its value +* `text` (3): The schema represents a text node (parsed character data) +* `cdata` (4): The schema represents a CDATA section +* `none`: The schema does not correspond to any node in the XML document, and its contents are included directly under the parent schema's node + +The `none` type is useful for JSON Schema constructs that require more Schema Objects than XML nodes, such as a schema containing only `$ref` that exists to facilitate re-use rather than imply any structure. + +###### Modeling Element Lists + +For historical compatibility, schemas of `type: array` default to `nodeType: none`, placing the nodes for each array item directly under the parent node. +This also aligns with the inferred naming behavior defined under [XML Node Names](#xml-node-names). + +To produce an element wrapping the list, set an explicit `nodeType: element` on the `type: array` schema. +When doing so, it is advisable to set an explicit name on either the wrapping element or the item elements to avoid them having the same inferred name. +See examples for expected behavior. + +###### Implicit and Explicit `text` Nodes + +If an `element` node has a primitive type, then the schema also produces an implicit `text` node described by the schema for the contents of the `element` node named by the property name (or `name` field). + +Explicit `text` nodes are necessary if an element has both attributes and content. + +Note that placing two `text` nodes adjacent to each other is ambiguous for parsing, and the resulting behavior is implementation-defined. + +##### XML Node Names + +The `element` and `attribute` node types require a name, which MUST be inferred from the schema as follows, unless overridden by the `name` field: + +* For schemas directly under the [Components Object's](#components-object) `schemas` field, the component name is the inferred name. +* For property schemas, and for array item schemas under a property schema, the property name is the inferred name +* In all other cases, such as an inline schema under a [Media Type Object's](#media-type-object) `schema` field, no name can be inferred and an XML Object with a `name` field MUST be present + +Note that when using arrays, singular vs plural forms are _not_ inferred, and must be set explicitly. + +##### Namespace Limitations + The `namespace` field is intended to match the syntax of [XML namespaces](https://www.w3.org/TR/xml-names11/), although there are a few caveats: * Versions 3.1.0, 3.0.3, and earlier of this specification erroneously used the term "absolute URI" instead of "non-relative URI" ("non-relative IRI" as of OAS v3.2.0), so authors using namespaces that include a fragment should check tooling support carefully. @@ -3207,29 +3253,31 @@ The `namespace` field is intended to match the syntax of [XML namespaces](https: ##### XML Object Examples -Each of the following examples represent the value of the `properties` keyword in a [Schema Object](#schema-object) that is omitted for brevity. -The JSON and YAML representations of the `properties` value are followed by an example XML representation produced for the single property shown. +The Schema Objects are followed by an example XML representation produced for the schema shown. +For examples using `attribute` or `wrapped`, please see version 3.1 of the OpenAPI Specification. -###### No XML Element +###### No XML Object -Basic string property: +Basic string property (`nodeType` is `element` by default): ```yaml -animals: - type: string +properties: + animals: + type: string ``` ```xml ... ``` -Basic string array property ([`wrapped`](#xml-wrapped) is `false` by default): +Basic string array property (`nodeType` is `none` by default): ```yaml -animals: - type: array - items: - type: string +properties: + animals: + type: array + items: + type: string ``` ```xml @@ -3241,10 +3289,11 @@ animals: ###### XML Name Replacement ```yaml -animals: - type: string - xml: - name: animal +properties: + animals: + type: string + xml: + name: animal ``` ```xml @@ -3253,7 +3302,6 @@ animals: ###### XML Attribute, Prefix and Namespace -In this example, a full [schema component](#components-schemas) definition is shown. Note that the name of the root XML element comes from the component name. ```yaml @@ -3285,12 +3333,13 @@ components: Changing the element names: ```yaml -animals: - type: array - items: - type: string - xml: - name: animal +properties: + animals: + type: array + items: + type: string + xml: + name: animal ``` ```xml @@ -3298,17 +3347,18 @@ animals: value ``` -The external `name` field has no effect on the XML: +The `name` field for the `type: array` schema has no effect because the default `nodeType` for that object is `none`: ```yaml -animals: - type: array - items: - type: string +properties: + animals: + type: array + items: + type: string + xml: + name: animal xml: - name: animal - xml: - name: aliens + name: aliens ``` ```xml @@ -3316,15 +3366,16 @@ animals: value ``` -Even when the array is wrapped, if a name is not explicitly defined, the same name will be used both internally and externally: +Even when a wrapping element is explicitly created by setting `nodeType` to `element`, if a name is not explicitly defined, the same name will be used for both the wrapping element and the list item elements: ```yaml -animals: - type: array - items: - type: string - xml: - wrapped: true +properties: + animals: + type: array + items: + type: string + xml: + nodeType: element ``` ```xml @@ -3337,14 +3388,15 @@ animals: To overcome the naming problem in the example above, the following definition can be used: ```yaml -animals: - type: array - items: - type: string +properties: + animals: + type: array + items: + type: string + xml: + name: animal xml: - name: animal - xml: - wrapped: true + nodeType: element ``` ```xml @@ -3354,18 +3406,19 @@ animals: ``` -Affecting both internal and external names: +Affecting both wrapping element and item element names: ```yaml -animals: - type: array - items: - type: string +properties: + animals: + type: array + items: + type: string + xml: + name: animal xml: - name: animal - xml: - name: aliens - wrapped: true + name: aliens + nodeType: element ``` ```xml @@ -3375,16 +3428,17 @@ animals: ``` -If we change the external element but not the internal ones: +If we change the wrapping element name but not the item element names: ```yaml -animals: - type: array - items: - type: string - xml: - name: aliens - wrapped: true +properties: + animals: + type: array + items: + type: string + xml: + name: aliens + nodeType: element ``` ```xml @@ -3394,6 +3448,96 @@ animals: ``` +###### Elements With Attributes And Text + +```yaml +properties: + animals: + type: array + xml: + nodeType: element + name: animals + items: + properties: + kind: + type: string + xml: + nodeType: attribute + name: animal + content: + type: string + xml: + nodeType: text +``` + +```xml + + Fluffy + Fido + +``` + +###### Referenced Element With CDATA + +In this example, no element is created for the Schema Object that contains only the `$ref`, as its `nodeType` defaults to `none`. +It is necessary to create a subschema for the CDATA section as otherwise the content would be treated as an implicit node of type `text`. + +```yaml +paths: + /docs: + get: + responses: + "200": + content: + application/xml: + $ref: "#/components/schemas/Documentation" +components: + schemas: + Documentation: + type: object + properties: + content: + type: string + contentMediaType: text/html + xml: + nodeType: cdata +``` + +```xml + + Awesome Docs]]> + +``` + +###### Element With Text Before and After a Child Element + +In this example, `prefixItems` is used to control the ordering. +Since `prefixItems` works with arrays, we need to explicitly set the `nodeType` to `element`. +Within `prefixItems`, we need to explicitly set the `nodeType` of the `text` nodes, but do not need a name, while the data node's default `nodeType` of `element` is correct, but it needs an explicit `name`: + +```yaml +components: + schemas: + Report: + type: array + xml: + nodeType: element + prefixItems: + - type: string + xml: + nodeType: text + - type: number + xml: + name: data + - type: string + xml: + nodeType: text +``` + +```xml +Some preamble text.42Some postamble text. +``` + #### Security Scheme Object Defines a security scheme that can be used by the operations. diff --git a/src/schemas/validation/meta.yaml b/src/schemas/validation/meta.yaml index 491190a221..52f5ea2ed0 100644 --- a/src/schemas/validation/meta.yaml +++ b/src/schemas/validation/meta.yaml @@ -55,8 +55,14 @@ $defs: xml: $ref: '#/$defs/extensible' properties: - attribute: - type: boolean + nodeType: + type: string + enum: + - element + - attribute + - text + - cdata + - none name: type: string namespace: @@ -64,7 +70,14 @@ $defs: type: string prefix: type: string + attribute: + type: boolean wrapped: type: boolean type: object + dependentSchemas: + nodeType: + properties: + attribute: false + wrapped: false unevaluatedProperties: false From 63ba3e3f9fc0e10c594c2d5465d4ad01fc52e22e Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 15 May 2025 19:39:07 -0700 Subject: [PATCH 188/342] Better wording and formatting --- src/oas.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/oas.md b/src/oas.md index c05c2e886e..d24738d56f 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3191,11 +3191,11 @@ When using a Schema Object with XML, if no XML Object is present, the behavior i | Field Name | Type | Description | | ---- | :----: | ---- | | nodeType | `string` | One of `element`, `attribute`, `text`, `cdata`, or `none`, as explained under [XML Node Types](#xml-node-types). The default value is `none` if `$ref`, `$dynamicRef`, or `type: array` is present in the [Schema Object](#schema-object) containing the XML Object, and `element` otherwise. | -| name | `string` | Sets the name of the element/attribute used for the described schema property, replacing name that was inferred as described under [XML Node Names](#xml-node-names). This field SHALL be ignored if the `nodeType` is `text`, `cdata`, or `none`. | +| name | `string` | Sets the name of the element/attribute corresponding to the schema, replacing name that was inferred as described under [XML Node Names](#xml-node-names). This field SHALL be ignored if the `nodeType` is `text`, `cdata`, or `none`. | | namespace | `string` | The IRI ([[RFC3987]]) of the namespace definition. Value MUST be in the form of a non-relative IRI. | | prefix | `string` | The prefix to be used for the [name](#xml-name). | -| attribute | `boolean` | Declares whether the property definition translates to an attribute instead of an element. Default value is `false`. If `nodeType` is present, this field MUST NOT be present.

**Deprecated:** Use `nodeType: attribute` in place of `attribute: true` | -| wrapped | `boolean` | MAY be used only for an array definition. Signifies whether the array is wrapped (for example, ``) or unwrapped (``). Default value is `false`. The definition takes effect only when defined alongside `type` being `"array"` (outside the `items`). If `nodeType` is present, this field MUST NOT be present.

**Deprecated:** Set `nodeType: element` explicitly in place of `wrapped: true` | +| attribute | `boolean` | Declares whether the property definition translates to an attribute instead of an element. Default value is `false`. If `nodeType` is present, this field MUST NOT be present.

**Deprecated:** Use `nodeType: "attribute"` in place of `attribute: true` | +| wrapped | `boolean` | MAY be used only for an array definition. Signifies whether the array is wrapped (for example, ``) or unwrapped (``). Default value is `false`. The definition takes effect only when defined alongside `type` being `"array"` (outside the `items`). If `nodeType` is present, this field MUST NOT be present.

**Deprecated:** Set `nodeType: "element"` explicitly in place of `wrapped: true` | Note that when generating an XML document from object data, the order of the nodes is undefined. Use `prefixItems` to control node ordering. @@ -3219,10 +3219,10 @@ The `none` type is useful for JSON Schema constructs that require more Schema Ob ###### Modeling Element Lists -For historical compatibility, schemas of `type: array` default to `nodeType: none`, placing the nodes for each array item directly under the parent node. +For historical compatibility, schemas of `type: array` default to `nodeType: "none"`, placing the nodes for each array item directly under the parent node. This also aligns with the inferred naming behavior defined under [XML Node Names](#xml-node-names). -To produce an element wrapping the list, set an explicit `nodeType: element` on the `type: array` schema. +To produce an element wrapping the list, set an explicit `nodeType: "element"` on the `type: array` schema. When doing so, it is advisable to set an explicit name on either the wrapping element or the item elements to avoid them having the same inferred name. See examples for expected behavior. From e2e2d7b457b413c381f400c17fcf3f73ac9cda65 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 15 May 2025 19:42:28 -0700 Subject: [PATCH 189/342] A bit more formatting improvements --- src/oas.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/oas.md b/src/oas.md index d24738d56f..87b1e72cf7 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3190,7 +3190,7 @@ When using a Schema Object with XML, if no XML Object is present, the behavior i | Field Name | Type | Description | | ---- | :----: | ---- | -| nodeType | `string` | One of `element`, `attribute`, `text`, `cdata`, or `none`, as explained under [XML Node Types](#xml-node-types). The default value is `none` if `$ref`, `$dynamicRef`, or `type: array` is present in the [Schema Object](#schema-object) containing the XML Object, and `element` otherwise. | +| nodeType | `string` | One of `element`, `attribute`, `text`, `cdata`, or `none`, as explained under [XML Node Types](#xml-node-types). The default value is `none` if `$ref`, `$dynamicRef`, or `type: "array"` is present in the [Schema Object](#schema-object) containing the XML Object, and `element` otherwise. | | name | `string` | Sets the name of the element/attribute corresponding to the schema, replacing name that was inferred as described under [XML Node Names](#xml-node-names). This field SHALL be ignored if the `nodeType` is `text`, `cdata`, or `none`. | | namespace | `string` | The IRI ([[RFC3987]]) of the namespace definition. Value MUST be in the form of a non-relative IRI. | | prefix | `string` | The prefix to be used for the [name](#xml-name). | @@ -3219,10 +3219,10 @@ The `none` type is useful for JSON Schema constructs that require more Schema Ob ###### Modeling Element Lists -For historical compatibility, schemas of `type: array` default to `nodeType: "none"`, placing the nodes for each array item directly under the parent node. +For historical compatibility, schemas of `type: "array"` default to `nodeType: "none"`, placing the nodes for each array item directly under the parent node. This also aligns with the inferred naming behavior defined under [XML Node Names](#xml-node-names). -To produce an element wrapping the list, set an explicit `nodeType: "element"` on the `type: array` schema. +To produce an element wrapping the list, set an explicit `nodeType: "element"` on the `type: "array"` schema. When doing so, it is advisable to set an explicit name on either the wrapping element or the item elements to avoid them having the same inferred name. See examples for expected behavior. @@ -3347,7 +3347,7 @@ properties: value ``` -The `name` field for the `type: array` schema has no effect because the default `nodeType` for that object is `none`: +The `name` field for the `type: "array"` schema has no effect because the default `nodeType` for that object is `none`: ```yaml properties: From d775e9bc64db33fcbba5fdd8a6996ae0d81c5f9f Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Fri, 16 May 2025 11:34:38 -0700 Subject: [PATCH 190/342] Fix missing word Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 87b1e72cf7..f42d3c3ff6 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3191,7 +3191,7 @@ When using a Schema Object with XML, if no XML Object is present, the behavior i | Field Name | Type | Description | | ---- | :----: | ---- | | nodeType | `string` | One of `element`, `attribute`, `text`, `cdata`, or `none`, as explained under [XML Node Types](#xml-node-types). The default value is `none` if `$ref`, `$dynamicRef`, or `type: "array"` is present in the [Schema Object](#schema-object) containing the XML Object, and `element` otherwise. | -| name | `string` | Sets the name of the element/attribute corresponding to the schema, replacing name that was inferred as described under [XML Node Names](#xml-node-names). This field SHALL be ignored if the `nodeType` is `text`, `cdata`, or `none`. | +| name | `string` | Sets the name of the element/attribute corresponding to the schema, replacing the name that was inferred as described under [XML Node Names](#xml-node-names). This field SHALL be ignored if the `nodeType` is `text`, `cdata`, or `none`. | | namespace | `string` | The IRI ([[RFC3987]]) of the namespace definition. Value MUST be in the form of a non-relative IRI. | | prefix | `string` | The prefix to be used for the [name](#xml-name). | | attribute | `boolean` | Declares whether the property definition translates to an attribute instead of an element. Default value is `false`. If `nodeType` is present, this field MUST NOT be present.

**Deprecated:** Use `nodeType: "attribute"` in place of `attribute: true` | From 957738916cea616b4d803e99e8720766059072e8 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 16 May 2025 11:55:19 -0700 Subject: [PATCH 191/342] Make the DOM reference normative --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index f42d3c3ff6..23044ec45d 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3206,8 +3206,8 @@ This object MAY be extended with [Specification Extensions](#specification-exten ##### XML Node Types -Each Schema Object describes a particular type of XML [node](https://dom.spec.whatwg.org/#interface-node) which is specified by the `nodeType` field, which has the following possible values. -Except for the special value `none`, these values have numeric equivalents in the DOM [specification](https://dom.spec.whatwg.org/#interface-node) which are given in parentheses after the name: +Each Schema Object describes a particular type of XML [[!DOM]] [node](https://dom.spec.whatwg.org/#interface-node) which is specified by the `nodeType` field, which has the following possible values. +Except for the special value `none`, these values have numeric equivalents in the DOM specification which are given in parentheses after the name: * `element` (1): The schema represents an element and describes its contents * `attribute` (2): The schema represents an attribute and describes its value From 564b2ce20b4a53373fa0cda5acf6785aa09acceb Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 16 May 2025 11:56:22 -0700 Subject: [PATCH 192/342] Improved wording around nodeType: none --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 23044ec45d..ab596434ac 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3213,7 +3213,7 @@ Except for the special value `none`, these values have numeric equivalents in th * `attribute` (2): The schema represents an attribute and describes its value * `text` (3): The schema represents a text node (parsed character data) * `cdata` (4): The schema represents a CDATA section -* `none`: The schema does not correspond to any node in the XML document, and its contents are included directly under the parent schema's node +* `none`: The schema does not correspond to any node in the XML document, and the nodes corresponding to its subschema(s) are included directly under its parent schema's node The `none` type is useful for JSON Schema constructs that require more Schema Objects than XML nodes, such as a schema containing only `$ref` that exists to facilitate re-use rather than imply any structure. From 970953708e6758ebbfdcec459047550e74fad010 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 19 May 2025 09:32:55 -0700 Subject: [PATCH 193/342] Expand examples, link from field description. --- src/oas.md | 157 +++++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 145 insertions(+), 12 deletions(-) diff --git a/src/oas.md b/src/oas.md index ab596434ac..ac48a395a3 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3198,7 +3198,7 @@ When using a Schema Object with XML, if no XML Object is present, the behavior i | wrapped | `boolean` | MAY be used only for an array definition. Signifies whether the array is wrapped (for example, ``) or unwrapped (``). Default value is `false`. The definition takes effect only when defined alongside `type` being `"array"` (outside the `items`). If `nodeType` is present, this field MUST NOT be present.

**Deprecated:** Set `nodeType: "element"` explicitly in place of `wrapped: true` | Note that when generating an XML document from object data, the order of the nodes is undefined. -Use `prefixItems` to control node ordering. +Use `prefixItems` to control node ordering as shown under [Ordered Elements and Text](#ordered-elements-and-text). See [Appendix B](#appendix-b-data-type-conversion) for a discussion of converting values of various types to string representations. @@ -3509,35 +3509,168 @@ components: ``` -###### Element With Text Before and After a Child Element +Alternatively, the named root element could be set at the point of use and the root element disabled on the component: -In this example, `prefixItems` is used to control the ordering. -Since `prefixItems` works with arrays, we need to explicitly set the `nodeType` to `element`. -Within `prefixItems`, we need to explicitly set the `nodeType` of the `text` nodes, but do not need a name, while the data node's default `nodeType` of `element` is correct, but it needs an explicit `name`: +```yaml +paths: + /docs: + get: + responses: + "200": + content: + application/xml: + xml: + nodeType: element + name: StoredDocument + $ref: "#/components/schemas/Documentation" + put: + requestBody: + required: true + content: + application/xml: + xml: + nodeType: element + name: UpdatedDocument + $ref: "#/components/schemas/Documentation" + responses: + "201": {} +components: + schemas: + Documentation: + xml: + nodeType: none + type: object + properties: + content: + type: string + contentMediaType: text/html + xml: + nodeType: cdata +``` + +The GET response XML: + +```xml + + Awesome Docs]]> + +``` + +The PUT request XML: + +```xml + + Awesome Docs]]> + +``` + +The in-memory instance data for all three of the above XML documents: + +```json +{ + "content": "Awesome Docs" +} +``` + +###### Ordered Elements and Text + +To control the exact order of elements, use the `prefixItems` keyword. +With this approach, it is necessary to set the element names using the XML Object as they would otherwise all inherit the parent's name despite being different elements in a specific order. +It is also necessary to set `nodeType: "element"` explicitly on the array in order to get an element containing the sequence. + +This first ordered example shows a sequence of elements, as well as the recommended serialization of `null` for elements: ```yaml components: schemas: - Report: + OneTwoThree: + xml: + nodeType: element type: array + minLength: 3 + maxLength: 3 + prefixItems: + - xml: + name: One + type: string + - xml: + name: Two + type: object + required: + - unit + - value + properties: + unit: + type: string + xml: + nodeType: attribute + value: + type: number + xml: + nodeType: text + - xml: + name: Three + type: + - boolean + - "null" +``` + +```xml + + Some text + 42 + + +``` + +The in-memory instance data that would produce the above XML snippet with the preceding schema would be: + +```json +[ + "Some Text", + { + "unit": "cubits", + "value": 42 + }, + null +] +``` + +In this next example, the `name` needs to be set for the element, while the `nodeType` needs to be set for the text nodes. + +```yaml +components: + schemas: + Report: xml: nodeType: element + type: array prefixItems: - - type: string - xml: + - xml: nodeType: text - - type: number - xml: + type: string + - xml: name: data - - type: string - xml: + type: number + - xml: nodeType: text + type: string ``` ```xml Some preamble text.42Some postamble text. ``` +The in-memory instance data structure for the above example would be: + +```json +[ + "Some preamble text." + 42, + "Some postamble text." +] +``` + #### Security Scheme Object Defines a security scheme that can be used by the operations. From 792efcca08c048ffd8647b65ae02bf857c9baf35 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 17 May 2025 20:46:36 -0700 Subject: [PATCH 194/342] Provide guidance on null in XML. There really isn't a native `null` type in XML, as both elements and attributes that are empty have an empty string value. We also need to leave the behavior implementation-defined for compatibility. However, the `xsi:nil` attribute is the closest thing to a `null` element. Attributes are harder, and the best I can come up with is letting `null` behave the same as an omitted attribute for the purpose of serialization. --- src/oas.md | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/src/oas.md b/src/oas.md index ac48a395a3..93789d1833 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3251,6 +3251,21 @@ The `namespace` field is intended to match the syntax of [XML namespaces](https: * Versions 3.1.0, 3.0.3, and earlier of this specification erroneously used the term "absolute URI" instead of "non-relative URI" ("non-relative IRI" as of OAS v3.2.0), so authors using namespaces that include a fragment should check tooling support carefully. * XML allows but discourages relative IRI-references, while this specification outright forbids them. +##### Handling `null` Values + +XML does not, by default, have a concept equivalent to `null`, and to preserve compatibility with version 3.1.1 and earlier of this specification, the behavior of serializing `null` values is implementation-defined. + +However, implementations SHOULD handle `null` values as follows: + +* For elements, produce an empty element with an `xsi:nil="true"` attribute. +* For attributes, omit the attribute. + +Note that for attributes, this makes either a `null` value or a missing property serialize to an omitted attribute. +As the Schema Object validates the in-memory representation, this allows handling the combination of `null` and a required property. +However, because there is no distinct way to represent `null` as an attribute, it is RECOMMENDED to make attribute properties optional rather than use `null`. + +To ensure correct round-trip behavior, when parsing an element that omits an attribute, implementations SHOULD set the corresponding property to `null` if the schema allows for that value (e.g. `type: ["number", "null"]`), and omit the property otherwise (e.g.`type: "number"`). + ##### XML Object Examples The Schema Objects are followed by an example XML representation produced for the schema shown. @@ -3671,6 +3686,56 @@ The in-memory instance data structure for the above example would be: ] ``` +###### XML With `null` Values + +Recall that the schema validates the in-memory data, not the XML document itself. +The properties of the `"metadata"` element are omitted for brevity as it is here to show how the `null` value is represented. + +```yaml +product: + type: object + required: + - count + - description + - related + properties: + count: + type: + - number + - "null" + xml: + nodeType: attribute + rating: + type: string + xml: + nodeType: attribute + description: + type: string + related: + type: + - object + - "null" +``` + +```xml + + Thing + + +``` + +The above XML example corresponds to the following in-memory instance: + +```json +{ + "product": { + "count": null, + "description": "Thing", + "related": null + } +} +``` + #### Security Scheme Object Defines a security scheme that can be used by the operations. From e330609d7f35f5cfcaf308da5c99df517e88d6a5 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Wed, 28 May 2025 10:47:47 -0700 Subject: [PATCH 195/342] Add `null` guidance for CDATA and text The guidance is the same as for serializing `null` and other non-text data types to text in other text-based media types such as the form media types. --- src/oas.md | 1 + 1 file changed, 1 insertion(+) diff --git a/src/oas.md b/src/oas.md index 93789d1833..23fa0796db 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3259,6 +3259,7 @@ However, implementations SHOULD handle `null` values as follows: * For elements, produce an empty element with an `xsi:nil="true"` attribute. * For attributes, omit the attribute. +* For text and CDATA sections, see [Appendix B](#appendix-b-data-type-conversion) for a discussion of serializing non-text values to text Note that for attributes, this makes either a `null` value or a missing property serialize to an omitted attribute. As the Schema Object validates the in-memory representation, this allows handling the combination of `null` and a required property. From 92b3f4b0b791c1bcf5bad6cd1e38de8c1fb95ea2 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Wed, 28 May 2025 10:55:22 -0700 Subject: [PATCH 196/342] Fix example to name the item nodes correctly Co-authored-by: Ralf Handl --- src/oas.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 23fa0796db..49ed498cf4 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3474,12 +3474,13 @@ properties: nodeType: element name: animals items: + xml: + name: animal properties: kind: type: string xml: nodeType: attribute - name: animal content: type: string xml: From a4f6bd9962631b16406ff33ed06a63514ff9a5bc Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Thu, 12 Jun 2025 09:57:23 -0700 Subject: [PATCH 197/342] Apply suggestions from code review --- src/oas.md | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/src/oas.md b/src/oas.md index 49ed498cf4..002bce37f2 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3330,7 +3330,7 @@ components: type: integer format: int32 xml: - attribute: true + nodeType: attribute name: type: string xml: @@ -3507,7 +3507,8 @@ paths: "200": content: application/xml: - $ref: "#/components/schemas/Documentation" + schema: + $ref: "#/components/schemas/Documentation" components: schemas: Documentation: @@ -3536,19 +3537,21 @@ paths: "200": content: application/xml: - xml: - nodeType: element - name: StoredDocument - $ref: "#/components/schemas/Documentation" + schema: + xml: + nodeType: element + name: StoredDocument + $ref: "#/components/schemas/Documentation" put: requestBody: required: true content: application/xml: - xml: - nodeType: element - name: UpdatedDocument - $ref: "#/components/schemas/Documentation" + schema: + xml: + nodeType: element + name: UpdatedDocument + $ref: "#/components/schemas/Documentation" responses: "201": {} components: From 373a374467ab6efe5468f88c60244611c1b923f5 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Thu, 12 Jun 2025 10:03:06 -0700 Subject: [PATCH 198/342] Update src/oas.md --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 002bce37f2..0624358d25 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3694,7 +3694,7 @@ The in-memory instance data structure for the above example would be: ###### XML With `null` Values Recall that the schema validates the in-memory data, not the XML document itself. -The properties of the `"metadata"` element are omitted for brevity as it is here to show how the `null` value is represented. +The properties of the `"related"` element object are omitted for brevity as it is here to show how the `null` value is represented. ```yaml product: From c7f0c473dbce591822aa9169e07727d3b8a6e37d Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 13 Jun 2025 09:15:55 -0700 Subject: [PATCH 199/342] Add positive schema tests for XML nodeType --- tests/schema/pass/media-type-examples.yaml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/tests/schema/pass/media-type-examples.yaml b/tests/schema/pass/media-type-examples.yaml index 5a263f037f..2ab4e68076 100644 --- a/tests/schema/pass/media-type-examples.yaml +++ b/tests/schema/pass/media-type-examples.yaml @@ -53,6 +53,26 @@ paths: type: string xml: attribute: true + elementNode: + $ref: "#/components/schemas/Pet" + xml: + nodeType: element + attributeNode: + type: string + xml: + nodeType: attribute + textNode: + type: string + xml: + nodeType: text + cdataNode: + type: string + xml: + nodeType: cdata + noneNode: + type: object + xml: + nodeType: none application/x-www-form-urlencoded: schema: type: object From 12df956971c09f1a8f94a2b375512bbf6782207d Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 13 Jun 2025 09:16:36 -0700 Subject: [PATCH 200/342] Add negative nodeType schema tests --- tests/schema/fail/xml-attr-exclusion.yaml | 11 +++++++++++ tests/schema/fail/xml-wrapped-exclusion.yaml | 11 +++++++++++ 2 files changed, 22 insertions(+) create mode 100644 tests/schema/fail/xml-attr-exclusion.yaml create mode 100644 tests/schema/fail/xml-wrapped-exclusion.yaml diff --git a/tests/schema/fail/xml-attr-exclusion.yaml b/tests/schema/fail/xml-attr-exclusion.yaml new file mode 100644 index 0000000000..b48a02d1a5 --- /dev/null +++ b/tests/schema/fail/xml-attr-exclusion.yaml @@ -0,0 +1,11 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + schemas: + Attr: + type: string + xml: + attribute: true + nodeType: attribute diff --git a/tests/schema/fail/xml-wrapped-exclusion.yaml b/tests/schema/fail/xml-wrapped-exclusion.yaml new file mode 100644 index 0000000000..74f8ea512e --- /dev/null +++ b/tests/schema/fail/xml-wrapped-exclusion.yaml @@ -0,0 +1,11 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + schemas: + List: + type: array + xml: + wrapped: true + nodeType: element From 93c668743d74c72891b8506abe0b14a061d66dd8 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 9 Jun 2025 11:02:41 -0700 Subject: [PATCH 201/342] XML Object example updates --- src/oas.md | 557 +++++++++++++++++++++++++++++++++++------------------ 1 file changed, 369 insertions(+), 188 deletions(-) diff --git a/src/oas.md b/src/oas.md index 0624358d25..4e40b19998 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3274,46 +3274,85 @@ For examples using `attribute` or `wrapped`, please see version 3.1 of the OpenA ###### No XML Object -Basic string property (`nodeType` is `element` by default): +Basic string property without an XML Object, using `serializedValue` (the remaining examples will use `externalSerializedValue` so that the XML form can be shown with syntax highlighting): ```yaml -properties: - animals: - type: string -``` - -```xml -... +application/xml: + schema: + type: object + xml: + name: document + properties: + animals: + type: string + examples: + pets: + dataValue: + animals: "dog, cat, hamster" + serializedValue: | + + dog, cat, hamster + ``` Basic string array property (`nodeType` is `none` by default): ```yaml -properties: - animals: - type: array - items: - type: string +application/xml: + schema: + type: object + xml: + name: document + properties: + animals: + type: array + items: + type: string + examples: + pets: + dataValue: + animals: [dog, cat, hamster] + externalSerializedValue: ./examples/pets.xml ``` +Where `./examples/pets.xml` would be: + ```xml -... -... -... + + dog + cat + hamster + ``` ###### XML Name Replacement ```yaml -properties: - animals: - type: string +application/xml: + schema: + type: object xml: - name: animal + name: document + properties: + animals: + type: string + xml: + name: animal + examples: + pets: + dataValue: + animals: [dog, cat, hamster] + externalSerializedValue: ./examples/pets.xml ``` +Where `./examples/pets.xml` would be: + ```xml -... + + dog + cat + hamster + ``` ###### XML Attribute, Prefix and Namespace @@ -3336,8 +3375,22 @@ components: xml: namespace: https://example.com/schema/sample prefix: sample + requestBodies: + Person: + content: + application/xml: + schema: + $ref: "#/components/schemas/Person" + examples: + Person: + dataValue: + id: 123 + name: example + externalSerializedValue: ./examples/Person.xml ``` +Where `./examples/Person.xml` would be: + ```xml example @@ -3349,126 +3402,216 @@ components: Changing the element names: ```yaml -properties: - animals: - type: array - items: - type: string - xml: - name: animal +application/xml: + schema: + type: object + xml: + name: document + properties: + animals: + type: array + items: + type: string + xml: + name: animal + examples: + pets: + dataValue: + animals: [dog, cat, hamster] + externalSerializedValue: ./examples/pets.xml ``` +Where `./examples/pets.xml` would be: + ```xml -value -value + + dog + cat + hamster + ``` The `name` field for the `type: "array"` schema has no effect because the default `nodeType` for that object is `none`: ```yaml -properties: - animals: - type: array - items: - type: string - xml: - name: animal +application/xml: + schema: + type: object xml: - name: aliens + name: document + properties: + animals: + type: array + xml: + name: aliens + items: + type: string + xml: + name: animal + examples: + pets: + dataValue: + animals: [dog, cat, hamster] + externalSerializedValue: ./examples/pets.xml ``` +Where `./examples/pets.xml` would be: + ```xml -value -value + + dog + cat + hamster + ``` Even when a wrapping element is explicitly created by setting `nodeType` to `element`, if a name is not explicitly defined, the same name will be used for both the wrapping element and the list item elements: ```yaml -properties: - animals: - type: array - items: - type: string +application/xml: + schema: + type: object xml: - nodeType: element + name: document + properties: + animals: + type: array + xml: + nodeType: element + items: + type: string + examples: + pets: + dataValue: + animals: [dog, cat, hamster] + externalSerializedValue: ./examples/pets.xml ``` +Where `./examples/pets.xml` would be: + ```xml - - value - value - + + + dog + cat + hamster + + ``` To overcome the naming problem in the example above, the following definition can be used: ```yaml -properties: - animals: - type: array - items: - type: string - xml: - name: animal +application/xml: + schema: + type: object xml: - nodeType: element + name: document + properties: + animals: + type: array + xml: + nodeType: element + items: + type: string + xml: + name: animal + examples: + pets: + dataValue: + animals: [dog, cat, hamster] + externalSerializedValue: ./examples/pets.xml ``` +Where `./examples/pets.xml` would be: + ```xml - - value - value - + + + dog + cat + hamster + + ``` Affecting both wrapping element and item element names: ```yaml -properties: - animals: - type: array - items: - type: string - xml: - name: animal +application/xml: + schema: + type: object xml: - name: aliens - nodeType: element + name: document + properties: + animals: + type: array + xml: + name: aliens + nodeType: element + items: + type: string + xml: + name: animal + examples: + pets: + dataValue: + animals: [dog, cat, hamster] + externalSerializedValue: ./examples/pets.xml ``` +Where `./examples/pets.xml` would be: + ```xml - - value - value - + + + dog + cat + hamster + + ``` If we change the wrapping element name but not the item element names: ```yaml -properties: - animals: - type: array - items: - type: string +application/xml: + schema: + type: object xml: - name: aliens - nodeType: element + name: document + properties: + animals: + type: array + xml: + name: aliens + nodeType: element + items: + type: string + examples: + pets: + dataValue: + animals: [dog, cat, hamster] + externalSerializedValue: ./examples/pets.xml ``` +Where `./examples/pets.xml` would be: + ```xml - - value - value - + + + dog + cat + hamster + + ``` ###### Elements With Attributes And Text ```yaml -properties: - animals: +application/xml: + schema: type: array xml: nodeType: element @@ -3481,12 +3624,21 @@ properties: type: string xml: nodeType: attribute - content: + name: type: string xml: nodeType: text + examples: + pets: + dataValue: + - kind: Cat + name: Fluffy + - kind: Dog + name: Fido ``` +Where `./examples/pets.xml` would be: + ```xml Fluffy @@ -3500,15 +3652,6 @@ In this example, no element is created for the Schema Object that contains only It is necessary to create a subschema for the CDATA section as otherwise the content would be treated as an implicit node of type `text`. ```yaml -paths: - /docs: - get: - responses: - "200": - content: - application/xml: - schema: - $ref: "#/components/schemas/Documentation" components: schemas: Documentation: @@ -3519,8 +3662,20 @@ components: contentMediaType: text/html xml: nodeType: cdata + responses: + content: + application/xml: + schema: + $ref: "#/components/schemas/Documentation" + examples: + docs: + dataValue: + content: Awesome Docs + externalSerializedValue: ./examples/docs.xml ``` +Where `./examples/docs.xml` would be: + ```xml Awesome Docs]]> @@ -3542,6 +3697,10 @@ paths: nodeType: element name: StoredDocument $ref: "#/components/schemas/Documentation" + examples: + stored: + externalDataValue: ./examples/content.json + externalSerializedValue: ./examples/stored.xml put: requestBody: required: true @@ -3552,6 +3711,10 @@ paths: nodeType: element name: UpdatedDocument $ref: "#/components/schemas/Documentation" + examples: + stored: + externalDataValue: ./examples/content.json + externalSerializedValue: ./examples/updated.xml responses: "201": {} components: @@ -3568,7 +3731,15 @@ components: nodeType: cdata ``` -The GET response XML: +where `./examples/content.json` would be: + +```json +{ + "content": "Awesome Docs" +} +``` + +`./examples/stored.xml` would be: ```xml @@ -3576,7 +3747,7 @@ The GET response XML: ``` -The PUT request XML: +and `./examples/updated.xml` would be: ```xml @@ -3584,14 +3755,6 @@ The PUT request XML: ``` -The in-memory instance data for all three of the above XML documents: - -```json -{ - "content": "Awesome Docs" -} -``` - ###### Ordered Elements and Text To control the exact order of elements, use the `prefixItems` keyword. @@ -3601,40 +3764,53 @@ It is also necessary to set `nodeType: "element"` explicitly on the array in ord This first ordered example shows a sequence of elements, as well as the recommended serialization of `null` for elements: ```yaml -components: - schemas: +application/xml: + schema: + xml: + nodeType: element + name: OneTwoThree + type: array + minLength: 3 + maxLength: 3 + prefixItems: + - xml: + name: One + type: string + - xml: + name: Two + type: object + required: + - unit + - value + properties: + unit: + type: string + xml: + nodeType: attribute + value: + type: number + xml: + nodeType: text + - xml: + name: Three + type: + - boolean + - "null" + examples: OneTwoThree: - xml: - nodeType: element - type: array - minLength: 3 - maxLength: 3 - prefixItems: - - xml: - name: One - type: string - - xml: - name: Two - type: object - required: - - unit - - value - properties: - unit: - type: string - xml: - nodeType: attribute - value: - type: number - xml: - nodeType: text - - xml: - name: Three - type: - - boolean - - "null" + dataValue: [ + "Some text", + { + "unit": "cubits" + "value": 42 + }, + null + ] + externalSerializedValue: ./examples/OneTwoThree.xml ``` +Where `./examples/OneTwoThree.xml` would be: + ```xml Some text @@ -3643,61 +3819,52 @@ components: ``` -The in-memory instance data that would produce the above XML snippet with the preceding schema would be: - -```json -[ - "Some Text", - { - "unit": "cubits", - "value": 42 - }, - null -] -``` - In this next example, the `name` needs to be set for the element, while the `nodeType` needs to be set for the text nodes. ```yaml -components: - schemas: +application/xml: + schema: + xml: + nodeType: element + name: Report + type: array + prefixItems: + - xml: + nodeType: text + type: string + - xml: + name: data + type: number + - xml: + nodeType: text + type: string + examples: Report: - xml: - nodeType: element - type: array - prefixItems: - - xml: - nodeType: text - type: string - - xml: - name: data - type: number - - xml: - nodeType: text - type: string + dataValue: [ + "Some preamble text.", + 42, + "Some postamble text." + ] + externalSerializedValue: ./examples/Report.xml ``` +Where `./examples/Report.xml` would be: + ```xml Some preamble text.42Some postamble text. ``` -The in-memory instance data structure for the above example would be: - -```json -[ - "Some preamble text." - 42, - "Some postamble text." -] -``` - ###### XML With `null` Values Recall that the schema validates the in-memory data, not the XML document itself. -The properties of the `"related"` element object are omitted for brevity as it is here to show how the `null` value is represented. +This example does not define properties for `"related"` as it is showing how +empty objects and `null` are handled. ```yaml -product: +appliaction/xml: +schema: + xml: + name: product type: object required: - count @@ -3720,8 +3887,25 @@ product: type: - object - "null" +examples: + productWithNulls: + dataValue: { + "count": null, + "description": "Thing", + "related": null + } + externalSerializedValue: ./examples/productWithNulls.xml + productNoNulls: + dataValue: { + "count": 42, + "description: "Thing" + "related": {} + } + externalSerializedValue: ./examples/productNoNulls.xml ``` +Where `./examples/productWithNulls.xml` would be: + ```xml Thing @@ -3729,16 +3913,13 @@ product: ``` -The above XML example corresponds to the following in-memory instance: +and `./examples/productNoNulls.xml` would be: -```json -{ - "product": { - "count": null, - "description": "Thing", - "related": null - } -} +```xml + + Thing + + ``` #### Security Scheme Object From 67b34d43eeef40190cce629665dc2fa17376f39c Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Sat, 14 Jun 2025 12:05:53 -0700 Subject: [PATCH 202/342] Fix copy-paste error Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 4e40b19998..1d162e06ee 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3712,7 +3712,7 @@ paths: name: UpdatedDocument $ref: "#/components/schemas/Documentation" examples: - stored: + updated: externalDataValue: ./examples/content.json externalSerializedValue: ./examples/updated.xml responses: From fb1ae5ce679d6774409e47322341d3751b50fb91 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 12 Jun 2025 16:01:14 -0700 Subject: [PATCH 203/342] Use matching jsonSchemaDialect Since we are testing with a placeholder, we need to match the placeholder. This will unfortunately need to be different on each new release line branch, so let's separate this test case into its own file. --- tests/schema/pass/json_schema_dialect.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/schema/pass/json_schema_dialect.yaml b/tests/schema/pass/json_schema_dialect.yaml index fa054c9b89..ae0ed863b3 100644 --- a/tests/schema/pass/json_schema_dialect.yaml +++ b/tests/schema/pass/json_schema_dialect.yaml @@ -1,4 +1,4 @@ -openapi: 3.2.0 +openapi: 3.1.0 info: summary: Testing jsonSchemaDialect title: My API @@ -6,10 +6,10 @@ info: license: name: Apache 2.0 identifier: Apache-2.0 -jsonSchemaDialect: https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS +jsonSchemaDialect: https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS components: schemas: WithDollarSchema: $id: "locked-metaschema" - $schema: https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS + $schema: https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS paths: {} From 574c1775e060d7b622c6b477864bb75806a8dff4 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Sat, 14 Jun 2025 21:21:19 +0200 Subject: [PATCH 204/342] Update json_schema_dialect.yaml --- tests/schema/pass/json_schema_dialect.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/schema/pass/json_schema_dialect.yaml b/tests/schema/pass/json_schema_dialect.yaml index ae0ed863b3..fa054c9b89 100644 --- a/tests/schema/pass/json_schema_dialect.yaml +++ b/tests/schema/pass/json_schema_dialect.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: summary: Testing jsonSchemaDialect title: My API @@ -6,10 +6,10 @@ info: license: name: Apache 2.0 identifier: Apache-2.0 -jsonSchemaDialect: https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS +jsonSchemaDialect: https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS components: schemas: WithDollarSchema: $id: "locked-metaschema" - $schema: https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS + $schema: https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS paths: {} From 855824c93657f57d444e8ee2aa3e606a18a5909f Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sun, 18 May 2025 09:31:00 -0700 Subject: [PATCH 205/342] Clarify that Request Body Objects need a body We require `content` but failed to require it to be non-empty, even though a request body without a body does not make any sense. --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index b41d4e2c39..e91c9cb08a 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1198,7 +1198,7 @@ Describes a single request body. | Field Name | Type | Description | | ---- | :----: | ---- | | description | `string` | A brief description of the request body. This could contain examples of use. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | -| content | Map[`string`, [Media Type Object](#media-type-object)] | **REQUIRED**. The content of the request body. The key is a media type or [media type range](https://www.rfc-editor.org/rfc/rfc9110.html#appendix-A) and the value describes it. For requests that match multiple keys, only the most specific key is applicable. e.g. `"text/plain"` overrides `"text/*"` | +| content | Map[`string`, [Media Type Object](#media-type-object)] | **REQUIRED**. The content of the request body. The key is a media type or [media type range](https://www.rfc-editor.org/rfc/rfc9110.html#appendix-A) and the value describes it. The map SHOULD have at least one entry; if it does not, the behavior is implementation-defined. For requests that match multiple keys, only the most specific key is applicable. e.g. `"text/plain"` overrides `"text/*"` | | required | `boolean` | Determines if the request body is required in the request. Defaults to `false`. | This object MAY be extended with [Specification Extensions](#specification-extensions). From a263d3c1022ca2f9ca6d6f7a184d4bc85ea3e764 Mon Sep 17 00:00:00 2001 From: Karen Etheridge Date: Wed, 2 Apr 2025 17:46:31 -0700 Subject: [PATCH 206/342] improve wording for servers object and url --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index e91c9cb08a..65ebfbbf74 100644 --- a/src/oas.md +++ b/src/oas.md @@ -411,7 +411,7 @@ This is the root object of the [OpenAPI Description](#openapi-description). | $self | `string` | This string MUST be in the form of a URI-reference as defined by [[RFC3986]] [Section 4.1](https://www.rfc-editor.org/rfc/rfc3986#section-4.1). The `$self` field provides the self-assigned URI of this document, which also serves as its base URI in accordance with [[RFC3986]] [Section 5.1.1](https://www.rfc-editor.org/rfc/rfc3986#section-5.1.1). Implementations MUST support identifying the targets of [API description URIs](#relative-references-in-api-description-uris) using the URI defined by this field when it is present. See [Establishing the Base URI](#establishing-the-base-uri) for the base URI behavior when `$self` is absent or relative, and see [Appendix G]((#appendix-g-examples-of-base-uri-determination-and-reference-resolution)) for examples of using `$self` to resolve references. | | info | [Info Object](#info-object) | **REQUIRED**. Provides metadata about the API. The metadata MAY be used by tooling as required. | | jsonSchemaDialect | `string` | The default value for the `$schema` keyword within [Schema Objects](#schema-object) contained within this OAS document. This MUST be in the form of a URI. | -| servers | [[Server Object](#server-object)] | An array of Server Objects, which provide connectivity information to a target server. If the `servers` field is not provided, or is an empty array, the default value would be a [Server Object](#server-object) with a [url](#server-url) value of `/`. | +| servers | [[Server Object](#server-object)] | An array of Server Objects, which provide connectivity information to a target server. If the `servers` field is not provided, or is an empty array, the default value would be an array consisting of a single [Server Object](#server-object) with a [url](#server-url) value of `/`. | | paths | [Paths Object](#paths-object) | The available paths and operations for the API. | | webhooks | Map[`string`, [Path Item Object](#path-item-object)] | The incoming webhooks that MAY be received as part of this API and that the API consumer MAY choose to implement. Closely related to the `callbacks` feature, this section describes requests initiated other than by an API call, for example by an out of band registration. The key name is a unique string to refer to each webhook, while the (optionally referenced) Path Item Object describes a request that may be initiated by the API provider and the expected responses. An [example](https://learn.openapis.org/examples/v3.1/webhook-example.html) is available. | | components | [Components Object](#components-object) | An element to hold various Objects for the OpenAPI Description. | @@ -723,7 +723,7 @@ The path is appended to the URL from the [Server Object](#server-object) in orde | Field Pattern | Type | Description | | ---- | :----: | ---- | -| /{path} | [Path Item Object](#path-item-object) | A relative path to an individual endpoint. The field name MUST begin with a forward slash (`/`). The path is **appended** (no relative URL resolution) to the expanded URL from the [Server Object](#server-object)'s `url` field in order to construct the full URL. [Path templating](#path-templating) is allowed. When matching URLs, concrete (non-templated) paths would be matched before their templated counterparts. Templated paths with the same hierarchy but different templated names MUST NOT exist as they are identical. In case of ambiguous matching, it's up to the tooling to decide which one to use. | +| /{path} | [Path Item Object](#path-item-object) | A relative path to an individual endpoint. The field name MUST begin with a forward slash (`/`). The path is **appended** (no relative URL resolution) to the resolved and template variable-substituted URL from the [Server Object](#server-object)'s `url` field in order to construct the full URL. [Path templating](#path-templating) is allowed. When matching URLs, concrete (non-templated) paths would be matched before their templated counterparts. Templated paths with the same hierarchy but different templated names MUST NOT exist as they are identical. In case of ambiguous matching, it's up to the tooling to decide which one to use. | This object MAY be extended with [Specification Extensions](#specification-extensions). From 3d17b0da81f22ab418b07ac96e8550ce1d382b61 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 12 Jun 2025 14:11:26 -0700 Subject: [PATCH 207/342] Add support for application/linkset[+json] These media types solve our long-standing problems with modeling HTTP Link headers. We do not need to define anything beyond noting how to use them media types in a Media Type Ojbect. --- src/oas.md | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/src/oas.md b/src/oas.md index e91c9cb08a..5a66fcba39 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2451,6 +2451,67 @@ Using `content` with a `text/plain` media type is RECOMMENDED for headers where | ---- | :----: | ---- | | content | Map[`string`, [Media Type Object](#media-type-object)] | A map containing the representations for the header. The key is the media type and the value describes it. The map MUST only contain one entry. | +##### Modeling Link Headers + +[[!RFC9264]] defines the `application/linkset` and `application/linkset+json` media types. +The former is exactly the format of HTTP link header values except allowing additional whitespace for readability, while the latter is an equivalent JSON representation of such headers. + +To use either of these media types, the `schema` in the [Media Type Object](#media-type-object) MUST describe the links as they would be structured in the `application/linkset+json` format. +If the Media Type Object's parent key is `application/linkset+json`, then the serialization is trivial, however this format cannot be used in the HTTP `Link` header. +If the Media Type Object's parent key is `application/linkset`, then the serialization MUST be the equivalent representation of the `schema`-modeled links in the `application/linkset` format. +If the `application/linkset` Media Type Object is used in the `content` field of a Header Object (or a Parameter Object with `in: "header"`), the serialization MUST be made compatible with the HTTP field syntax as described by [[!RFC9264]] [Section 4.1](https://www.rfc-editor.org/rfc/rfc9264.html#name-http-link-document-format-a). + +The following example shows how the same data model can be used for a collection pagination linkset either in JSON format as message content, or in the HTTP `Link` header: + +```yaml +components: + schemas: + SimpleLinkContext: + type: array + items: + type: object + required: + - href + properties: + href: + type: string + format: uri-reference + CollectionLinks: + type: object + required: + - linkset + properties: + linkset: + type: array + items: + type: object + required: [first, prev, next, last] + properties: + anchor: + type: string + format: uri + additionalProperties: + $ref: '#/components/schemas/SimpleLinkContext' + responses: + CollectionWithLinks: + content: + application/json: + schema: + type: array + headers: + Link: + required: true + content: + application/linkset: + schema: + $ref: '#/components/schemas/CollectionLinks' + StandaloneJsonLinkset: + content: + application/linkset+json: + schema: + $ref: '#/components/mediaTypes/CollectionLinks' +``` + ##### Header Object Example A simple header of type `integer`: @@ -4293,6 +4354,7 @@ This will expand to the result: [RFC6570](https://www.rfc-editor.org/rfc/rfc6570)'s percent-encoding behavior is not always appropriate for `in: "header"` and `in: "cookie"` parameters. In many cases, it is more appropriate to use `content` with a media type such as `text/plain` and require the application to assemble the correct string. +Other media types, such as `application/linkset` (see [Modeling Link Headers](#modeling-link-headers) are directly suitable for use as `content` for specific headers. In some cases, setting `allowReserved: true` will be sufficient to avoid incorrect encoding, however many characters are still percent-encoded with this field enabled, so care must be taken to ensure no unexpected percent-encoding will take place. From b3002146bdd11eed313626c04390a6ee6e5f7f6e Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 20 Jun 2025 18:03:30 -0700 Subject: [PATCH 208/342] Provide guidance for multiple contentType values We allow multiple `contentType` values in the Encoding Object, but do not provide any guidance on how to determine which to use when performing the encoding. This adds such guidance. --- src/oas.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index e91c9cb08a..c61edc3738 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1768,10 +1768,19 @@ See [Encoding Usage and Restrictions](#encoding-usage-and-restrictions) for guid Note that there are significant restrictions on what headers can be used with `multipart` media types in general ([RFC2046](https://www.rfc-editor.org/rfc/rfc2046.html#section-5.1)) and `multi-part/form-data` in particular ([RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.8)). +###### Handling Multiple `contentType` Values + +When multiple values are provided for `contentType`, parsing remains straightforward as the part's actual `Content-Type` is included in the document. + +For encoding and serialization, implementations MUST provide a mechanism for applications to indicate which media type is intended. +Implementations MAY choose to offer media type sniffing ([[!SNIFF]]) as an alternative, but this MUST NOT be the default behavior due to the security risks inherent in the process. + +###### `Content-Transfer-Encoding` and `contentEncoding` + Note also that `Content-Transfer-Encoding` is deprecated for `multipart/form-data` ([RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.7)) where binary data is supported, as it is in HTTP. Using `contentEncoding` for a multipart field is equivalent to specifying an [Encoding Object](#encoding-object) with a `headers` field containing `Content-Transfer-Encoding` with a schema that requires the value used in `contentEncoding`. -+If `contentEncoding` is used for a multipart field that has an Encoding Object with a `headers` field containing `Content-Transfer-Encoding` with a schema that disallows the value from `contentEncoding`, the result is undefined for serialization and parsing. +If `contentEncoding` is used for a multipart field that has an Encoding Object with a `headers` field containing `Content-Transfer-Encoding` with a schema that disallows the value from `contentEncoding`, the result is undefined for serialization and parsing. Note that as stated in [Working with Binary Data](#working-with-binary-data), if the Encoding Object's `contentType`, whether set explicitly or implicitly through its default value rules, disagrees with the `contentMediaType` in a Schema Object, the `contentMediaType` SHALL be ignored. Because of this, and because the Encoding Object's `contentType` defaulting rules do not take the Schema Object's`contentMediaType` into account, the use of `contentMediaType` with an Encoding Object is NOT RECOMMENDED. From aa33fdab2499e7ff43f2d8ca6b6895f4ab93e775 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 9 Jun 2025 15:10:44 -0700 Subject: [PATCH 209/342] Support nested Encoding Objects This adds the Media Type Object's encoding field to the Encoding Object to support nested multipart documents. It only requires one level of nesting, but allows implementations to support more. --- src/oas.md | 33 +++++++++++++++++++ src/schemas/validation/schema.yaml | 15 +++++++++ .../fail/encoding-enc-item-exclusion.yaml | 12 +++++++ .../fail/encoding-enc-prefix-exclusion.yaml | 12 +++++++ tests/schema/pass/media-type-examples.yaml | 13 ++++++++ 5 files changed, 85 insertions(+) create mode 100644 tests/schema/fail/encoding-enc-item-exclusion.yaml create mode 100644 tests/schema/fail/encoding-enc-prefix-exclusion.yaml diff --git a/src/oas.md b/src/oas.md index e91c9cb08a..0f0eb10fd9 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1641,6 +1641,9 @@ These fields MAY be used either with or without the RFC6570-style serialization | ---- | :----: | ---- | | contentType | `string` | The `Content-Type` for encoding a specific property. The value is a comma-separated list, each element of which is either a specific media type (e.g. `image/png`) or a wildcard media type (e.g. `image/*`). Default value depends on the property type as shown in the table below. | | headers | Map[`string`, [Header Object](#header-object) \| [Reference Object](#reference-object)] | A map allowing additional information to be provided as headers. `Content-Type` is described separately and SHALL be ignored in this section. This field SHALL be ignored if the media type is not a `multipart`. | +| encoding | Map[`string`, [Encoding Object](#encoding-object)] | Applies nested Encoding Objects in the same manner as the [Media Type Object](#media-type-object)'s `encoding` field. | +| prefixEncoding | [[Encoding Object](#encoding-object)] | Applies nested Encoding Objects in the same manner as the [Media Type Object](#media-type-object)'s `prefixEncoding` field. | +| itemEncoding | [Encoding Object](#encoding-object) | Applies nested Encoding Objects in the same manner as the [Media Type Object](#media-type-object)'s `itemEncoding` field. | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -1674,6 +1677,12 @@ See also [Appendix C: Using RFC6570 Implementations](#appendix-c-using-rfc6570-b Note that the presence of at least one of `style`, `explode`, or `allowReserved` with an explicit value is equivalent to using `schema` with `in: "query"` Parameter Objects. The absence of all three of those fields is the equivalent of using `content`, but with the media type specified in `contentType` rather than through a Media Type Object. +##### Nested Encoding + +Nested formats requiring encoding, most notably nested `multipart/mixed`, can be supported with this Object's `encoding`, `prefixEncoding`, and / or `itemEncoding` fields. +Implementations MUST support one level of nesting, and MAY support additional levels. +If supporting additional levels, any limits on nesting levels MUST be documented. + ##### Encoding the `x-www-form-urlencoded` Media Type To work with content using form url encoding via [RFC1866](https://tools.ietf.org/html/rfc1866), use the `application/x-www-form-urlencoded` media type in the [Media Type Object](#media-type-object). @@ -1869,6 +1878,30 @@ requestBody: As seen in the [Encoding Object's `contentType` field documentation](#encoding-content-type), the empty schema for `items` indicates a media type of `application/octet-stream`. +###### Example: Nested `multipart/mixed` + +This defines a two-part `multipart/mixed` where the first part is JSON and the second part is a nested `multipart/mixed` document. +The nested parts are JSON, plain text, and a PNG image. + +```yaml +multipart/mixed: + schema: + type: array + prefixItems: + - type: array + - prefixItems: + - type: object + - type: string + - {} + prefixEncoding: + - {} # Accept the default application/json + - contentType: multipart/mixed + prefixEncoding: + - contentType: application/xml + - {} # Accept the default text/plain + - contentType: image/png +``` + #### Responses Object A container for the expected responses of an operation. diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 9990fefb67..d79902c765 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -561,9 +561,24 @@ $defs: allowReserved: default: false type: boolean + encoding: + type: object + additionalProperties: + $ref: '#/$defs/encoding' + prefixEncoding: + type: array + items: + $ref: '#/$defs/encoding' + itemEncoding: + $ref: '#/$defs/encoding' allOf: - $ref: '#/$defs/specification-extensions' - $ref: '#/$defs/styles-for-form' + - dependentSchemas: + encoding: + properties: + prefixEncoding: false + itemEncoding: false unevaluatedProperties: false responses: diff --git a/tests/schema/fail/encoding-enc-item-exclusion.yaml b/tests/schema/fail/encoding-enc-item-exclusion.yaml new file mode 100644 index 0000000000..658f848be9 --- /dev/null +++ b/tests/schema/fail/encoding-enc-item-exclusion.yaml @@ -0,0 +1,12 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + requestBodies: + content: + multipart/mixed: + prefixEncoding: + - contentType: multipart/mixed + encoding: {} + prefixEncoding: [] diff --git a/tests/schema/fail/encoding-enc-prefix-exclusion.yaml b/tests/schema/fail/encoding-enc-prefix-exclusion.yaml new file mode 100644 index 0000000000..8f62070d3b --- /dev/null +++ b/tests/schema/fail/encoding-enc-prefix-exclusion.yaml @@ -0,0 +1,12 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + requestBodies: + content: + multipart/mixed: + prefixEncoding: + - contentType: multipart/mixed + encoding: {} + itemEncoding: [] diff --git a/tests/schema/pass/media-type-examples.yaml b/tests/schema/pass/media-type-examples.yaml index 2ab4e68076..72470f82e0 100644 --- a/tests/schema/pass/media-type-examples.yaml +++ b/tests/schema/pass/media-type-examples.yaml @@ -117,6 +117,10 @@ paths: type: string forCoverage2: type: string + nested1: + type: object + nested2: + type: array encoding: addresses: # require XML Content-Type in utf-8 encoding @@ -138,3 +142,12 @@ paths: forCoverage2: style: spaceDelimited explode: true + nested1: + contentType: multipart/form-data + encoding: + inner: {} + nested2: + contentType: multipart/mixed + prefixEncoding: + - {} + itemEncoding: {} From 97d8c945a26badae8dcf2702783912047099692a Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 4 Jul 2025 11:17:40 -0700 Subject: [PATCH 210/342] Clarify JSON-compatible YAML and UTF-8 use --- src/oas.md | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/src/oas.md b/src/oas.md index 65ebfbbf74..8878a2d8a0 100644 --- a/src/oas.md +++ b/src/oas.md @@ -169,12 +169,22 @@ The [schema](#schema) exposes two types of fields: _fixed fields_, which have a Patterned fields MUST have unique names within the containing object. -In order to preserve the ability to round-trip between YAML and JSON formats, YAML version [1.2](https://yaml.org/spec/1.2/spec.html) is RECOMMENDED along with some additional constraints: +**Note:** While APIs may be described by OpenAPI Descriptions in either YAML or JSON format, the API request and response bodies and other content are not required to be JSON or YAML. -* Tags MUST be limited to those allowed by [YAML's JSON schema ruleset](https://yaml.org/spec/1.2/spec.html#id2803231), which defines a subset of the YAML syntax and is unrelated to [[JSON-Schema-2020-12|JSON Schema]]. -* Keys used in YAML maps MUST be limited to a scalar string, as defined by the [YAML Failsafe schema ruleset](https://yaml.org/spec/1.2/spec.html#id2802346). +#### JSON and YAML Compatibility -**Note:** While APIs may be described by OpenAPI Descriptions in either YAML or JSON format, the API request and response bodies and other content are not required to be JSON or YAML. +In order to preserve the ability to round-trip between YAML and JSON formats, YAML version [1.2](https://yaml.org/spec/1.2/spec.html) is RECOMMENDED along with the additional constraints listed in [[!RFC9512]] [Section 3.4](https://www.rfc-editor.org/rfc/rfc9512.html#name-yaml-and-json). + +Previous versions of this specification expressed this requirement in terms of [YAML's JSON schema ruleset](https://yaml.org/spec/1.2/spec.html#id2803231), which defines a subset of the YAML syntax and is unrelated to [[JSON-Schema-2020-12|JSON Schema]]. +Despite its name, this ruleset supports features that are not part of JSON, such as distinguishing between integers and floats (see [Data Types](#data-types)) or supporting `!!float .nan` as a value. +OAD authors SHOULD NOT rely on any YAML features supported by YAML's JSON schema ruleset that are listed as having interoperability challenges in RFC9512. + +#### Character Encoding + +Note that as stated in [[RFC8259|JSON]] [Section 8.1](https://www.rfc-editor.org/rfc/rfc8259.html#section-8.1), only JSON encoded using UTF-8 is interoperable, which is extended to JSON-compatible YAML in [[!RFC9512]] [Section 3.4](https://www.rfc-editor.org/rfc/rfc9512.html#name-yaml-and-json). + +This specification assumes that all OADs are encoded using UTF-8. +If an implementation chooses to support additional character encodings, the behavior of any feature relying on the assumption of UTF-8 encoding is implementation-defined. ### OpenAPI Description Structure From 454ba92566ec98a2333b59bd680bee7eebc5b84d Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 5 Jul 2025 13:39:15 -0700 Subject: [PATCH 211/342] Simplify the JSON/YAML stuff We don't really need the stuff about character encodings, as it was there because I was confused about something else. Also minimize the explanation of the change. --- src/oas.md | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/src/oas.md b/src/oas.md index 8878a2d8a0..5a9bdbdb55 100644 --- a/src/oas.md +++ b/src/oas.md @@ -175,16 +175,8 @@ Patterned fields MUST have unique names within the containing object. In order to preserve the ability to round-trip between YAML and JSON formats, YAML version [1.2](https://yaml.org/spec/1.2/spec.html) is RECOMMENDED along with the additional constraints listed in [[!RFC9512]] [Section 3.4](https://www.rfc-editor.org/rfc/rfc9512.html#name-yaml-and-json). -Previous versions of this specification expressed this requirement in terms of [YAML's JSON schema ruleset](https://yaml.org/spec/1.2/spec.html#id2803231), which defines a subset of the YAML syntax and is unrelated to [[JSON-Schema-2020-12|JSON Schema]]. -Despite its name, this ruleset supports features that are not part of JSON, such as distinguishing between integers and floats (see [Data Types](#data-types)) or supporting `!!float .nan` as a value. -OAD authors SHOULD NOT rely on any YAML features supported by YAML's JSON schema ruleset that are listed as having interoperability challenges in RFC9512. - -#### Character Encoding - -Note that as stated in [[RFC8259|JSON]] [Section 8.1](https://www.rfc-editor.org/rfc/rfc8259.html#section-8.1), only JSON encoded using UTF-8 is interoperable, which is extended to JSON-compatible YAML in [[!RFC9512]] [Section 3.4](https://www.rfc-editor.org/rfc/rfc9512.html#name-yaml-and-json). - -This specification assumes that all OADs are encoded using UTF-8. -If an implementation chooses to support additional character encodings, the behavior of any feature relying on the assumption of UTF-8 encoding is implementation-defined. +The recommendation in previous versions of this specification to restrict YAML to its "JSON" [schema ruleset](https://yaml.org/spec/1.2/spec.html#id2803231) allowed for the inclusion of certain values that (despite the name) cannot be represented in JSON. +OAD authors SHOULD NOT rely on any such JSON-incompatible YAML values. ### OpenAPI Description Structure From 55ebffb198537f9892c9598509e998d68523d4ef Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Tue, 8 Jul 2025 14:30:48 -0700 Subject: [PATCH 212/342] Fix comma usage Co-authored-by: Lorna Jane Mitchell --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 5a66fcba39..685f440f9d 100644 --- a/src/oas.md +++ b/src/oas.md @@ -4354,7 +4354,7 @@ This will expand to the result: [RFC6570](https://www.rfc-editor.org/rfc/rfc6570)'s percent-encoding behavior is not always appropriate for `in: "header"` and `in: "cookie"` parameters. In many cases, it is more appropriate to use `content` with a media type such as `text/plain` and require the application to assemble the correct string. -Other media types, such as `application/linkset` (see [Modeling Link Headers](#modeling-link-headers) are directly suitable for use as `content` for specific headers. +Other media types, such as `application/linkset` (see [Modeling Link Headers](#modeling-link-headers)), are directly suitable for use as `content` for specific headers. In some cases, setting `allowReserved: true` will be sufficient to avoid incorrect encoding, however many characters are still percent-encoded with this field enabled, so care must be taken to ensure no unexpected percent-encoding will take place. From 32f028cd8c6cd0f30b5f3e90e0dda689ec7e0c4b Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 12 Jul 2025 12:34:21 -0700 Subject: [PATCH 213/342] Drop the idea of example overriding Examples at different levels serve different purposes, and it is not clear what is meant by "overriding." Removing this will allow tools to determine the most appropriate example(s) to show in a given context. --- src/oas.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/oas.md b/src/oas.md index 65ebfbbf74..b619794e94 100644 --- a/src/oas.md +++ b/src/oas.md @@ -982,7 +982,7 @@ Note that while `"Cookie"` as a `name` is not forbidden if `in` is `"header"`, t For simpler scenarios, a [`schema`](#parameter-schema) and [`style`](#parameter-style) can describe the structure and syntax of the parameter. When `example` or `examples` are provided in conjunction with the `schema` field, the example SHOULD match the specified schema and follow the prescribed serialization strategy for the parameter. -The `example` and `examples` fields are mutually exclusive, and if either is present it SHALL _override_ any `example` in the schema. +The `example` and `examples` fields are mutually exclusive. These fields MUST NOT be used with `in: "querystring"`. @@ -1242,7 +1242,7 @@ Each Media Type Object describes content structured in accordance with the media Multiple Media Type Objects can be used to describe content that can appear in any of several different media types. When `example` or `examples` are provided, the example SHOULD match the specified schema and be in the correct format as specified by the media type and its encoding. -The `example` and `examples` fields are mutually exclusive, and if either is present it SHALL _override_ any `example` in the schema. +The `example` and `examples` fields are mutually exclusive. See [Working With Examples](#working-with-examples) for further guidance regarding the different ways of specifying examples, including non-JSON/YAML values. ##### Fixed Fields @@ -2118,7 +2118,6 @@ The `examples` array is part of JSON Schema and is the preferred way to include The mutually exclusive fields in the Parameter, Header, or Media Type Objects are used to show example values which SHOULD both match the schema and be formatted as they would appear as a serialized parameter, serialized header, or within a media type representation. The exact serialization and encoding is determined by various fields in the Parameter Object, Header Object, or in the Media Type Object's [Encoding Object](#encoding-object). -Because examples using these fields represent the final serialized form of the data, they SHALL _override_ any `example` in the corresponding Schema Object. The singular `example` field in the Parameter, Header, or Media Type Object is concise and convenient for simple examples, but does not offer any other advantages over using Example Objects under `examples`. @@ -2429,7 +2428,7 @@ The `allowReserved` field can disable most but not all of this behavior. See [Appendix D](#appendix-d-serializing-headers-and-cookies) for details and further guidance. When `example` or `examples` are provided in conjunction with the `schema` field, the example SHOULD match the specified schema and follow the prescribed serialization strategy for the header. -The `example` and `examples` fields are mutually exclusive, and if either is present it SHALL _override_ any `example` in the schema. +The `example` and `examples` fields are mutually exclusive. | Field Name | Type | Description | | ---- | :----: | ---- | From 866dd895222ec27ee97c480789ae16db697f8eb2 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Thu, 17 Jul 2025 08:16:22 -0700 Subject: [PATCH 214/342] Use current form for normative ref Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index c61edc3738..e72fad4db6 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1773,7 +1773,7 @@ Note that there are significant restrictions on what headers can be used with `m When multiple values are provided for `contentType`, parsing remains straightforward as the part's actual `Content-Type` is included in the document. For encoding and serialization, implementations MUST provide a mechanism for applications to indicate which media type is intended. -Implementations MAY choose to offer media type sniffing ([[!SNIFF]]) as an alternative, but this MUST NOT be the default behavior due to the security risks inherent in the process. +Implementations MAY choose to offer media type sniffing ([[SNIFF]]) as an alternative, but this MUST NOT be the default behavior due to the security risks inherent in the process. ###### `Content-Transfer-Encoding` and `contentEncoding` From ef3e51e4ffae6e896603c7ee695f9b178f9c8e09 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 17 Jul 2025 10:22:53 -0700 Subject: [PATCH 215/342] Move URI/URL resolution under OAD Structure Almost all of our guidance on parsing and resolving OADs is under the section "OpenAPI Description Structure", _except_ for the parts on resolving relative OAD URI and API URL references. Those two sections are further down, after a lengthy discussion of data types. This moves (without any changes except heading levels) those URI/URL resolution sections up with all of the other parsing guidance. I have placed them before the "Implicit Connections" section because those connections are "Implicit" in contrast to URI references, which are explicit. This puts all of the parsing guidance in one place, and properly contextualizes "Implicit Connections" instead of introducing them before the far-more-common URI connections. --- src/oas.md | 114 ++++++++++++++++++++++++++--------------------------- 1 file changed, 57 insertions(+), 57 deletions(-) diff --git a/src/oas.md b/src/oas.md index c3b6b33141..b5177070d7 100644 --- a/src/oas.md +++ b/src/oas.md @@ -219,6 +219,63 @@ JSON or YAML objects within an OAD are interpreted as specific Objects (such as If the same JSON/YAML object is parsed multiple times and the respective contexts require it to be parsed as _different_ Object types, the resulting behavior is _implementation defined_, and MAY be treated as an error if detected. An example would be referencing an empty Schema Object under `#/components/schemas` where a Path Item Object is expected, as an empty object is valid for both types. For maximum interoperability, it is RECOMMENDED that OpenAPI Description authors avoid such scenarios. +#### Relative References in API Description URIs + +URIs used as references within an OpenAPI Description, or to external documentation or other supplementary information such as a license, are resolved as _identifiers_, and described by this specification as **_URIs_**. +As noted under [Parsing Documents](#parsing-documents), this specification inherits JSON Schema Specification Draft 2020-12's requirements for [loading documents](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-9) and associating them with their expected URIs, which might not match their current location. +This feature is used both for working in development or test environments without having to change the URIs, and for working within restrictive network configurations or security policies. + +Note that some URI fields are named `url` for historical reasons, but the descriptive text for those fields uses the correct "URI" terminology. + +Unless specified otherwise, all fields that are URIs MAY be relative references as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-4.2). + +##### Establishing the Base URI + +Relative URI references are resolved using the appropriate base URI, which MUST be determined in accordance with [[RFC3986]] [Section 5.1.1 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.1) and, for Schema objects, [JSON Schema draft 2020-12 Section 8.2](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-8.2), as illustrated by the examles in [Appendix G: Examples of Base URI Determination and Reference Resolution](#appendix-g-examples-of-base-uri-determination-and-reference-resolution). + +If `$self` is a relative URI-reference, it is resolved agains the next possible base URI source ([[RFC3986]] [Section 5.1.2 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.2)) before being used for the resolution of other relative URI-references. + +The most common base URI source that is used in the event of a missing or relative `$self` (in the [OpenAPI Object](#openapi-object)) and (for [Schema Object](#schema-object)) `$id` is the retrieval URI. +Implementations MAY support document retrieval, although see the [Security Considerations](#security-considerations) sections for additional guidance. +Even if retrieval is supported, it may be impossible due to network configuration or server unavailability (including the server hosting an older version while a new version is in development), or undesirable due to performance impacts. +Therefore, all implementations SHOULD allow users to provide the intended retrieval URI for each document so that references can be resolved as if retrievals were performed. + +##### Resolving URI fragments + +If a URI contains a fragment identifier, then the fragment should be resolved per the fragment resolution mechanism of the referenced document. If the representation of the referenced document is JSON or YAML, then the fragment identifier SHOULD be interpreted as a JSON-Pointer as per [RFC6901](https://tools.ietf.org/html/rfc6901). + +##### Relative URI References in CommonMark Fields + +Relative references in CommonMark hyperlinks are resolved in their rendered context, which might differ from the context of the API description. + +#### Relative References in API URLs + +API endpoints are by definition accessed as locations, and are described by this specification as **_URLs_**. + +Unless specified otherwise, all fields that are URLs MAY be relative references as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-4.2). + +Because the API Is a distinct entity from the OpenAPI Document, RFC3986's base URI rules for the OpenAPI Document do not apply. +Unless specified otherwise, relative references are resolved using the URLs defined in the [Server Object](#server-object) as a Base URL. Note that these themselves MAY be relative to the referring document. + +##### Examples of API Base URL Determination + +Assume a retrieval URI of `https://device1.example.com` for the following OpenAPI Document: + +```YAML +openapi: 3.2.0 +$self: https://apidescriptions.example.com/foo +info: + title: Example API + version: 1.0 +servers: +- url: . + description: The production API on this device +- url: ./test + description: The test API on this device +``` + +For API URLs the `$self` field, which identifies the OpenAPI Document, is ignored and the retrieval URI is used instead. This produces a normalized production URL of `https://device1.example.com`, and a normalized test URL of `https://device1.example.com/test`. + #### Resolving Implicit Connections Several features of this specification require resolution of non-URI-based connections to some other part of the OpenAPI Description (OAD). @@ -333,63 +390,6 @@ Where OpenAPI tooling renders rich text it MUST support, at a minimum, markdown While the framing of CommonMark 0.27 as a minimum requirement means that tooling MAY choose to implement extensions on top of it, note that any such extensions are by definition implementation-defined and will not be interoperable. OpenAPI Description authors SHOULD consider how text using such extensions will be rendered by tools that offer only the minimum support. -### Relative References in API Description URIs - -URIs used as references within an OpenAPI Description, or to external documentation or other supplementary information such as a license, are resolved as _identifiers_, and described by this specification as **_URIs_**. -As noted under [Parsing Documents](#parsing-documents), this specification inherits JSON Schema Specification Draft 2020-12's requirements for [loading documents](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-9) and associating them with their expected URIs, which might not match their current location. -This feature is used both for working in development or test environments without having to change the URIs, and for working within restrictive network configurations or security policies. - -Note that some URI fields are named `url` for historical reasons, but the descriptive text for those fields uses the correct "URI" terminology. - -Unless specified otherwise, all fields that are URIs MAY be relative references as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-4.2). - -#### Establishing the Base URI - -Relative URI references are resolved using the appropriate base URI, which MUST be determined in accordance with [[RFC3986]] [Section 5.1.1 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.1) and, for Schema objects, [JSON Schema draft 2020-12 Section 8.2](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-8.2), as illustrated by the examles in [Appendix G: Examples of Base URI Determination and Reference Resolution](#appendix-g-examples-of-base-uri-determination-and-reference-resolution). - -If `$self` is a relative URI-reference, it is resolved agains the next possible base URI source ([[RFC3986]] [Section 5.1.2 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.2)) before being used for the resolution of other relative URI-references. - -The most common base URI source that is used in the event of a missing or relative `$self` (in the [OpenAPI Object](#openapi-object)) and (for [Schema Object](#schema-object)) `$id` is the retrieval URI. -Implementations MAY support document retrieval, although see the [Security Considerations](#security-considerations) sections for additional guidance. -Even if retrieval is supported, it may be impossible due to network configuration or server unavailability (including the server hosting an older version while a new version is in development), or undesirable due to performance impacts. -Therefore, all implementations SHOULD allow users to provide the intended retrieval URI for each document so that references can be resolved as if retrievals were performed. - -#### Resolving URI fragments - -If a URI contains a fragment identifier, then the fragment should be resolved per the fragment resolution mechanism of the referenced document. If the representation of the referenced document is JSON or YAML, then the fragment identifier SHOULD be interpreted as a JSON-Pointer as per [RFC6901](https://tools.ietf.org/html/rfc6901). - -#### Relative URI References in CommonMark Fields - -Relative references in CommonMark hyperlinks are resolved in their rendered context, which might differ from the context of the API description. - -### Relative References in API URLs - -API endpoints are by definition accessed as locations, and are described by this specification as **_URLs_**. - -Unless specified otherwise, all fields that are URLs MAY be relative references as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-4.2). - -Because the API Is a distinct entity from the OpenAPI Document, RFC3986's base URI rules for the OpenAPI Document do not apply. -Unless specified otherwise, relative references are resolved using the URLs defined in the [Server Object](#server-object) as a Base URL. Note that these themselves MAY be relative to the referring document. - -#### Examples of API Base URL Determination - -Assume a retrieval URI of `https://device1.example.com` for the following OpenAPI Document: - -```YAML -openapi: 3.2.0 -$self: https://apidescriptions.example.com/foo -info: - title: Example API - version: 1.0 -servers: -- url: . - description: The production API on this device -- url: ./test - description: The test API on this device -``` - -For API URLs the `$self` field, which identifies the OpenAPI Document, is ignored and the retrieval URI is used instead. This produces a normalized production URL of `https://device1.example.com`, and a normalized test URL of `https://device1.example.com/test`. - ### Schema This section describes the structure of the OpenAPI Description format. From 99e5ce08e60f683d5948fc7423d838eba3e39659 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 17 Jul 2025 13:35:55 -0700 Subject: [PATCH 216/342] Clarify template variable uniqueness This clarifies that variables in both path and server URL templates MUST be unique. This is justified as compatible with our minor release policy on the following grounds: * Due to Parameter Object `name` + `in` constraints and the Server Object's `variables` field being a map, each variable can only map to one paramater or server variable (although the "one" paramater might be defined separately yet uniquely for each Operation). * The Path Templating section uses the phrase "Each template expression in the path MUST correspond to ***a*** path parameter" (emphasis added). * The Parameter Object uses similar language in the other direction: "If in is "path", the name field MUST correspond to ***a*** template expression". * The word "a" is interpreted to mean an unknown but unique thing in both directions. * The Server Object's `url` template has always been assumed to function in an analogous way to path templating. --- src/oas.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index c3b6b33141..e41703e3d8 100644 --- a/src/oas.md +++ b/src/oas.md @@ -62,6 +62,8 @@ sub-delims = "!" / "$" / "&" / "'" / "(" / ")" Here, `pchar`, `unreserved`, `pct-encoded` and `sub-delims` definitions are taken from [RFC 3986](https://tools.ietf.org/html/rfc3986). The `path-template` is directly derived from [RFC 3986, section 3.3](https://datatracker.ietf.org/doc/html/rfc3986#section-3.3). +Each template expression MUST NOT appear more than once in a single path template. + See also [Appendix C: Using RFC6570-Based Serialization](#appendix-c-using-rfc6570-based-serialization) for additional guidance. ### Media Types @@ -596,6 +598,8 @@ iprivate = %xE000-F8FF / %xF0000-FFFFD / %x100000-10FFFD Here, `literals`, `pct-encoded`, `ucschar` and `iprivate` definitions are taken from [RFC 6570](https://www.rfc-editor.org/rfc/rfc6570), incorporating the corrections specified in [Errata 6937](https://www.rfc-editor.org/errata/eid6937) for `literals`. +Each server variable MUST NOT appear more than once in the URL template. + See the [Paths Object](#paths-object) for guidance on constructing full request URLs. ##### Fixed Fields @@ -967,7 +971,7 @@ These fields MAY be used with either `content` or `schema`. | Field Name | Type | Description | | ---- | :----: | ---- | -| name | `string` | **REQUIRED**. The name of the parameter. Parameter names are _case sensitive_.
  • If [`in`](#parameter-in) is `"path"`, the `name` field MUST correspond to a template expression occurring within the [path](#paths-path) field in the [Paths Object](#paths-object). See [Path Templating](#path-templating) for further information.
  • If [`in`](#parameter-in) is `"header"` and the `name` field is `"Accept"`, `"Content-Type"` or `"Authorization"`, the parameter definition SHALL be ignored.
  • If `in` is `"querystring"`, or for [certain combinations](#style-examples) of [`style`](#parameter-style) and [`explode`](#parameter-explode), the value of `name` is not used in the parameter serialization.
  • For all other cases, the `name` corresponds to the parameter name used by the [`in`](#parameter-in) field.
| +| name | `string` | **REQUIRED**. The name of the parameter. Parameter names are _case sensitive_.
  • If [`in`](#parameter-in) is `"path"`, the `name` field MUST correspond to a single template expression occurring within the [path](#paths-path) field in the [Paths Object](#paths-object). See [Path Templating](#path-templating) for further information.
  • If [`in`](#parameter-in) is `"header"` and the `name` field is `"Accept"`, `"Content-Type"` or `"Authorization"`, the parameter definition SHALL be ignored.
  • If `in` is `"querystring"`, or for [certain combinations](#style-examples) of [`style`](#parameter-style) and [`explode`](#parameter-explode), the value of `name` is not used in the parameter serialization.
  • For all other cases, the `name` corresponds to the parameter name used by the [`in`](#parameter-in) field.
| | in | `string` | **REQUIRED**. The location of the parameter. Possible values are `"query"`, `"querystring"`, `"header"`, `"path"` or `"cookie"`. | | description | `string` | A brief description of the parameter. This could contain examples of use. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | required | `boolean` | Determines whether this parameter is mandatory. If the [parameter location](#parameter-in) is `"path"`, this field is **REQUIRED** and its value MUST be `true`. Otherwise, the field MAY be included and its default value is `false`. | From 5cfb332a34140424eb154b104b5267a10f7d2536 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 17 Jul 2025 16:48:11 -0700 Subject: [PATCH 217/342] Fix missing space --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index c3b6b33141..bb12953cc2 100644 --- a/src/oas.md +++ b/src/oas.md @@ -309,7 +309,7 @@ Using a `contentEncoding` of `base64url` ensures that URL encoding (as required The `contentMediaType` keyword is redundant if the media type is already set: -* as the key for a [MediaType Object](#media-type-object) +* as the key for a [Media Type Object](#media-type-object) * in the `contentType` field of an [Encoding Object](#encoding-object) If the [Schema Object](#schema-object) will be processed by a non-OAS-aware JSON Schema implementation, it may be useful to include `contentMediaType` even if it is redundant. However, if `contentMediaType` contradicts a relevant Media Type Object or Encoding Object, then `contentMediaType` SHALL be ignored. From 62d67f385acffa40c98a54b178c9ded55012c9c9 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 17 Jul 2025 16:50:23 -0700 Subject: [PATCH 218/342] Provide parsing and serialization guidance This creates a "Working with Data" section that incorporates the existing "Data Types" section (with some section level adjustments) along with new guidance on mapping different kinds of data between serialized, data, and application forms. This terminology matches the terminology currently being considered for examples. The application form is largely out of scope for the OAS, and is mainly included to clarify this scope while acknowledging that the OAS may influence such things. Most of the new material is on parsing and serializing, briefly addressing JSON as the common case before going into detail on non-JSON data, with examples. This is where the requirements for schema and/or instance inspection/searching are listed. The only additional change is no longer mentioning the property schema in the Encoding Object, in part because with the new `multipart/mixed` support Encoding Objects can be used with arrays as well as objects. --- src/oas.md | 132 +++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 127 insertions(+), 5 deletions(-) diff --git a/src/oas.md b/src/oas.md index c3b6b33141..ee58932668 100644 --- a/src/oas.md +++ b/src/oas.md @@ -257,7 +257,9 @@ The behavior for Discriminator Object non-URI mappings and for the Operation Obj Note that no aspect of implicit connection resolution changes how [URIs are resolved](#relative-references-in-api-description-uris), or restricts their possible targets. -### Data Types +### Working with Data + +#### Data Types Data types in the OAS are based on the types defined by the [JSON Schema Validation Specification Draft 2020-12](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-6.1.1): "null", "boolean", "object", "array", "number", "string", or "integer". @@ -267,7 +269,7 @@ JSON Schema keywords and `format` values operate on JSON "instances" which may b Note that the `type` keyword allows `"integer"` as a value for convenience, but keyword and format applicability does not recognize integers as being of a distinct JSON type from other numbers because [[RFC8259|JSON]] itself does not make that distinction. Since there is no distinct JSON integer type, JSON Schema defines integers mathematically. This means that both `1` and `1.0` are [equivalent](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-4.2.2), and are both considered to be integers. -#### Data Type Format +##### Data Type Format As defined by the [JSON Schema Validation specification](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-7.3), data types can have an optional modifier keyword: `format`. As described in that specification, `format` is treated as a non-validating annotation by default; the ability to validate `format` varies across implementations. @@ -288,7 +290,115 @@ The formats defined by the OAS are: As noted under [Data Type](#data-types), both `type: number` and `type: integer` are considered to be numbers in the data model. -#### Working with Binary Data +#### Parsing and Serializing + +API data has three forms: + +1. The serialized form, which is either a document of a particular media type, part of an HTTP header value, or part of a URI. +2. The data form, intended for use with a [Schema Object](#schema-object). +3. The application form, which incorporates any additional information conveyed by JSON Schema keywords such as `format` and `contentType`, and possibly additional information such as class hierarchies that are beyond the scope of this specification, although they MAY be based on specification elements such as the [Discriminator Object](#discriminator-object) or guidance regarding [Data Modeling Techniques](#data-modeling-techniques). + +##### JSON Data + +JSON-serialized data is nearly equivalent to the data form because the [JSON Schema data model](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-4.2.1) is nearly equivalent to the JSON representation. +The serialized UTF-8 JSON string `{"when": "1985-04-12T23%3A20%3A50.52"}` represents an object with one data field, named `when`, with a string value, `1985-04-12T23%3A20%3A50.52`. + +The exact application form is beyond the scope of this specification, as can be shown with the following schema for our JSON instance: + +```yaml +type: object +properties: + when: + type: string + format: date-time +``` + +Some applications might leave the string as a string regardless of programming language, while others might notice the `format` and use it as a `datetime.datetime` instance in Python, or a `java.time.ZonedDateTime` in Java. +This specification only requires that the data is valid according to the schema, and that [annotations](#extended-validation-with-annotations) such as `format` are available in accordance with the JSON Schema specification. + +##### Non-JSON Data + +Non-JSON serializetions can be substantially different from their corresponding data form, and might require several steps to parse. + +To continue our "when" example, if we serialized the object as `application/x-www-form-urlencoded`, it would appear as the ASCII string `when=1985-04-12T23%3A20%3A50.52`. +This example is still straightforward to use as it is all string data, and the only differences from JSON are the URI percent-encoding and the delimiter syntax (`=` instead of JSON punctuation and quoting). + +However, many non-JSON text-based formats can be complex, requiring examination of the appropriate schema(s) in order to correctly parse the text into a schema-ready data structure. +Serializing data into such formats requires either examing the schema-validated data or performing the same schema inspections. + +When inspecting schemas, given a starting point schema, implementations MUST examine that schema and all schemas that can be reached from it by following only `$ref` and `allOf` keywords. +These schemas are guaranteed to apply to any instance. + +Due to this limited requirement for searching schemas, serializers that have access to validated data MUST inspect the data if possible; implementations that either do not work with runtime data (such as code generators) or cannot access validated data for some reason MUST fall back to schema inspection. + +When searching schemas for `type`, if the `type` keyword's value is a list of types and the serialized value can be successfully parsed as more than one of the types in the list, the behavior is implementation-defined. + +As an example of these processes, given these OpenAPI components: + +```yaml +components: + requestBodies: + Form: + content: + application/x-www-form-urlencoded: + schema: + $ref: "#/components/schemas/FormData" + encoding: + extra: + contentType: application/xml + schemas: + FormData: + type: object + properties: + code: + allOf: + - type: string + pattern: "1" + - type: string + pattern: "2" + count: + type: integer + extra: + type: object +``` + +And this request body to parse into its data form: + +```uri +code=1234&count=42&extra=%3Cinfo%3Eabc%3C/info%3E +``` + +We must first search the schema for `properties` or other property-defining keywords, and then use each property schema as a starting point for a search for that property's `type` keyword, as follows (the exact order is implementation-defined): + +* `#/components/requestBodies/Form/content/application~1x-www-form-urlencoded/schema` (initial starting point schema, only `$ref`) +* `#/components/schemas/FormData` (follow `$ref`, found `properties`) +* `#/components/schemas/FormData/properties/code` (starting point schema for `code` property) +* `#/components/schemas/FormData/properties/code/allOf/0` (follow `allOf`, but no `type`) +* `#/components/schemas/FormData/properties/code/allOf/1` (follow `allOf`, found `type: string`) +* `#/components/schemas/FormData/properties/count` (starting point schema for `count` property, found `type: integer`) +* `#/components/schemas/FormData/properties/extra` (starting point schema for `count` property, found `type: object`) + +From this, we determine that `code` is a string that happens to look like a number, while `count` needs to be parsed into a number _prior_ to schema validation. +Furthermore, the `extra` string is in fact an XML serialization of an object containing an `info` property. +This means that the data form of this serialization is equivalent to the following JSON object: + +```json +{ + "code": "1234", + "count": 42 + "extra": { + "info": "abc" + } +} +``` + +Serializing this object also requires correlating properties with [Encoding Objects](#encoding-object), and may require inspection to determine a default value of the `contentType` field. +If validated data is not available, the schema inspection process is identical to that shown for parsing. + +In this example, both `code` and `count` are of primitive type and do not appear in the `encoding` field, and are therefore serialized as plain text. +However, the `extra` field is an object, which would by default be serialized as JSON, but the `extra` entry in the `encoding` field tells use to serialize it as XML instead. + +##### Working with Binary Data The OAS can describe either _raw_ or _encoded_ binary data. @@ -316,7 +426,19 @@ If the [Schema Object](#schema-object) will be processed by a non-OAS-aware JSON See [Complete vs Streaming Content](#complete-vs-streaming-content) for guidance on streaming binary payloads. -##### Migrating binary descriptions from OAS 3.0 +###### Schema Evaluation and Binary Data + +Few JSON Schema implementations directly support working with binary data, as doing so is not a mandatory part of that specification. + +OAS Implementations that do not have access to a binary-instance-supporting JSON Schema implementation MUST examine schemas and apply them in accordance with [Working with Binary Data](#working-with-binary-data). +When the entire instance is binary, this is straightforward as few keywords are relevant. + +However, `multipart` media types can mix binary and text-based data, leaving implementations with two options for schema evaluations: + +1. Use a placeholder value, on the assumption that no assertions will apply to the binary data and no conditional schema keywords will cause the schema to treat the placeholder value differently (e.g. a part that could be either plain text or binary might behave unexpectedly if a string is used as a binary placeholder, as it would likely be treated as plain text and subject to different subschemas and keywords). +2. Inspect the schema(s) to find the appropriate keywords (`properties`, `prefixItems`, etc.) in order to break up the subschemas and apply them separately to binary and JSON-compatible data. + +###### Migrating binary descriptions from OAS 3.0 The following table shows how to migrate from OAS 3.0 binary data descriptions, continuing to use `image/png` as the example binary media type: @@ -1639,7 +1761,7 @@ These fields MAY be used either with or without the RFC6570-style serialization | Field Name | Type | Description | | ---- | :----: | ---- | -| contentType | `string` | The `Content-Type` for encoding a specific property. The value is a comma-separated list, each element of which is either a specific media type (e.g. `image/png`) or a wildcard media type (e.g. `image/*`). Default value depends on the property type as shown in the table below. | +| contentType | `string` | The `Content-Type` for encoding a specific property. The value is a comma-separated list, each element of which is either a specific media type (e.g. `image/png`) or a wildcard media type (e.g. `image/*`). The default value depends on the type as shown in the table below. | | headers | Map[`string`, [Header Object](#header-object) \| [Reference Object](#reference-object)] | A map allowing additional information to be provided as headers. `Content-Type` is described separately and SHALL be ignored in this section. This field SHALL be ignored if the media type is not a `multipart`. | This object MAY be extended with [Specification Extensions](#specification-extensions). From 9fb9893fb35b6c3959c29909e09e9d099fa820a3 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Fri, 18 Jul 2025 10:16:27 -0700 Subject: [PATCH 219/342] Apply suggestions from code review Co-authored-by: Ralf Handl --- src/oas.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/oas.md b/src/oas.md index ee58932668..1488d65946 100644 --- a/src/oas.md +++ b/src/oas.md @@ -318,13 +318,13 @@ This specification only requires that the data is valid according to the schema, ##### Non-JSON Data -Non-JSON serializetions can be substantially different from their corresponding data form, and might require several steps to parse. +Non-JSON serializations can be substantially different from their corresponding data form, and might require several steps to parse. To continue our "when" example, if we serialized the object as `application/x-www-form-urlencoded`, it would appear as the ASCII string `when=1985-04-12T23%3A20%3A50.52`. This example is still straightforward to use as it is all string data, and the only differences from JSON are the URI percent-encoding and the delimiter syntax (`=` instead of JSON punctuation and quoting). However, many non-JSON text-based formats can be complex, requiring examination of the appropriate schema(s) in order to correctly parse the text into a schema-ready data structure. -Serializing data into such formats requires either examing the schema-validated data or performing the same schema inspections. +Serializing data into such formats requires either examining the schema-validated data or performing the same schema inspections. When inspecting schemas, given a starting point schema, implementations MUST examine that schema and all schemas that can be reached from it by following only `$ref` and `allOf` keywords. These schemas are guaranteed to apply to any instance. @@ -376,7 +376,7 @@ We must first search the schema for `properties` or other property-defining keyw * `#/components/schemas/FormData/properties/code/allOf/0` (follow `allOf`, but no `type`) * `#/components/schemas/FormData/properties/code/allOf/1` (follow `allOf`, found `type: string`) * `#/components/schemas/FormData/properties/count` (starting point schema for `count` property, found `type: integer`) -* `#/components/schemas/FormData/properties/extra` (starting point schema for `count` property, found `type: object`) +* `#/components/schemas/FormData/properties/extra` (starting point schema for `extra` property, found `type: object`) From this, we determine that `code` is a string that happens to look like a number, while `count` needs to be parsed into a number _prior_ to schema validation. Furthermore, the `extra` string is in fact an XML serialization of an object containing an `info` property. From 5661d71da3190390f0574344407131d624c8a18a Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 18 Jul 2025 11:00:06 -0700 Subject: [PATCH 220/342] Expand type guidance and optional further inspection Provide examples of narrowing multiple types, and make it clear that every schema without a `type` keyword allows all types. Also note that implementations MAY go beyond these requirements, but set boundaries on what they can do. --- src/oas.md | 38 ++++++++++++++++++++++++++++++++------ 1 file changed, 32 insertions(+), 6 deletions(-) diff --git a/src/oas.md b/src/oas.md index 1488d65946..933658604a 100644 --- a/src/oas.md +++ b/src/oas.md @@ -301,7 +301,7 @@ API data has three forms: ##### JSON Data JSON-serialized data is nearly equivalent to the data form because the [JSON Schema data model](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-4.2.1) is nearly equivalent to the JSON representation. -The serialized UTF-8 JSON string `{"when": "1985-04-12T23%3A20%3A50.52"}` represents an object with one data field, named `when`, with a string value, `1985-04-12T23%3A20%3A50.52`. +The serialized UTF-8 JSON string `{"when": "1985-04-12T23:20:50.52"}` represents an object with one data field, named `when`, with a string value, `1985-04-12T23:20:50.52`. The exact application form is beyond the scope of this specification, as can be shown with the following schema for our JSON instance: @@ -328,10 +328,33 @@ Serializing data into such formats requires either examining the schema-validate When inspecting schemas, given a starting point schema, implementations MUST examine that schema and all schemas that can be reached from it by following only `$ref` and `allOf` keywords. These schemas are guaranteed to apply to any instance. +When searching schemas for `type`, if the `type` keyword's value is a list of types and the serialized value can be successfully parsed as more than one of the types in the list, and no other findable `type` keyword disambiguates the actual required type, the behavior is implementation-defined. +Schema Objects that do not contain `type` MUST be considered to allow all types, regardless of which other keywords are present (e.g. `maximum` applies to numbers, but _does not_ require the instance to be a number). -Due to this limited requirement for searching schemas, serializers that have access to validated data MUST inspect the data if possible; implementations that either do not work with runtime data (such as code generators) or cannot access validated data for some reason MUST fall back to schema inspection. +Implementations MAY inspect subschemas or possible reference targets of other keywords such as `oneOf` or `$dynamicRef`, but MUST NOT attempt to resolve ambiguities. +For example, if an implementation opts to inspect `anyOf`, the schema: -When searching schemas for `type`, if the `type` keyword's value is a list of types and the serialized value can be successfully parsed as more than one of the types in the list, the behavior is implementation-defined. +```yaml +anyOf: +- type: number + minimum: 0 +- type: number + maximum: 100 +``` + +unambiguously indicates a numeric type, but the schema: + +```yaml +anyOf: +- type: number +- maximum: 100 +``` + +does not, because the second subschema allows all types. + +Due to these limited requirements for searching schemas, serializers that have access to validated data MUST inspect the data if possible; implementations that either do not work with runtime data (such as code generators) or cannot access validated data for some reason MUST fall back to schema inspection. + +Recall also that in JSON Schema, keywords that apply to a specific type (e.g. `pattern` applies to strings, `minimum` applies to numbers) _do not_ require or imply that the data will actually be of that type. As an example of these processes, given these OpenAPI components: @@ -352,8 +375,9 @@ components: properties: code: allOf: - - type: string + - type: [string, number] pattern: "1" + minimum: 0 - type: string pattern: "2" count: @@ -373,12 +397,14 @@ We must first search the schema for `properties` or other property-defining keyw * `#/components/requestBodies/Form/content/application~1x-www-form-urlencoded/schema` (initial starting point schema, only `$ref`) * `#/components/schemas/FormData` (follow `$ref`, found `properties`) * `#/components/schemas/FormData/properties/code` (starting point schema for `code` property) -* `#/components/schemas/FormData/properties/code/allOf/0` (follow `allOf`, but no `type`) +* `#/components/schemas/FormData/properties/code/allOf/0` (follow `allOf`, found `type: [string, number]`) * `#/components/schemas/FormData/properties/code/allOf/1` (follow `allOf`, found `type: string`) * `#/components/schemas/FormData/properties/count` (starting point schema for `count` property, found `type: integer`) * `#/components/schemas/FormData/properties/extra` (starting point schema for `extra` property, found `type: object`) -From this, we determine that `code` is a string that happens to look like a number, while `count` needs to be parsed into a number _prior_ to schema validation. +Note that for `code` we first found an ambiguous `type`, but then found another `type` keyword that ensures only one of the two possibilities is valid. + +From this inspection, we determine that `code` is a string that happens to look like a number, while `count` needs to be parsed into a number _prior_ to schema validation. Furthermore, the `extra` string is in fact an XML serialization of an object containing an `info` property. This means that the data form of this serialization is equivalent to the following JSON object: From 2dc01c938322f6018535ccccfe6b15eecc9c4467 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 18 Jul 2025 11:46:18 -0700 Subject: [PATCH 221/342] Editorial improvements to Appendix E Percent-Encdoing is mind-boggling, make a TL;DR section. Also clarify that `format` has to be enabled to impact validation. --- src/oas.md | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/src/oas.md b/src/oas.md index 985304f993..74cd01c63b 100644 --- a/src/oas.md +++ b/src/oas.md @@ -4392,7 +4392,18 @@ For multiple values, `style: "form"` is always incorrect as name=value pairs in _**NOTE:** In this section, the `application/x-www-form-urlencoded` and `multipart/form-data` media types are abbreviated as `form-urlencoded` and `form-data`, respectively, for readability._ Percent-encoding is used in URIs and media types that derive their syntax from URIs. -This process is concerned with three sets of characters, the names of which vary among specifications but are defined as follows for the purposes of this section: +The fundamental rules of percent-encoding are: + +* The set of characters that MUST be encoded varies depending on which version of which specification you use, and (for URIs) in which part of the URI the character appears. +* The way an unencoded `+` character is decoded depends on whether you are using `application/x-www-form-urlencoded` rules or more general URI rules; this is the only time where choice of decoding algorithm can change the outcome. +* Encoding more characters than necessary is always safe in terms of the decoding process, but may produce non-normalized URIs. +* In practice, some systems tolerate or even expect unencoded characters that some or all percent-encoding specifications require to be encoded; this can cause interoperability issues with more strictly compliant implementations. + +The rest of this appendix provides more detailed guidance based on the above rules. + +### Percent-Encoding Character Classes + +This process is concerned with three classes of characters, the names of which vary among specifications but are defined as follows for the purposes of this section: * _unreserved_ characters do not need to be percent-encoded; while it is safe to percent-encode them, doing so produces a URI that is [not normalized](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.2) * _reserved_ characters either have special behavior in the URI syntax (such as delimiting components) or are reserved for other specifications that need to define special behavior (e.g. `form-urlencoded` defines special behavior for `=`, `&`, and `+`) @@ -4441,7 +4452,7 @@ Note that content-based serialization for `form-data` does not expect or require #### Interoperability with Historical Specifications -In most cases, generating query strings in strict compliance with [[RFC3986]] is sufficient to pass validation (including JSON Schema's `format: "uri"` and `format: "uri-reference"`), but some `form-urlencoded` implementations still expect the slightly more restrictive [[RFC1738]] rules to be used. +In most cases, generating query strings in strict compliance with [[RFC3986]] is sufficient to pass validation (including JSON Schema's `format: "uri"` and `format: "uri-reference"` when `format` validation is enabled), but some `form-urlencoded` implementations still expect the slightly more restrictive [[RFC1738]] rules to be used. Since all RFC1738-compliant URIs are compliant with RFC3986, applications needing to ensure historical interoperability SHOULD use RFC1738's rules. @@ -4451,7 +4462,7 @@ WHATWG is a [web browser-oriented](https://whatwg.org/faq#what-is-the-whatwg-wor WHATWG's percent-encoding rules for query strings are different depending on whether the query string is [being treated as `form-urlencoded`](https://url.spec.whatwg.org/#application-x-www-form-urlencoded-percent-encode-set) (where it requires more percent-encoding than [[RFC1738]]) or [as part of the generic syntax](https://url.spec.whatwg.org/#query-percent-encode-set), where it allows characters that [[RFC3986]] forbids. Implementations needing maximum compatibility with web browsers SHOULD use WHATWG's `form-urlencoded` percent-encoding rules. -However, they SHOULD NOT rely on WHATWG's less stringent generic query string rules, as the resulting URLs would fail RFC3986 validation, including JSON Schema's `format: uri` and `format: uri-reference`. +However, they SHOULD NOT rely on WHATWG's less stringent generic query string rules, as the resulting URLs would fail RFC3986 validation, including JSON Schema's `format: uri` and `format: uri-reference` (when `format` validation is endabled). ### Decoding URIs and `form-urlencoded` Strings From 5f9ce8e12b666b65df826c0e03b638ed1ac25c96 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 18 Jul 2025 12:32:50 -0700 Subject: [PATCH 222/342] Fix example thanks to review feedback --- src/oas.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/oas.md b/src/oas.md index 0f0eb10fd9..9ebd1d5277 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1880,8 +1880,8 @@ As seen in the [Encoding Object's `contentType` field documentation](#encoding-c ###### Example: Nested `multipart/mixed` -This defines a two-part `multipart/mixed` where the first part is JSON and the second part is a nested `multipart/mixed` document. -The nested parts are JSON, plain text, and a PNG image. +This defines a two-part `multipart/mixed` where the first part is a JSON array and the second part is a nested `multipart/mixed` document. +The nested parts are XML, plain text, and a PNG image. ```yaml multipart/mixed: @@ -1889,7 +1889,8 @@ multipart/mixed: type: array prefixItems: - type: array - - prefixItems: + - type: array + prefixItems: - type: object - type: string - {} From 6869dddb532eec411451ff4afc63ebb5d170a906 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 6 Jun 2025 13:23:50 -0700 Subject: [PATCH 223/342] Add data vs serialized example fields This adds two fields to the Example Object and partially deprecates the existing `value` field. `dataValue` applies to the data that would be passed to schema validation. `serializedValue` (which MUST be a string), like `externalValue`, applies to the serialized form. Guidance is provided that `value` (and the shorthand singluar `example`) are safe for JSON serialization targets and for strings serialized to targets that do not apply further escaping, but are otherwise deprecated due to ambiguous behavior. --- src/oas.md | 66 +++++++++++++++---- src/schemas/validation/schema.yaml | 24 +++++-- .../fail/example-object-old-exclusions.yaml | 10 +++ .../fail/example-object-old-vs-data.yaml | 10 +++ .../fail/example-object-old-vs-ser.yaml | 10 +++ .../fail/example-object-ser-exclusions.yaml | 10 +++ .../schema/pass/example-object-examples.yaml | 3 +- 7 files changed, 116 insertions(+), 17 deletions(-) create mode 100644 tests/schema/fail/example-object-old-exclusions.yaml create mode 100644 tests/schema/fail/example-object-old-vs-data.yaml create mode 100644 tests/schema/fail/example-object-old-vs-ser.yaml create mode 100644 tests/schema/fail/example-object-ser-exclusions.yaml diff --git a/src/oas.md b/src/oas.md index 985304f993..a44dcf4d23 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2101,9 +2101,9 @@ transactionCallback: #### Example Object An object grouping an internal or external example value with basic `summary` and `description` metadata. +The examples can show either data suitable for schema validation, or serialized data as required by the containing [Media Type Object](#media-type-object), [Parameter Object](#parameter-object), or [Header Object](#header-object). This object is typically used in fields named `examples` (plural), and is a [referenceable](#reference-object) alternative to older `example` (singular) fields that do not support referencing or metadata. - -Examples allow demonstration of the usage of properties, parameters and objects within OpenAPI. +The various fields and types of examples are explained in more detail under [Working With Examples](#working-with-examples). ##### Fixed Fields @@ -2111,32 +2111,74 @@ Examples allow demonstration of the usage of properties, parameters and objects | ---- | :----: | ---- | | summary | `string` | Short description for the example. | | description | `string` | Long description for the example. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | -| value | Any | Embedded literal example. The `value` field and `externalValue` field are mutually exclusive. To represent examples of media types that cannot naturally represented in JSON or YAML, use a string value to contain the example, escaping where necessary. | -| externalValue | `string` | A URI that identifies the literal example. This provides the capability to reference examples that cannot easily be included in JSON or YAML documents. The `value` field and `externalValue` field are mutually exclusive. See the rules for resolving [Relative References](#relative-references-in-api-description-uris). | +| dataValue | Any | An example of the data structure that MUST be valid according to the relevant [Schema Object](#schema-object). If this field is present, `value` MUST be absent. | +| serializedValue | `string` | An example of the serialized form of the value, including encoding and escaping as described under [Validating Examples](#validating-examples). If `dataValue` is present, then this field SHOULD contain the serialization of the given data. Otherwise, it SHOULD be the valid serialization of a data value that itself MUST be valid as described for `dataValue`. This field SHOULD NOT be used if the serialization format is JSON, as the data form is easier to work with. If this field is present, `value`, and `externalValue` MUST be absent. | +| externalValue | `string` | A URI that identifies the serialized example in a separate document, allowing for values not easily or readably expressed as a Unicode string. If `dataValue` is present, then this field SHOULD identify a serialization of the given data. Otherwise, the value SHOULD the valid serialization of a data value that itself MUST be valid as described for `dataValue`. If this field is present, `serializedValue`, and `value` MUST be absent. See also the rules for resolving [Relative References](#relative-references-in-api-description-uris). | +| value | Any | Embedded literal example. The `value` field and `externalValue` field are mutually exclusive. To represent examples of media types that cannot naturally be represented in JSON or YAML, use a string value to contain the example, escaping where necessary.

**Deprecated for non-JSON serialization targets:** Use `dataValue` and/or `serializedValue`, which both have unambiguous syntax and semantics, instead. | This object MAY be extended with [Specification Extensions](#specification-extensions). In all cases, the example value SHOULD be compatible with the schema of its associated value. Tooling implementations MAY choose to validate compatibility automatically, and reject the example value(s) if incompatible. +See [Validating Examples](#validating-examples) for the exact meaning of "compatible" for each field in this Object. ##### Working with Examples Example Objects can be used in [Parameter Objects](#parameter-object), [Header Objects](#header-object), and [Media Type Objects](#media-type-object). In all three Objects, this is done through the `examples` (plural) field. However, there are several other ways to provide examples: The `example` (singular) field that is mutually exclusive with `examples` in all three Objects, and two keywords (the deprecated singular `example` and the current plural `examples`, which takes an array of examples) in the [Schema Object](#schema-object) that appears in the `schema` field of all three Objects. +We will refer to the singular `example` field in the Parameter, Header, or Media Type Object, which has the same behavior as a single Example Object with only the `value` field, as the "shorthand `example`" field. Each of these fields has slightly different considerations. -The Schema Object's fields are used to show example values without regard to how they might be formatted as parameters or within media type representations. -The `examples` array is part of JSON Schema and is the preferred way to include examples in the Schema Object, while `example` is retained purely for compatibility with older versions of the OpenAPI Specification. +###### JSON-Compatible and `value`-Safe Examples + +The `value` and the shorthand `example` field are intended to have the same _semantics_ as `serializedValue` (or `externalValue`), while allowing a more convenient _syntax_ when there is no difference between a JSON (or [JSON-compatible YAML](#format)) representation and the final serialized form. +When using this syntax for `application/json` or any `+json` media type, these fields effectively behave like `dataValue`, as the serialization is trivial, and they are safe to use. + +For data that consists of a single string, and a serialization target such as `text/plain` where the string is guaranteed to be serialized without any further escaping, these fields are also safe to use. + +For other serialization targets, the ambiguity of the phrase "naturally be represented in JSON or YAML," as well as past errors in the parameter style examples table, have resulted in inconsistencies in the support and usage of these fields. +In practice, this has resulted in the `value` and shorthand `example` fields having implementation-defined behavior for non-JSON targets; OAD authors SHOULD use other fields to ensure interoperability. + +###### Choosing Which Field(s) to Use + +Keeping in mind the caveats from the previous section, and that the shorthand `example` can be used in place of `value` if there is only one Example Object involved, use the following guidelines to determine which field to use. + +To show an example as it would be validated by a Schema Object: + +* Use the Schema Object's `examples` array (from JSON Schema draft 2020-12) if the intent is to keep the example with the validating schema. + * Use the Schema Object's `example` (singular) only if compatibility with OAS v3.0 or earlier is required. +* Use the Example Object's `dataValue` field if the intent is to associate the example with an example of its serialization, or if it is desirable to maintain it separately from the schema. + * Use the Example Object's `value` field only if compatibility with OAS v3.1 or earlier is needed and the value can be "naturally represented in JSON or YAML" without any changes (such as percent-encoding) between the validation-ready value and the serialized representation. -The mutually exclusive fields in the Parameter, Header, or Media Type Objects are used to show example values which SHOULD both match the schema and be formatted as they would appear as a serialized parameter, serialized header, or within a media type representation. -The exact serialization and encoding is determined by various fields in the Parameter Object, Header Object, or in the Media Type Object's [Encoding Object](#encoding-object). +To show an example as it would be serialized in order to construct an HTTP/1.1 message: -The singular `example` field in the Parameter, Header, or Media Type Object is concise and convenient for simple examples, but does not offer any other advantages over using Example Objects under `examples`. +* Use the Example Object's `serializedValue` if the serialization can be represented as a valid Unicode string, and there is no need to demonstrate the exact character encoding to be used. + * Use the string form of `value` only if compatibility with OAS v3.1 or earlier is needed. +* Use the Example Object's `externalValue` for all other values, or if it is desirable to maintain the example separately from the OpenAPI document. + +The `serializedValue` and `externalValue` fields both MUST show the serialized form of the data. +For Media Type Objects, this is a document of the appropriate media type, with any Encoding Object effects applied. +For Parameter and Header Objects using `schema` and `style` rather than a Media Type Object, see [Style Examples](#style-examples) for what constitutes a serialized value. + +###### Criteria for `serializedExample` + +A serialization can be represented as a valid Unicode string in `serializedValue` if any of the following are true of the serialization: + +* It is for a media type that supports a `charset` parameter that indicates a Unicode encoding such as UTF-8, or any valid subset of such an encoding, such as US-ASCII. +* It is for a format (such as URIs or HTTP fields) or character-based media type that requires or defaults to a Unicode encoding such as UTF-8, or any valid subset of such an encoding, such as US-ASCII, and this is not overridden by `charset`. +* It is for a compound format where all parts meet at least one of the above criteria, e.g. a `multipart/mixed` media type with parts that are `application/json` (a media type that defaults to UTF-8) and `application/xml; charset=utf-8` (a media type with an explicit `charset` parameter). + +For `externalValue`, if the character set is neither explicitly stated nor determined by the format or media type specification, implementations SHOULD assume UTF-8. + +###### Validating Examples + +Tooling implementations MAY choose to validate compatibility automatically, and reject the example value(s) if incompatible. +For examples that are in schema-ready data form, this is straightforward. -Some examples cannot be represented directly in JSON or YAML. -For all three ways of providing examples, these can be shown as string values with any escaping necessary to make the string valid in the JSON or YAML format of documents that comprise the OpenAPI Description. -With the Example Object, such values can alternatively be handled through the `externalValue` field. +With serialized examples, some formats allow multiple possible valid representations of the same data, including in scenarios noted in [Appendix B](#appendix-b-data-type-conversion). +In some cases, parsing the serialized example and validating the resulting data can eliminate the ambiguity, but in a few cases parsing is also ambiguous. +Therefore, OAD authors are cautioned that validation of certain serialized examples is by necessity a best-effort feature. ##### Example Object Examples diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 9990fefb67..6c034eeb0a 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -641,14 +641,30 @@ $defs: type: string description: type: string + dataValue: true + serializedValue: + type: string value: true externalValue: type: string format: uri-reference - not: - required: - - value - - externalValue + allOf: + - not: + required: + - value + - externalValue + - not: + required: + - value + - dataValue + - not: + required: + - value + - serializedValue + - not: + required: + - serializedValue + - externalValue $ref: '#/$defs/specification-extensions' unevaluatedProperties: false diff --git a/tests/schema/fail/example-object-old-exclusions.yaml b/tests/schema/fail/example-object-old-exclusions.yaml new file mode 100644 index 0000000000..37be07da1c --- /dev/null +++ b/tests/schema/fail/example-object-old-exclusions.yaml @@ -0,0 +1,10 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 + +components: + examples: + CannotHaveBoth: + value: foo + externalValue: https://example.com/foo diff --git a/tests/schema/fail/example-object-old-vs-data.yaml b/tests/schema/fail/example-object-old-vs-data.yaml new file mode 100644 index 0000000000..f52e7feb0e --- /dev/null +++ b/tests/schema/fail/example-object-old-vs-data.yaml @@ -0,0 +1,10 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 + +components: + examples: + NoValueWithDataValue: + value: foo + dataValue: foo diff --git a/tests/schema/fail/example-object-old-vs-ser.yaml b/tests/schema/fail/example-object-old-vs-ser.yaml new file mode 100644 index 0000000000..43ba991e4e --- /dev/null +++ b/tests/schema/fail/example-object-old-vs-ser.yaml @@ -0,0 +1,10 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 + +components: + examples: + CannotHaveBoth: + value: foo + serializedValue: foo diff --git a/tests/schema/fail/example-object-ser-exclusions.yaml b/tests/schema/fail/example-object-ser-exclusions.yaml new file mode 100644 index 0000000000..3a6bc01e21 --- /dev/null +++ b/tests/schema/fail/example-object-ser-exclusions.yaml @@ -0,0 +1,10 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 + +components: + examples: + CannotHaveBoth: + serializedValue: foo + externalValue: https://example.com/foo diff --git a/tests/schema/pass/example-object-examples.yaml b/tests/schema/pass/example-object-examples.yaml index 61d6b347ee..5971028051 100644 --- a/tests/schema/pass/example-object-examples.yaml +++ b/tests/schema/pass/example-object-examples.yaml @@ -60,4 +60,5 @@ components: examples: jsonFormValue: description: 'The JSON string "json" as a form value' - value: jsonValue=%22json%22 + dataValue: json + serializedValue: jsonValue=%22json%22 From d2a6d082793583fbdb43e09d4fcfeba607285cfb Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 11 Jul 2025 16:58:05 -0700 Subject: [PATCH 224/342] Explain Param and Header example serialization The rules for this have not been clear, and are not always intuitive. This states and explains them directly and ensures that the Style Examples table matches the rules. Unlike past efforts, this provides a rule system regarding what is and is not included, based on a combination of what is produced by RFC6570 (or the nearest RFC6570 equivalent), modified by removing leading delimiters that are not correct for our usage due to differences from the assuptions made by RFC6570. This also shows some uses of the new Example Object fields, including some that would be redundant but are included to clarify the different options; the redundancy is noted in the text. --- src/oas.md | 36 +++++++++++++++++++++++++++--------- 1 file changed, 27 insertions(+), 9 deletions(-) diff --git a/src/oas.md b/src/oas.md index 985304f993..d5998deb40 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1030,9 +1030,28 @@ In order to support common ways of serializing simple parameters, a set of `styl See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a discussion of percent-encoding, including when delimiters need to be percent-encoded and options for handling collisions with percent-encoded data. +##### Serialization and Examples + +The rules in this section apply to both the Parameter and [Header](#header-object) Objects, both of which use the same mechanisms. + +When showing serialized examples, such as with the [Example Object's](#example-object) `serializedValue` or `externalValue` fields, in most cases the value to show is just the value, with all relevant percent-encoding or other encoding/escaping applied, and also including any delimiters produced by the `style` and `explode` configuration. + +In cases where the name is an inherent part of constructing the serialization, such as the `name=value` pairs produced by `style: "form"` or the combination of `style: "simple", explode: true`, the name and any delimiter between the name and value MUST be included. + +The `matrix` and `label` styles produce a leading delimiter which is always a valid part of the serialization and MUST be included. +The RFC6570 operators corresponding to `style: "form"` produces a leading delimiter of either `?` or `&` depending on the exact syntax used. +As the suitability of either delimiter depends on where in the query string the parameter occurs, as well as whether it is in a URI or in `application/x-www-form-urlencoded` content, this leading delimiter MUST NOT be included in examples of individual parameters or media type documents. +For `in: "cookie", style: "form"`, neither the `&` nor `?` delimiters are ever correct; see [Appendix D: Serializing Headers and Cookies](#appendix-d-serializing-headers-and-cookies) for more details. + +For headers, the header name MUST NOT be included as part of the serialization, as it is never part of the RFC6570-derived result. +However, names produced by `style: "simple", explode: "true"` are included as they appear within the header value, not as separate headers. +See the [Header Object](#header-object) for special rules for showing examples of the `Set-Cookie` response header, which violates the normal rules for multiple header values. + +The following section illustrates these rules. + ##### Style Examples -Assume a parameter named `color` has one of the following values: +Assume a parameter named `color` has one of the following values, where the value to the right of the `->` is what would be shown in the `dataValue` field of an Example Object: ```js string -> "blue" @@ -1040,13 +1059,12 @@ Assume a parameter named `color` has one of the following values: object -> { "R": 100, "G": 200, "B": 150 } ``` -The following table shows examples, as would be shown with the `example` or `examples` keywords, of the different serializations for each value. +The following table shows serialized examples, as would be shown with the `serializedValue` field of an Example Object, of the different serializations for each value. * The value _empty_ denotes the empty string, and is unrelated to the `allowEmptyValue` field * The behavior of combinations marked _n/a_ is undefined * The `undefined` column replaces the `empty` column in previous versions of this specification in order to better align with [RFC6570](https://www.rfc-editor.org/rfc/rfc6570.html#section-2.3) terminology, which describes certain values including but not limited to `null` as "undefined" values with special handling; notably, the empty string is _not_ undefined -* For `form` and the non-RFC6570 query string styles `spaceDelimited`, `pipeDelimited`, and `deepObject`, each example is shown prefixed with `?` as if it were the only query parameter; see [Appendix C](#appendix-c-using-rfc6570-based-serialization) for more information on constructing query strings from multiple parameters, and [Appendix D](#appendix-d-serializing-headers-and-cookies) for warnings regarding `form` and cookie parameters -* Note that the `?` prefix is not appropriate for serializing `application/x-www-form-urlencoded` HTTP message bodies, and MUST be stripped or (if constructing the string manually) not added when used in that context; see the [Encoding Object](#encoding-object) for more information +* For `form` and the non-RFC6570 query string styles `spaceDelimited`, `pipeDelimited`, and `deepObject`, see [Appendix C](#appendix-c-using-rfc6570-based-serialization) for more information on constructing query strings from multiple parameters, and [Appendix D](#appendix-d-serializing-headers-and-cookies) for warnings regarding `form` and cookie parameters * The examples are percent-encoded as required by RFC6570 and RFC3986; see [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a thorough discussion of percent-encoding concerns, including why unencoded `|` (`%7C`), `[` (`%5B`), and `]` (`%5D`) seem to work in some environments despite not being compliant. | [`style`](#style-values) | `explode` | `undefined` | `string` | `array` | `object` | @@ -1057,14 +1075,14 @@ The following table shows examples, as would be shown with the `example` or `exa | label | true | . | .blue | .blue.black.brown | .R=100.G=200.B=150 | | simple | false | _empty_ | blue | blue,black,brown | R,100,G,200,B,150 | | simple | true | _empty_ | blue | blue,black,brown | R=100,G=200,B=150 | -| form | false | ?color= | ?color=blue | ?color=blue,black,brown | ?color=R,100,G,200,B,150 | -| form | true | ?color= | ?color=blue | ?color=blue&color=black&color=brown | ?R=100&G=200&B=150 | -| spaceDelimited | false | _n/a_ | _n/a_ | ?color=blue%20black%20brown | ?color=R%20100%20G%20200%20B%20150 | +| form | false | color= | color=blue | color=blue,black,brown | color=R,100,G,200,B,150 | +| form | true | color= | color=blue | color=blue&color=black&color=brown | R=100&G=200&B=150 | +| spaceDelimited | false | _n/a_ | _n/a_ | color=blue%20black%20brown | color=R%20100%20G%20200%20B%20150 | | spaceDelimited | true | _n/a_ | _n/a_ | _n/a_ | _n/a_ | -| pipeDelimited | false | _n/a_ | _n/a_ | ?color=blue%7Cblack%7Cbrown | ?color=R%7C100%7CG%7C200%7CB%7C150 | +| pipeDelimited | false | _n/a_ | _n/a_ | color=blue%7Cblack%7Cbrown | color=R%7C100%7CG%7C200%7CB%7C150 | | pipeDelimited | true | _n/a_ | _n/a_ | _n/a_ | _n/a_ | | deepObject | false | _n/a_ | _n/a_ | _n/a_ | _n/a_ | -| deepObject | true | _n/a_ | _n/a_ | _n/a_ | ?color%5BR%5D=100&color%5BG%5D=200&color%5BB%5D=150 | +| deepObject | true | _n/a_ | _n/a_ | _n/a_ | color%5BR%5D=100&color%5BG%5D=200&color%5BB%5D=150 | ##### Extending Support for Querystring Formats From 62751e7b2251c366649f27329d3f8c6271633776 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 11 Jul 2025 16:56:39 -0700 Subject: [PATCH 225/342] Parameter and Header example updates This updates for both the new example fields and for examples with `content` --- src/oas.md | 120 +++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 107 insertions(+), 13 deletions(-) diff --git a/src/oas.md b/src/oas.md index 985304f993..7123ba5562 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1081,7 +1081,7 @@ Two avenues are available for supporting such formats with `in: "querystring"`: A header parameter with an array of 64-bit integer numbers: ```yaml -name: token +name: X-Token in: header description: token to be passed as a header required: true @@ -1091,6 +1091,10 @@ schema: type: integer format: int64 style: simple +examples: + Tokens: + dataValue: [12345678, 90099] + serializedValue: "12345678,90099" ``` A path parameter of a string value: @@ -1102,14 +1106,25 @@ description: username to fetch required: true schema: type: string +examples: + "Edsger Dijkstra": + dataValue: edijkstra + serializedValue: edijkstra + Diṅnāga: + dataValue: diṅnāga + serializedValue: di%E1%B9%85n%C4%81ga +examples: + Al-Khwarizmi: + dataValue: "الخوارزميّ" + serializedValue: "%D8%A7%D9%84%D8%AE%D9%88%D8%A7%D8%B1%D8%B2%D9%85%D9%8A%D9%91" ``` -An optional query parameter of a string value, allowing multiple values by repeating the query parameter: +An optional query parameter of a integer value, allowing multiple values by repeating the query parameter +(Note that we use `"%20"` in place of `" "` (space) because that is how RFC6570 handles it; for guidance on using `+` to represent the space character, see [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for more guidance on these escaping options): ```yaml -name: id +name: thing in: query -description: ID of the object to fetch required: false schema: type: array @@ -1117,9 +1132,13 @@ schema: type: string style: form explode: true +examples: + ObjectList: + dataValue: ["one thing", "another thing"] + serializedValue: "thing=one%20thing&thing=another%20thing" ``` -A free-form query parameter, allowing undefined parameters of a specific type: +A free-form query parameter, allowing arbitrary parameters of a `type: "integer"`: ```yaml in: query @@ -1129,9 +1148,16 @@ schema: additionalProperties: type: integer style: form +examples: + Pagination: + dataValue: { + "page": 4, + "pageSize": 50 + } + serializeValue: page=4&pageSize=50 ``` -A complex parameter using `content` to define serialization: +A complex parameter using `content` to define serialization, with multiple levels and types of examples shown to make the example usage options clear — note that `dataValue` is the same at both levels and does not need to be shown in both places in normal usage, but `serializedValue` is different: ```yaml in: query @@ -1148,9 +1174,56 @@ content: type: number long: type: number + examples: + dataValue: { + "lat": 10, + "long": 60 + } + serializedValue: '{"lat":10,"long":60}' +examples: + dataValue: { + "lat": 10, + "long": 60 + } + serializedValue: coordinates=%7B%22lat%22%3A10%2C%22long%22%3A60%7D +``` + +A querystring parameter using regular form encoding, but managed with a Media Type Object. +This shows spaces being handled per the `application/x-www-form-urlencoded` media type rules (encode as `+`) rather than the RFC6570 process (encode as `%20`); see [Appendix E](appendix-e-percent-encoding-and-form-media-types) for further guidance on this distinction. +Examples are shown at both the media type and parameter level to emphasize that, since `application/x-www-form-urlencoded` is suitable for use in query strings by definition, no further encoding or escaping is applied to the serialized media type value: + +```yaml +in: querystring +content: + application/x-www-form-urlencoded: + schema: + type: object + properties: + foo: + type: string + bar: + type: boolean + examples: + spacesAndPluses: + description: Note handling of spaces and "+" per media type. + dataValue: + foo: a + b + bar: true + serializedValue: foo=a+%2B+b&bar=true +examples: + spacesAndPluses: + description: | + Note that no additional percent encoding is done, as this + media type is URI query string-ready by definition. + dataValue: + foo: a + b + bar: true + serializedValue: foo=a+%2B+b&bar=true ``` -A querystring parameter that uses JSON for the entire string (not as a single query parameter value): +A querystring parameter that uses JSON for the entire string (not as a single query parameter value). +The `dataValue` field is shown at both levels to fully illustrate both ways of providing an example. +As seen below, this is redundant and need not be done in practice: ```yaml in: querystring @@ -1158,22 +1231,39 @@ name: json content: application/json: schema: - # Allow an arbitrary JSON object to keep - # the example simple type: object - example: { + properties: + numbers: + type: array + items: + type: integer + flag: + type: [boolean, "null"] + examples: + TwoNoFlag: + description: Serialize with minimized whitespace + dataValue: { + "numbers": [1, 2], + "flag": null + } + serializedValue: '{"numbers":[1,2],"flag":null}' +examples: + TwoNoFlag: + dataValue: { "numbers": [1, 2], "flag": null } + serializedValue: "%7B%22numbers%22%3A%5B1%2C2%5D%2C%22flag%22%3Anull%7D" ``` -Assuming a path of `/foo`, a server of `https://example.com`, the full URL incorporating the value from the `example` field (with whitespace minimized) would be: +Assuming a path of `/foo`, a server of `https://example.com`, the full URL incorporating the value from `serializedValue` would be: ```uri https://example.com/foo?%7B%22numbers%22%3A%5B1%2C2%5D%2C%22flag%22%3Anull%7D ``` -A querystring parameter that uses JSONPath: +A querystring parameter that uses JSONPath. +Note that in this example we not only do not repeat `dataValue`, but we use the shorthand `example` because the `application/jsonpath` value is a string that, at the media type level, is serialized as-is: ```yaml in: querystring @@ -1183,11 +1273,14 @@ content: schema: type: string example: $.a.b[1:1] +examples: + Selector: + serializedValue: "%24.a.b%5B1%3A1%5D" ``` As there is not, as of this writing, a [registered](#media-type-registry) mapping between the JSON Schema data model and JSONPath, the details of the string's allowed structure would need to be conveyed either in a human-readable `description` field, or through a mechanism outside of the OpenAPI Description, such as a JSON Schema for the data structure to be queried. -Assuming a path of `/foo` and a server of `https://example.com`, the full URL incorporating the value from the `example` field would be: +Assuming a path of `/foo` and a server of `https://example.com`, the full URL incorporating the value from `serializedValue` would be: ```uri https://example.com/foo?%24.a.b%5B1%3A1%5D @@ -2545,6 +2638,7 @@ ETag: schema: type: string pattern: ^" + example: xyzzx ``` #### Tag Object From 6faaed3299ac3b287a9e97c83779e159a003738b Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 18 Jul 2025 14:45:39 -0700 Subject: [PATCH 226/342] No new external fields. --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index 47d9a16913..d963ba1790 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2174,7 +2174,7 @@ content: ###### Binary Examples -Fully binary data is shown using `serializedDataValue`: +Fully binary data is shown using `externalValue`: ```yaml content: @@ -2182,7 +2182,7 @@ content: schema: {} examples: Red: - serializedDataValue: ./examples/2-by-2-red-pixels.png + externalValue: ./examples/2-by-2-red-pixels.png ``` ###### Boolean Query Parameter Examples From 042e70884b3895811d7354d9923d2b4bd6176670 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 12 Jul 2025 16:36:49 -0700 Subject: [PATCH 227/342] Allow Parameter/Header examples w/content Parameter and Header serialization is complex, particularly when using the `content` field to use a Media Type Object. In such scenarios, the serialization occurs in two steps: The first step is to serialize the data to the media type, which can be captured by the `examples` field of the Media Type Object. The second is the encoding/escaping of the media type document for use in a URI, HTTP header, or other location with its own rules. Sometimes the part needing illustration with an example is at one level, sometimes at another, and sometimes it is helpful to show both. For simplicity, the "data" examples are always treated as the overall input data, so they would be the same at both levels. This is also because it is not always possible to show each step, particularly when there are binary serializations. This allows showing either step (or both steps) with both data and serialization, depending on what makes sense for the use case. --- src/oas.md | 16 +++++++++------- src/schemas/validation/schema.yaml | 7 +++++-- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/src/oas.md b/src/oas.md index 985304f993..4a379a038b 100644 --- a/src/oas.md +++ b/src/oas.md @@ -968,6 +968,8 @@ See [Appendix B](#appendix-b-data-type-conversion) for a discussion of convertin ###### Common Fixed Fields These fields MAY be used with either `content` or `schema`. +When `example` or `examples` are provided in conjunction with the `schema` field, the example SHOULD match the specified schema and follow the prescribed serialization strategy for the parameter. +The `example` and `examples` fields are mutually exclusive. | Field Name | Type | Description | | ---- | :----: | ---- | @@ -977,6 +979,8 @@ These fields MAY be used with either `content` or `schema`. | required | `boolean` | Determines whether this parameter is mandatory. If the [parameter location](#parameter-in) is `"path"`, this field is **REQUIRED** and its value MUST be `true`. Otherwise, the field MAY be included and its default value is `false`. | | deprecated | `boolean` | Specifies that a parameter is deprecated and SHOULD be transitioned out of usage. Default value is `false`. | | allowEmptyValue | `boolean` | If `true`, clients MAY pass a zero-length string value in place of parameters that would otherwise be omitted entirely, which the server SHOULD interpret as the parameter being unused. Default value is `false`. If [`style`](#parameter-style) is used, and if [behavior is _n/a_ (cannot be serialized)](#style-examples), the value of `allowEmptyValue` SHALL be ignored. Interactions between this field and the parameter's [Schema Object](#schema-object) are implementation-defined. This field is valid only for `query` parameters.

**Deprecated:** Use of this field is NOT RECOMMENDED, and it is likely to be removed in a later revision. | +| example | Any | Example of the parameter's potential value; see [Working With Examples](#working-with-examples). | +| examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the parameter's potential value; see [Working With Examples](#working-with-examples). | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -985,8 +989,6 @@ Note that while `"Cookie"` as a `name` is not forbidden if `in` is `"header"`, t ###### Fixed Fields for use with `schema` For simpler scenarios, a [`schema`](#parameter-schema) and [`style`](#parameter-style) can describe the structure and syntax of the parameter. -When `example` or `examples` are provided in conjunction with the `schema` field, the example SHOULD match the specified schema and follow the prescribed serialization strategy for the parameter. -The `example` and `examples` fields are mutually exclusive. These fields MUST NOT be used with `in: "querystring"`. @@ -998,8 +1000,6 @@ Serializing with `schema` is NOT RECOMMENDED for `in: "cookie"` parameters, `in: | explode | `boolean` | When this is true, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters this field has no effect. When [`style`](#parameter-style) is `"form"`, the default value is `true`. For all other styles, the default value is `false`. Note that despite `false` being the default for `deepObject`, the combination of `false` with `deepObject` is undefined. | | allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed by the rules of the `in` destination or media type, or are [not allowed in the path by this specification](#path-templating); see Appendices [C](#appendix-c-using-rfc6570-based-serialization) and [E](#appendix-e-percent-encoding-and-form-media-types) for details. The default value is `false`. | | schema | [Schema Object](#schema-object) | The schema defining the type used for the parameter. | -| example | Any | Example of the parameter's potential value; see [Working With Examples](#working-with-examples). | -| examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the parameter's potential value; see [Working With Examples](#working-with-examples). | See also [Appendix C: Using RFC6570-Based Serialization](#appendix-c-using-rfc6570-based-serialization) for additional guidance. @@ -2423,11 +2423,16 @@ The Header Object follows the structure of the [Parameter Object](#parameter-obj These fields MAY be used with either `content` or `schema`. +When `example` or `examples` are provided in conjunction with the `schema` field, the example SHOULD match the specified schema and follow the prescribed serialization strategy for the header. +The `example` and `examples` fields are mutually exclusive. + | Field Name | Type | Description | | ---- | :----: | ---- | | description | `string` | A brief description of the header. This could contain examples of use. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | required | `boolean` | Determines whether this header is mandatory. The default value is `false`. | | deprecated | `boolean` | Specifies that the header is deprecated and SHOULD be transitioned out of usage. Default value is `false`. | +| example | Any | Example of the header's potential value; see [Working With Examples](#working-with-examples). | +| examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the header's potential value; see [Working With Examples](#working-with-examples). | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -2440,9 +2445,6 @@ Serializing headers with `schema` can be problematic due to the URI percent-enco The `allowReserved` field can disable most but not all of this behavior. See [Appendix D](#appendix-d-serializing-headers-and-cookies) for details and further guidance. -When `example` or `examples` are provided in conjunction with the `schema` field, the example SHOULD match the specified schema and follow the prescribed serialization strategy for the header. -The `example` and `examples` fields are mutually exclusive. - | Field Name | Type | Description | | ---- | :----: | ---- | | style | `string` | Describes how the header value will be serialized. The default (and only legal value for headers) is `"simple"`. | diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 9990fefb67..69d80e216d 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -366,6 +366,8 @@ $defs: - required: - content allOf: + - $ref: '#/$defs/examples' + - $ref: '#/$defs/specification-extensions' - if: properties: in: @@ -403,7 +405,6 @@ $defs: default: false type: boolean allOf: - - $ref: '#/$defs/examples' - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-path' - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-header' - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-query' @@ -474,7 +475,6 @@ $defs: default: form const: form - $ref: '#/$defs/specification-extensions' unevaluatedProperties: false parameter-or-reference: @@ -733,6 +733,9 @@ $defs: type: boolean $ref: '#/$defs/examples' $ref: '#/$defs/specification-extensions' + allOf: + - $ref: '#/$defs/examples' + - $ref: '#/$defs/specification-extensions' unevaluatedProperties: false header-or-reference: From a0502e7fba00219797b036778d827afbbec11ac0 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 18 Jul 2025 15:07:11 -0700 Subject: [PATCH 228/342] No new external fields for the Example Object --- src/oas.md | 49 ++++++++++++++++++++++++------------------------- 1 file changed, 24 insertions(+), 25 deletions(-) diff --git a/src/oas.md b/src/oas.md index 1d162e06ee..afdad29e74 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3274,7 +3274,7 @@ For examples using `attribute` or `wrapped`, please see version 3.1 of the OpenA ###### No XML Object -Basic string property without an XML Object, using `serializedValue` (the remaining examples will use `externalSerializedValue` so that the XML form can be shown with syntax highlighting): +Basic string property without an XML Object, using `serializedValue` (the remaining examples will use `externalValue` so that the XML form can be shown with syntax highlighting): ```yaml application/xml: @@ -3312,7 +3312,7 @@ application/xml: pets: dataValue: animals: [dog, cat, hamster] - externalSerializedValue: ./examples/pets.xml + externalValue: ./examples/pets.xml ``` Where `./examples/pets.xml` would be: @@ -3342,7 +3342,7 @@ application/xml: pets: dataValue: animals: [dog, cat, hamster] - externalSerializedValue: ./examples/pets.xml + externalValue: ./examples/pets.xml ``` Where `./examples/pets.xml` would be: @@ -3386,7 +3386,7 @@ components: dataValue: id: 123 name: example - externalSerializedValue: ./examples/Person.xml + externalValue: ./examples/Person.xml ``` Where `./examples/Person.xml` would be: @@ -3418,7 +3418,7 @@ application/xml: pets: dataValue: animals: [dog, cat, hamster] - externalSerializedValue: ./examples/pets.xml + externalValue: ./examples/pets.xml ``` Where `./examples/pets.xml` would be: @@ -3452,7 +3452,7 @@ application/xml: pets: dataValue: animals: [dog, cat, hamster] - externalSerializedValue: ./examples/pets.xml + externalValue: ./examples/pets.xml ``` Where `./examples/pets.xml` would be: @@ -3484,7 +3484,7 @@ application/xml: pets: dataValue: animals: [dog, cat, hamster] - externalSerializedValue: ./examples/pets.xml + externalValue: ./examples/pets.xml ``` Where `./examples/pets.xml` would be: @@ -3520,7 +3520,7 @@ application/xml: pets: dataValue: animals: [dog, cat, hamster] - externalSerializedValue: ./examples/pets.xml + externalValue: ./examples/pets.xml ``` Where `./examples/pets.xml` would be: @@ -3557,7 +3557,7 @@ application/xml: pets: dataValue: animals: [dog, cat, hamster] - externalSerializedValue: ./examples/pets.xml + externalValue: ./examples/pets.xml ``` Where `./examples/pets.xml` would be: @@ -3592,7 +3592,7 @@ application/xml: pets: dataValue: animals: [dog, cat, hamster] - externalSerializedValue: ./examples/pets.xml + externalValue: ./examples/pets.xml ``` Where `./examples/pets.xml` would be: @@ -3671,7 +3671,7 @@ components: docs: dataValue: content: Awesome Docs - externalSerializedValue: ./examples/docs.xml + externalValue: ./examples/docs.xml ``` Where `./examples/docs.xml` would be: @@ -3682,7 +3682,7 @@ Where `./examples/docs.xml` would be: ``` -Alternatively, the named root element could be set at the point of use and the root element disabled on the component: +Alternatively, the named root element could be set at the point of use and the root element disabled on the component (note that in this example, the same `dataValue` is used in two places with different serializations shown with `externalValue`): ```yaml paths: @@ -3699,8 +3699,10 @@ paths: $ref: "#/components/schemas/Documentation" examples: stored: - externalDataValue: ./examples/content.json - externalSerializedValue: ./examples/stored.xml + dataValue: { + "content": "Awesome Docs" + } + externalValue: ./examples/stored.xml put: requestBody: required: true @@ -3713,8 +3715,10 @@ paths: $ref: "#/components/schemas/Documentation" examples: updated: - externalDataValue: ./examples/content.json - externalSerializedValue: ./examples/updated.xml + dataValue: { + "content": "Awesome Docs" + } + externalValue: ./examples/updated.xml responses: "201": {} components: @@ -3733,11 +3737,6 @@ components: where `./examples/content.json` would be: -```json -{ - "content": "Awesome Docs" -} -``` `./examples/stored.xml` would be: @@ -3806,7 +3805,7 @@ application/xml: }, null ] - externalSerializedValue: ./examples/OneTwoThree.xml + externalValue: ./examples/OneTwoThree.xml ``` Where `./examples/OneTwoThree.xml` would be: @@ -3845,7 +3844,7 @@ application/xml: 42, "Some postamble text." ] - externalSerializedValue: ./examples/Report.xml + externalValue: ./examples/Report.xml ``` Where `./examples/Report.xml` would be: @@ -3894,14 +3893,14 @@ examples: "description": "Thing", "related": null } - externalSerializedValue: ./examples/productWithNulls.xml + externalValue: ./examples/productWithNulls.xml productNoNulls: dataValue: { "count": 42, "description: "Thing" "related": {} } - externalSerializedValue: ./examples/productNoNulls.xml + externalValue: ./examples/productNoNulls.xml ``` Where `./examples/productWithNulls.xml` would be: From 7c98128aeb04de79caf03ac47de4ce4aaf62ef85 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 23 Jun 2025 13:46:33 -0700 Subject: [PATCH 229/342] Provide guidance for Set-Cookie The Set-Cookie response header breaks the normal rules for headers with multiple values and requires special handling. --- src/oas.md | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) diff --git a/src/oas.md b/src/oas.md index 985304f993..ec8149786e 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2524,6 +2524,72 @@ components: $ref: '#/components/mediaTypes/CollectionLinks' ``` +##### Representing the `Set-Cookie` Header + +As noted in [[!RFC9110]] [Section 5.3](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.3) the `Set-Cookie` response header violates the requirements for representing multiple values as a comma-separated list, as `style: "simple"` produces. + +```http +Set-Cookie: lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT +Set-Cookie: foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT +``` + +If these values were to be place on a single line using `style: "simple"`, the result would be `lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT,foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT`, which when split would then produce four values: `lang=en-US; Expires=Wed`, `09 Jun 2021 10:18:14 GMT`, `foo=bar; Expires=Wed`, and `09 Jun 2021 10:18:14 GMT`. +While the two dates (`09...`) are not valid `Set-Cookie` values on their own, [[?RFC6265]] does not provide any guarantee that all such embedded uses of commas will produce detectable errors when split in this way. + +RFC9110 therefore advises recipients to 'handle "Set-Cookie" as a special case while processing fields,' so the OAS similarly special-cases its handling of `Set-Cookie` as follows: + +For the `Set-Cookie` response header _**only**_, `style: "simple"` MUST be treated as producing a newline-delimited list instead of a comma-separated list, with each line corresponding to the value of a single `Set-Cookie:` header field. +This newline-delimited format MUST be used whenever a string representing the values is required, including in the [Example Object's](#example-object) serialized example fields, and when using `content` with a `text/plain` [Media Type Object](#media-type-object) as is necessary to prevent percent-encoding whitespace. + +The following example shows two different ways to describe `Set-Cookie` headers that require cookies named `"lang"` and `"foo"`. The first uses `content` to preserve the necessary whitespace in the `"Expires"` cookie attribute, while the second shows the use of `style: "simple"` and forbids whitespace to ensure that values work with this serialization approach: + +```yaml +components: + headers: + SetCookieWithExpires: + # Spaces within the Expires values prevent the use of `schema` and + # `style` as they would be percent-encoded, even with `allowReserved`. + content: + text/plain: + schema: + type: string + allOf: + - pattern: "^lang=[^;];.*Expires=" + - pattern: "^foo=[^;];.*Expires=" + examples: + WithExpires: + # This demonstrates that the text is required to be provided + # in the final format, and is not changed by serialization. + # In practice, it is not necessary to show both fields here. + dataValue: | + lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT + foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT + serializedValue: | + lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT + foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT + SetCookieWithNoSpaces: + schema: + type: object + required: + - lang + - foo + additionalProperties: + type: string + pattern: "^[^[:space:]]$" + style: simple + explode: true + allowReserved: true # "=", ";", and " " are reserved + examples: + SetCookies: + dataValue: { + "lang": "en-US", + "foo": "bar" + } + serializedValue: | + lang=en-US + foo=bar +``` + ##### Header Object Example A simple header of type `integer`: From d2d0badc9ba9002be3f70890336197a805e9000f Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Mon, 30 Jun 2025 10:14:03 -0700 Subject: [PATCH 230/342] Fix typo Co-authored-by: Phil Sturgeon <67381+philsturgeon@users.noreply.github.com> --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index ec8149786e..3bf14fdf8b 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2533,7 +2533,7 @@ Set-Cookie: lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT Set-Cookie: foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT ``` -If these values were to be place on a single line using `style: "simple"`, the result would be `lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT,foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT`, which when split would then produce four values: `lang=en-US; Expires=Wed`, `09 Jun 2021 10:18:14 GMT`, `foo=bar; Expires=Wed`, and `09 Jun 2021 10:18:14 GMT`. +If these values were to be placed on a single line using `style: "simple"`, the result would be `lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT,foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT`, which when split would then produce four values: `lang=en-US; Expires=Wed`, `09 Jun 2021 10:18:14 GMT`, `foo=bar; Expires=Wed`, and `09 Jun 2021 10:18:14 GMT`. While the two dates (`09...`) are not valid `Set-Cookie` values on their own, [[?RFC6265]] does not provide any guarantee that all such embedded uses of commas will produce detectable errors when split in this way. RFC9110 therefore advises recipients to 'handle "Set-Cookie" as a special case while processing fields,' so the OAS similarly special-cases its handling of `Set-Cookie` as follows: From 1323840093d84d871b6ac5b6aa3510b2f1f77f89 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 4 Jul 2025 09:52:17 -0700 Subject: [PATCH 231/342] Explain when Set-Cookie workaround is needed Also remove a stray line from an example that didn't really hurt but wasn't needed and could have been confusing. --- src/oas.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index 3bf14fdf8b..9711bda9d9 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2536,7 +2536,11 @@ Set-Cookie: foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT If these values were to be placed on a single line using `style: "simple"`, the result would be `lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT,foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT`, which when split would then produce four values: `lang=en-US; Expires=Wed`, `09 Jun 2021 10:18:14 GMT`, `foo=bar; Expires=Wed`, and `09 Jun 2021 10:18:14 GMT`. While the two dates (`09...`) are not valid `Set-Cookie` values on their own, [[?RFC6265]] does not provide any guarantee that all such embedded uses of commas will produce detectable errors when split in this way. -RFC9110 therefore advises recipients to 'handle "Set-Cookie" as a special case while processing fields,' so the OAS similarly special-cases its handling of `Set-Cookie` as follows: +RFC9110 therefore advises recipients to 'handle "Set-Cookie" as a special case while processing fields,' so the OAS similarly special-cases its handling of `Set-Cookie`. + +When an OAS implementation is mapping directly between the multi-`Set-Cookie:` header line format and an array representation, without any intermediate single string holding the multiple values, no special handling is needed as the behavior is the same as for headers that can be either on a single line with comma-separated values or on multiple lines. + +However, if a multi-value text representation is needed, such as for a `text/plain` representation (using the `content` field) or in an Example Object, the following special handling is required: For the `Set-Cookie` response header _**only**_, `style: "simple"` MUST be treated as producing a newline-delimited list instead of a comma-separated list, with each line corresponding to the value of a single `Set-Cookie:` header field. This newline-delimited format MUST be used whenever a string representing the values is required, including in the [Example Object's](#example-object) serialized example fields, and when using `content` with a `text/plain` [Media Type Object](#media-type-object) as is necessary to prevent percent-encoding whitespace. @@ -2578,7 +2582,6 @@ components: pattern: "^[^[:space:]]$" style: simple explode: true - allowReserved: true # "=", ";", and " " are reserved examples: SetCookies: dataValue: { From 8d618d140e32b67f41366c3ab012ccc9c08ba87a Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Tue, 8 Jul 2025 14:33:45 -0700 Subject: [PATCH 232/342] Better wording and grammar Co-authored-by: Lorna Jane Mitchell --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 9711bda9d9..75ca83972c 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2536,7 +2536,7 @@ Set-Cookie: foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT If these values were to be placed on a single line using `style: "simple"`, the result would be `lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT,foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT`, which when split would then produce four values: `lang=en-US; Expires=Wed`, `09 Jun 2021 10:18:14 GMT`, `foo=bar; Expires=Wed`, and `09 Jun 2021 10:18:14 GMT`. While the two dates (`09...`) are not valid `Set-Cookie` values on their own, [[?RFC6265]] does not provide any guarantee that all such embedded uses of commas will produce detectable errors when split in this way. -RFC9110 therefore advises recipients to 'handle "Set-Cookie" as a special case while processing fields,' so the OAS similarly special-cases its handling of `Set-Cookie`. +RFC9110 therefore advises recipients to 'handle "Set-Cookie" as a special case while processing fields,' so the OAS similarly applies a special case to its handling of `Set-Cookie`. When an OAS implementation is mapping directly between the multi-`Set-Cookie:` header line format and an array representation, without any intermediate single string holding the multiple values, no special handling is needed as the behavior is the same as for headers that can be either on a single line with comma-separated values or on multiple lines. From 5a76ba6d94ea6660d48236bb2c4e950d268305f4 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 4 Jul 2025 09:52:17 -0700 Subject: [PATCH 233/342] Revamp with more examples and less explanation Explain when Set-Cookie workaround is needed Also remove a stray line from an example that didn't really hurt but wasn't needed and could have been confusing. --- src/oas.md | 39 ++++++++++++++++++++++++++++----------- 1 file changed, 28 insertions(+), 11 deletions(-) diff --git a/src/oas.md b/src/oas.md index 75ca83972c..10646a8a6b 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2526,24 +2526,27 @@ components: ##### Representing the `Set-Cookie` Header -As noted in [[!RFC9110]] [Section 5.3](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.3) the `Set-Cookie` response header violates the requirements for representing multiple values as a comma-separated list, as `style: "simple"` produces. +The `Set-Cookie` header is noted in [[!RFC9110]] [Section 5.3](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.3) as an exception to the normal rules of headers with multiple values. + +For most headers using the general syntax defined in RFC9110, the multiple-line and comma-separaed single-line forms are interchangeable, meaning that this: ```http -Set-Cookie: lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT -Set-Cookie: foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT +Accept-Encoding: compress;q=0.5 +Accept-Encoding: gzip;q=1.0 ``` -If these values were to be placed on a single line using `style: "simple"`, the result would be `lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT,foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT`, which when split would then produce four values: `lang=en-US; Expires=Wed`, `09 Jun 2021 10:18:14 GMT`, `foo=bar; Expires=Wed`, and `09 Jun 2021 10:18:14 GMT`. -While the two dates (`09...`) are not valid `Set-Cookie` values on their own, [[?RFC6265]] does not provide any guarantee that all such embedded uses of commas will produce detectable errors when split in this way. +is interchangeable with the one-line form that works well with the OAS's `style: "simple"` option: -RFC9110 therefore advises recipients to 'handle "Set-Cookie" as a special case while processing fields,' so the OAS similarly applies a special case to its handling of `Set-Cookie`. +```http +Accept-Encoding: compress;q=0.5,gzip;q=1.0 +``` -When an OAS implementation is mapping directly between the multi-`Set-Cookie:` header line format and an array representation, without any intermediate single string holding the multiple values, no special handling is needed as the behavior is the same as for headers that can be either on a single line with comma-separated values or on multiple lines. +The OAS models such multi-value headers using the one-line form as it matches the behavior of `style: "simple"`, and works well when using `content` as the values are completely separate from the header name, but it does not matter which form is used in an actual HTTP message. -However, if a multi-value text representation is needed, such as for a `text/plain` representation (using the `content` field) or in an Example Object, the following special handling is required: +As also noted in the RFC, `Set-Cookie` is an exception as it allows unquoted, non-escaped commas in its values, and can only use the one-value-per-line form. +For HTTP messages, this is purely a serialization concern, and no more of a problem than a message that uses the multi-line form of any other header. -For the `Set-Cookie` response header _**only**_, `style: "simple"` MUST be treated as producing a newline-delimited list instead of a comma-separated list, with each line corresponding to the value of a single `Set-Cookie:` header field. -This newline-delimited format MUST be used whenever a string representing the values is required, including in the [Example Object's](#example-object) serialized example fields, and when using `content` with a `text/plain` [Media Type Object](#media-type-object) as is necessary to prevent percent-encoding whitespace. +However, because examples and values modeled with `content` do not incorporate the header name, for these fields `Set-Cookie` MUST be handled by placing each value on a separate line, without the header name or the `:` delimiter. The following example shows two different ways to describe `Set-Cookie` headers that require cookies named `"lang"` and `"foo"`. The first uses `content` to preserve the necessary whitespace in the `"Expires"` cookie attribute, while the second shows the use of `style: "simple"` and forbids whitespace to ensure that values work with this serialization approach: @@ -2564,7 +2567,7 @@ components: WithExpires: # This demonstrates that the text is required to be provided # in the final format, and is not changed by serialization. - # In practice, it is not necessary to show both fields here. + # In practice, it is not necessary to show both value fields. dataValue: | lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT @@ -2593,6 +2596,20 @@ components: foo=bar ``` +In an HTTP message, the serialized example with Expires would look like: + +```http +Set-Cookie: lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GM +Set-Cookie: foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT +``` + +and the example without Expires would look like: + +```http +Set-Cookie: lang=en-US +Set-Cookie: foo=bar +``` + ##### Header Object Example A simple header of type `integer`: From f4927bfaec34350a844d97dc7bffeec8c0933593 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Sat, 19 Jul 2025 08:57:46 -0700 Subject: [PATCH 234/342] Apply suggestions from code review Co-authored-by: Ralf Handl --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index 7123ba5562..0aa31c0dee 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1119,7 +1119,7 @@ examples: serializedValue: "%D8%A7%D9%84%D8%AE%D9%88%D8%A7%D8%B1%D8%B2%D9%85%D9%8A%D9%91" ``` -An optional query parameter of a integer value, allowing multiple values by repeating the query parameter +An optional query parameter of a string value, allowing multiple values by repeating the query parameter (Note that we use `"%20"` in place of `" "` (space) because that is how RFC6570 handles it; for guidance on using `+` to represent the space character, see [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for more guidance on these escaping options): ```yaml @@ -1138,7 +1138,7 @@ examples: serializedValue: "thing=one%20thing&thing=another%20thing" ``` -A free-form query parameter, allowing arbitrary parameters of a `type: "integer"`: +A free-form query parameter, allowing arbitrary parameters of `type: "integer"`: ```yaml in: query From a7c9c0c34b486bfa7c9f60f5455e940c41ad38be Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 19 Jul 2025 10:36:43 -0700 Subject: [PATCH 235/342] Review feedback and maintainability Let's only explain the validation requirements in one place. Also, header example fields were supposed to be moved rather than duplicatd but I missed the removal of the old ones. --- src/oas.md | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/src/oas.md b/src/oas.md index 4a379a038b..57251555cc 100644 --- a/src/oas.md +++ b/src/oas.md @@ -968,8 +968,8 @@ See [Appendix B](#appendix-b-data-type-conversion) for a discussion of convertin ###### Common Fixed Fields These fields MAY be used with either `content` or `schema`. -When `example` or `examples` are provided in conjunction with the `schema` field, the example SHOULD match the specified schema and follow the prescribed serialization strategy for the parameter. -The `example` and `examples` fields are mutually exclusive. + +The `example` and `examples` fields are mutually exclusive; see [Working with Examples](#working-with-examples) for guidance on validation requirements. | Field Name | Type | Description | | ---- | :----: | ---- | @@ -2423,8 +2423,7 @@ The Header Object follows the structure of the [Parameter Object](#parameter-obj These fields MAY be used with either `content` or `schema`. -When `example` or `examples` are provided in conjunction with the `schema` field, the example SHOULD match the specified schema and follow the prescribed serialization strategy for the header. -The `example` and `examples` fields are mutually exclusive. +The `example` and `examples` fields are mutually exclusive; see [Working with Examples](#working-with-examples) for guidance on validation requirements. | Field Name | Type | Description | | ---- | :----: | ---- | @@ -2439,7 +2438,6 @@ This object MAY be extended with [Specification Extensions](#specification-exten ###### Fixed Fields for use with `schema` For simpler scenarios, a [`schema`](#header-schema) and [`style`](#header-style) can describe the structure and syntax of the header. -When `example` or `examples` are provided in conjunction with the `schema` field, the example MUST follow the prescribed serialization strategy for the header. Serializing headers with `schema` can be problematic due to the URI percent-encoding that is automatically applied, which would percent-encode characters such as `;` that are used to separate primary header values from their parameters. The `allowReserved` field can disable most but not all of this behavior. @@ -2451,8 +2449,6 @@ See [Appendix D](#appendix-d-serializing-headers-and-cookies) for details and fu | explode | `boolean` | When this is true, header values of type `array` or `object` generate a single header whose value is a comma-separated list of the array items or key-value pairs of the map, see [Style Examples](#style-examples). For other data types this field has no effect. The default value is `false`. | | allowReserved | `boolean` | When this is true, header values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). See [Appendix D: Serializing Headers and Cookies](#appendix-d-serializing-headers-and-cookies) for guidance on header encoding and escaping. The default value is `false`. | | schema | [Schema Object](#schema-object) | The schema defining the type used for the header. | -| example | Any | Example of the header's potential value; see [Working With Examples](#working-with-examples). | -| examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the header's potential value; see [Working With Examples](#working-with-examples). | See also [Appendix C: Using RFC6570-Based Serialization](#appendix-c-using-rfc6570-based-serialization) for additional guidance. From dfbda977f1c445ecff380acf3f35d0be92a84735 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 19 Jul 2025 10:39:07 -0700 Subject: [PATCH 236/342] Remove redundant $ref --- src/schemas/validation/schema.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 69d80e216d..fc519c6a97 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -732,7 +732,6 @@ $defs: default: false type: boolean $ref: '#/$defs/examples' - $ref: '#/$defs/specification-extensions' allOf: - $ref: '#/$defs/examples' - $ref: '#/$defs/specification-extensions' From 5620635503689ecc771b3af8c422344659d09468 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 19 Jul 2025 10:47:21 -0700 Subject: [PATCH 237/342] Fix ETag example. --- src/oas.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 0aa31c0dee..b1e36220aa 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2637,8 +2637,12 @@ ETag: text/plain: schema: type: string + # Note that quotation markes are part of the + # ETag value, unlike many other headers that + # use a quoted string purely for managing + # reserved characters. pattern: ^" - example: xyzzx + example: '"xyzzy"' ``` #### Tag Object From 30b2c04e95fba2418075b1412e8767a9d24f0fed Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Sat, 19 Jul 2025 11:11:25 -0700 Subject: [PATCH 238/342] Fix missing word Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index a44dcf4d23..498051a06c 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2113,7 +2113,7 @@ The various fields and types of examples are explained in more detail under [Wor | description | `string` | Long description for the example. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | dataValue | Any | An example of the data structure that MUST be valid according to the relevant [Schema Object](#schema-object). If this field is present, `value` MUST be absent. | | serializedValue | `string` | An example of the serialized form of the value, including encoding and escaping as described under [Validating Examples](#validating-examples). If `dataValue` is present, then this field SHOULD contain the serialization of the given data. Otherwise, it SHOULD be the valid serialization of a data value that itself MUST be valid as described for `dataValue`. This field SHOULD NOT be used if the serialization format is JSON, as the data form is easier to work with. If this field is present, `value`, and `externalValue` MUST be absent. | -| externalValue | `string` | A URI that identifies the serialized example in a separate document, allowing for values not easily or readably expressed as a Unicode string. If `dataValue` is present, then this field SHOULD identify a serialization of the given data. Otherwise, the value SHOULD the valid serialization of a data value that itself MUST be valid as described for `dataValue`. If this field is present, `serializedValue`, and `value` MUST be absent. See also the rules for resolving [Relative References](#relative-references-in-api-description-uris). | +| externalValue | `string` | A URI that identifies the serialized example in a separate document, allowing for values not easily or readably expressed as a Unicode string. If `dataValue` is present, then this field SHOULD identify a serialization of the given data. Otherwise, the value SHOULD be the valid serialization of a data value that itself MUST be valid as described for `dataValue`. If this field is present, `serializedValue`, and `value` MUST be absent. See also the rules for resolving [Relative References](#relative-references-in-api-description-uris). | | value | Any | Embedded literal example. The `value` field and `externalValue` field are mutually exclusive. To represent examples of media types that cannot naturally be represented in JSON or YAML, use a string value to contain the example, escaping where necessary.

**Deprecated for non-JSON serialization targets:** Use `dataValue` and/or `serializedValue`, which both have unambiguous syntax and semantics, instead. | This object MAY be extended with [Specification Extensions](#specification-extensions). From 5d5ea9ff72003546d3ae78ee23ef1bb669abd121 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 19 Jul 2025 11:17:34 -0700 Subject: [PATCH 239/342] Review feedback. --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index 498051a06c..70c7efc5de 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2114,7 +2114,7 @@ The various fields and types of examples are explained in more detail under [Wor | dataValue | Any | An example of the data structure that MUST be valid according to the relevant [Schema Object](#schema-object). If this field is present, `value` MUST be absent. | | serializedValue | `string` | An example of the serialized form of the value, including encoding and escaping as described under [Validating Examples](#validating-examples). If `dataValue` is present, then this field SHOULD contain the serialization of the given data. Otherwise, it SHOULD be the valid serialization of a data value that itself MUST be valid as described for `dataValue`. This field SHOULD NOT be used if the serialization format is JSON, as the data form is easier to work with. If this field is present, `value`, and `externalValue` MUST be absent. | | externalValue | `string` | A URI that identifies the serialized example in a separate document, allowing for values not easily or readably expressed as a Unicode string. If `dataValue` is present, then this field SHOULD identify a serialization of the given data. Otherwise, the value SHOULD be the valid serialization of a data value that itself MUST be valid as described for `dataValue`. If this field is present, `serializedValue`, and `value` MUST be absent. See also the rules for resolving [Relative References](#relative-references-in-api-description-uris). | -| value | Any | Embedded literal example. The `value` field and `externalValue` field are mutually exclusive. To represent examples of media types that cannot naturally be represented in JSON or YAML, use a string value to contain the example, escaping where necessary.

**Deprecated for non-JSON serialization targets:** Use `dataValue` and/or `serializedValue`, which both have unambiguous syntax and semantics, instead. | +| value | Any | Embedded literal example. The `value` field and `externalValue` field are mutually exclusive. To represent examples of media types that cannot naturally be represented in JSON or YAML, use a string value to contain the example, escaping where necessary.

**Deprecated for non-JSON serialization targets:** Use `dataValue` and/or `serializedValue`, which both have unambiguous syntax and semantics, instead. | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -2165,7 +2165,7 @@ For Parameter and Header Objects using `schema` and `style` rather than a Media A serialization can be represented as a valid Unicode string in `serializedValue` if any of the following are true of the serialization: -* It is for a media type that supports a `charset` parameter that indicates a Unicode encoding such as UTF-8, or any valid subset of such an encoding, such as US-ASCII. +* It is for a media type that supports a `charset` parameter that indicates any Unicode encoding (UTF-8, UTF-16, etc.), or any valid subset of such an encoding, such as US-ASCII. * It is for a format (such as URIs or HTTP fields) or character-based media type that requires or defaults to a Unicode encoding such as UTF-8, or any valid subset of such an encoding, such as US-ASCII, and this is not overridden by `charset`. * It is for a compound format where all parts meet at least one of the above criteria, e.g. a `multipart/mixed` media type with parts that are `application/json` (a media type that defaults to UTF-8) and `application/xml; charset=utf-8` (a media type with an explicit `charset` parameter). From 678cec6bdcba8cc6c4c31b5db2df9e43cc3141f7 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 19 Jul 2025 11:39:32 -0700 Subject: [PATCH 240/342] Further serialization and Unicode guidance. --- src/oas.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 70c7efc5de..8dc1f9450c 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2166,9 +2166,11 @@ For Parameter and Header Objects using `schema` and `style` rather than a Media A serialization can be represented as a valid Unicode string in `serializedValue` if any of the following are true of the serialization: * It is for a media type that supports a `charset` parameter that indicates any Unicode encoding (UTF-8, UTF-16, etc.), or any valid subset of such an encoding, such as US-ASCII. -* It is for a format (such as URIs or HTTP fields) or character-based media type that requires or defaults to a Unicode encoding such as UTF-8, or any valid subset of such an encoding, such as US-ASCII, and this is not overridden by `charset`. +* It is for a format (such as URIs or HTTP fields) or character-based media type that requires or defaults to a Unicode encoding, or any valid subset of such an encoding, such as US-ASCII, and this is not overridden by `charset`. * It is for a compound format where all parts meet at least one of the above criteria, e.g. a `multipart/mixed` media type with parts that are `application/json` (a media type that defaults to UTF-8) and `application/xml; charset=utf-8` (a media type with an explicit `charset` parameter). +In all of these cases, the conversion from the character set of the OAD (presumed to be UTF-8 as the only interoperable character set for JSON, an therefore also for JSON-compatible YAML as noted in [[RFC9512]] [Section 3.4](https://www.rfc-editor.org/rfc/rfc9512.html#section-3.4)) first to Unicode code points and then to the actual serialization character set is well-defined. + For `externalValue`, if the character set is neither explicitly stated nor determined by the format or media type specification, implementations SHOULD assume UTF-8. ###### Validating Examples From 747ccc892765a6a94eeb32e9463abe8d04feed00 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 19 Jul 2025 11:53:02 -0700 Subject: [PATCH 241/342] Allow Media Type Object re-use Add the Media Type Object to the Components Object, and allow a Reference Object anywhere it is allowed. To ensure that re-usable Objects can be documented clearly, add a `description` field. --- src/oas.md | 9 +++++---- src/schemas/validation/schema.yaml | 20 ++++++++++++++++++-- tests/schema/pass/media-type-examples.yaml | 14 ++++++++++++-- 3 files changed, 35 insertions(+), 8 deletions(-) diff --git a/src/oas.md b/src/oas.md index d0c355d0a3..f6cd2eb28f 100644 --- a/src/oas.md +++ b/src/oas.md @@ -633,6 +633,7 @@ All objects defined within the Components Object will have no effect on the API | links | Map[`string`, [Link Object](#link-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Link Objects](#link-object). | | callbacks | Map[`string`, [Callback Object](#callback-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Callback Objects](#callback-object). | | pathItems | Map[`string`, [Path Item Object](#path-item-object)] | An object to hold reusable [Path Item Objects](#path-item-object). | +| mediaTypes | Map[`string`, [Media Type Objects](#media-type-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Media Type Objects](#media-type-object). | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -1014,7 +1015,7 @@ For use with `in: "querystring"` and `application/x-www-form-urlencoded`, see [E | Field Name | Type | Description | | ---- | :----: | ---- | -| content | Map[`string`, [Media Type Object](#media-type-object)] | A map containing the representations for the parameter. The key is the media type and the value describes it. The map MUST only contain one entry. | +| content | Map[`string`, [Media Type Object](#media-type-object) \| [Reference Object](#reference-object)] | A map containing the representations for the parameter. The key is the media type and the value describes it. The map MUST only contain one entry. | ##### Style Values @@ -1204,7 +1205,7 @@ Describes a single request body. | Field Name | Type | Description | | ---- | :----: | ---- | | description | `string` | A brief description of the request body. This could contain examples of use. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | -| content | Map[`string`, [Media Type Object](#media-type-object)] | **REQUIRED**. The content of the request body. The key is a media type or [media type range](https://www.rfc-editor.org/rfc/rfc9110.html#appendix-A) and the value describes it. The map SHOULD have at least one entry; if it does not, the behavior is implementation-defined. For requests that match multiple keys, only the most specific key is applicable. e.g. `"text/plain"` overrides `"text/*"` | +| content | Map[`string`, [Media Type Object](#media-type-object) \| [Reference Object](#reference-object)] | **REQUIRED**. The content of the request body. The key is a media type or [media type range](https://www.rfc-editor.org/rfc/rfc9110.html#appendix-A) and the value describes it. The map SHOULD have at least one entry; if it does not, the behavior is implementation-defined. For requests that match multiple keys, only the most specific key is applicable. e.g. `"text/plain"` overrides `"text/*"` | | required | `boolean` | Determines if the request body is required in the request. Defaults to `false`. | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -1944,7 +1945,7 @@ Describes a single response from an API operation, including design-time, static | summary | `string` | A short summary of the meaning of the response. | | description | `string` | A description of the response. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | headers | Map[`string`, [Header Object](#header-object) \| [Reference Object](#reference-object)] | Maps a header name to its definition. [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.1) states header names are case insensitive. If a response header is defined with the name `"Content-Type"`, it SHALL be ignored. | -| content | Map[`string`, [Media Type Object](#media-type-object)] | A map containing descriptions of potential response payloads. The key is a media type or [media type range](https://www.rfc-editor.org/rfc/rfc9110.html#appendix-A) and the value describes it. For responses that match multiple keys, only the most specific key is applicable. e.g. `"text/plain"` overrides `"text/*"` | +| content | Map[`string`, [Media Type Object](#media-type-object) \| [Reference Object](#reference-object)] | A map containing descriptions of potential response payloads. The key is a media type or [media type range](https://www.rfc-editor.org/rfc/rfc9110.html#appendix-A) and the value describes it. For responses that match multiple keys, only the most specific key is applicable. e.g. `"text/plain"` overrides `"text/*"` | | links | Map[`string`, [Link Object](#link-object) \| [Reference Object](#reference-object)] | A map of operations links that can be followed from the response. The key of the map is a short name for the link, following the naming constraints of the names for [Component Objects](#components-object). | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -2445,7 +2446,7 @@ Using `content` with a `text/plain` media type is RECOMMENDED for headers where | Field Name | Type | Description | | ---- | :----: | ---- | -| content | Map[`string`, [Media Type Object](#media-type-object)] | A map containing the representations for the header. The key is the media type and the value describes it. The map MUST only contain one entry. | +| content | Map[`string`, [Media Type Object](#media-type-object) \| [Reference Object](#reference-object)] | A map containing the representations for the header. The key is the media type and the value describes it. The map MUST only contain one entry. | ##### Modeling Link Headers diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 9990fefb67..f94a73dfec 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -199,8 +199,12 @@ $defs: type: object additionalProperties: $ref: '#/$defs/path-item' + mediaTypes: + type: object + additionalProperties: + $ref: '#/$defs/media-type-or-reference' patternProperties: - '^(schemas|responses|parameters|examples|requestBodies|headers|securitySchemes|links|callbacks|pathItems)$': + '^(schemas|responses|parameters|examples|requestBodies|headers|securitySchemes|links|callbacks|pathItems|mediaTypes)$': $comment: Enumerating all of the property names in the regex above is necessary for unevaluatedProperties to work as expected propertyNames: pattern: '^[a-zA-Z0-9._-]+$' @@ -517,7 +521,7 @@ $defs: $comment: https://spec.openapis.org/oas/v3.2#fixed-fields-10 type: object additionalProperties: - $ref: '#/$defs/media-type' + $ref: '#/$defs/media-type-or-reference' propertyNames: format: media-range @@ -525,6 +529,8 @@ $defs: $comment: https://spec.openapis.org/oas/v3.2#media-type-object type: object properties: + description: + type: string schema: $dynamicRef: '#meta' itemSchema: @@ -538,6 +544,16 @@ $defs: - $ref: '#/$defs/examples' unevaluatedProperties: false + media-type-or-reference: + if: + type: object + required: + - $ref + then: + $ref: '#/$defs/reference' + else: + $ref: '#/$defs/media-type' + encoding: $comment: https://spec.openapis.org/oas/v3.2#encoding-object type: object diff --git a/tests/schema/pass/media-type-examples.yaml b/tests/schema/pass/media-type-examples.yaml index 2ab4e68076..0a4ef9cb0f 100644 --- a/tests/schema/pass/media-type-examples.yaml +++ b/tests/schema/pass/media-type-examples.yaml @@ -3,6 +3,15 @@ openapi: 3.2.0 info: title: API version: 1.0.0 +components: + mediaTypes: + StreamingPets: + description: | + Streaming sequence of JSON pet representations, + suitable for use with any of the streaming JSON + media types. + itemSchema: + $ref: '#components/schemas/Pet' paths: /something: put: @@ -31,8 +40,9 @@ paths: frog: $ref: '#/components/examples/frog-example' application/jsonl: - itemSchema: - $ref: '#components/schemas/Pet' + $ref: '#/components/mediaTypes/StreamingPets' + application/x-ndjson: + $ref: '#/components/mediaTypes/StreamingPets' application/xml: schema: type: object From f88dc0ddb6546a6375c13ec44abd5670e762b531 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Sat, 19 Jul 2025 13:46:18 -0700 Subject: [PATCH 242/342] Fix typo Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 8dc1f9450c..1c91e21de3 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2169,7 +2169,7 @@ A serialization can be represented as a valid Unicode string in `serializedValue * It is for a format (such as URIs or HTTP fields) or character-based media type that requires or defaults to a Unicode encoding, or any valid subset of such an encoding, such as US-ASCII, and this is not overridden by `charset`. * It is for a compound format where all parts meet at least one of the above criteria, e.g. a `multipart/mixed` media type with parts that are `application/json` (a media type that defaults to UTF-8) and `application/xml; charset=utf-8` (a media type with an explicit `charset` parameter). -In all of these cases, the conversion from the character set of the OAD (presumed to be UTF-8 as the only interoperable character set for JSON, an therefore also for JSON-compatible YAML as noted in [[RFC9512]] [Section 3.4](https://www.rfc-editor.org/rfc/rfc9512.html#section-3.4)) first to Unicode code points and then to the actual serialization character set is well-defined. +In all of these cases, the conversion from the character set of the OAD (presumed to be UTF-8 as the only interoperable character set for JSON, and therefore also for JSON-compatible YAML as noted in [[RFC9512]] [Section 3.4](https://www.rfc-editor.org/rfc/rfc9512.html#section-3.4)) first to Unicode code points and then to the actual serialization character set is well-defined. For `externalValue`, if the character set is neither explicitly stated nor determined by the format or media type specification, implementations SHOULD assume UTF-8. From ec1e510b30655718974c25ccd9df3955a5ec484d Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Sat, 19 Jul 2025 14:15:14 -0700 Subject: [PATCH 243/342] Fix inadvertent plural Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index f6cd2eb28f..43b8724f08 100644 --- a/src/oas.md +++ b/src/oas.md @@ -633,7 +633,7 @@ All objects defined within the Components Object will have no effect on the API | links | Map[`string`, [Link Object](#link-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Link Objects](#link-object). | | callbacks | Map[`string`, [Callback Object](#callback-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Callback Objects](#callback-object). | | pathItems | Map[`string`, [Path Item Object](#path-item-object)] | An object to hold reusable [Path Item Objects](#path-item-object). | -| mediaTypes | Map[`string`, [Media Type Objects](#media-type-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Media Type Objects](#media-type-object). | +| mediaTypes | Map[`string`, [Media Type Object](#media-type-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Media Type Objects](#media-type-object). | This object MAY be extended with [Specification Extensions](#specification-extensions). From 767bdaf5ab609be93539ff363651e6cac14fc87f Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 19 Jul 2025 15:20:20 -0700 Subject: [PATCH 244/342] Remove documentation requirement --- src/oas.md | 1 - 1 file changed, 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 9ebd1d5277..ab75857cce 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1681,7 +1681,6 @@ The absence of all three of those fields is the equivalent of using `content`, b Nested formats requiring encoding, most notably nested `multipart/mixed`, can be supported with this Object's `encoding`, `prefixEncoding`, and / or `itemEncoding` fields. Implementations MUST support one level of nesting, and MAY support additional levels. -If supporting additional levels, any limits on nesting levels MUST be documented. ##### Encoding the `x-www-form-urlencoded` Media Type From 459e5bb6f1df55906c47ed0f3bbb66ae115b8173 Mon Sep 17 00:00:00 2001 From: Mike Kistler Date: Sun, 20 Jul 2025 06:36:15 -0700 Subject: [PATCH 245/342] Schema updates for #4339 --- src/schemas/validation/meta.yaml | 2 ++ tests/schema/pass/mega.yaml | 3 +++ 2 files changed, 5 insertions(+) diff --git a/src/schemas/validation/meta.yaml b/src/schemas/validation/meta.yaml index 52f5ea2ed0..0b4e44887b 100644 --- a/src/schemas/validation/meta.yaml +++ b/src/schemas/validation/meta.yaml @@ -29,6 +29,8 @@ $defs: additionalProperties: type: string type: object + defaultMapping: + type: object propertyName: type: string required: diff --git a/tests/schema/pass/mega.yaml b/tests/schema/pass/mega.yaml index 3e57fb9144..e7b218b0e5 100644 --- a/tests/schema/pass/mega.yaml +++ b/tests/schema/pass/mega.yaml @@ -55,6 +55,9 @@ components: propertyName: type mapping: foo: Foo + defaultMapping: + not: + required: ['type'] x-extension: true anyOf: - $ref: "#/components/schemas/Foo" From af2a5a83269aa036e95bf5f00848f1cf08f54e3d Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Sun, 20 Jul 2025 08:32:17 -0700 Subject: [PATCH 246/342] Fix grammar Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index d5998deb40..19d1727401 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1039,7 +1039,7 @@ When showing serialized examples, such as with the [Example Object's](#example-o In cases where the name is an inherent part of constructing the serialization, such as the `name=value` pairs produced by `style: "form"` or the combination of `style: "simple", explode: true`, the name and any delimiter between the name and value MUST be included. The `matrix` and `label` styles produce a leading delimiter which is always a valid part of the serialization and MUST be included. -The RFC6570 operators corresponding to `style: "form"` produces a leading delimiter of either `?` or `&` depending on the exact syntax used. +The RFC6570 operators corresponding to `style: "form"` produce a leading delimiter of either `?` or `&` depending on the exact syntax used. As the suitability of either delimiter depends on where in the query string the parameter occurs, as well as whether it is in a URI or in `application/x-www-form-urlencoded` content, this leading delimiter MUST NOT be included in examples of individual parameters or media type documents. For `in: "cookie", style: "form"`, neither the `&` nor `?` delimiters are ever correct; see [Appendix D: Serializing Headers and Cookies](#appendix-d-serializing-headers-and-cookies) for more details. From 62d56f017716897fa6438aaacb75afbf25164c09 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 20 Jun 2025 18:03:03 -0700 Subject: [PATCH 247/342] Support ordered multipart including streaming This adds support for all `multipart` media types that do not have named parts, including support for streaming such media types. Note that `multipart/mixed` defines the basic processing rules for all `multipart` types, and implementations that encounter unrecognized `multipart` subtypes are required to process them as `multipart/mixed`. Therefore support for `multipart/mixed` addresses all other subtypes to some degree. This builds on the recent support for sequential media types: * `multipart/mixed` and similar meet the definition for a sequential media type, requiring it to be modeled as an array. This does use an expansive definition of "repeating the same structure", where the structure is literally any content with a media type. * As a sequential media type, it also supports `itemSchema` * Adding a parallel `itemEncoding` is the obvious solution to `multipart/mixed` streams requiring an Encoding Object * We have regularly received requests to support truly mixed `multipart/mixed` payloads, and previously claimed such support from 3.0.0 onwards, without actually supporting it. Adding `prefixEncoding` along with `itemEncoding` supports this use case with a clear parallel to `prefixItems`, which is the schema construct needed to support this case. * There is no need for a `prefixSchema` field because the streaming use case requires a repetition of the same schema for each item. Therefore all mixed use cases can use `schema` and `prefixItems` --- src/oas.md | 53 ++++++++++++++----- src/schemas/validation/schema.yaml | 13 ++++- .../fail/media-type-enc-item-exclusion.yaml | 10 ++++ .../fail/media-type-enc-prefix-exclusion.yaml | 10 ++++ tests/schema/pass/media-type-examples.yaml | 10 ++++ 5 files changed, 81 insertions(+), 15 deletions(-) create mode 100644 tests/schema/fail/media-type-enc-item-exclusion.yaml create mode 100644 tests/schema/fail/media-type-enc-prefix-exclusion.yaml diff --git a/src/oas.md b/src/oas.md index e5b3752bc5..7db032f164 100644 --- a/src/oas.md +++ b/src/oas.md @@ -103,14 +103,18 @@ Some examples of sequential media types (including some that are not IANA-regist application/json-seq application/geo+json-seq text/event-stream + multipart/mixed ``` In the first three above, the repeating structure is any [JSON value](https://tools.ietf.org/html/rfc8259#section-3). -The fourth repeats `application/geo+json`-structured values, while the last repeats a custom text format related to Server-Sent Events. +The fourth repeats `application/geo+json`-structured values, while `text/event-stream` repeats a custom text format related to Server-Sent Events. +The final media type listed above, `multipart/mixed`, provides an ordered list of documents of any media type, and is sometimes streamed. +Note that while `multipart` formats technically allow a preamble and an epilogue, the RFC directs that they are to be ignored, making them effectively comments, and this specification does not model them. Implementations MUST support mapping sequential media types into the JSON Schema data model by treating them as if the values were in an array in the same order. See [Complete vs Streaming Content](#complete-vs-streaming-content) for more information on handling sequential media types in a streaming context, including special considerations for `text/event-stream` content. +For `multipart` types, see also [Encoding By Position](#encoding-by-position). #### Media Type Registry @@ -1260,7 +1264,9 @@ See [Working With Examples](#working-with-examples) for further guidance regardi | itemSchema | [Schema Object](#schema-object) | A schema describing each item within a [sequential media type](#sequential-media-types). | | example | Any | Example of the media type; see [Working With Examples](#working-with-examples). | | examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the media type; see [Working With Examples](#working-with-examples). | -| encoding | Map[`string`, [Encoding Object](#encoding-object)] | A map between a property name and its encoding information, as defined under [Encoding Usage and Restrictions](#encoding-usage-and-restrictions). The `encoding` field SHALL only apply when the media type is `multipart` or `application/x-www-form-urlencoded`. If no Encoding Object is provided for a property, the behavior is determined by the default values documented for the Encoding Object. | +| encoding | Map[`string`, [Encoding Object](#encoding-object)] | A map between a property name and its encoding information, as defined under [Encoding By Name](#encoding-by-name). The `encoding` field SHALL only apply when the media type is `multipart` or `application/x-www-form-urlencoded`. If no Encoding Object is provided for a property, the behavior is determined by the default values documented for the Encoding Object. This field MUST NOT be present if `prefixEncoding` or `itemEncoding` are present. | +| prefixEncoding | [[Encoding Object](#encoding-object)] | An array of positional encoding information, as defined under [Encoding By Position](#encoding-by-position). The `prefixEncoding` field SHALL only apply when the media type is `multipart`. If no Encoding Object is provided for a property, the behavior is determined by the default values documented for the Encoding Object. This field MUST NOT be present if `encoding` is present. | +| itemEncoding | [Encoding Object](#encoding-object) | A single Encoding Object that provides encoding information for multiple array items, as defined under [Encoding By Position](#encoding-by-position). The `itemEncoding` field SHALL only apply when the media type is `multipart`. If no Encoding Object is provided for a property, the behavior is determined by the default values documented for the Encoding Object. This field MUST NOT be present if `encoding` is present. | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -1280,7 +1286,8 @@ For this use case, `maxLength` MAY be implemented outside of regular JSON Schema ###### Streaming Sequential Media Types -The `itemSchema` field is provided to support streaming use cases for sequential media types. +The `itemSchema` field is provided to support streaming use cases for sequential media types, with `itemEncoding` as a corresponding encoding mechanism for streaming [positional `multipart` media types](#encoding-by-position). + Unlike `schema`, which is applied to the complete content (treated as an array as described in the [sequential media types](#sequential-media-types) section), `itemSchema` MUST be applied to each item in the stream independently, which supports processing each item as it is read from the stream. Both `schema` and `itemSchema` MAY be used in the same Media Type Object. @@ -1316,13 +1323,16 @@ properties: ##### Encoding Usage and Restrictions -The `encoding` field defines how to map each [Encoding Object](#encoding-object) to a specific value in the data. +The three encoding fields define how to map each [Encoding Object](#encoding object) to a specific value in the data. +Each field has its own set of media types with which it can be used; for all other media types all three fields SHALL be ignored. -To use the `encoding` field, a `schema` MUST exist, and the `encoding` field's keys MUST exist in the schema as properties. -Array properties MUST be handled by applying the given Encoding Object to one part per array item, each with the same `name`, as is recommended by [[?RFC7578]] [Section 4.3](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.3) for supplying multiple values per form field. -For all other value types for both top-level non-array properties and for values, including array values, within a top-level array, the Encoding Object MUST be applied to the entire value. +###### Encoding By Name The behavior of the `encoding` field is designed to support web forms, and is therefore only defined for media types structured as name-value pairs that allow repeat values, most notably `application/x-www-form-urlencoded` and `multipart/form-data`. + +To use the `encoding` field, each key under the field MUST exist in the `schema` as a property. +Array properties MUST be handled by applying the given Encoding Object to produce one encoded value per array item, each with the same `name`, as is recommended by [[?RFC7578]] [Section 4.3](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.3) for supplying multiple values per form field. +For all other value types for both top-level non-array properties and for values, including array values, within a top-level array, the Encoding Object MUST be applied to the entire value. The order of these name-value pairs in the target media type is implementation-defined. For `application/x-www-form-urlencoded`, the encoding keys MUST map to parameter names, with the values produced according to the rules of the [Encoding Object](#encoding-object). @@ -1331,15 +1341,29 @@ See [Encoding the `x-www-form-urlencoded` Media Type](#encoding-the-x-www-form-u For `multipart`, the encoding keys MUST map to the [`name` parameter](https://www.rfc-editor.org/rfc/rfc7578#section-4.2) of the `Content-Disposition: form-data` header of each part, as is defined for `multipart/form-data` in [[?RFC7578]]. See [[?RFC7578]] [Section 5](https://www.rfc-editor.org/rfc/rfc7578.html#section-5) for guidance regarding non-ASCII part names. -Other `multipart` media types are not directly supported as they do not define a mechanism for part names. -However, the usage of a `name` [`Content-Disposition` parameter](https://www.iana.org/assignments/cont-disp/cont-disp.xhtml#cont-disp-2) is defined for the `form-data` [`Content-Disposition` value](https://www.iana.org/assignments/cont-disp/cont-disp.xhtml#cont-disp-1), which is not restricted to `multipart/form-data`. -Implementations MAY choose to support the a `Conent-Disposition` of `form-data` with a `name` parameter in other `multipart` media types in order to use the `encoding` field with them, but this usage is unlikely to be supported by generic `multipart` implementations. - See [Encoding `multipart` Media Types](#encoding-multipart-media-types) for further guidance and examples, both with and without the `encoding` field. +###### Encoding By Position + +Most `multipart` media types, including `multipart/mixed` which defines the underlying rules for parsing all `multipart` types, do not have named parts. +Data for these media types are modeled as an array, with one item per part, in order. + +To use the `prefixEncoding` and/or `itemEncoding` fields, either `itemSchema` or an array `schema` MUST be present. +These fields are analogous to the `prefixItems` and `items` JSON Schema keywords, with `prefixEncoding` (if present) providing an array of Encoding Objects that are each applied to the value at the same position in the data array, and `itemEncoding` applying its single Encoding Object to all remaining items in the array. + +The `itemEncoding` field can also be used with `itemSchema` to support streaming `multipart` content. + +###### Additional Encoding Approaches + +The `prefixEncoding` field can be used with any `multipart` content to require a fixed part order. +This includes `multipart/form-data`, for which the Encoding Object's `headers` field MUST be used to provide the `Content-Disposition` and part name, as no property names exist to provide the names automatically. + +Prior versions of this specification advised using the `name` [`Content-Disposition` parameter](https://www.iana.org/assignments/cont-disp/cont-disp.xhtml#cont-disp-2) of the `form-data` [`Content-Disposition` value](https://www.iana.org/assignments/cont-disp/cont-disp.xhtml#cont-disp-1) with `multipart` media types other than `multipart/form-data` in order to work around the limitations of the `encoding` field. +Implementations MAY choose to support this workaround, but as this usage is not common, implementations of non-`form-data` `multipart` media types are unlikely to support it. + ##### Media Type Examples -For form-related media type examples, see the [Encoding Object](#encoding-object). +For form-related and `multipart` media type examples, see the [Encoding Object](#encoding-object). ###### JSON @@ -1655,8 +1679,9 @@ These fields MAY be used either with or without the RFC6570-style serialization This object MAY be extended with [Specification Extensions](#specification-extensions). The default values for `contentType` are as follows, where an _n/a_ in the `contentEncoding` column means that the presence or value of `contentEncoding` is irrelevant. -This table is based on the value to which the Encoding Object is being applied, which as defined under [Encoding Usage and Restrictions](#encoding-usage-and-restrictions) is the array item for properties of type `"array"`, and the entire value for all other types. -Therefore the `array` row in this table applies only to array values inside of a top-level array. +This table is based on the value to which the Encoding Object is being applied as defined under [Encoding Usage and Restrictions](#encoding-usage-and-restrictions). +Note that in the case of [Encoding By Name](#encoding-by-name), this value is the array item for properties of type `"array"`, and the entire value for all other types. +Therefore the `array` row in this table applies only to array values inside of a top-level array when encoding by name. | `type` | `contentEncoding` | Default `contentType` | | ---- | ---- | ---- | diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index bcf8c14f90..b9bdac1d8c 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -539,9 +539,20 @@ $defs: type: object additionalProperties: $ref: '#/$defs/encoding' + prefixEncoding: + type: array + items: + $ref: '#/$defs/encoding' + itemEncoding: + $ref: '#/$defs/encoding' allOf: - - $ref: '#/$defs/specification-extensions' - $ref: '#/$defs/examples' + - $ref: '#/$defs/specification-extensions' + - dependentSchemas: + encoding: + properties: + prefixEncoding: false + itemEncoding: false unevaluatedProperties: false media-type-or-reference: diff --git a/tests/schema/fail/media-type-enc-item-exclusion.yaml b/tests/schema/fail/media-type-enc-item-exclusion.yaml new file mode 100644 index 0000000000..012f1f44c8 --- /dev/null +++ b/tests/schema/fail/media-type-enc-item-exclusion.yaml @@ -0,0 +1,10 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + requestBodies: + content: + multipart/mixed: + encoding: {} + itemEncoding: {} diff --git a/tests/schema/fail/media-type-enc-prefix-exclusion.yaml b/tests/schema/fail/media-type-enc-prefix-exclusion.yaml new file mode 100644 index 0000000000..d57c463b9d --- /dev/null +++ b/tests/schema/fail/media-type-enc-prefix-exclusion.yaml @@ -0,0 +1,10 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + requestBodies: + content: + multipart/mixed: + encoding: {} + prefixEncoding: {} diff --git a/tests/schema/pass/media-type-examples.yaml b/tests/schema/pass/media-type-examples.yaml index e4a1dfbfdb..6ace84a8d5 100644 --- a/tests/schema/pass/media-type-examples.yaml +++ b/tests/schema/pass/media-type-examples.yaml @@ -161,3 +161,13 @@ paths: prefixEncoding: - {} itemEncoding: {} + multipart/related: + schema: + type: array + itemEncoding: + contentType: text/plain + prefixEncoding: + - headers: + Content-Location: + schema: + type: string From dce24e400dc8f76866edebd7e1547a154ee4c6f7 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Wed, 9 Jul 2025 13:27:59 -0700 Subject: [PATCH 248/342] Be more clear about correlations. It's not an error if you have more encoding objects than instances. --- src/oas.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 7db032f164..bcf04826f2 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1330,7 +1330,7 @@ Each field has its own set of media types with which it can be used; for all oth The behavior of the `encoding` field is designed to support web forms, and is therefore only defined for media types structured as name-value pairs that allow repeat values, most notably `application/x-www-form-urlencoded` and `multipart/form-data`. -To use the `encoding` field, each key under the field MUST exist in the `schema` as a property. +To use the `encoding` field, each key under the field MUST exist as a property; `encoding` entries with no corresponding property SHALL be ignored. Array properties MUST be handled by applying the given Encoding Object to produce one encoded value per array item, each with the same `name`, as is recommended by [[?RFC7578]] [Section 4.3](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.3) for supplying multiple values per form field. For all other value types for both top-level non-array properties and for values, including array values, within a top-level array, the Encoding Object MUST be applied to the entire value. The order of these name-value pairs in the target media type is implementation-defined. @@ -1350,6 +1350,7 @@ Data for these media types are modeled as an array, with one item per part, in o To use the `prefixEncoding` and/or `itemEncoding` fields, either `itemSchema` or an array `schema` MUST be present. These fields are analogous to the `prefixItems` and `items` JSON Schema keywords, with `prefixEncoding` (if present) providing an array of Encoding Objects that are each applied to the value at the same position in the data array, and `itemEncoding` applying its single Encoding Object to all remaining items in the array. +As with `prefixItems`, it is _not_ an error if the instance array is shorter than the `prefixEncoding` array; the additional Encoding Objects SHALL be ignored. The `itemEncoding` field can also be used with `itemSchema` to support streaming `multipart` content. From e8b58f58234a16fa896f8b89a9c60fba6ac45c86 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 17 Jul 2025 07:49:17 -0700 Subject: [PATCH 249/342] Review feedback --- src/oas.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/oas.md b/src/oas.md index bcf04826f2..de44916516 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1331,15 +1331,15 @@ Each field has its own set of media types with which it can be used; for all oth The behavior of the `encoding` field is designed to support web forms, and is therefore only defined for media types structured as name-value pairs that allow repeat values, most notably `application/x-www-form-urlencoded` and `multipart/form-data`. To use the `encoding` field, each key under the field MUST exist as a property; `encoding` entries with no corresponding property SHALL be ignored. -Array properties MUST be handled by applying the given Encoding Object to produce one encoded value per array item, each with the same `name`, as is recommended by [[?RFC7578]] [Section 4.3](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.3) for supplying multiple values per form field. +Array properties MUST be handled by applying the given Encoding Object to produce one encoded value per array item, each with the same `name`, as is recommended by [[!RFC7578]] [Section 4.3](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.3) for supplying multiple values per form field. For all other value types for both top-level non-array properties and for values, including array values, within a top-level array, the Encoding Object MUST be applied to the entire value. The order of these name-value pairs in the target media type is implementation-defined. For `application/x-www-form-urlencoded`, the encoding keys MUST map to parameter names, with the values produced according to the rules of the [Encoding Object](#encoding-object). See [Encoding the `x-www-form-urlencoded` Media Type](#encoding-the-x-www-form-urlencoded-media-type) for guidance and examples, both with and without the `encoding` field. -For `multipart`, the encoding keys MUST map to the [`name` parameter](https://www.rfc-editor.org/rfc/rfc7578#section-4.2) of the `Content-Disposition: form-data` header of each part, as is defined for `multipart/form-data` in [[?RFC7578]]. -See [[?RFC7578]] [Section 5](https://www.rfc-editor.org/rfc/rfc7578.html#section-5) for guidance regarding non-ASCII part names. +For `multipart`, the encoding keys MUST map to the [`name` parameter](https://www.rfc-editor.org/rfc/rfc7578#section-4.2) of the `Content-Disposition: form-data` header of each part, as is defined for `multipart/form-data` in [[!RFC7578]]. +See [[!RFC7578]] [Section 5](https://www.rfc-editor.org/rfc/rfc7578.html#section-5) for guidance regarding non-ASCII part names. See [Encoding `multipart` Media Types](#encoding-multipart-media-types) for further guidance and examples, both with and without the `encoding` field. @@ -1359,7 +1359,7 @@ The `itemEncoding` field can also be used with `itemSchema` to support streaming The `prefixEncoding` field can be used with any `multipart` content to require a fixed part order. This includes `multipart/form-data`, for which the Encoding Object's `headers` field MUST be used to provide the `Content-Disposition` and part name, as no property names exist to provide the names automatically. -Prior versions of this specification advised using the `name` [`Content-Disposition` parameter](https://www.iana.org/assignments/cont-disp/cont-disp.xhtml#cont-disp-2) of the `form-data` [`Content-Disposition` value](https://www.iana.org/assignments/cont-disp/cont-disp.xhtml#cont-disp-1) with `multipart` media types other than `multipart/form-data` in order to work around the limitations of the `encoding` field. +Prior versions of this specification advised using the [`name` parameter](https://www.rfc-editor.org/rfc/rfc7578#section-4.2) of the `Content-Disposition: form-data` header of each part with `multipart` media types other than `multipart/form-data` in order to work around the limitations of the `encoding` field. Implementations MAY choose to support this workaround, but as this usage is not common, implementations of non-`form-data` `multipart` media types are unlikely to support it. ##### Media Type Examples From ca415e4efb1d701e5dfbe9d628d8b3a4c28ca04b Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Thu, 17 Jul 2025 15:17:22 -0700 Subject: [PATCH 250/342] More maintainable wording Co-authored-by: Lorna Jane Mitchell --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index de44916516..513fce2bbd 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1323,7 +1323,7 @@ properties: ##### Encoding Usage and Restrictions -The three encoding fields define how to map each [Encoding Object](#encoding object) to a specific value in the data. +These encoding fields define how to map each [Encoding Object](#encoding object) to a specific value in the data. Each field has its own set of media types with which it can be used; for all other media types all three fields SHALL be ignored. ###### Encoding By Name From 0b37bca50587fe121939cc10aade316dded488c2 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 20 Jun 2025 17:42:25 -0700 Subject: [PATCH 251/342] New encoding examples --- src/oas.md | 94 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 93 insertions(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index e5b3752bc5..6032daf86c 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1893,6 +1893,99 @@ requestBody: As seen in the [Encoding Object's `contentType` field documentation](#encoding-content-type), the empty schema for `items` indicates a media type of `application/octet-stream`. +###### Example: Ordered, Unnamed Multipart + +A `multipart/mixed` payload consisting of a JSON metadata document followed by an image which the metadata describes: + +```yaml +multipart/mixed: + schema: + type: array + prefixItems: + - # default content type for objects + # is `application/json` + type: object + properties: + author: + type: string + created: + type: string + format: datetime + copyright: + type: string + license: + type: string + - # default content type for a schema without `type` + # is `application/octet-stream`, which we need + # to override. + {} + prefixEncoding: + - # Encoding Object defaults are correct for JSON + {} + - contentType: image/* +``` + +###### Example: Ordered Multipart With Required Header + +As described in [[?RFC2557]], a set of HTML pages can be sent in a `multipart/related` payload, preserving links among themselves by defining a `Content-Location` header for each page. + +See [Appendix D](appendix-d-serializing-headers-and-cookies) for an explanation of why `content: {text/plain: {...}}` is used to describe the header value. + +```yaml +multipart/related: + schema: + items: + type: string + itemEncoding: + contentType: text/html + headers: + Content-Location: + required: true + content: + text/plain: + schema: + type: string + format: uri +``` + +While the above example could have used `itemSchema` instead, if the payload is expected to be processed all at once, using `schema` ensures that tools will wait until the complete response is available before processing. + +###### Example: Streaming Multipart + +This example assumes a device that takes large sets of pictures and streams them to the caller. +Unlike the previous example, we use `itemSchema` here because the expectation is that each image is processed as it arrives (or in small batches), since we know that buffering the entire stream will take too much memory. + +```yaml +multipart/mixed: + itemSchema: + $comment: A single data image from the device + itemEncoding: + contentType: image/jpg +``` + +###### Example: Streaming Byte Ranges + +For `multipart/byteranges` [[RFC9110]] [Section 14.6](https://www.rfc-editor.org/rfc/rfc9110.html#section-14.6), a `Content-Range` header is required: + +See [Appendix D](appendix-d-serializing-headers-and-cookies) for an explanation of why `content: {text/plain: {...}}` is used to describe the header value. + +```yaml +multipart/byteranges: + itemSchema: + $comment: A single range of bytes from a video + itemEncoding: + contentType: video/mp4 + headers: + Content-Range: + required: true + content: + text/plain: + schema: + # A suitable "pattern" constraint for this + # header is left as an exercise for the reader + type: string +``` + ###### Example: Nested `multipart/mixed` This defines a two-part `multipart/mixed` where the first part is a JSON array and the second part is a nested `multipart/mixed` document. @@ -1901,7 +1994,6 @@ The nested parts are XML, plain text, and a PNG image. ```yaml multipart/mixed: schema: - type: array prefixItems: - type: array - type: array From 67e81b91d51a917f63ba1c5c3cbb65eddfe0d66a Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 20 Jun 2025 17:50:16 -0700 Subject: [PATCH 252/342] Better RFC2557 example --- src/oas.md | 59 +++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 41 insertions(+), 18 deletions(-) diff --git a/src/oas.md b/src/oas.md index 6032daf86c..688e5e9896 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1927,29 +1927,52 @@ multipart/mixed: ###### Example: Ordered Multipart With Required Header -As described in [[?RFC2557]], a set of HTML pages can be sent in a `multipart/related` payload, preserving links among themselves by defining a `Content-Location` header for each page. +As described in [[?RFC2557]], a set of resources making up a web pages can be sent in a `multipart/related` payload, preserving links among themselves by defining a `Content-Location` header for each page. +The first part is used as the root resource (unless using `Content-ID`, which RFC2557 advises against), so we use `prefixItems` and `prefixEncoding` to define that it must be an HTML resource, and then allow any of several different types of resources in any order to follow. -See [Appendix D](appendix-d-serializing-headers-and-cookies) for an explanation of why `content: {text/plain: {...}}` is used to describe the header value. +The `Content-Location` header is defined using `content: {text/plain: {...}}` to avoid percent-encoding its URI value; see [Appendix D](appendix-d-serializing-headers-and-cookies) for further details. ```yaml -multipart/related: - schema: - items: - type: string - itemEncoding: - contentType: text/html - headers: - Content-Location: - required: true - content: - text/plain: - schema: - type: string - format: uri +components: + headers: + RFC2557ContentId: + description: Use Content-Location instead of Content-ID + schema: false + RFC2557ContentLocation: + required: true + content: + text/plain: + schema: + $comment: Use a full URI (not a relative reference) + type: string + format: uri + requestBodies: + RFC2557: + content: + multipart/related; type=text/html: + schema: + prefixItems: + - type: string + items: + anyOf: + - type: string + - $comment: To allow binary, this must always pass + prefixEncoding: + - contentType: text/html + headers: + Content-ID: + $ref: '#/components/headers/RFC2557ContentId' + Content-Location: + $ref: '#/components/headers/RFC2557ContentLocation' + itemEncoding: + contentType: text/html, text/css, text/javascript, image/* + headers: + Content-ID: + $ref: '#/components/headers/RFC2557ContentId' + Content-Location: + $ref: '#/components/headers/RFC2557ContentLocation' ``` -While the above example could have used `itemSchema` instead, if the payload is expected to be processed all at once, using `schema` ensures that tools will wait until the complete response is available before processing. - ###### Example: Streaming Multipart This example assumes a device that takes large sets of pictures and streams them to the caller. From 7e8f352504a884bcddee31111cd0fc3b9137958c Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 17 Jul 2025 08:10:47 -0700 Subject: [PATCH 253/342] Review feedback. --- src/oas.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/oas.md b/src/oas.md index 688e5e9896..24722a7278 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1927,15 +1927,15 @@ multipart/mixed: ###### Example: Ordered Multipart With Required Header -As described in [[?RFC2557]], a set of resources making up a web pages can be sent in a `multipart/related` payload, preserving links among themselves by defining a `Content-Location` header for each page. -The first part is used as the root resource (unless using `Content-ID`, which RFC2557 advises against), so we use `prefixItems` and `prefixEncoding` to define that it must be an HTML resource, and then allow any of several different types of resources in any order to follow. +As described in [[?RFC2557]], a set of resources making up a web page can be sent in a `multipart/related` payload, preserving links from the `text/html` document to subsidiary resources such as scripts, style sheets, and images by defining a `Content-Location` header for each page. +The first part is used as the root resource (unless using `Content-ID`, which RFC2557 advises against and is forbidden in this example), so we use `prefixItems` and `prefixEncoding` to define that it must be an HTML resource, and then allow any of several different types of resources in any order to follow. The `Content-Location` header is defined using `content: {text/plain: {...}}` to avoid percent-encoding its URI value; see [Appendix D](appendix-d-serializing-headers-and-cookies) for further details. ```yaml components: headers: - RFC2557ContentId: + RFC2557NoContentId: description: Use Content-Location instead of Content-ID schema: false RFC2557ContentLocation: @@ -1961,14 +1961,14 @@ components: - contentType: text/html headers: Content-ID: - $ref: '#/components/headers/RFC2557ContentId' + $ref: '#/components/headers/RFC2557NoContentId' Content-Location: $ref: '#/components/headers/RFC2557ContentLocation' itemEncoding: - contentType: text/html, text/css, text/javascript, image/* + contentType: text/css,text/javascript,image/* headers: Content-ID: - $ref: '#/components/headers/RFC2557ContentId' + $ref: '#/components/headers/RFC2557NoContentId' Content-Location: $ref: '#/components/headers/RFC2557ContentLocation' ``` From 674059b2e0495fc6a2d891ffd5dea2940582ba88 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 18 Jul 2025 12:21:59 -0700 Subject: [PATCH 254/342] Less snark in the comments MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Wow, I must have been having A Day™ when I wrote this before... --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index 24722a7278..dd6330e567 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2004,8 +2004,8 @@ multipart/byteranges: content: text/plain: schema: - # A suitable "pattern" constraint for this - # header is left as an exercise for the reader + # The `pattern` regular expression that would + # be included in practice is omitted for simplicity type: string ``` From 3a788357457dda3762eb76ae135c3bd93d5014c7 Mon Sep 17 00:00:00 2001 From: Mike Kistler Date: Sun, 20 Jul 2025 11:29:12 -0700 Subject: [PATCH 255/342] Apply suggestions from PR review Co-authored-by: Ralf Handl --- src/schemas/validation/meta.yaml | 2 +- tests/schema/pass/mega.yaml | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/src/schemas/validation/meta.yaml b/src/schemas/validation/meta.yaml index 0b4e44887b..0472fd5b27 100644 --- a/src/schemas/validation/meta.yaml +++ b/src/schemas/validation/meta.yaml @@ -30,7 +30,7 @@ $defs: type: string type: object defaultMapping: - type: object + type: string propertyName: type: string required: diff --git a/tests/schema/pass/mega.yaml b/tests/schema/pass/mega.yaml index e7b218b0e5..8304fbe199 100644 --- a/tests/schema/pass/mega.yaml +++ b/tests/schema/pass/mega.yaml @@ -55,9 +55,7 @@ components: propertyName: type mapping: foo: Foo - defaultMapping: - not: - required: ['type'] + defaultMapping: Bar x-extension: true anyOf: - $ref: "#/components/schemas/Foo" From a514ba3663db8944ef682a246f55305496021573 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Wed, 23 Jul 2025 09:00:54 -0700 Subject: [PATCH 256/342] Fix missing component names Co-authored-by: Ralf Handl --- tests/schema/fail/media-type-enc-item-exclusion.yaml | 9 +++++---- tests/schema/fail/media-type-enc-prefix-exclusion.yaml | 9 +++++---- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/tests/schema/fail/media-type-enc-item-exclusion.yaml b/tests/schema/fail/media-type-enc-item-exclusion.yaml index 012f1f44c8..5bcf06a94d 100644 --- a/tests/schema/fail/media-type-enc-item-exclusion.yaml +++ b/tests/schema/fail/media-type-enc-item-exclusion.yaml @@ -4,7 +4,8 @@ info: version: 1.0.0 components: requestBodies: - content: - multipart/mixed: - encoding: {} - itemEncoding: {} + encoding-with-itemEncoding-not-allowed: + content: + multipart/mixed: + encoding: {} + itemEncoding: {} diff --git a/tests/schema/fail/media-type-enc-prefix-exclusion.yaml b/tests/schema/fail/media-type-enc-prefix-exclusion.yaml index d57c463b9d..2f19064c22 100644 --- a/tests/schema/fail/media-type-enc-prefix-exclusion.yaml +++ b/tests/schema/fail/media-type-enc-prefix-exclusion.yaml @@ -4,7 +4,8 @@ info: version: 1.0.0 components: requestBodies: - content: - multipart/mixed: - encoding: {} - prefixEncoding: {} + encoding-with-prefixEncoding-not-allowed: + content: + multipart/mixed: + encoding: {} + prefixEncoding: [] From f39ddfd4b2b298c94b69b9515dd85193766ed5dd Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Wed, 23 Jul 2025 11:32:27 -0700 Subject: [PATCH 257/342] Fix paragraph order on multipart encoding --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index e5b3752bc5..7c4a5ed1d4 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1792,14 +1792,14 @@ Implementations MAY choose to offer media type sniffing ([[SNIFF]]) as an altern ###### `Content-Transfer-Encoding` and `contentEncoding` -Note also that `Content-Transfer-Encoding` is deprecated for `multipart/form-data` ([RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.7)) where binary data is supported, as it is in HTTP. - Using `contentEncoding` for a multipart field is equivalent to specifying an [Encoding Object](#encoding-object) with a `headers` field containing `Content-Transfer-Encoding` with a schema that requires the value used in `contentEncoding`. If `contentEncoding` is used for a multipart field that has an Encoding Object with a `headers` field containing `Content-Transfer-Encoding` with a schema that disallows the value from `contentEncoding`, the result is undefined for serialization and parsing. Note that as stated in [Working with Binary Data](#working-with-binary-data), if the Encoding Object's `contentType`, whether set explicitly or implicitly through its default value rules, disagrees with the `contentMediaType` in a Schema Object, the `contentMediaType` SHALL be ignored. Because of this, and because the Encoding Object's `contentType` defaulting rules do not take the Schema Object's`contentMediaType` into account, the use of `contentMediaType` with an Encoding Object is NOT RECOMMENDED. +Note also that `Content-Transfer-Encoding` is deprecated for `multipart/form-data` ([RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.7)) where binary data is supported, as it is in HTTP. + See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a detailed examination of percent-encoding concerns for form media types. ###### Example: Basic Multipart Form From 3f57f4957befbaa43f1400975aa7589d6f9d0fe0 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Wed, 23 Jul 2025 18:55:45 -0700 Subject: [PATCH 258/342] Fix spelling Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 10646a8a6b..f0f92d7758 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2528,7 +2528,7 @@ components: The `Set-Cookie` header is noted in [[!RFC9110]] [Section 5.3](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.3) as an exception to the normal rules of headers with multiple values. -For most headers using the general syntax defined in RFC9110, the multiple-line and comma-separaed single-line forms are interchangeable, meaning that this: +For most headers using the general syntax defined in RFC9110, the multiple-line and comma-separated single-line forms are interchangeable, meaning that this: ```http Accept-Encoding: compress;q=0.5 From cb8baa3d7a1c1ea62f12ffbc08529f3b3034d415 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Wed, 23 Jul 2025 19:02:30 -0700 Subject: [PATCH 259/342] Fix examples (review feedback) --- src/oas.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/oas.md b/src/oas.md index f0f92d7758..f3f21d5586 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2559,10 +2559,9 @@ components: content: text/plain: schema: + # Due to lack of support for multiline regular expressions + # in the `pattern` keyword, not much validation can be done. type: string - allOf: - - pattern: "^lang=[^;];.*Expires=" - - pattern: "^foo=[^;];.*Expires=" examples: WithExpires: # This demonstrates that the text is required to be provided @@ -2582,7 +2581,7 @@ components: - foo additionalProperties: type: string - pattern: "^[^[:space:]]$" + pattern: "^[^[:space:]]*$" style: simple explode: true examples: From 2600500b6a095c842977278eab74bb62d8fb999c Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Thu, 24 Jul 2025 09:41:55 -0700 Subject: [PATCH 260/342] maintainable --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 933658604a..02f24b1b6a 100644 --- a/src/oas.md +++ b/src/oas.md @@ -292,7 +292,7 @@ As noted under [Data Type](#data-types), both `type: number` and `type: integer` #### Parsing and Serializing -API data has three forms: +API data has several forms: 1. The serialized form, which is either a document of a particular media type, part of an HTTP header value, or part of a URI. 2. The data form, intended for use with a [Schema Object](#schema-object). From 2359b8d2dc0d0df63e27feb4490502f3cb42120b Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Thu, 24 Jul 2025 09:42:09 -0700 Subject: [PATCH 261/342] More correct from review feedback --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 02f24b1b6a..f686bdf596 100644 --- a/src/oas.md +++ b/src/oas.md @@ -294,7 +294,7 @@ As noted under [Data Type](#data-types), both `type: number` and `type: integer` API data has several forms: -1. The serialized form, which is either a document of a particular media type, part of an HTTP header value, or part of a URI. +1. The serialized form, which is either a document of a particular media type, an HTTP header value, or part of a URI. 2. The data form, intended for use with a [Schema Object](#schema-object). 3. The application form, which incorporates any additional information conveyed by JSON Schema keywords such as `format` and `contentType`, and possibly additional information such as class hierarchies that are beyond the scope of this specification, although they MAY be based on specification elements such as the [Discriminator Object](#discriminator-object) or guidance regarding [Data Modeling Techniques](#data-modeling-techniques). From 2b179ff5aaf31f24c258cffa99c14834a4843299 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Wed, 30 Jul 2025 09:45:04 -0700 Subject: [PATCH 262/342] Fix accidentally removed type --- src/oas.md | 1 + 1 file changed, 1 insertion(+) diff --git a/src/oas.md b/src/oas.md index dd6330e567..97b72af9d9 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2017,6 +2017,7 @@ The nested parts are XML, plain text, and a PNG image. ```yaml multipart/mixed: schema: + type: array prefixItems: - type: array - type: array From f4101ad773b6ec942f25e4967018b2fcb5446659 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 2 Aug 2025 11:54:48 -0700 Subject: [PATCH 263/342] Fix deepObject explode default behavior. The `explode` field defaults to `false` with `style: deepObject`, but the behavior of that combination is undefined in 3.0 and 3.1. For 3.2, define it to behave the same as `style: deepObject, explode: true`, which maintains compatibility (by defining previously undefined behavior rather than changing the defined default value) and produces intuitive results. --- src/oas.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/oas.md b/src/oas.md index eefa9b2253..be668bf0d4 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1152,7 +1152,7 @@ Serializing with `schema` is NOT RECOMMENDED for `in: "cookie"` parameters, `in: | Field Name | Type | Description | | ---- | :----: | ---- | | style | `string` | Describes how the parameter value will be serialized depending on the type of the parameter value. Default values (based on value of `in`): for `"query"` - `"form"`; for `"path"` - `"simple"`; for `"header"` - `"simple"`; for `"cookie"` - `"form"`. | -| explode | `boolean` | When this is true, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters this field has no effect. When [`style`](#parameter-style) is `"form"`, the default value is `true`. For all other styles, the default value is `false`. Note that despite `false` being the default for `deepObject`, the combination of `false` with `deepObject` is undefined. | +| explode | `boolean` | When this is true, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, or when [`style`](#parameter-style) is `"deepObject"`, this field has no effect. When `style` is `"form"`, the default value is `true`. For all other styles, the default value is `false`. | | allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed by the rules of the `in` destination or media type, or are [not allowed in the path by this specification](#path-templating); see Appendices [C](#appendix-c-using-rfc6570-based-serialization) and [E](#appendix-e-percent-encoding-and-form-media-types) for details. The default value is `false`. | | schema | [Schema Object](#schema-object) | The schema defining the type used for the parameter. | @@ -1181,7 +1181,7 @@ In order to support common ways of serializing simple parameters, a set of `styl | form | `primitive`, `array`, `object` | `query`, `cookie` | Form style parameters defined by [RFC6570](https://tools.ietf.org/html/rfc6570#section-3.2.8). This option replaces `collectionFormat` with a `csv` (when `explode` is false) or `multi` (when `explode` is true) value from OpenAPI 2.0. | | spaceDelimited | `array`, `object` | `query` | Space separated array values or object properties and values. This option replaces `collectionFormat` equal to `ssv` from OpenAPI 2.0. | | pipeDelimited | `array`, `object` | `query` | Pipe separated array values or object properties and values. This option replaces `collectionFormat` equal to `pipes` from OpenAPI 2.0. | -| deepObject | `object` | `query` | Allows objects with scalar properties to be represented using form parameters. The representation of array or object properties is not defined. | +| deepObject | `object` | `query` | Allows objects with scalar properties to be represented using form parameters. The representation of array or object properties is not defined (but see [Extending Support for Querystring Formats](#extending-support-for-querystring-formats) for alternatives). | See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a discussion of percent-encoding, including when delimiters need to be percent-encoded and options for handling collisions with percent-encoded data. @@ -1236,7 +1236,7 @@ The following table shows serialized examples, as would be shown with the `seria | spaceDelimited | true | _n/a_ | _n/a_ | _n/a_ | _n/a_ | | pipeDelimited | false | _n/a_ | _n/a_ | color=blue%7Cblack%7Cbrown | color=R%7C100%7CG%7C200%7CB%7C150 | | pipeDelimited | true | _n/a_ | _n/a_ | _n/a_ | _n/a_ | -| deepObject | false | _n/a_ | _n/a_ | _n/a_ | _n/a_ | +| deepObject | false | _n/a_ | _n/a_ | _n/a_ | color%5BR%5D=100&color%5BG%5D=200&color%5BB%5D=150 | | deepObject | true | _n/a_ | _n/a_ | _n/a_ | color%5BR%5D=100&color%5BG%5D=200&color%5BB%5D=150 | ##### Extending Support for Querystring Formats @@ -1961,7 +1961,7 @@ See [Appendix B](#appendix-b-data-type-conversion) for a discussion of data type | Field Name | Type | Description | | ---- | :----: | ---- | | style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameter-object) for details on the [`style`](#parameter-style) field. The behavior follows the same values as `query` parameters, including default values. Note that the initial `?` used in query strings is not used in `application/x-www-form-urlencoded` message bodies, and MUST be removed (if using an RFC6570 implementation) or simply not added (if constructing the string manually). This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | -| explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties this field has no effect. When [`style`](#encoding-style) is `"form"`, the default value is `true`. For all other styles, the default value is `false`. Note that despite `false` being the default for `deepObject`, the combination of `false` with `deepObject` is undefined. This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | +| explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties, or when [`style`](#encoding-style) is `"deepObject"`, this field has no effect. When `style` is `"form"`, the default value is `true`. For all other styles, the default value is `false`. This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | | allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed in the target media type; see Appendices [C](#appendix-c-using-rfc6570-based-serialization) and [E](#appendix-e-percent-encoding-and-form-media-types) for details. The default value is `false`. This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | See also [Appendix C: Using RFC6570 Implementations](#appendix-c-using-rfc6570-based-serialization) for additional guidance, including on difficulties caused by the interaction between RFC6570's percent-encoding rules and the `multipart/form-data` media type. From 533c6d326f8affcf035fc1c47c1bf48d6a90f3fd Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 7 Aug 2025 11:58:11 -0700 Subject: [PATCH 264/342] Consolidate example line --- src/oas.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index be668bf0d4..c67901406a 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1236,8 +1236,7 @@ The following table shows serialized examples, as would be shown with the `seria | spaceDelimited | true | _n/a_ | _n/a_ | _n/a_ | _n/a_ | | pipeDelimited | false | _n/a_ | _n/a_ | color=blue%7Cblack%7Cbrown | color=R%7C100%7CG%7C200%7CB%7C150 | | pipeDelimited | true | _n/a_ | _n/a_ | _n/a_ | _n/a_ | -| deepObject | false | _n/a_ | _n/a_ | _n/a_ | color%5BR%5D=100&color%5BG%5D=200&color%5BB%5D=150 | -| deepObject | true | _n/a_ | _n/a_ | _n/a_ | color%5BR%5D=100&color%5BG%5D=200&color%5BB%5D=150 | +| deepObject | _n/a_ | _n/a_ | _n/a_ | _n/a_ | color%5BR%5D=100&color%5BG%5D=200&color%5BB%5D=150 | ##### Extending Support for Querystring Formats From 0c17528eaff531d756ab478687a2ef8b4f98d1f6 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Tue, 12 Aug 2025 14:39:31 +0200 Subject: [PATCH 265/342] Reusable request bodies need a name --- tests/schema/fail/encoding-enc-item-exclusion.yaml | 13 +++++++------ .../schema/fail/encoding-enc-prefix-exclusion.yaml | 13 +++++++------ 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/tests/schema/fail/encoding-enc-item-exclusion.yaml b/tests/schema/fail/encoding-enc-item-exclusion.yaml index 658f848be9..e0c7e03b8e 100644 --- a/tests/schema/fail/encoding-enc-item-exclusion.yaml +++ b/tests/schema/fail/encoding-enc-item-exclusion.yaml @@ -4,9 +4,10 @@ info: version: 1.0.0 components: requestBodies: - content: - multipart/mixed: - prefixEncoding: - - contentType: multipart/mixed - encoding: {} - prefixEncoding: [] + encoding-with-prefixEncoding-not-allowed: + content: + multipart/mixed: + prefixEncoding: + - contentType: multipart/mixed + encoding: {} + prefixEncoding: [] diff --git a/tests/schema/fail/encoding-enc-prefix-exclusion.yaml b/tests/schema/fail/encoding-enc-prefix-exclusion.yaml index 8f62070d3b..9ed8c09c18 100644 --- a/tests/schema/fail/encoding-enc-prefix-exclusion.yaml +++ b/tests/schema/fail/encoding-enc-prefix-exclusion.yaml @@ -4,9 +4,10 @@ info: version: 1.0.0 components: requestBodies: - content: - multipart/mixed: - prefixEncoding: - - contentType: multipart/mixed - encoding: {} - itemEncoding: [] + encoding-with-itemEncoding-not-allowed: + content: + multipart/mixed: + prefixEncoding: + - contentType: multipart/mixed + encoding: {} + itemEncoding: [] From fb16c2bb3622bb7aeedef93f73c12f87a8f0f0c2 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Tue, 12 Aug 2025 20:53:34 +0200 Subject: [PATCH 266/342] Correct test suite name --- tests/schema/schema.test.mjs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/schema/schema.test.mjs b/tests/schema/schema.test.mjs index e7b84f0a74..8ec9112246 100644 --- a/tests/schema/schema.test.mjs +++ b/tests/schema/schema.test.mjs @@ -13,7 +13,7 @@ await registerOasSchema(); await registerSchema("./src/schemas/validation/schema.yaml"); const fixtures = './tests/schema'; -describe("v3.1", () => { +describe("v3.2", () => { describe("Pass", () => { readdirSync(`${fixtures}/pass`, { withFileTypes: true }) .filter((entry) => entry.isFile() && /\.yaml$/.test(entry.name)) From dd3f299608432c640887dc7a9d791f07351e7215 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Tue, 12 Aug 2025 19:46:47 +0200 Subject: [PATCH 267/342] full keyword and line coverage --- tests/schema/pass/link-object-examples.yaml | 4 ++++ ...ema-object-deprecated-example-keyword.yaml | 18 +++++++++++++++++ .../schema/pass/specification-extensions.yaml | 6 ++++++ tests/schema/schema.test.mjs | 20 ++++++++++++++++++- 4 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 tests/schema/pass/schema-object-deprecated-example-keyword.yaml create mode 100644 tests/schema/pass/specification-extensions.yaml diff --git a/tests/schema/pass/link-object-examples.yaml b/tests/schema/pass/link-object-examples.yaml index 12a1194bf5..9d471f0a03 100644 --- a/tests/schema/pass/link-object-examples.yaml +++ b/tests/schema/pass/link-object-examples.yaml @@ -45,6 +45,10 @@ paths: operationRef: https://na2.gigantic-server.com/#/paths/~12.0~1repositories~1%7Busername%7D/get parameters: username: $response.body#/username + withBody: + operationId: queryUserWithBody + requestBody: + userId: $request.path.id # the path item of the linked operation /users/{userid}/address: parameters: diff --git a/tests/schema/pass/schema-object-deprecated-example-keyword.yaml b/tests/schema/pass/schema-object-deprecated-example-keyword.yaml new file mode 100644 index 0000000000..8a928c5a55 --- /dev/null +++ b/tests/schema/pass/schema-object-deprecated-example-keyword.yaml @@ -0,0 +1,18 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +paths: + /user: + parameters: + - in: query + name: example + schema: + # Allow an arbitrary JSON object to keep + # the example simple + type: object + # DEPRECATED: don't use example keyword inside Schema Object + example: { + "numbers": [1, 2], + "flag": null + } diff --git a/tests/schema/pass/specification-extensions.yaml b/tests/schema/pass/specification-extensions.yaml new file mode 100644 index 0000000000..8148462f83 --- /dev/null +++ b/tests/schema/pass/specification-extensions.yaml @@ -0,0 +1,6 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +paths: {} +x-tensions: specification extensions are prefixed with `x-` \ No newline at end of file diff --git a/tests/schema/schema.test.mjs b/tests/schema/schema.test.mjs index e7b84f0a74..ad42b15e71 100644 --- a/tests/schema/schema.test.mjs +++ b/tests/schema/schema.test.mjs @@ -13,7 +13,25 @@ await registerOasSchema(); await registerSchema("./src/schemas/validation/schema.yaml"); const fixtures = './tests/schema'; -describe("v3.1", () => { +describe("v3.2", () => { + test("schema.yaml schema test", async () => { + // Files in the pass/fail folders get run against schema-base.yaml. + // This instance is instead run against schema.yaml. + const oad = { + openapi: "3.2.0", + info: { + title: "API", + version: "1.0.0" + }, + components: { + schemas: { + foo: {} + } + } + }; + await expect(oad).to.matchJsonSchema("./src/schemas/validation/schema.yaml"); // <-- "schema.yaml" instead of "schema-base.yaml" + }); + describe("Pass", () => { readdirSync(`${fixtures}/pass`, { withFileTypes: true }) .filter((entry) => entry.isFile() && /\.yaml$/.test(entry.name)) From d50527b8491449e2741bb2089ef9aab3ccd7f718 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 2 Aug 2025 15:34:41 -0700 Subject: [PATCH 268/342] New percent-encoding section under Parameter Object --- src/oas.md | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index c67901406a..f9d291efba 100644 --- a/src/oas.md +++ b/src/oas.md @@ -43,6 +43,7 @@ Path templating refers to the usage of template expressions, delimited by curly Each template expression in the path MUST correspond to a path parameter that is included in the [Path Item](#path-item-object) itself and/or in each of the Path Item's [Operations](#operation-object). An exception is if the path item is empty, for example due to ACL constraints, matching path parameters are not required. The value for these path parameters MUST NOT contain any unescaped "generic syntax" characters described by [RFC3986](https://tools.ietf.org/html/rfc3986#section-3): forward slashes (`/`), question marks (`?`), or hashes (`#`). +See [URL Percent-Encoding](#url-percent-encoding) for additional guidance on escaping characters. The path templating is defined by the following [ABNF](https://tools.ietf.org/html/rfc5234) syntax @@ -1183,7 +1184,31 @@ In order to support common ways of serializing simple parameters, a set of `styl | pipeDelimited | `array`, `object` | `query` | Pipe separated array values or object properties and values. This option replaces `collectionFormat` equal to `pipes` from OpenAPI 2.0. | | deepObject | `object` | `query` | Allows objects with scalar properties to be represented using form parameters. The representation of array or object properties is not defined (but see [Extending Support for Querystring Formats](#extending-support-for-querystring-formats) for alternatives). | -See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a discussion of percent-encoding, including when delimiters need to be percent-encoded and options for handling collisions with percent-encoded data. +#### URL Percent-Encoding + +All API URLs MUST successfully parse and percent-decode using [[RFC3986]] rules. + +Content in the `application/x-www-form-urlencoded` format, including query strings produced by [Parameter Objects](#parameter-object) with `in: "query"`, MUST also successfully parse and percent-decode using [[RFC1866]] rules, including treating non-percent-encoded `+` as an escaped space character. + +These requirements are specified in terms of percent-_decoding_ rules, which are consistently tolerant across different versions of the various standards that apply to URIs. + +Percent-_encoding_ is performed in several places: + +* By [[RFC6570]] implementations (or simulations thereof; see [Appendix C](#appendix-c-using-rfc6570-based-serialization)) +* By the Parameter or [Encoding](#encoding-object) Objects when incorporating a value serialized with a [Media Type Object](#media-type-object) for a media type that does not already incorporate URI percent-encoding +* By the user, prior to passing data through RFC6570's reserved expansion process + +When percent-encoding, the safest approach is to percent-encode all characters not in RFC3986's "unreserved" set, and for `form-urlencoded` to also percent-encode the tilde character (`~`) to align with the historical requirements of [[RFC1738]], which is cited by RFC1866. +This approach is used in examples in this specification. + +For `form-urlencoded`, while the encoding algorithm given by RFC1866 requires escaping the space character as `+`, percent-encoding it as `%20` also meets the above requirements. +Examples in this specification will prefer `%20` when using RFC6570's default (non-reserved) form-style expansion, and `+` otherwise. + +Reserved characters MUST NOT be percent-encoded when being used for reserved purposes such as `&=+` for `form-urlencoded` or `,` for delimiting non-exploded array and object values in RFC6570 expansions. +The result of inserting non-percent-encoded delimiters into data using manual percent-encoding, including via RFC6570's reserved expansion rules, is undefined and will likely prevent implementations from parsing the results back into the correct data structures. +In some cases, such as inserting `/` into path parameter values, doing so is [explicitly forbidden](#path-templating) by this specification. + +See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a thorough discussion of percent-encoding options, compatibility, and OAS-defined delimiters that are not allowed by RFC3986, and [Appendix C](#appendix-c-using-rfc6570-based-serialization) for guidance on using RFC6570 implementations. ##### Serialization and Examples From 1264d08564adb868f873edf44cf8a8ac984f56e8 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 2 Aug 2025 12:36:50 -0700 Subject: [PATCH 269/342] Fix guidance for RFC6570 and multipart/form-data Research has determined that percent-encoding was never intended to apply to this media type. --- src/oas.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/src/oas.md b/src/oas.md index f9d291efba..36b7f7829d 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1988,7 +1988,8 @@ See [Appendix B](#appendix-b-data-type-conversion) for a discussion of data type | explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties, or when [`style`](#encoding-style) is `"deepObject"`, this field has no effect. When `style` is `"form"`, the default value is `true`. For all other styles, the default value is `false`. This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | | allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed in the target media type; see Appendices [C](#appendix-c-using-rfc6570-based-serialization) and [E](#appendix-e-percent-encoding-and-form-media-types) for details. The default value is `false`. This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | -See also [Appendix C: Using RFC6570 Implementations](#appendix-c-using-rfc6570-based-serialization) for additional guidance, including on difficulties caused by the interaction between RFC6570's percent-encoding rules and the `multipart/form-data` media type. +When using RFC6570-style serialization for `multipart/form-data`, URI percent-encoding MUST NOT be applied, and the value of `allowReserved` has no effect. +See also [Appendix C: Using RFC6570 Implementations](#appendix-c-using-rfc6570-based-serialization) for additional guidance. Note that the presence of at least one of `style`, `explode`, or `allowReserved` with an explicit value is equivalent to using `schema` with `in: "query"` Parameter Objects. The absence of all three of those fields is the equivalent of using `content`, but with the media type specified in `contentType` rather than through a Media Type Object. @@ -4875,9 +4876,9 @@ Implementations of this specification MAY use an implementation of RFC6570 to pe Note that when using `style: "form"` RFC6570 expansion to produce an `application/x-www-form-urlencoded` HTTP message body, it is necessary to remove the `?` prefix that is produced to satisfy the URI query string syntax. -When using `style` and similar keywords to produce a `multipart/form-data` body, the query string names are placed in the `name` parameter of the `Content-Disposition` part header, and the values are placed in the corresponding part body; the `?`, `=`, and `&` characters are not used. +When using `style` and similar keywords to produce a `multipart/form-data` body, the query string names are placed in the `name` parameter of the `Content-Disposition` part header, and the values are placed in the corresponding part body; the `?`, `=`, and `&` characters are not used, and URI percent encoding is not applied, regardless of the value of `allowReserved`. Note that while [RFC7578](https://datatracker.ietf.org/doc/html/rfc7578) allows using [[RFC3986]] percent-encoding in "file names", it does not otherwise address the use of percent-encoding within the format. -RFC7578 discusses character set and encoding issues for `multipart/form-data` in detail, and it is RECOMMENDED that OpenAPI Description authors read this guidance carefully before deciding to use RFC6570-based serialization with this media type. +Users are expected to provide names and data with any escaping necessary for conformance with RFC7578 already applied. Note also that not all RFC6570 implementations support all four levels of operators, all of which are needed to fully support the OpenAPI Specification's usage. Using an implementation with a lower level of support will require additional manual construction of URI Templates to work around the limitations. @@ -5180,8 +5181,9 @@ This means that while these three characters are reserved-but-allowed in query s [RFC7578](https://datatracker.ietf.org/doc/html/rfc7578#section-2) suggests RFC3986-based percent-encoding as a mechanism to keep text-based per-part header data such as file names within the ASCII character set. This suggestion was not part of older (pre-2015) specifications for `form-data`, so care must be taken to ensure interoperability. +Users wishing to use percent-encoding in this way MUST provide the data in percent-encoded form, as percent-encoding is not automatically applied for this media type regardless of which Encoding Object fields are used. -The `form-data` media type allows arbitrary text or binary data in its parts, so percent-encoding is not needed and is likely to cause interoperability problems unless the `Content-Type` of the part is defined to require it. +The `form-data` media type allows arbitrary text or binary data in its parts, so percent-encoding or similar escaping is not needed in general. ### Generating and Validating URIs and `form-urlencoded` Strings From 0fd14b6d053768077d1ba2bce21ce777b0d80ca5 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 2 Aug 2025 12:16:31 -0700 Subject: [PATCH 270/342] Fix guidance on headers and RFC6570 percent-encoding After much debate and research, we agreed that percent-encoding was never meant to be applied to headers. Exactly how to handle RFC6570 and cookie parameters remains TBD. For now, this preserves (but streamlines) the existing guidance for cookies. --- src/oas.md | 41 ++++++++++++++++++++++------------------- 1 file changed, 22 insertions(+), 19 deletions(-) diff --git a/src/oas.md b/src/oas.md index 36b7f7829d..a95bc47d0e 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1148,7 +1148,10 @@ For simpler scenarios, a [`schema`](#parameter-schema) and [`style`](#parameter- These fields MUST NOT be used with `in: "querystring"`. -Serializing with `schema` is NOT RECOMMENDED for `in: "cookie"` parameters, `in: "header"` parameters that use HTTP header parameters (name=value pairs following a `;`) in their values, or `in: "header"` parameters where values might have non-URL-safe characters; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for details. +When serializing `in: "header"` parameters with `schema`, URI percent-encoding MUST NOT be applied; if using an RFC6570 implementation that automatically applies it, it MUST be removed before use. +Implementations MUST pass header values through unchanged rather than attempting to automatically quote header values, as the quoting rules vary too widely among different headers; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for guidance on quoting and escaping. + +Serializing with `schema` is NOT RECOMMENDED for `in: "cookie"` parameters; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for details. | Field Name | Type | Description | | ---- | :----: | ---- | @@ -1162,7 +1165,7 @@ See also [Appendix C: Using RFC6570-Based Serialization](#appendix-c-using-rfc65 ###### Fixed Fields for use with `content` For more complex scenarios, the [`content`](#parameter-content) field can define the media type and schema of the parameter, as well as give examples of its use. -Using `content` with a `text/plain` media type is RECOMMENDED for `in: "header"` and `in: "cookie"` parameters where the `schema` strategy is not appropriate. +Using `content` with a `text/plain` media type is RECOMMENDED for `in: "cookie"` parameters where the `schema` strategy's percent-encoding and/or delimiter rules are not appropriate. For use with `in: "querystring"` and `application/x-www-form-urlencoded`, see [Encoding the `x-www-form-urlencoded` Media Type](#encoding-the-x-www-form-urlencoded-media-type). @@ -2927,9 +2930,8 @@ This object MAY be extended with [Specification Extensions](#specification-exten For simpler scenarios, a [`schema`](#header-schema) and [`style`](#header-style) can describe the structure and syntax of the header. -Serializing headers with `schema` can be problematic due to the URI percent-encoding that is automatically applied, which would percent-encode characters such as `;` that are used to separate primary header values from their parameters. -The `allowReserved` field can disable most but not all of this behavior. -See [Appendix D](#appendix-d-serializing-headers-and-cookies) for details and further guidance. +When serializing headers with `schema`, URI percent-encoding MUST NOT be applied; if using an RFC6570 implementation that automatically applies it, it MUST be removed before use. +Implementations MUST pass header values through unchanged rather than attempting to automatically quote header values, as the quoting rules vary too widely among different headers; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for guidance on quoting and escaping. | Field Name | Type | Description | | ---- | :----: | ---- | @@ -2943,7 +2945,6 @@ See also [Appendix C: Using RFC6570-Based Serialization](#appendix-c-using-rfc65 ###### Fixed Fields for use with `content` For more complex scenarios, the [`content`](#header-content) field can define the media type and schema of the header, as well as give examples of its use. -Using `content` with a `text/plain` media type is RECOMMENDED for headers where the `schema` strategy is not appropriate. | Field Name | Type | Description | | ---- | :----: | ---- | @@ -5120,28 +5121,30 @@ This will expand to the result: ## Appendix D: Serializing Headers and Cookies -[RFC6570](https://www.rfc-editor.org/rfc/rfc6570)'s percent-encoding behavior is not always appropriate for `in: "header"` and `in: "cookie"` parameters. +HTTP headers have inconsistent rules regarding what characters are allowed, and how some or all disallowed characters can be escaped and included. +While the `quoted-string` ABNF rule given in [[RFC7230]] [Section 3.2.6](https://httpwg.org/specs/rfc7230.html#field.components) is the most common escaping solution, it is not sufficiently universal to apply automatically. +For example, a strong `ETag` looks like `"foo"` (with quotes, regardless of the contents), and a weak `ETag` looks like `W/"foo"` (note that only part of the value is quoted); the contents of the quotes for this header are also not escaped in the way `quoted-string` contents are. + +For this reason, any data being passed to a header by way of a [Parameter](#parameter-object) or [Header](#header-object) Object needs to be quoted and escaped prior to passing it to the OAS implementation, and the parsed header values are expected to contain the quotes and escapes. + +### Percent-Encoding and Cookies + +_**Note:** OAS v3.0.4 and v3.1.1 applied the advice in this section to avoid RFC6570-style serialization to both headers and cookies. +However, further research has indicated that percent-encoding was never intended to apply to headers, so this section has been corrected to apply only to cookies._ + +[RFC6570](https://www.rfc-editor.org/rfc/rfc6570)'s percent-encoding behavior is not always appropriate for `in: "cookie"` parameters. In many cases, it is more appropriate to use `content` with a media type such as `text/plain` and require the application to assemble the correct string. Other media types, such as `application/linkset` (see [Modeling Link Headers](#modeling-link-headers)), are directly suitable for use as `content` for specific headers. In some cases, setting `allowReserved: true` will be sufficient to avoid incorrect encoding, however many characters are still percent-encoded with this field enabled, so care must be taken to ensure no unexpected percent-encoding will take place. -For both [RFC6265](https://www.rfc-editor.org/rfc/rfc6265) cookies and HTTP headers using the [RFC8941](https://www.rfc-editor.org/rfc/rfc8941) structured fields syntax, non-ASCII content is handled using base64 encoding (`contentEncoding: "base64"`). +[RFC6265](https://www.rfc-editor.org/rfc/rfc6265) recommends (but does not strictly required) base64 encoding (`contentEncoding: "base64"`) if "arbitrary data" will be stored in a cookie. Note that the standard base64-encoding alphabet includes non-URL-safe characters that are percent-encoded by RFC6570 expansion; serializing values through both encodings is NOT RECOMMENDED. While `contentEncoding` also supports the `base64url` encoding, which is URL-safe, the header and cookie RFCs do not mention this encoding. -Most HTTP headers predate the structured field syntax, and a comprehensive assessment of their syntax and encoding rules is well beyond the scope of this specification. -While [RFC8187](https://www.rfc-editor.org/rfc/rfc8187) recommends percent-encoding HTTP (header or trailer) field parameters, these parameters appear after a `;` character. -With `style: "simple"`, that delimiter would itself be percent-encoded, violating the general HTTP field syntax. - -Using `style: "form"` with `in: "cookie"` is ambiguous for a single value, and incorrect for multiple values. -This is true whether the multiple values are the result of using `explode: true` or not. - -This style is specified to be equivalent to RFC6570 form expansion which includes the `?` character (see [Appendix C](#appendix-c-using-rfc6570-based-serialization) for more details), which is not part of the cookie syntax. -However, examples of this style in past versions of this specification have not included the `?` prefix, suggesting that the comparison is not exact. -Because implementations that rely on an RFC6570 implementation and those that perform custom serialization based on the style example will produce different results, it is implementation-defined as to which of the two results is correct. +Using `style: "form"` with `in: "cookie"` via an RFC6570 implementation requires stripping the `?` prefix, as when producing `application/x-www-form-urlencoded` message bodies. -For multiple values, `style: "form"` is always incorrect as name=value pairs in cookies are delimited by `;` (a semicolon followed by a space character) rather than `&`. +For multiple values, `style: "form"` is always incorrect, even if no characters are subject to percent-encoding, as name=value pairs in cookies are delimited by a semicolon followed by a space character rather than `&`. ## Appendix E: Percent-Encoding and Form Media Types From 56faefa82f0146bfc7aa0a186b5081f9a7d288c0 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 11 Jul 2025 16:58:05 -0700 Subject: [PATCH 271/342] Fix list formatting (use periods at end) --- src/oas.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/oas.md b/src/oas.md index a95bc47d0e..6602a86d2a 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1244,10 +1244,10 @@ Assume a parameter named `color` has one of the following values, where the valu The following table shows serialized examples, as would be shown with the `serializedValue` field of an Example Object, of the different serializations for each value. -* The value _empty_ denotes the empty string, and is unrelated to the `allowEmptyValue` field -* The behavior of combinations marked _n/a_ is undefined -* The `undefined` column replaces the `empty` column in previous versions of this specification in order to better align with [RFC6570](https://www.rfc-editor.org/rfc/rfc6570.html#section-2.3) terminology, which describes certain values including but not limited to `null` as "undefined" values with special handling; notably, the empty string is _not_ undefined -* For `form` and the non-RFC6570 query string styles `spaceDelimited`, `pipeDelimited`, and `deepObject`, see [Appendix C](#appendix-c-using-rfc6570-based-serialization) for more information on constructing query strings from multiple parameters, and [Appendix D](#appendix-d-serializing-headers-and-cookies) for warnings regarding `form` and cookie parameters +* The value _empty_ denotes the empty string, and is unrelated to the `allowEmptyValue` field. +* The behavior of combinations marked _n/a_ is undefined. +* The `undefined` column replaces the `empty` column in previous versions of this specification in order to better align with [RFC6570](https://www.rfc-editor.org/rfc/rfc6570.html#section-2.3) terminology, which describes certain values including but not limited to `null` as "undefined" values with special handling; notably, the empty string is _not_ undefined. +* For `form` and the non-RFC6570 query string styles `spaceDelimited`, `pipeDelimited`, and `deepObject`, see [Appendix C](#appendix-c-using-rfc6570-based-serialization) for more information on constructing query strings from multiple parameters, and [Appendix D](#appendix-d-serializing-headers-and-cookies) for warnings regarding `form` and cookie parameters. * The examples are percent-encoded as required by RFC6570 and RFC3986; see [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a thorough discussion of percent-encoding concerns, including why unencoded `|` (`%7C`), `[` (`%5B`), and `]` (`%5D`) seem to work in some environments despite not being compliant. | [`style`](#style-values) | `explode` | `undefined` | `string` | `array` | `object` | From f1000524a08ceee859283e633cf4c2aa263cb51a Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 2 Aug 2025 21:12:27 -0700 Subject: [PATCH 272/342] Update examples and appendicies for percent-encoding After adding a new section on percent-encoding guidance, this updates the examples and other supplemental text to match it. --- src/oas.md | 34 ++++++++++++++++++---------------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/src/oas.md b/src/oas.md index 6602a86d2a..b6f7b39f4e 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1157,7 +1157,7 @@ Serializing with `schema` is NOT RECOMMENDED for `in: "cookie"` parameters; see | ---- | :----: | ---- | | style | `string` | Describes how the parameter value will be serialized depending on the type of the parameter value. Default values (based on value of `in`): for `"query"` - `"form"`; for `"path"` - `"simple"`; for `"header"` - `"simple"`; for `"cookie"` - `"form"`. | | explode | `boolean` | When this is true, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, or when [`style`](#parameter-style) is `"deepObject"`, this field has no effect. When `style` is `"form"`, the default value is `true`. For all other styles, the default value is `false`. | -| allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed by the rules of the `in` destination or media type, or are [not allowed in the path by this specification](#path-templating); see Appendices [C](#appendix-c-using-rfc6570-based-serialization) and [E](#appendix-e-percent-encoding-and-form-media-types) for details. The default value is `false`. | +| allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed by the rules of the `in` destination or media type, or are [not allowed in the path by this specification](#path-templating); see [URL Percent-Encoding](#url-percent-encoding) for details. The default value is `false`. | | schema | [Schema Object](#schema-object) | The schema defining the type used for the parameter. | See also [Appendix C: Using RFC6570-Based Serialization](#appendix-c-using-rfc6570-based-serialization) for additional guidance. @@ -1187,7 +1187,7 @@ In order to support common ways of serializing simple parameters, a set of `styl | pipeDelimited | `array`, `object` | `query` | Pipe separated array values or object properties and values. This option replaces `collectionFormat` equal to `pipes` from OpenAPI 2.0. | | deepObject | `object` | `query` | Allows objects with scalar properties to be represented using form parameters. The representation of array or object properties is not defined (but see [Extending Support for Querystring Formats](#extending-support-for-querystring-formats) for alternatives). | -#### URL Percent-Encoding +##### URL Percent-Encoding All API URLs MUST successfully parse and percent-decode using [[RFC3986]] rules. @@ -1248,7 +1248,7 @@ The following table shows serialized examples, as would be shown with the `seria * The behavior of combinations marked _n/a_ is undefined. * The `undefined` column replaces the `empty` column in previous versions of this specification in order to better align with [RFC6570](https://www.rfc-editor.org/rfc/rfc6570.html#section-2.3) terminology, which describes certain values including but not limited to `null` as "undefined" values with special handling; notably, the empty string is _not_ undefined. * For `form` and the non-RFC6570 query string styles `spaceDelimited`, `pipeDelimited`, and `deepObject`, see [Appendix C](#appendix-c-using-rfc6570-based-serialization) for more information on constructing query strings from multiple parameters, and [Appendix D](#appendix-d-serializing-headers-and-cookies) for warnings regarding `form` and cookie parameters. -* The examples are percent-encoded as required by RFC6570 and RFC3986; see [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a thorough discussion of percent-encoding concerns, including why unencoded `|` (`%7C`), `[` (`%5B`), and `]` (`%5D`) seem to work in some environments despite not being compliant. +* The examples are percent-encoded as explained in the [URL Percent-Encoding](#url-percent-encoding) section above; see [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a thorough discussion of percent-encoding concerns, including why unencoded `|` (`%7C`), `[` (`%5B`), and `]` (`%5D`) seem to work in some environments despite not being compliant. | [`style`](#style-values) | `explode` | `undefined` | `string` | `array` | `object` | | ---- | ---- | ---- | ---- | ---- | ---- | @@ -1989,7 +1989,7 @@ See [Appendix B](#appendix-b-data-type-conversion) for a discussion of data type | ---- | :----: | ---- | | style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameter-object) for details on the [`style`](#parameter-style) field. The behavior follows the same values as `query` parameters, including default values. Note that the initial `?` used in query strings is not used in `application/x-www-form-urlencoded` message bodies, and MUST be removed (if using an RFC6570 implementation) or simply not added (if constructing the string manually). This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | | explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties, or when [`style`](#encoding-style) is `"deepObject"`, this field has no effect. When `style` is `"form"`, the default value is `true`. For all other styles, the default value is `false`. This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | -| allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed in the target media type; see Appendices [C](#appendix-c-using-rfc6570-based-serialization) and [E](#appendix-e-percent-encoding-and-form-media-types) for details. The default value is `false`. This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | +| allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed in the target media type; see [URL Percent-Encoding](#url-percent-encoding) for details. The default value is `false`. This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | When using RFC6570-style serialization for `multipart/form-data`, URI percent-encoding MUST NOT be applied, and the value of `allowReserved` has no effect. See also [Appendix C: Using RFC6570 Implementations](#appendix-c-using-rfc6570-based-serialization) for additional guidance. @@ -2040,10 +2040,10 @@ With this example, consider an `id` of `f81d4fae-7dec-11d0-a765-00a0c91e6bf6` an } ``` -Assuming the most compact representation of the JSON value (with unnecessary whitespace removed), we would expect to see the following request body, where space characters have been replaced with `+` and `+`, `"`, `{`, and `}` have been percent-encoded to `%2B`, `%22`, `%7B`, and `%7D`, respectively: +Assuming the most compact representation of the JSON value (with unnecessary whitespace removed), we would expect to see the following request body, where space characters have been replaced with `+` and `+`, `"`, `:`, `,`, `{`, and `}` have been percent-encoded to `%2B`, `%22`, `%3A`, `%2C`, `%7B`, and `%7D`, respectively: ```uri -id=f81d4fae-7dec-11d0-a765-00a0c91e6bf6&address=%7B%22streetAddress%22:%22123+Example+Dr.%22,%22city%22:%22Somewhere%22,%22state%22:%22CA%22,%22zip%22:%2299999%2B1234%22%7D +id=f81d4fae-7dec-11d0-a765-00a0c91e6bf6&address=%7B%22streetAddress%22%3A%22123+Example+Dr.%22%2C%22city%22%3A%22Somewhere%22%2C%22state%22%3A%22CA%22%2C%22zip%22%3A%2299999%2B1234%22%7D ``` Note that the `id` keyword is treated as `text/plain` per the [Encoding Object](#encoding-object)'s default behavior, and is serialized as-is. @@ -3107,7 +3107,7 @@ X-Rate-Limit-Limit: type: integer ``` -Requiring that a strong `ETag` header (with a value starting with `"` rather than `W/`) is present. Note the use of `content`, because using `schema` and `style` would require the `"` to be percent-encoded as `%22`: +Requiring that a strong `ETag` header (with a value starting with `"` rather than `W/`) is present. ```yaml ETag: @@ -5029,8 +5029,10 @@ Since the `.` usage is not automatic, we'll need to construct an appropriate inp We'll also need to pre-process the values for `formulas` because while `/` and most other reserved characters are allowed in the query string by RFC3986, `[`, `]`, and `#` [are not](https://datatracker.ietf.org/doc/html/rfc3986#appendix-A), and `&`, `=`, and `+` all have [special behavior](https://www.rfc-editor.org/rfc/rfc1866#section-8.2.1) in the `application/x-www-form-urlencoded` format, which is what we are using in the query string. -Setting `allowReserved: true` does _not_ make reserved characters that are not allowed in URIs allowed, it just allows them to be _passed through expansion unchanged._ -Therefore, any tooling still needs to percent-encode those characters because reserved expansion will not do it, but it _will_ leave the percent-encoded triples unchanged. +Setting `allowReserved: true` does _not_ make reserved characters that are not allowed in URIs allowed, it just allows them to be _passed through expansion unchanged_, for example because some other specification has defined a particular meaning for them. + +Therefore, users still need to percent-encode any reserved characters that are _not_ being passed through due to a special meaning because reserved expansion does not know which reserved characters are being used, and which should still be percent-encoded. +However, reserved expansion, unlike regular expansion, _will_ leave the pre-percent-encoded triples unchanged. See also [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for further guidance on percent-encoding and form media types, including guidance on handling the delimiter characters for `spaceDelimited`, `pipeDelimited`, and `deepObject` in parameter names and values. So here is our data structure that arranges the names and values to suit the template above, where values for `formulas` have `[]#&=+` pre-percent encoded (although only `+` appears in this example): @@ -5192,7 +5194,7 @@ The `form-data` media type allows arbitrary text or binary data in its parts, so URI percent encoding and the `form-urlencoded` media type have complex specification histories spanning multiple revisions and, in some cases, conflicting claims of ownership by different standards bodies. Unfortunately, these specifications each define slightly different percent-encoding rules, which need to be taken into account if the URIs or `form-urlencoded` message bodies will be subject to strict validation. -(Note that many URI parsers do not perform validation by default.) +(Note that many URI parsers do not perform validation by default, if at all.) This specification normatively cites the following relevant standards: @@ -5202,13 +5204,11 @@ This specification normatively cites the following relevant standards: | [RFC6570](https://www.rfc-editor.org/rfc/rfc6570) | 03/2012 | style-based serialization | [[RFC3986]] | does not use `+` for form‑urlencoded | | [RFC1866](https://datatracker.ietf.org/doc/html/rfc1866#section-8.2.1) | 11/1995 | content-based serialization | [[RFC1738]] | obsoleted by [[HTML401]] [Section 17.13.4.1](https://www.w3.org/TR/html401/interact/forms.html#h-17.13.4.1), [[URL]] [Section 5](https://url.spec.whatwg.org/#urlencoded-serializing) | -Style-based serialization is used in the [Parameter Object](#parameter-object) when `schema` is present, and in the [Encoding Object](#encoding-object) when at least one of `style`, `explode`, or `allowReserved` is present. +Style-based serialization with percent-encoding is used in the [Parameter Object](#parameter-object) when `schema` is present, and in the [Encoding Object](#encoding-object) when at least one of `style`, `explode`, or `allowReserved` is present. See [Appendix C](#appendix-c-using-rfc6570-based-serialization) for more details of RFC6570's two different approaches to percent-encoding, including an example involving `+`. Content-based serialization is defined by the [Media Type Object](#media-type-object), and used with the [Parameter Object](#parameter-object) and [Header Object](#header-object) when the `content` field is present, and with the [Encoding Object](#encoding-object) based on the `contentType` field when the fields `style`, `explode`, and `allowReserved` are absent. -Each part is encoded based on the media type (e.g. `text/plain` or `application/json`), and must then be percent-encoded for use in a `form-urlencoded` string. - -Note that content-based serialization for `form-data` does not expect or require percent-encoding in the data, only in per-part header values. +Each part is encoded based on the media type (e.g. `text/plain` or `application/json`), and must then be percent-encoded for use in a `form-urlencoded` string unless the media type already incorporates URI percent-encoding. #### Interoperability with Historical Specifications @@ -5238,9 +5238,11 @@ The `[`, `]`, `|`, and space characters, which are used as delimiters for the `d This requires users to pre-encode the character(s) in some other way in parameter names and values to distinguish them from the delimiter usage when using one of these styles. The space character is always illegal and encoded in some way by all implementations of all versions of the relevant standards. -While one could use the `form-urlencoded` convention of `+` to distinguish spaces in parameter names and values from `spaceDelimited` delimiters encoded as `%20`, the specifications define the decoding as a single pass, making it impossible to distinguish the different usages in the decoded result. +While one could use the `form-urlencoded` convention of `+` to distinguish spaces in parameter names and values from `spaceDelimited` delimiters encoded as `%20`, the specifications define the decoding as a single pass, making it impossible to distinguish the different usages in the decoded result unless a non-standard parsing algorithm is used that separates based on one delimiter before decoding the other. +Any such non-standard parsing approach will not be interoperable across all tools. -Some environments use `[`, `]`, and possibly `|` unencoded in query strings without apparent difficulties, and WHATWG's generic query string rules do not require percent-encoding them. +Some environments use `[`, `]`, and possibly `|` unencoded in query strings without apparent difficulties. +WHATWG's generic query string rules do not require percent-encoding them in non-`form-urlencoded` query strings, although it also excludes them from the set of valid URL Unicode code points. Code that relies on leaving these delimiters unencoded, while using regular percent-encoding for them within names and values, is not guaranteed to be interoperable across all implementations. For maximum interoperability, it is RECOMMENDED to either define and document an additional escape convention while percent-encoding the delimiters for these styles, or to avoid these styles entirely. From e295dcfce37ede9964b6db646a9fd214abed2c36 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Wed, 13 Aug 2025 11:08:46 -0700 Subject: [PATCH 273/342] Remove duplicate field in YAML example --- src/oas.md | 1 - 1 file changed, 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index c67901406a..4706e50d27 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1285,7 +1285,6 @@ examples: Diṅnāga: dataValue: diṅnāga serializedValue: di%E1%B9%85n%C4%81ga -examples: Al-Khwarizmi: dataValue: "الخوارزميّ" serializedValue: "%D8%A7%D9%84%D8%AE%D9%88%D8%A7%D8%B1%D8%B2%D9%85%D9%8A%D9%91" From 7338e16b3b9bf5679e199d87be315b678be8d730 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 14 Aug 2025 09:15:44 -0700 Subject: [PATCH 274/342] Fix missed update to example from ported changes --- src/oas.md | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/src/oas.md b/src/oas.md index b6f7b39f4e..71c19a0e14 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3112,15 +3112,13 @@ Requiring that a strong `ETag` header (with a value starting with `"` rather tha ```yaml ETag: required: true - content: - text/plain: - schema: - type: string - # Note that quotation markes are part of the - # ETag value, unlike many other headers that - # use a quoted string purely for managing - # reserved characters. - pattern: ^" + schema: + type: string + # Note that quotation markes are part of the + # ETag value, unlike many other headers that + # use a quoted string purely for managing + # reserved characters. + pattern: ^" example: '"xyzzy"' ``` From 912a96e1b931c478c159e893d3baf169504a3984 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Sun, 17 Aug 2025 15:17:42 +0200 Subject: [PATCH 275/342] Convention is to use lowercase because some tools are picky and get confused by mixed/upper case --- src/oas.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/oas.md b/src/oas.md index ae563b2add..878c97e847 100644 --- a/src/oas.md +++ b/src/oas.md @@ -270,7 +270,7 @@ Unless specified otherwise, relative references are resolved using the URLs defi Assume a retrieval URI of `https://device1.example.com` for the following OpenAPI Document: -```YAML +```yaml openapi: 3.2.0 $self: https://apidescriptions.example.com/foo info: @@ -5353,7 +5353,7 @@ For OpenAPI Documents, this source is the OpenAPI Object's `$self` field, while Assume the retrieval URI of the following document is `file://home/someone/src/api/openapi.yaml`: -```YAML +```yaml openapi: 3.2.0 $self: https://example.com/api/openapi info: @@ -5368,7 +5368,7 @@ paths: Assume the retrieval URI for the following document is `https://git.example.com/shared/blob/main/shared/foo.yaml`: -```YAML +```yaml openapi: 3.2.0 $self: https://example.com/api/shared/foo info: @@ -5416,7 +5416,7 @@ Note that this is purely an example, and support for such multipart documents or RFC2557 was written to allow sending hyperlinked sets of documents as email attachments, in which case there would not be a retrieval URI for the multipart attachment (although the format could also be used in HTTP as well). -```MULTIPART +```multipart --boundary-example Content-Type: application/openapi+yaml Content-Location: https://example.com/api/openapi.yaml @@ -5473,7 +5473,7 @@ If no base URI is provided from either of the previous sources, the next source Assume this document was retrieved from `https://example.com/api/openapis.yaml`: -```YAML +```yaml openapi: 3.2.0 info: title: Example API @@ -5489,7 +5489,7 @@ components: Assume this document was retrieved from `https://example.com/api/schemas/foo`: -```JSON +```json { "type": "object", "properties": { @@ -5514,7 +5514,7 @@ Let's re-consider the first example in this appendix, but with relative URI-refe Assume that the following is retrieved from `https://staging.example.com/api/openapi`: -```YAML +```yaml openapi: 3.2.0 $self: /api/openapi info: @@ -5529,7 +5529,7 @@ paths: Assume the retrieval URI for the following document is `https://staging.example.com/api/shared/foo`: -```YAML +```yaml openapi: 3.2.0 $self: /api/shared/foo info: From 2dadb57fb7574571ed4b45a4a4f372844bd1055a Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Sat, 16 Aug 2025 17:46:26 +0200 Subject: [PATCH 276/342] Typos and editorial changes Henry's remarks Update src/oas.md Better explanation for custom anchor Co-Authored-By: Lorna Jane Mitchell --- src/oas.md | 150 ++++++++++++++++++++++++++--------------------------- 1 file changed, 75 insertions(+), 75 deletions(-) diff --git a/src/oas.md b/src/oas.md index ae563b2add..5f241cffdc 100644 --- a/src/oas.md +++ b/src/oas.md @@ -240,9 +240,9 @@ Unless specified otherwise, all fields that are URIs MAY be relative references ##### Establishing the Base URI -Relative URI references are resolved using the appropriate base URI, which MUST be determined in accordance with [[RFC3986]] [Section 5.1.1 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.1) and, for Schema objects, [JSON Schema draft 2020-12 Section 8.2](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-8.2), as illustrated by the examles in [Appendix G: Examples of Base URI Determination and Reference Resolution](#appendix-g-examples-of-base-uri-determination-and-reference-resolution). +Relative URI references are resolved using the appropriate base URI, which MUST be determined in accordance with [[RFC3986]] [Section 5.1.1 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.1) and, for Schema objects, [JSON Schema draft 2020-12 Section 8.2](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-8.2), as illustrated by the examples in [Appendix G: Examples of Base URI Determination and Reference Resolution](#appendix-g-examples-of-base-uri-determination-and-reference-resolution). -If `$self` is a relative URI-reference, it is resolved agains the next possible base URI source ([[RFC3986]] [Section 5.1.2 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.2)) before being used for the resolution of other relative URI-references. +If `$self` is a relative URI-reference, it is resolved against the next possible base URI source ([[RFC3986]] [Section 5.1.2 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.2)) before being used for the resolution of other relative URI-references. The most common base URI source that is used in the event of a missing or relative `$self` (in the [OpenAPI Object](#openapi-object)) and (for [Schema Object](#schema-object)) `$id` is the retrieval URI. Implementations MAY support document retrieval, although see the [Security Considerations](#security-considerations) sections for additional guidance. @@ -263,8 +263,8 @@ API endpoints are by definition accessed as locations, and are described by this Unless specified otherwise, all fields that are URLs MAY be relative references as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-4.2). -Because the API Is a distinct entity from the OpenAPI Document, RFC3986's base URI rules for the OpenAPI Document do not apply. -Unless specified otherwise, relative references are resolved using the URLs defined in the [Server Object](#server-object) as a Base URL. Note that these themselves MAY be relative to the referring document. +Because the API is a distinct entity from the OpenAPI Document, RFC3986's base URI rules for the OpenAPI Document do not apply. +Unless specified otherwise, relative references are resolved using the URLs defined in the [Server Object](#server-object) as a base URL. Note that these themselves MAY be relative to the referring document. ##### Examples of API Base URL Determination @@ -530,7 +530,7 @@ However, `multipart` media types can mix binary and text-based data, leaving imp 1. Use a placeholder value, on the assumption that no assertions will apply to the binary data and no conditional schema keywords will cause the schema to treat the placeholder value differently (e.g. a part that could be either plain text or binary might behave unexpectedly if a string is used as a binary placeholder, as it would likely be treated as plain text and subject to different subschemas and keywords). 2. Inspect the schema(s) to find the appropriate keywords (`properties`, `prefixItems`, etc.) in order to break up the subschemas and apply them separately to binary and JSON-compatible data. -###### Migrating binary descriptions from OAS 3.0 +###### Migrating Binary Descriptions from OAS 3.0 The following table shows how to migrate from OAS 3.0 binary data descriptions, continuing to use `image/png` as the example binary media type: @@ -720,7 +720,7 @@ servers: - '443' default: '8443' basePath: - # open meaning there is the opportunity to use special base paths as assigned by the provider, default is `v2` + # open meaning there is the opportunity to use special base paths as assigned by the provider, default is "v2" default: v2 ``` @@ -883,7 +883,7 @@ The path is appended to the URL from the [Server Object](#server-object) in orde | Field Pattern | Type | Description | | ---- | :----: | ---- | -| /{path} | [Path Item Object](#path-item-object) | A relative path to an individual endpoint. The field name MUST begin with a forward slash (`/`). The path is **appended** (no relative URL resolution) to the resolved and template variable-substituted URL from the [Server Object](#server-object)'s `url` field in order to construct the full URL. [Path templating](#path-templating) is allowed. When matching URLs, concrete (non-templated) paths would be matched before their templated counterparts. Templated paths with the same hierarchy but different templated names MUST NOT exist as they are identical. In case of ambiguous matching, it's up to the tooling to decide which one to use. | +| /{path} | [Path Item Object](#path-item-object) | A relative path to an individual endpoint. The field name MUST begin with a forward slash (`/`). The URL from the [Server Object](#server-object)'s `url` field, resolved and with template variables substituted, has the path **appended** (no relative URL resolution) to it in order to construct the full URL. [Path templating](#path-templating) is allowed. When matching URLs, concrete (non-templated) paths would be matched before their templated counterparts. Templated paths with the same hierarchy but different templated names MUST NOT exist as they are identical. In case of ambiguous matching, it's up to the tooling to decide which one to use. | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -948,8 +948,8 @@ The path itself is still exposed to the documentation viewer but they will not k | head | [Operation Object](#operation-object) | A definition of a HEAD operation on this path. | | patch | [Operation Object](#operation-object) | A definition of a PATCH operation on this path. | | trace | [Operation Object](#operation-object) | A definition of a TRACE operation on this path. | -| query | [Operation Object](#operation-object) | A definition of a QUERY operation, as defined in the most recent IETF draft ([draft-ietf-httpbis-safe-method-w-body-08](https://www.ietf.org/archive/id/draft-ietf-httpbis-safe-method-w-body-08.html) as of this writing) or its RFC successor, on this path. | -| additionalOperations | Map[`string`, [Operation Object](#operation-object)] | A map of additional operations on this path. The map key is the HTTP method with the same capitalization that is to be sent in the request. This map MUST NOT contain any entry for the methods that can be defined by other Operation Object fields (e.g. no `POST` entry, as the Operation Object field `post` is used for this method). | +| query | [Operation Object](#operation-object) | A definition of a QUERY operation, as defined in the most recent IETF draft ([draft-ietf-httpbis-safe-method-w-body-08](https://www.ietf.org/archive/id/draft-ietf-httpbis-safe-method-w-body-11.html) as of this writing) or its RFC successor, on this path. | +| additionalOperations | Map[`string`, [Operation Object](#operation-object)] | A map of additional operations on this path. The map key is the HTTP method with the same capitalization that is to be sent in the request. This map MUST NOT contain any entry for the methods that can be defined by other fixed fields with Operation Object values (e.g. no `POST` entry, as the `post` field is used for this method). | | servers | [[Server Object](#server-object)] | An alternative `servers` array to service all operations in this path. If a `servers` array is specified at the [OpenAPI Object](#oas-servers) level, it will be overridden by this value. | | parameters | [[Parameter Object](#parameter-object) \| [Reference Object](#reference-object)] | A list of parameters that are applicable for all the operations described under this path. These parameters can be overridden at the operation level, but cannot be removed there. The list MUST NOT include duplicated parameters. A unique parameter is defined by a combination of a [name](#parameter-name) and [location](#parameter-in). The list can use the [Reference Object](#reference-object) to link to parameters that are defined in the [OpenAPI Object's `components.parameters`](#components-parameters). | @@ -1561,12 +1561,12 @@ See also the [Media Type Registry](#media-type-registry). The `schema` field MUST be applied to the complete content, as defined by the media type and the context ([Request Body Object](#request-body-object), [Response Object](#response-object), [Parameter Object](#parameter-object), or [Header Object](#header-object). Because this requires loading the content into memory in its entirety, it poses a challenge for streamed content. -Use cases where client is intended to choose when to stop reading are particularly challenging as there is no well-defined end to the stream. +Use cases where clients are intended to choose when to stop reading are particularly challenging as there is no well-defined end to the stream. ###### Binary Streams The `maxLength` keyword MAY be used to set an expected upper bound on the length of a streaming payload that consists of either string data, including encoded binary data, or unencoded binary data. -For unencoded binary, the length is the number of octets. +For unencoded binary data, the length is the number of octets. For this use case, `maxLength` MAY be implemented outside of regular JSON Schema evaluation as JSON Schema does not directly apply to binary data, and an encoded binary stream may be impractical to store in memory in its entirety. ###### Streaming Sequential Media Types @@ -1578,6 +1578,8 @@ Unlike `schema`, which is applied to the complete content (treated as an array a Both `schema` and `itemSchema` MAY be used in the same Media Type Object. However, doing so is unlikely to have significant advantages over using the `items` keyword within the `schema` field. + + ##### Special Considerations for `text/event-stream` Content For `text/event-stream`, implementations MUST work with event data after it has been parsed according to the [`text/event-stream` specification](https://html.spec.whatwg.org/multipage/server-sent-events.html#parsing-an-event-stream), including all guidance on ignoring certain fields (including comments) and/or values, and on combining values split across multiple lines. @@ -1653,7 +1655,7 @@ For form-related and `multipart` media type examples, see the [Encoding Object]( ###### JSON -Note that since this example is written in YAML, the Example Object `value` field can be formatted as YAML due to the trivial conversion to JSON. +Note that since this example is written in YAML, the Example Object's `value` field can be formatted as YAML due to the trivial conversion to JSON. This avoids needing to embed JSON as a string. ```yaml @@ -1821,7 +1823,7 @@ Our `application/json-seq` example has to be an external document because of the ###### Server-Sent Event Streams -For this example, assume that the generic event schema provided in the "Special Considerations for `text/event-stream` Content" section is available at `#/components/schemas/Event`: +For this example, assume that the generic event schema provided in the [Special Considerations for `text/event-stream` Content](#considerations-event-stream) section is available at `#/components/schemas/Event`: ```yaml description: A request body to add a stream of typed data. @@ -1840,7 +1842,7 @@ content: const: addInt64 data: $comment: | - Since the data field is a string, + Since the `data` field is a string, we need a format to signal that it should be handled as a 64-bit integer. format: int64 @@ -1853,7 +1855,7 @@ content: that the string value should be parsed and validated as a JSON document (since JSON is not - a binary format, contentEncoding + a binary format, `contentEncoding` is not needed) contentMediaType: application/json contentSchema: @@ -2068,8 +2070,8 @@ requestBody: name: type: string icon: - # The default content type with "contentEncoding" present - # is application/octet-stream, so we need to set the correct + # The default content type with `contentEncoding` present + # is `application/octet-stream`, so we need to set the correct # image media type(s) in the Encoding Object. type: string contentEncoding: base64url @@ -2197,7 +2199,7 @@ requestBody: multipart/form-data: schema: properties: - # The property name 'file' will be used for all files. + # The property name `file` will be used for all files. file: type: array items: {} @@ -2786,7 +2788,7 @@ paths: # the target link operationId operationId: getUserAddress parameters: - # get the `id` field from the request path parameter named `id` + # get the `id` field from the request path parameter named "id" userid: $request.path.id # the path item of the linked operation /users/{userid}/address: @@ -3113,7 +3115,7 @@ ETag: required: true schema: type: string - # Note that quotation markes are part of the + # Note that quotation marks are part of the # ETag value, unlike many other headers that # use a quoted string purely for managing # reserved characters. @@ -3241,7 +3243,7 @@ JSON Schema Draft 2020-12 supports [collecting annotations](https://www.ietf.org OAS implementations MAY use such annotations, including [extensions](https://spec.openapis.org/registry/extension/) not recognized as part of a declared JSON Schema vocabulary, as the basis for further validation. Note that JSON Schema Draft 2020-12 does not require an `x-` prefix for extensions. -###### Non-validating constraint keywords +###### Non-Validating Constraint Keywords The [`format` keyword (when using default format-annotation vocabulary)](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-7.2.1) and the [`contentMediaType`, `contentEncoding`, and `contentSchema` keywords](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-8.2) define constraints on the data, but are treated as annotations instead of being validated directly. Extended validation is one way that these constraints MAY be enforced. @@ -3287,7 +3289,7 @@ Implementations SHOULD support defining generic or template data structures usin * `$dynamicAnchor` identifies a set of possible schemas (including a default placeholder schema) to which a `$dynamicRef` can resolve * `$dynamicRef` resolves to the first matching `$dynamicAnchor` encountered on its path from the schema entry point to the reference, as described in the JSON Schema specification -An example is included in the "Schema Object Examples" section below, and further information can be found on the Learn OpenAPI site's ["Dynamic References"](https://learn.openapis.org/referencing/dynamic.html) page. +An example is included in the [Schema Object Examples](#schema-object-examples) section below, and further information can be found on the Learn OpenAPI site's ["Dynamic References"](https://learn.openapis.org/referencing/dynamic.html) page. ###### Annotated Enumerations @@ -3518,7 +3520,7 @@ components: - packSize ``` -###### Models with Polymorphism Support using allOf and a Discriminator Object +###### Models with Polymorphism Support using `allOf` and a Discriminator Object It is also possible to describe polymorphic models using `allOf`. The following example uses `allOf` with a [Discriminator Object](#discriminator-object) to describe a polymorphic `Pet` model. @@ -3664,7 +3666,7 @@ To ensure that an ambiguous value (e.g. `"foo"`) is treated as a relative URI re Mapping keys MUST be string values, but tooling MAY convert response values to strings for comparison. However, the exact nature of such conversions are implementation-defined. -##### Optional discriminating property +##### Optional Discriminating Property When the discriminating property is defined as optional, the [Discriminator Object](#discriminator-object) MUST include a `defaultMapping` field that specifies a schema that is expected to validate the structure of the model when the discriminating property is not present in the payload or contains a value for which there is no explicit or implicit mapping. This allows the schema to still be validated correctly even if the discriminating property is missing. @@ -3886,8 +3888,8 @@ Note that placing two `text` nodes adjacent to each other is ambiguous for parsi The `element` and `attribute` node types require a name, which MUST be inferred from the schema as follows, unless overridden by the `name` field: * For schemas directly under the [Components Object's](#components-object) `schemas` field, the component name is the inferred name. -* For property schemas, and for array item schemas under a property schema, the property name is the inferred name -* In all other cases, such as an inline schema under a [Media Type Object's](#media-type-object) `schema` field, no name can be inferred and an XML Object with a `name` field MUST be present +* For property schemas, and for array item schemas under a property schema, the property name is the inferred name. +* In all other cases, such as an inline schema under a [Media Type Object's](#media-type-object) `schema` field, no name can be inferred and an XML Object with a `name` field MUST be present. Note that when using arrays, singular vs plural forms are _not_ inferred, and must be set explicitly. @@ -3906,7 +3908,7 @@ However, implementations SHOULD handle `null` values as follows: * For elements, produce an empty element with an `xsi:nil="true"` attribute. * For attributes, omit the attribute. -* For text and CDATA sections, see [Appendix B](#appendix-b-data-type-conversion) for a discussion of serializing non-text values to text +* For text and CDATA sections, see [Appendix B](#appendix-b-data-type-conversion) for a discussion of serializing non-text values to text. Note that for attributes, this makes either a `null` value or a missing property serialize to an omitted attribute. As the Schema Object validates the in-memory representation, this allows handling the combination of `null` and a required property. @@ -4040,7 +4042,7 @@ Where `./examples/Person.xml` would be: ```xml - example + example ``` @@ -4382,10 +4384,7 @@ components: nodeType: cdata ``` -where `./examples/content.json` would be: - - -`./examples/stored.xml` would be: +where `./examples/stored.xml` would be: ```xml @@ -4507,47 +4506,47 @@ This example does not define properties for `"related"` as it is showing how empty objects and `null` are handled. ```yaml -appliaction/xml: -schema: - xml: - name: product - type: object - required: - - count - - description - - related - properties: - count: - type: - - number - - "null" - xml: - nodeType: attribute - rating: - type: string - xml: - nodeType: attribute - description: - type: string - related: - type: - - object - - "null" -examples: - productWithNulls: - dataValue: { - "count": null, - "description": "Thing", - "related": null - } - externalValue: ./examples/productWithNulls.xml - productNoNulls: - dataValue: { - "count": 42, - "description: "Thing" - "related": {} - } - externalValue: ./examples/productNoNulls.xml +application/xml: + schema: + xml: + name: product + type: object + required: + - count + - description + - related + properties: + count: + type: + - number + - "null" + xml: + nodeType: attribute + rating: + type: string + xml: + nodeType: attribute + description: + type: string + related: + type: + - object + - "null" + examples: + productWithNulls: + dataValue: { + "count": null, + "description": "Thing", + "related": null + } + externalValue: ./examples/productWithNulls.xml + productNoNulls: + dataValue: { + "count": 42, + "description: "Thing" + "related": {} + } + externalValue: ./examples/productNoNulls.xml ``` Where `./examples/productWithNulls.xml` would be: @@ -4587,7 +4586,7 @@ Please note that as of 2020, the implicit flow is about to be deprecated by [OAu | bearerFormat | `string` | `http` (`"bearer"`) | A hint to the client to identify how the bearer token is formatted. Bearer tokens are usually generated by an authorization server, so this information is primarily for documentation purposes. | | flows | [OAuth Flows Object](#oauth-flows-object) | `oauth2` | **REQUIRED**. An object containing configuration information for the flow types supported. | | openIdConnectUrl | `string` | `openIdConnect` | **REQUIRED**. [Well-known URL](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig) to discover the [[OpenID-Connect-Discovery]] [provider metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). | -| oauth2MetadataUrl | `string` | `oauth2` | URL to the oauth2 authorization server metadata [RFC8414](https://datatracker.ietf.org/doc/html/rfc8414). TLS is required. | +| oauth2MetadataUrl | `string` | `oauth2` | URL to the OAuth2 authorization server metadata [RFC8414](https://datatracker.ietf.org/doc/html/rfc8414). TLS is required. | | deprecated | `boolean` | Any | Declares this security scheme to be deprecated. Consumers SHOULD refrain from usage of the declared scheme. Default value is `false`. | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -4814,6 +4813,7 @@ Certain fields allow the use of Markdown which can contain HTML including script | Version | Date | Notes | | ---- | ---- | ---- | | 3.2.0 | TBD | Release of the OpenAPI Specification 3.2.0 | +| 3.1.2 | TBD | Patch release of the OpenAPI Specification 3.1.2 | | 3.1.1 | 2024-10-24 | Patch release of the OpenAPI Specification 3.1.1 | | 3.1.0 | 2021-02-15 | Release of the OpenAPI Specification 3.1.0 | | 3.1.0-rc1 | 2020-10-08 | rc1 of the 3.1 specification | @@ -5395,7 +5395,7 @@ components: In this example, the retrieval URIs are irrelevant because both documents define `$self`. The relative `$ref` in the first document is resolved against `$self` to produce `https://example.com/api/shared/foo#/components/requestBodies/Foo`. -The portion of that URI before the '#' matches the `$self` of the second document, so the reference target is resolved to `#/components/requestBodies/Foo` in that second document. +The portion of that URI before the `#` matches the `$self` of the second document, so the reference target is resolved to `#/components/requestBodies/Foo` in that second document. In that document, the `$ref` in the Request Body Object is resolved using that document's `$self` as the base URI, producing `https://example.com/api/schemas/foo`. This matches the `$id` at `#/components/schemas/Foo/$id` so it points to that Schema Object. From d44b34f02518bf695c2041fab9175d9b99af75e1 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 18 Aug 2025 14:47:42 -0700 Subject: [PATCH 277/342] Encoding style default behavior --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 089273a0e4..c3a7b262a1 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1988,7 +1988,7 @@ See [Appendix B](#appendix-b-data-type-conversion) for a discussion of data type | Field Name | Type | Description | | ---- | :----: | ---- | -| style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameter-object) for details on the [`style`](#parameter-style) field. The behavior follows the same values as `query` parameters, including default values. Note that the initial `?` used in query strings is not used in `application/x-www-form-urlencoded` message bodies, and MUST be removed (if using an RFC6570 implementation) or simply not added (if constructing the string manually). This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | +| style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameter-object) for details on the [`style`](#parameter-style) field. The behavior follows the same values as `query` parameters, including the default value of `"form"` which applies if either `explode` or `allowReserved` are explicitly specified. Note that the initial `?` used in query strings is not used in `application/x-www-form-urlencoded` message bodies, and MUST be removed (if using an RFC6570 implementation) or simply not added (if constructing the string manually). This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | | explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties, or when [`style`](#encoding-style) is `"deepObject"`, this field has no effect. When `style` is `"form"`, the default value is `true`. For all other styles, the default value is `false`. This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | | allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed in the target media type; see [URL Percent-Encoding](#url-percent-encoding) for details. The default value is `false`. This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | From 0e8e7e37b773b66268e2f3ee2f7361c0d0d5a1b2 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 21 Aug 2025 08:28:06 -0700 Subject: [PATCH 278/342] Update Set-Cookie example for recent changes Changes to our understanding of percent-encoding and headers have made the previous example incorrect. This brings it into agreement with the new recommendations. This also explains how percent-encoding and other escaping is handled, and links to the updated Appendix D which provids more detail including a link to the IETF draft update of the cookie RFC that clarifies this. --- src/oas.md | 40 +++++++++++++++++++++------------------- 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/src/oas.md b/src/oas.md index 089273a0e4..9dad59dc9e 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3036,14 +3036,14 @@ For HTTP messages, this is purely a serialization concern, and no more of a prob However, because examples and values modeled with `content` do not incorporate the header name, for these fields `Set-Cookie` MUST be handled by placing each value on a separate line, without the header name or the `:` delimiter. -The following example shows two different ways to describe `Set-Cookie` headers that require cookies named `"lang"` and `"foo"`. The first uses `content` to preserve the necessary whitespace in the `"Expires"` cookie attribute, while the second shows the use of `style: "simple"` and forbids whitespace to ensure that values work with this serialization approach: +Note also that any URI percent-encoding, base64 encoding, or other escaping MUST be performed prior to supplying the data to OAS tooling; see [Appendix D](appendix-d-serializing-headers-and-cookies) for details. + +The following example shows two different ways to describe `Set-Cookie` headers that require cookies named `"lang"` and `"foo"`, as well as a `"urlSafeData"` cookie that is expected to be percent-encoded. The first uses `content` in order to show exactly how such examples are formatted, but also notes the limitations of schema constraints with multi-line text. The second shows the use of `style: "simple"`, which produces the same serialized example text (with each line corresponding to one `Set-Cookie:` line in the HTTP response), but allows schema constraints on each cookie; note that the percent-encoding is already applied in the `dataValue` field of the example: ```yaml components: headers: - SetCookieWithExpires: - # Spaces within the Expires values prevent the use of `schema` and - # `style` as they would be percent-encoded, even with `allowReserved`. + SetCookieWithContent: content: text/plain: schema: @@ -3058,45 +3058,47 @@ components: dataValue: | lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT + urlSafeData: Hello%2C%20world%21 serializedValue: | lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT - SetCookieWithNoSpaces: + urlSafeData: Hello%2C%20world%21 + SetCookieWithSchemaAnd Style: schema: type: object required: - lang - foo + - urlSafeData + properties: + urlSafeData: + type: string + pattern: ^[-_.%a-zA-Z0-9]+(;|$) additionalProperties: - type: string - pattern: "^[^[:space:]]*$" + # Require an Expires parameter + pattern: "; *Expires=" style: simple explode: true examples: SetCookies: dataValue: { - "lang": "en-US", - "foo": "bar" + "lang": "en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT" + "foo": "bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT" + "urlSafeData": "Hello%2C%20world%21" } serializedValue: | - lang=en-US - foo=bar + lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT + foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT + urlSafeData: Hello%2C%20world%21 ``` -In an HTTP message, the serialized example with Expires would look like: +In an HTTP message, the serialized example would look like: ```http Set-Cookie: lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GM Set-Cookie: foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT ``` -and the example without Expires would look like: - -```http -Set-Cookie: lang=en-US -Set-Cookie: foo=bar -``` - ##### Header Object Example A simple header of type `integer`: From 0a733083f368a51082608a410600d9d7921220bc Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 21 Aug 2025 08:26:24 -0700 Subject: [PATCH 279/342] Fix allowReserved We want it to apply only when percent-encoding applies: * in: path * in: query * in: cookie [no style- deafult is form] * in: cookie, style: form But not: * in: header * in: cookie, style: cookie --- src/oas.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index 089273a0e4..4bf2194eaf 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1157,7 +1157,7 @@ Serializing with `schema` is NOT RECOMMENDED for `in: "cookie"` parameters; see | ---- | :----: | ---- | | style | `string` | Describes how the parameter value will be serialized depending on the type of the parameter value. Default values (based on value of `in`): for `"query"` - `"form"`; for `"path"` - `"simple"`; for `"header"` - `"simple"`; for `"cookie"` - `"form"`. | | explode | `boolean` | When this is true, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, or when [`style`](#parameter-style) is `"deepObject"`, this field has no effect. When `style` is `"form"`, the default value is `true`. For all other styles, the default value is `false`. | -| allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed by the rules of the `in` destination or media type, or are [not allowed in the path by this specification](#path-templating); see [URL Percent-Encoding](#url-percent-encoding) for details. The default value is `false`. | +| allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed by the rules of the `in` destination or media type, or are [not allowed in the path by this specification](#path-templating); see [URL Percent-Encoding](#url-percent-encoding) for details. The default value is `false`. This field only applies to `in` and `style` values that automatically percent-encode. | | schema | [Schema Object](#schema-object) | The schema defining the type used for the parameter. | See also [Appendix C: Using RFC6570-Based Serialization](#appendix-c-using-rfc6570-based-serialization) for additional guidance. @@ -2938,7 +2938,6 @@ Implementations MUST pass header values through unchanged rather than attempting | ---- | :----: | ---- | | style | `string` | Describes how the header value will be serialized. The default (and only legal value for headers) is `"simple"`. | | explode | `boolean` | When this is true, header values of type `array` or `object` generate a single header whose value is a comma-separated list of the array items or key-value pairs of the map, see [Style Examples](#style-examples). For other data types this field has no effect. The default value is `false`. | -| allowReserved | `boolean` | When this is true, header values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). See [Appendix D: Serializing Headers and Cookies](#appendix-d-serializing-headers-and-cookies) for guidance on header encoding and escaping. The default value is `false`. | | schema | [Schema Object](#schema-object) | The schema defining the type used for the header. | See also [Appendix C: Using RFC6570-Based Serialization](#appendix-c-using-rfc6570-based-serialization) for additional guidance. From b78f66a57716970564fd66d6c274849304ee80f1 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 21 Aug 2025 08:27:38 -0700 Subject: [PATCH 280/342] Add style: cookie, explain pct-encoding This adds a `style: cookie` to provide a non-percent-encoding option for managing cookie parameters. It also explains the conditions under which automatic percent-encoding with `style: form` might work, and also links to a draft update of the cookie RFC that explains that things that look like percent-encoding should _not_ be decoded for storage, which means that `style: cookie` is providing the most compliant behavior for that updated guidance. --- src/oas.md | 86 +++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 65 insertions(+), 21 deletions(-) diff --git a/src/oas.md b/src/oas.md index 4bf2194eaf..0b3a7c812a 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1148,15 +1148,13 @@ For simpler scenarios, a [`schema`](#parameter-schema) and [`style`](#parameter- These fields MUST NOT be used with `in: "querystring"`. -When serializing `in: "header"` parameters with `schema`, URI percent-encoding MUST NOT be applied; if using an RFC6570 implementation that automatically applies it, it MUST be removed before use. -Implementations MUST pass header values through unchanged rather than attempting to automatically quote header values, as the quoting rules vary too widely among different headers; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for guidance on quoting and escaping. - -Serializing with `schema` is NOT RECOMMENDED for `in: "cookie"` parameters; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for details. +When serializing `in: "header"` or `in: "cookie", style: "cookie"` parameters with `schema`, URI percent-encoding MUST NOT be applied, and when parsing any apparent percent-encoding MUST NOT be decoded; if using an RFC6570 implementation that automatically performs these steps, the steps MUST be reversed before use. +In these cases, implementations MUST pass values through unchanged rather than attempting to quote or escape them, as the quoting rules for headers and escaping conventions for cookies vary too widely to be performed automatically; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for guidance on quoting and escaping. | Field Name | Type | Description | | ---- | :----: | ---- | -| style | `string` | Describes how the parameter value will be serialized depending on the type of the parameter value. Default values (based on value of `in`): for `"query"` - `"form"`; for `"path"` - `"simple"`; for `"header"` - `"simple"`; for `"cookie"` - `"form"`. | -| explode | `boolean` | When this is true, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, or when [`style`](#parameter-style) is `"deepObject"`, this field has no effect. When `style` is `"form"`, the default value is `true`. For all other styles, the default value is `false`. | +| style | `string` | Describes how the parameter value will be serialized depending on the type of the parameter value. Default values (based on value of `in`): for `"query"` - `"form"`; for `"path"` - `"simple"`; for `"header"` - `"simple"`; for `"cookie"` - `"form"` (for compatibility reasons; note that `style: "cookie"` SHOULD be used with `in: "cookie"`; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for details). | +| explode | `boolean` | When this is true, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, or when [`style`](#parameter-style) is `"deepObject"`, this field has no effect. When `style` is `"form"` or `"cookie"`, the default value is `true`. For all other styles, the default value is `false`. | | allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed by the rules of the `in` destination or media type, or are [not allowed in the path by this specification](#path-templating); see [URL Percent-Encoding](#url-percent-encoding) for details. The default value is `false`. This field only applies to `in` and `style` values that automatically percent-encode. | | schema | [Schema Object](#schema-object) | The schema defining the type used for the parameter. | @@ -1165,7 +1163,6 @@ See also [Appendix C: Using RFC6570-Based Serialization](#appendix-c-using-rfc65 ###### Fixed Fields for use with `content` For more complex scenarios, the [`content`](#parameter-content) field can define the media type and schema of the parameter, as well as give examples of its use. -Using `content` with a `text/plain` media type is RECOMMENDED for `in: "cookie"` parameters where the `schema` strategy's percent-encoding and/or delimiter rules are not appropriate. For use with `in: "querystring"` and `application/x-www-form-urlencoded`, see [Encoding the `x-www-form-urlencoded` Media Type](#encoding-the-x-www-form-urlencoded-media-type). @@ -1186,6 +1183,7 @@ In order to support common ways of serializing simple parameters, a set of `styl | spaceDelimited | `array`, `object` | `query` | Space separated array values or object properties and values. This option replaces `collectionFormat` equal to `ssv` from OpenAPI 2.0. | | pipeDelimited | `array`, `object` | `query` | Pipe separated array values or object properties and values. This option replaces `collectionFormat` equal to `pipes` from OpenAPI 2.0. | | deepObject | `object` | `query` | Allows objects with scalar properties to be represented using form parameters. The representation of array or object properties is not defined (but see [Extending Support for Querystring Formats](#extending-support-for-querystring-formats) for alternatives). | +| cookie | `primitive`, `array`, `object` | `cookie` | Analogous to `form`, but following [[RFC6265]] `Cookie` syntax rules, meaning that name-value pairs are separated by a semicolon followed by a single space (e.g. `n1=v1; n2=v2`), and no percent-encoding or other escaping is applied; data values that require any sort of escaping MUST be provided in escaped form. | ##### URL Percent-Encoding @@ -1211,7 +1209,11 @@ Reserved characters MUST NOT be percent-encoded when being used for reserved pur The result of inserting non-percent-encoded delimiters into data using manual percent-encoding, including via RFC6570's reserved expansion rules, is undefined and will likely prevent implementations from parsing the results back into the correct data structures. In some cases, such as inserting `/` into path parameter values, doing so is [explicitly forbidden](#path-templating) by this specification. -See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a thorough discussion of percent-encoding options, compatibility, and OAS-defined delimiters that are not allowed by RFC3986, and [Appendix C](#appendix-c-using-rfc6570-based-serialization) for guidance on using RFC6570 implementations. +See also: + +* [Appendix C](#appendix-c-using-rfc6570-based-serialization) for guidance on using or simulating RFC6570 implementations. +* [Appendix D](#appendix-d-serializing-headers-and-cookies) for guidance on percent-encoding and cookies, as well as other escaping approaches for headers and cookies +* [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a thorough discussion of percent-encoding options, compatibility, and handling OAS-defined delimiters that are not allowed by RFC3986 ##### Serialization and Examples @@ -1265,6 +1267,8 @@ The following table shows serialized examples, as would be shown with the `seria | pipeDelimited | false | _n/a_ | _n/a_ | color=blue%7Cblack%7Cbrown | color=R%7C100%7CG%7C200%7CB%7C150 | | pipeDelimited | true | _n/a_ | _n/a_ | _n/a_ | _n/a_ | | deepObject | _n/a_ | _n/a_ | _n/a_ | _n/a_ | color%5BR%5D=100&color%5BG%5D=200&color%5BB%5D=150 | +| cookie | false | color= | color=blue | color=blue,black,brown | color=R,100,G,200,B,150 | +| cookie | true | color= | color=blue | color=blue; color=black; color=brown | R=100; G=200; B=150 | ##### Extending Support for Querystring Formats @@ -1297,6 +1301,54 @@ examples: serializedValue: "12345678,90099" ``` + +A cookie parameter with an exploded object (the default for `style: "cookie"`): + +```yaml +name: cookie +in: cookie +style: cookie +schema: + type: object + properties: + greeting: + type: string + code: + type: integer + minimum: 0 +examples: + Object: + description: | + Note that the comma (,) has been pre-percent-encoded + to "%2C" in the data, as it is forbidden in + cookie values. However, the exclamation point (!) + is legal in cookies, so it can be left unencoded. + dataValue: { + "greeting": "Hello%2C world!", + "code": 42 + } + serializedValue: "greeting=Hello%2C world!; code: 42" +``` + +A cookie parameter relying on the percent-encodingn behavior of the default `style: "form"`: + +```yaml +name: greeting +in: cookie +schema: + type: string +examples: + Greeting: + description: | + Note that in this approach, RFC6570's percent-encoding + process applies, so unsafe characters are not + pre-percent-encoded. This results in all non-URL-safe + characters, rather than just the one non-cookie-safe + character, getting percent-encoded. + dataValue: "Hello, world!" + serializedValue: "greeting=Hello%2C%20world%21" +``` + A path parameter of a string value: ```yaml @@ -5127,22 +5179,14 @@ For this reason, any data being passed to a header by way of a [Parameter](#para ### Percent-Encoding and Cookies -_**Note:** OAS v3.0.4 and v3.1.1 applied the advice in this section to avoid RFC6570-style serialization to both headers and cookies. -However, further research has indicated that percent-encoding was never intended to apply to headers, so this section has been corrected to apply only to cookies._ - [RFC6570](https://www.rfc-editor.org/rfc/rfc6570)'s percent-encoding behavior is not always appropriate for `in: "cookie"` parameters. -In many cases, it is more appropriate to use `content` with a media type such as `text/plain` and require the application to assemble the correct string. -Other media types, such as `application/linkset` (see [Modeling Link Headers](#modeling-link-headers)), are directly suitable for use as `content` for specific headers. - -In some cases, setting `allowReserved: true` will be sufficient to avoid incorrect encoding, however many characters are still percent-encoded with this field enabled, so care must be taken to ensure no unexpected percent-encoding will take place. - -[RFC6265](https://www.rfc-editor.org/rfc/rfc6265) recommends (but does not strictly required) base64 encoding (`contentEncoding: "base64"`) if "arbitrary data" will be stored in a cookie. -Note that the standard base64-encoding alphabet includes non-URL-safe characters that are percent-encoded by RFC6570 expansion; serializing values through both encodings is NOT RECOMMENDED. -While `contentEncoding` also supports the `base64url` encoding, which is URL-safe, the header and cookie RFCs do not mention this encoding. +While percent-encoding seems more common as an escaping mechanism than the base64 encoding (`contentEncoding`: "base64") recommended by [[RFC6265]], [section 5.6 of draft-ietf-httpbis-rfc6265bis-20](https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-20.html#section-5.6), the proposed update to that RFC, notes that cookies sent in the `Set-Cookie` response header that appear to be percent-encoded MUST NOT be decoded when stored by the client, which would mean that they are already encoded when retrieved from that storage for use in the `Cookie` request header. +The behavior of `style: "cookie"` assumes this usage, and _does not_ apply or remove percent-encoding. +If automatic percent-encoding is desired, `style: "form"` with a primitive value or with the non-default `explode` value of `false` provides this behavior. +However, note that the default value of `explode: true` for `style: "form"` with non-primitive values uses the wrong delimiter for cookies (`&` instead of `;` followed by a single space) to set multiple cookie values. Using `style: "form"` with `in: "cookie"` via an RFC6570 implementation requires stripping the `?` prefix, as when producing `application/x-www-form-urlencoded` message bodies. - -For multiple values, `style: "form"` is always incorrect, even if no characters are subject to percent-encoding, as name=value pairs in cookies are delimited by a semicolon followed by a space character rather than `&`. +To allow the full use of `style: "form"` with `in: "cookie"`, the `allowReserved` field is now supported for cookies. ## Appendix E: Percent-Encoding and Form Media Types From ddf91fbf7511991b6e71e7911c9c6e7c2280284b Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 21 Aug 2025 10:20:17 -0700 Subject: [PATCH 281/342] checkpoint --- src/oas.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/oas.md b/src/oas.md index bc9f0f67bc..32a2e3d300 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1191,7 +1191,7 @@ In order to support common ways of serializing simple parameters, a set of `styl All API URLs MUST successfully parse and percent-decode using [[RFC3986]] rules. -Content in the `application/x-www-form-urlencoded` format, including query strings produced by [Parameter Objects](#parameter-object) with `in: "query"`, MUST also successfully parse and percent-decode using [[RFC1866]] rules, including treating non-percent-encoded `+` as an escaped space character. +Content in the `application/x-www-form-urlencoded` format, including query strings produced by [Parameter Objects](#parameter-object) with `in: "query"`, MUST also successfully parse and percent-decode using [[WHATWG-URL]] rules, including treating non-percent-encoded `+` as an escaped space character. These requirements are specified in terms of percent-_decoding_ rules, which are consistently tolerant across different versions of the various standards that apply to URIs. @@ -1201,10 +1201,10 @@ Percent-_encoding_ is performed in several places: * By the Parameter or [Encoding](#encoding-object) Objects when incorporating a value serialized with a [Media Type Object](#media-type-object) for a media type that does not already incorporate URI percent-encoding * By the user, prior to passing data through RFC6570's reserved expansion process -When percent-encoding, the safest approach is to percent-encode all characters not in RFC3986's "unreserved" set, and for `form-urlencoded` to also percent-encode the tilde character (`~`) to align with the historical requirements of [[RFC1738]], which is cited by RFC1866. +When percent-encoding, the safest approach is to percent-encode all characters not in RFC3986's "unreserved" set, and for `form-urlencoded` to also percent-encode the tilde character (`~`) to align with historical requirements that are traced back to [[RFC1738]], the URI RFC at the time `form-urlencoded` was created. This approach is used in examples in this specification. -For `form-urlencoded`, while the encoding algorithm given by RFC1866 requires escaping the space character as `+`, percent-encoding it as `%20` also meets the above requirements. +For `form-urlencoded`, while the encoding algorithm given by [[WHATWG-URL]] requires escaping the space character as `+`, percent-encoding it as `%20` also meets the above requirements. Examples in this specification will prefer `%20` when using RFC6570's default (non-reserved) form-style expansion, and `+` otherwise. Reserved characters MUST NOT be percent-encoded when being used for reserved purposes such as `&=+` for `form-urlencoded` or `,` for delimiting non-exploded array and object values in RFC6570 expansions. @@ -2005,8 +2005,8 @@ Implementations MUST support one level of nesting, and MAY support additional le ##### Encoding the `x-www-form-urlencoded` Media Type -To work with content using form url encoding via [RFC1866](https://tools.ietf.org/html/rfc1866), use the `application/x-www-form-urlencoded` media type in the [Media Type Object](#media-type-object). -This configuration means that the content MUST be encoded per [RFC1866](https://tools.ietf.org/html/rfc1866) when passed to the server, after any complex objects have been serialized to a string representation. +To work with content using form url encoding via [[WHATWG-URL]], use the `application/x-www-form-urlencoded` media type in the [Media Type Object](#media-type-object). +This configuration means that the content MUST be percent-encoded per [[WHATWG-URL]]'s rules for that media type, after any complex objects have been serialized to a string representation. See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a detailed examination of percent-encoding concerns for form media types. From f02e752cdcfbe142c2ee38aca72a33411a5f219b Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 21 Aug 2025 10:52:48 -0700 Subject: [PATCH 282/342] whatwg --- src/oas.md | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/src/oas.md b/src/oas.md index 32a2e3d300..9581f0b8cb 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1201,7 +1201,7 @@ Percent-_encoding_ is performed in several places: * By the Parameter or [Encoding](#encoding-object) Objects when incorporating a value serialized with a [Media Type Object](#media-type-object) for a media type that does not already incorporate URI percent-encoding * By the user, prior to passing data through RFC6570's reserved expansion process -When percent-encoding, the safest approach is to percent-encode all characters not in RFC3986's "unreserved" set, and for `form-urlencoded` to also percent-encode the tilde character (`~`) to align with historical requirements that are traced back to [[RFC1738]], the URI RFC at the time `form-urlencoded` was created. +When percent-encoding, the safest approach is to percent-encode all characters not in RFC3986's "unreserved" set, and for `form-urlencoded` to also percent-encode the tilde character (`~`) to align with historical requirements that are traced back to [[?RFC1738]], the URI RFC at the time `form-urlencoded` was created. This approach is used in examples in this specification. For `form-urlencoded`, while the encoding algorithm given by [[WHATWG-URL]] requires escaping the space character as `+`, percent-encoding it as `%20` also meets the above requirements. @@ -2025,7 +2025,6 @@ requestBody: type: string format: uuid address: - # complex types are stringified to support RFC 1866 type: object properties: {} ``` @@ -2050,7 +2049,7 @@ id=f81d4fae-7dec-11d0-a765-00a0c91e6bf6&address=%7B%22streetAddress%22%3A%22123+ Note that the `id` keyword is treated as `text/plain` per the [Encoding Object](#encoding-object)'s default behavior, and is serialized as-is. If it were treated as `application/json`, then the serialized value would be a JSON string including quotation marks, which would be percent-encoded as `%22`. -Here is the `id` parameter (without `address`) serialized as `application/json` instead of `text/plain`, and then encoded per RFC1866: +Here is the `id` parameter (without `address`) serialized as `application/json` instead of `text/plain`, and then encoded per [[WHATWG-URL]]'s `form-urlencoded` rules: ```uri id=%22f81d4fae-7dec-11d0-a765-00a0c91e6bf6%22 @@ -5023,7 +5022,7 @@ Here is one such template, using a made-up convention of `words.0` for the first RFC6570 [mentions](https://www.rfc-editor.org/rfc/rfc6570.html#section-2.4.2) the use of `.` "to indicate name hierarchy in substructures," but does not define any specific naming convention or behavior for it. Since the `.` usage is not automatic, we'll need to construct an appropriate input structure for this new template. -We'll also need to pre-process the values for `formulas` because while `/` and most other reserved characters are allowed in the query string by RFC3986, `[`, `]`, and `#` [are not](https://datatracker.ietf.org/doc/html/rfc3986#appendix-A), and `&`, `=`, and `+` all have [special behavior](https://www.rfc-editor.org/rfc/rfc1866#section-8.2.1) in the `application/x-www-form-urlencoded` format, which is what we are using in the query string. +We'll also need to pre-process the values for `formulas` because while `/` and most other reserved characters are allowed in the query string by RFC3986, `[`, `]`, and `#` [are not](https://datatracker.ietf.org/doc/html/rfc3986#appendix-A), and `&`, `=`, and `+` all have [special behavior](https://url.spec.whatwg.org/#application/x-www-form-urlencoded) in the `application/x-www-form-urlencoded` format, which is what we are using in the query string. Setting `allowReserved: true` does _not_ make reserved characters that are not allowed in URIs allowed, it just allows them to be _passed through expansion unchanged_, for example because some other specification has defined a particular meaning for them. @@ -5196,29 +5195,30 @@ This specification normatively cites the following relevant standards: | Specification | Date | OAS Usage | Percent-Encoding | Notes | | ---- | ---- | ---- | ---- | ---- | -| [RFC3986](https://www.rfc-editor.org/rfc/rfc3986) | 01/2005 | URI/URL syntax | [[RFC3986]] | obsoletes [[RFC1738]], [[RFC2396]] | -| [RFC6570](https://www.rfc-editor.org/rfc/rfc6570) | 03/2012 | style-based serialization | [[RFC3986]] | does not use `+` for form‑urlencoded | -| [RFC1866](https://datatracker.ietf.org/doc/html/rfc1866#section-8.2.1) | 11/1995 | content-based serialization | [[RFC1738]] | obsoleted by [[HTML401]] [Section 17.13.4.1](https://www.w3.org/TR/html401/interact/forms.html#h-17.13.4.1), [[URL]] [Section 5](https://url.spec.whatwg.org/#urlencoded-serializing) | +| [RFC3986](https://www.rfc-editor.org/rfc/rfc3986) | 01/2005 | URI/URL syntax, including non-`form-urlencoded` content-based serialization | [[RFC3986]] | obsoletes [[?RFC1738]], [[?RFC2396]] | +| [RFC6570](https://www.rfc-editor.org/rfc/rfc6570) | 03/2012 | style-based serialization | [[RFC3986]] | does not use `+` for query strings | +| [WHATWG-URL Section 5](https://url.spec.whatwg.org/#application/x-www-form-urlencoded) | "living" standard | content-based `form/url-encoded` serialization, including HTTP message contents | [WHATWG-URL Section 1.3](https://url.spec.whatwg.org/#application-x-www-form-urlencoded-percent-encode-set) | obsoletes [[?RFC1866]], [[?HTML401]] | Style-based serialization with percent-encoding is used in the [Parameter Object](#parameter-object) when `schema` is present, and in the [Encoding Object](#encoding-object) when at least one of `style`, `explode`, or `allowReserved` is present. See [Appendix C](#appendix-c-using-rfc6570-based-serialization) for more details of RFC6570's two different approaches to percent-encoding, including an example involving `+`. Content-based serialization is defined by the [Media Type Object](#media-type-object), and used with the [Parameter Object](#parameter-object) and [Header Object](#header-object) when the `content` field is present, and with the [Encoding Object](#encoding-object) based on the `contentType` field when the fields `style`, `explode`, and `allowReserved` are absent. -Each part is encoded based on the media type (e.g. `text/plain` or `application/json`), and must then be percent-encoded for use in a `form-urlencoded` string unless the media type already incorporates URI percent-encoding. +For use in URIs, each part is encoded based on the media type (e.g. `text/plain` or `application/json`), and must then be percent-encoded for use in a `form-urlencoded` string (in form-style query strings), or for general URI use in other URL components, unless the media type already incorporates URI percent-encoding. #### Interoperability with Historical Specifications -In most cases, generating query strings in strict compliance with [[RFC3986]] is sufficient to pass validation (including JSON Schema's `format: "uri"` and `format: "uri-reference"` when `format` validation is enabled), but some `form-urlencoded` implementations still expect the slightly more restrictive [[RFC1738]] rules to be used. +Prior versions of this specification required [[?RFC1866]] and its use of [[?RFC1738]] percent-encoding rules in place of [[WHATWG-URL]]. +The [[WHATWG-URL]] `form-urlencoded` rules represent the current browser consensus on that media type, and avoid the ambiguity introduce by unclear paraphrasing of RFC1738 in RFC1866. -Since all RFC1738-compliant URIs are compliant with RFC3986, applications needing to ensure historical interoperability SHOULD use RFC1738's rules. +Users needing conformance with RFC1866/RFC1738 are advised to check their tooling and library behavior carefully. #### Interoperability with Web Browser Environments WHATWG is a [web browser-oriented](https://whatwg.org/faq#what-is-the-whatwg-working-on) standards group that has defined a "URL Living Standard" for parsing and serializing URLs in a browser context, including parsing and serializing `form-urlencoded` data. -WHATWG's percent-encoding rules for query strings are different depending on whether the query string is [being treated as `form-urlencoded`](https://url.spec.whatwg.org/#application-x-www-form-urlencoded-percent-encode-set) (where it requires more percent-encoding than [[RFC1738]]) or [as part of the generic syntax](https://url.spec.whatwg.org/#query-percent-encode-set), where it allows characters that [[RFC3986]] forbids. +WHATWG's percent-encoding rules for query strings are different depending on whether the query string is [being treated as `form-urlencoded`](https://url.spec.whatwg.org/#application-x-www-form-urlencoded-percent-encode-set) (where it requires more percent-encoding than [[?RFC1738]]) or [as part of the generic syntax](https://url.spec.whatwg.org/#query-percent-encode-set), where its requirements differ from [[RFC3986]]. -Implementations needing maximum compatibility with web browsers SHOULD use WHATWG's `form-urlencoded` percent-encoding rules. -However, they SHOULD NOT rely on WHATWG's less stringent generic query string rules, as the resulting URLs would fail RFC3986 validation, including JSON Schema's `format: uri` and `format: uri-reference` (when `format` validation is endabled). +This specification only depends on WHATWG for its `form-urlencoded` specification. +Implementations using the query string in other ways are advised that, the distinctions between WHATWG's non-`form-urlencoded` query string rules and RFC3986 require careful consideration, incorporating both WHATWG's percent-encoding sets and their set of valid Unicode code points for URLs; see [Percent-Encoding and Illegal or Reserved Delimiters](#percent-encoding-and-illegal-or-reserved-delimiters) for more information. ### Decoding URIs and `form-urlencoded` Strings From d62df60fe6c7f6c35c1c75c44d4ad5e348d6866d Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Thu, 21 Aug 2025 12:22:59 -0700 Subject: [PATCH 283/342] Apply suggestions from code review Co-authored-by: Lorna Jane Mitchell Co-authored-by: Vincent Biret --- src/oas.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/src/oas.md b/src/oas.md index 0b3a7c812a..efc044f25e 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1148,7 +1148,10 @@ For simpler scenarios, a [`schema`](#parameter-schema) and [`style`](#parameter- These fields MUST NOT be used with `in: "querystring"`. -When serializing `in: "header"` or `in: "cookie", style: "cookie"` parameters with `schema`, URI percent-encoding MUST NOT be applied, and when parsing any apparent percent-encoding MUST NOT be decoded; if using an RFC6570 implementation that automatically performs these steps, the steps MUST be reversed before use. +Care is needed for parameters with `schema` that have `in: "header"` or `in: "cookie", style: "cookie"`: +* When serializing these values, URI percent-encoding MUST NOT be applied. +* When parsing these parameters, any apparent percent-encoding MUST NOT be decoded. +* If using an RFC6570 implementation that automatically performs encoding or decoding steps, the steps MUST be undone before use. In these cases, implementations MUST pass values through unchanged rather than attempting to quote or escape them, as the quoting rules for headers and escaping conventions for cookies vary too widely to be performed automatically; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for guidance on quoting and escaping. | Field Name | Type | Description | @@ -1212,8 +1215,8 @@ In some cases, such as inserting `/` into path parameter values, doing so is [ex See also: * [Appendix C](#appendix-c-using-rfc6570-based-serialization) for guidance on using or simulating RFC6570 implementations. -* [Appendix D](#appendix-d-serializing-headers-and-cookies) for guidance on percent-encoding and cookies, as well as other escaping approaches for headers and cookies -* [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a thorough discussion of percent-encoding options, compatibility, and handling OAS-defined delimiters that are not allowed by RFC3986 +* [Appendix D](#appendix-d-serializing-headers-and-cookies) for guidance on percent-encoding and cookies, as well as other escaping approaches for headers and cookies. +* [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a thorough discussion of percent-encoding options, compatibility, and handling OAS-defined delimiters that are not allowed by RFC3986. ##### Serialization and Examples @@ -1330,7 +1333,7 @@ examples: serializedValue: "greeting=Hello%2C world!; code: 42" ``` -A cookie parameter relying on the percent-encodingn behavior of the default `style: "form"`: +A cookie parameter relying on the percent-encoding behavior of the default `style: "form"`: ```yaml name: greeting @@ -5186,7 +5189,7 @@ The behavior of `style: "cookie"` assumes this usage, and _does not_ apply or re If automatic percent-encoding is desired, `style: "form"` with a primitive value or with the non-default `explode` value of `false` provides this behavior. However, note that the default value of `explode: true` for `style: "form"` with non-primitive values uses the wrong delimiter for cookies (`&` instead of `;` followed by a single space) to set multiple cookie values. Using `style: "form"` with `in: "cookie"` via an RFC6570 implementation requires stripping the `?` prefix, as when producing `application/x-www-form-urlencoded` message bodies. -To allow the full use of `style: "form"` with `in: "cookie"`, the `allowReserved` field is now supported for cookies. +To allow the full use of `style: "form"` with `in: "cookie"`, use the `allowReserved` field. ## Appendix E: Percent-Encoding and Form Media Types From 125c34c98ec7bd180c5664da73b5240bb302f7e7 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Thu, 21 Aug 2025 12:25:25 -0700 Subject: [PATCH 284/342] Apply suggestions from code review Co-authored-by: Vincent Biret Co-authored-by: Karen Etheridge --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index 9dad59dc9e..834908e513 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3063,7 +3063,7 @@ components: lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT urlSafeData: Hello%2C%20world%21 - SetCookieWithSchemaAnd Style: + SetCookieWithSchemaAndStyle: schema: type: object required: @@ -3075,7 +3075,7 @@ components: type: string pattern: ^[-_.%a-zA-Z0-9]+(;|$) additionalProperties: - # Require an Expires parameter + $comment: Require an Expires parameter pattern: "; *Expires=" style: simple explode: true From ee1021aee30e535509bf5099b9aa628f11aa374e Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 21 Aug 2025 14:27:32 -0700 Subject: [PATCH 285/342] Fix review suggestion that broke build. --- src/oas.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/oas.md b/src/oas.md index efc044f25e..beab2679bf 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1149,9 +1149,11 @@ For simpler scenarios, a [`schema`](#parameter-schema) and [`style`](#parameter- These fields MUST NOT be used with `in: "querystring"`. Care is needed for parameters with `schema` that have `in: "header"` or `in: "cookie", style: "cookie"`: + * When serializing these values, URI percent-encoding MUST NOT be applied. * When parsing these parameters, any apparent percent-encoding MUST NOT be decoded. * If using an RFC6570 implementation that automatically performs encoding or decoding steps, the steps MUST be undone before use. + In these cases, implementations MUST pass values through unchanged rather than attempting to quote or escape them, as the quoting rules for headers and escaping conventions for cookies vary too widely to be performed automatically; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for guidance on quoting and escaping. | Field Name | Type | Description | From 9e034216d4f489e2e137e0ecfd9b45dcd6efb3d0 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 21 Aug 2025 14:55:58 -0700 Subject: [PATCH 286/342] Review feedback. --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index beab2679bf..4c48446204 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1216,7 +1216,7 @@ In some cases, such as inserting `/` into path parameter values, doing so is [ex See also: -* [Appendix C](#appendix-c-using-rfc6570-based-serialization) for guidance on using or simulating RFC6570 implementations. +* [Appendix C](#appendix-c-using-rfc6570-based-serialization) for guidance on using or simulating/extending RFC6570 implementations. * [Appendix D](#appendix-d-serializing-headers-and-cookies) for guidance on percent-encoding and cookies, as well as other escaping approaches for headers and cookies. * [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a thorough discussion of percent-encoding options, compatibility, and handling OAS-defined delimiters that are not allowed by RFC3986. @@ -1332,7 +1332,7 @@ examples: "greeting": "Hello%2C world!", "code": 42 } - serializedValue: "greeting=Hello%2C world!; code: 42" + serializedValue: "greeting=Hello%2C world!; code=42" ``` A cookie parameter relying on the percent-encoding behavior of the default `style: "form"`: From 585321d6b824bde0793ad220c13fa5ed98ee40e2 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 21 Aug 2025 16:14:36 -0700 Subject: [PATCH 287/342] Fix error in example. --- src/oas.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/oas.md b/src/oas.md index 834908e513..dbfeef67e0 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3055,6 +3055,12 @@ components: # This demonstrates that the text is required to be provided # in the final format, and is not changed by serialization. # In practice, it is not necessary to show both value fields. + # Note that only the comma (%2C) would need to be percent-encoded + # if percent-encoding were only being done to make the value + # a valid cookie, as space (%20) and the exclamation point (%21) + # are allowed in cookies, but not in URLs. See the cookie + # input parameter examples for an example of encoding only + # what is needed for the cookie syntax. dataValue: | lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT @@ -3097,6 +3103,7 @@ In an HTTP message, the serialized example would look like: ```http Set-Cookie: lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GM Set-Cookie: foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT +Set-Cookie: urlSafeData=Hello%2C%20world%21 ``` ##### Header Object Example From 34cd332c433233c5633945a834ac0287f1b4509b Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Fri, 22 Aug 2025 07:14:07 -0700 Subject: [PATCH 288/342] grammar fix Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 4c48446204..d8519b834b 100644 --- a/src/oas.md +++ b/src/oas.md @@ -5185,7 +5185,7 @@ For this reason, any data being passed to a header by way of a [Parameter](#para ### Percent-Encoding and Cookies [RFC6570](https://www.rfc-editor.org/rfc/rfc6570)'s percent-encoding behavior is not always appropriate for `in: "cookie"` parameters. -While percent-encoding seems more common as an escaping mechanism than the base64 encoding (`contentEncoding`: "base64") recommended by [[RFC6265]], [section 5.6 of draft-ietf-httpbis-rfc6265bis-20](https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-20.html#section-5.6), the proposed update to that RFC, notes that cookies sent in the `Set-Cookie` response header that appear to be percent-encoded MUST NOT be decoded when stored by the client, which would mean that they are already encoded when retrieved from that storage for use in the `Cookie` request header. +While percent-encoding seems more common as an escaping mechanism than the base64 encoding (`contentEncoding`: "base64") recommended by [[RFC6265]], [section 5.6 of draft-ietf-httpbis-rfc6265bis-20](https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-20.html#section-5.6), the proposed update to that RFC notes that cookies sent in the `Set-Cookie` response header that appear to be percent-encoded MUST NOT be decoded when stored by the client, which would mean that they are already encoded when retrieved from that storage for use in the `Cookie` request header. The behavior of `style: "cookie"` assumes this usage, and _does not_ apply or remove percent-encoding. If automatic percent-encoding is desired, `style: "form"` with a primitive value or with the non-default `explode` value of `false` provides this behavior. From f0b3fa8166d5568a7506d0c8fa048a754036c821 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Fri, 22 Aug 2025 07:14:53 -0700 Subject: [PATCH 289/342] grammar Co-authored-by: Mike Kistler --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 9581f0b8cb..38b3e17a8a 100644 --- a/src/oas.md +++ b/src/oas.md @@ -5208,7 +5208,7 @@ For use in URIs, each part is encoded based on the media type (e.g. `text/plain` #### Interoperability with Historical Specifications Prior versions of this specification required [[?RFC1866]] and its use of [[?RFC1738]] percent-encoding rules in place of [[WHATWG-URL]]. -The [[WHATWG-URL]] `form-urlencoded` rules represent the current browser consensus on that media type, and avoid the ambiguity introduce by unclear paraphrasing of RFC1738 in RFC1866. +The [[WHATWG-URL]] `form-urlencoded` rules represent the current browser consensus on that media type, and avoid the ambiguity introduced by unclear paraphrasing of RFC1738 in RFC1866. Users needing conformance with RFC1866/RFC1738 are advised to check their tooling and library behavior carefully. From fc77a7302b536312864d7d01f9703ff5068aec0b Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 25 Aug 2025 11:17:19 -0700 Subject: [PATCH 290/342] Reorganize early (and other) sections This moves many sections but does not make any changes to titles or contents. Not even obvious trivial ones. The indentation levels are a little strange to make it easier to merge outstanding PRs and see moved sections, and will be fixed in the next commit. --- src/oas.md | 1022 ++++++++++++++++++++++++++-------------------------- 1 file changed, 503 insertions(+), 519 deletions(-) diff --git a/src/oas.md b/src/oas.md index b82f2526ad..58edea3495 100644 --- a/src/oas.md +++ b/src/oas.md @@ -16,140 +16,6 @@ For examples of OpenAPI usage and additional documentation, please visit [[?Open For extension registries and other specifications published by the OpenAPI Initiative, as well as the authoritative rendering of this specification, please visit [spec.openapis.org](https://spec.openapis.org/). -## Definitions - -### OpenAPI Description - -An OpenAPI Description (OAD) formally describes the surface of an API and its semantics. It is composed of an [entry document](#openapi-description-structure), which must be an OpenAPI Document, and any/all of its referenced documents. An OAD uses and conforms to the OpenAPI Specification, and MUST contain at least one [paths](#paths-object) field, [components](#oas-components) field, or [webhooks](#oas-webhooks) field. - -### OpenAPI Document - -An OpenAPI Document is a single JSON or YAML document that conforms to the OpenAPI Specification. An OpenAPI Document compatible with OAS 3.\*.\* contains a required [`openapi`](#oas-version) field which designates the version of the OAS that it uses. - -### Schema - -A "schema" is a formal description of syntax and structure. -This document serves as the [schema](#schema) for the OpenAPI Specification format; a non-authoritative JSON Schema based on this document is also provided on [spec.openapis.org](https://spec.openapis.org) for informational purposes. -This specification also _uses_ schemas in the form of the [Schema Object](#schema-object). - -### Object - -When capitalized, the word "Object" refers to any of the Objects that are named by section headings in this document. - -### Path Templating - -Path templating refers to the usage of template expressions, delimited by curly braces (`{}`), to mark a section of a URL path as replaceable using path parameters. - -Each template expression in the path MUST correspond to a path parameter that is included in the [Path Item](#path-item-object) itself and/or in each of the Path Item's [Operations](#operation-object). An exception is if the path item is empty, for example due to ACL constraints, matching path parameters are not required. - -The value for these path parameters MUST NOT contain any unescaped "generic syntax" characters described by [RFC3986](https://tools.ietf.org/html/rfc3986#section-3): forward slashes (`/`), question marks (`?`), or hashes (`#`). -See [URL Percent-Encoding](#url-percent-encoding) for additional guidance on escaping characters. - -The path templating is defined by the following [ABNF](https://tools.ietf.org/html/rfc5234) syntax - -```abnf -path-template = "/" *( path-segment "/" ) [ path-segment ] -path-segment = 1*( path-literal / template-expression ) -path-literal = 1*pchar -template-expression = "{" template-expression-param-name "}" -template-expression-param-name = 1*( %x00-7A / %x7C / %x7E-10FFFF ) ; every UTF8 character except { and } - -pchar = unreserved / pct-encoded / sub-delims / ":" / "@" -unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" -pct-encoded = "%" HEXDIG HEXDIG -sub-delims = "!" / "$" / "&" / "'" / "(" / ")" - / "*" / "+" / "," / ";" / "=" -``` - -Here, `pchar`, `unreserved`, `pct-encoded` and `sub-delims` definitions are taken from [RFC 3986](https://tools.ietf.org/html/rfc3986). The `path-template` is directly derived from [RFC 3986, section 3.3](https://datatracker.ietf.org/doc/html/rfc3986#section-3.3). - -Each template expression MUST NOT appear more than once in a single path template. - -See also [Appendix C: Using RFC6570-Based Serialization](#appendix-c-using-rfc6570-based-serialization) for additional guidance. - -### Media Types - -Media type definitions are spread across several resources. -The media type definitions SHOULD be in compliance with [RFC6838](https://tools.ietf.org/html/rfc6838). - -Some examples of possible media type definitions: - -```text - text/plain; charset=utf-8 - application/json - application/vnd.github+json - application/vnd.github.v3+json - application/vnd.github.v3.raw+json - application/vnd.github.v3.text+json - application/vnd.github.v3.html+json - application/vnd.github.v3.full+json - application/vnd.github.v3.diff - application/vnd.github.v3.patch -``` - -JSON-based and JSON-compatible YAML-based media types can make direct use of the [Schema Object](#schema-object) as the Object uses JSON Schema. -The use of the Schema Object with other media types is handled by mapping them into the JSON Schema [instance data model](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#name-instance-data-model). -These mappings may be implicit based on the media type, or explicit based on the values of particular fields. -Each mapping is addressed where the relevant media type is discussed in this section or under the [Media Type Object](#media-type-object) or [Encoding Object](#encoding-object) - -#### Sequential Media Types - -Within this specification, a _sequential media type_ is defined as any media type that consists of a repeating structure, without any sort of header, footer, envelope, or other metadata in addition to the sequence. - -Some examples of sequential media types (including some that are not IANA-registered but are in common use) are: - -```text - application/jsonl - application/x-ndjson - application/json-seq - application/geo+json-seq - text/event-stream - multipart/mixed -``` - -In the first three above, the repeating structure is any [JSON value](https://tools.ietf.org/html/rfc8259#section-3). -The fourth repeats `application/geo+json`-structured values, while `text/event-stream` repeats a custom text format related to Server-Sent Events. -The final media type listed above, `multipart/mixed`, provides an ordered list of documents of any media type, and is sometimes streamed. -Note that while `multipart` formats technically allow a preamble and an epilogue, the RFC directs that they are to be ignored, making them effectively comments, and this specification does not model them. - -Implementations MUST support mapping sequential media types into the JSON Schema data model by treating them as if the values were in an array in the same order. - -See [Complete vs Streaming Content](#complete-vs-streaming-content) for more information on handling sequential media types in a streaming context, including special considerations for `text/event-stream` content. -For `multipart` types, see also [Encoding By Position](#encoding-by-position). - -#### Media Type Registry - -While the [Schema Object](#schema-object) is designed to describe and validate JSON, several other media types are commonly used in APIs. -Requirements regarding support for other media types are documented in this Media Types section and in several Object sections later in this specification. -For convenience and future extensibility, these are cataloged in the OpenAPI Initiative's [Media Type Registry](https://spec.openapis.org/registry/media-type/), which indicates where in this specification the relevant requirements can be found. - -See also the [Media Type Object](#media-type-object) for further information on working with specific media types. - -### HTTP Status Codes - -The HTTP Status Codes are used to indicate the status of the executed operation. -Status codes SHOULD be selected from the available status codes registered in the [IANA Status Code Registry](https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml). - -### Case Sensitivity - -As most field names and values in the OpenAPI Specification are case-sensitive, this document endeavors to call out any case-insensitive names and values. -However, the case sensitivity of field names and values that map directly to HTTP concepts follow the case sensitivity rules of HTTP, even if this document does not make a note of every concept. - -### Undefined and Implementation-Defined Behavior - -This specification deems certain situations to have either _undefined_ or _implementation-defined_ behavior. - -Behavior described as _undefined_ is likely, at least in some circumstances, to result in outcomes that contradict the specification. -This description is used when detecting the contradiction is impossible or impractical. -Implementations MAY support undefined scenarios for historical reasons, including ambiguous text in prior versions of the specification. -This support might produce correct outcomes in many cases, but relying on it is NOT RECOMMENDED as there is no guarantee that it will work across all tools or with future specification versions, even if those versions are otherwise strictly compatible with this one. - -Behavior described as _implementation-defined_ allows implementations to choose which of several different-but-compliant approaches to a requirement to implement. -This documents ambiguous requirements that API description authors are RECOMMENDED to avoid in order to maximize interoperability. -Unlike undefined behavior, it is safe to rely on implementation-defined behavior if _and only if_ it can be guaranteed that all relevant tools support the same behavior. - -## Specification - ### Versions The OpenAPI Specification is versioned using a `major`.`minor`.`patch` versioning scheme. The `major`.`minor` portion of the version string (for example `3.1`) SHALL designate the OAS feature set. _`.patch`_ versions address errors in, or provide clarifications to, this document, not the feature set. Tooling which supports OAS 3.1 SHOULD be compatible with all OAS 3.1.\* versions. The patch version SHOULD NOT be considered by tooling, making no distinction between `3.1.0` and `3.1.1` for example. @@ -162,382 +28,46 @@ Certain fields or features may be marked **Deprecated**. These fields and features remain part of the specification and can be used like any other field or feature. However, OpenAPI Description authors should use newer fields and features documented to replace the deprecated ones whenever possible. -At this time, such elements are expected to remain part of the OAS until the next major version, although a future minor version of this specification may define a policy for later removal of deprecated elements. - -### Format - -An OpenAPI Document that conforms to the OpenAPI Specification is itself a JSON object, which may be represented either in [[RFC8259|JSON]] or [[YAML|YAML]] format. -Examples in this specification will be shown in YAML for brevity. - -All field names in the specification are **case sensitive**. -This includes all fields that are used as keys in a map, except where explicitly noted that keys are **case insensitive**. - -The [schema](#schema) exposes two types of fields: _fixed fields_, which have a declared name, and _patterned fields_, which have a declared pattern for the field name. - -Patterned fields MUST have unique names within the containing object. - -**Note:** While APIs may be described by OpenAPI Descriptions in either YAML or JSON format, the API request and response bodies and other content are not required to be JSON or YAML. - -#### JSON and YAML Compatibility - -In order to preserve the ability to round-trip between YAML and JSON formats, YAML version [1.2](https://yaml.org/spec/1.2/spec.html) is RECOMMENDED along with the additional constraints listed in [[!RFC9512]] [Section 3.4](https://www.rfc-editor.org/rfc/rfc9512.html#name-yaml-and-json). - -The recommendation in previous versions of this specification to restrict YAML to its "JSON" [schema ruleset](https://yaml.org/spec/1.2/spec.html#id2803231) allowed for the inclusion of certain values that (despite the name) cannot be represented in JSON. -OAD authors SHOULD NOT rely on any such JSON-incompatible YAML values. - -### OpenAPI Description Structure - -An OpenAPI Description (OAD) MAY be made up of a single JSON or YAML document or be divided into multiple, connected parts at the discretion of the author. In the latter case, [Reference Object](#reference-object), [Path Item Object](#path-item-object) and [Schema Object](#schema-object) `$ref` fields, as well as the [Link Object](#link-object) `operationRef` field, and the URI form of the [Discriminator Object](#discriminator-object) `mapping` field, are used to identify the referenced elements. - -In a multi-document OAD, the document containing the OpenAPI Object where parsing begins is known as that OAD's **entry document**. - -It is RECOMMENDED that the entry document of an OAD be named: `openapi.json` or `openapi.yaml`. - -#### Parsing Documents - -In order to properly handle [Schema Objects](#schema-object), OAS 3.1 inherits the parsing requirements of [JSON Schema Specification Draft 2020-12](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-9), with appropriate modifications regarding base URIs as specified in [Relative References In URIs](#relative-references-in-api-description-uris). - -This includes a requirement to parse complete documents before deeming a Schema Object reference to be unresolvable, in order to detect keywords that might provide the reference target or impact the determination of the appropriate base URI. - -Implementations MAY support complete-document parsing in any of the following ways: - -* Detecting OpenAPI or JSON Schema documents using media types -* Detecting OpenAPI documents through the root `openapi` field -* Detecting JSON Schema documents through detecting keywords or otherwise successfully parsing the document in accordance with the JSON Schema specification -* Detecting a document containing a referenceable Object at its root based on the expected type of the reference -* Allowing users to configure the type of documents that might be loaded due to a reference to a non-root Object - -Implementations that parse referenced fragments of OpenAPI content without regard for the content of the rest of the containing document will miss keywords that change the meaning and behavior of the reference target. -In particular, failing to take into account keywords that change the base URI introduces security risks by causing references to resolve to unintended URIs, with unpredictable results. -While some implementations support this sort of parsing due to the requirements of past versions of this specification, in version 3.1, the result of parsing fragments in isolation is _undefined_ and likely to contradict the requirements of this specification. - -While it is possible to structure certain OpenAPI Descriptions to ensure that they will behave correctly when references are parsed as isolated fragments, depending on this is NOT RECOMMENDED. -This specification does not explicitly enumerate the conditions under which such behavior is safe and provides no guarantee for continued safety in any future versions of the OAS. - -A special case of parsing fragments of OAS content would be if such fragments are embedded in another format, referred to as an _embedding format_ with respect to the OAS. -Note that the OAS itself is an embedding format with respect to JSON Schema, which is embedded as Schema Objects. -It is the responsibility of an embedding format to define how to parse embedded content, and OAS implementations that do not document support for an embedding format cannot be expected to parse embedded OAS content correctly. - -#### Structural Interoperability - -JSON or YAML objects within an OAD are interpreted as specific Objects (such as [Operation Objects](#operation-object), [Response Objects](#response-object), [Reference Objects](#reference-object), etc.) based on their context. Depending on how references are arranged, a given JSON or YAML object can be interpreted in multiple different contexts: - -* As the root object of the [entry document](#openapi-description-structure), which is always interpreted as an OpenAPI Object -* As the Object type implied by its parent Object within the document -* As a reference target, with the Object type matching the reference source's context - -If the same JSON/YAML object is parsed multiple times and the respective contexts require it to be parsed as _different_ Object types, the resulting behavior is _implementation defined_, and MAY be treated as an error if detected. An example would be referencing an empty Schema Object under `#/components/schemas` where a Path Item Object is expected, as an empty object is valid for both types. For maximum interoperability, it is RECOMMENDED that OpenAPI Description authors avoid such scenarios. - -#### Relative References in API Description URIs - -URIs used as references within an OpenAPI Description, or to external documentation or other supplementary information such as a license, are resolved as _identifiers_, and described by this specification as **_URIs_**. -As noted under [Parsing Documents](#parsing-documents), this specification inherits JSON Schema Specification Draft 2020-12's requirements for [loading documents](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-9) and associating them with their expected URIs, which might not match their current location. -This feature is used both for working in development or test environments without having to change the URIs, and for working within restrictive network configurations or security policies. - -Note that some URI fields are named `url` for historical reasons, but the descriptive text for those fields uses the correct "URI" terminology. - -Unless specified otherwise, all fields that are URIs MAY be relative references as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-4.2). - -##### Establishing the Base URI - -Relative URI references are resolved using the appropriate base URI, which MUST be determined in accordance with [[RFC3986]] [Section 5.1.1 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.1) and, for Schema objects, [JSON Schema draft 2020-12 Section 8.2](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-8.2), as illustrated by the examples in [Appendix G: Examples of Base URI Determination and Reference Resolution](#appendix-g-examples-of-base-uri-determination-and-reference-resolution). - -If `$self` is a relative URI-reference, it is resolved against the next possible base URI source ([[RFC3986]] [Section 5.1.2 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.2)) before being used for the resolution of other relative URI-references. - -The most common base URI source that is used in the event of a missing or relative `$self` (in the [OpenAPI Object](#openapi-object)) and (for [Schema Object](#schema-object)) `$id` is the retrieval URI. -Implementations MAY support document retrieval, although see the [Security Considerations](#security-considerations) sections for additional guidance. -Even if retrieval is supported, it may be impossible due to network configuration or server unavailability (including the server hosting an older version while a new version is in development), or undesirable due to performance impacts. -Therefore, all implementations SHOULD allow users to provide the intended retrieval URI for each document so that references can be resolved as if retrievals were performed. - -##### Resolving URI fragments - -If a URI contains a fragment identifier, then the fragment should be resolved per the fragment resolution mechanism of the referenced document. If the representation of the referenced document is JSON or YAML, then the fragment identifier SHOULD be interpreted as a JSON-Pointer as per [RFC6901](https://tools.ietf.org/html/rfc6901). - -##### Relative URI References in CommonMark Fields - -Relative references in CommonMark hyperlinks are resolved in their rendered context, which might differ from the context of the API description. - -#### Relative References in API URLs - -API endpoints are by definition accessed as locations, and are described by this specification as **_URLs_**. - -Unless specified otherwise, all fields that are URLs MAY be relative references as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-4.2). - -Because the API is a distinct entity from the OpenAPI Document, RFC3986's base URI rules for the OpenAPI Document do not apply. -Unless specified otherwise, relative references are resolved using the URLs defined in the [Server Object](#server-object) as a base URL. Note that these themselves MAY be relative to the referring document. - -##### Examples of API Base URL Determination - -Assume a retrieval URI of `https://device1.example.com` for the following OpenAPI Document: - -```yaml -openapi: 3.2.0 -$self: https://apidescriptions.example.com/foo -info: - title: Example API - version: 1.0 -servers: -- url: . - description: The production API on this device -- url: ./test - description: The test API on this device -``` - -For API URLs the `$self` field, which identifies the OpenAPI Document, is ignored and the retrieval URI is used instead. This produces a normalized production URL of `https://device1.example.com`, and a normalized test URL of `https://device1.example.com/test`. - -#### Resolving Implicit Connections - -Several features of this specification require resolution of non-URI-based connections to some other part of the OpenAPI Description (OAD). - -These connections are unambiguously resolved in single-document OADs, but the resolution process in multi-document OADs is _implementation-defined_, within the constraints described in this section. -In some cases, an unambiguous URI-based alternative is available, and OAD authors are RECOMMENDED to always use the alternative: - -| Source | Target | Alternative | -| ---- | ---- | ---- | -| [Security Requirement Object](#security-requirement-object) `{name}` | [Security Scheme Object](#security-scheme-object) name under the [Components Object](#components-object) | _n/a_ | -| [Discriminator Object](#discriminator-object) `mapping` _(implicit, or explicit name syntax)_ | [Schema Object](#schema-object) name under the Components Object | `mapping` _(explicit URI syntax)_ | -| [Operation Object](#operation-object) `tags` | [Tag Object](#tag-object) `name` (in the [OpenAPI Object](#openapi-object)'s `tags` array) | _n/a_ | -| [Link Object](#link-object) `operationId` | [Operation Object](#operation-object) `operationId` | `operationRef` | - -A fifth implicit connection involves appending the templated URL paths of the [Paths Object](#paths-object) to the appropriate [Server Object](#server-object)'s `url` field. -This is unambiguous because only the entry document's Paths Object contributes URLs to the described API. - -It is RECOMMENDED to consider all Operation Objects from all parsed documents when resolving any Link Object `operationId`. -This requires parsing all referenced documents prior to determining an `operationId` to be unresolvable. - -The implicit connections in the Security Requirement Object and Discriminator Object rely on the _component name_, which is the name of the property holding the component in the appropriately typed sub-object of the Components Object. -For example, the component name of the Schema Object at `#/components/schemas/Foo` is `Foo`. -The implicit connection of `tags` in the Operation Object uses the `name` field of Tag Objects, which (like the Components Object) are found under the root OpenAPI Object. -This means resolving component names and tag names both depend on starting from the correct OpenAPI Object. - -For resolving component and tag name connections from a referenced (non-entry) document, it is RECOMMENDED that tools resolve from the entry document, rather than the current document. -This allows Security Scheme Objects and Tag Objects to be defined next to the API's deployment information (the top-level array of Server Objects), and treated as an interface for referenced documents to access. - -The interface approach can also work for Discriminator Objects and Schema Objects, but it is also possible to keep the Discriminator Object's behavior within a single document using the relative URI-reference syntax of `mapping`. - -There are no URI-based alternatives for the Operation Object's `tags` field. -OAD authors are advised to use external solutions such as the OpenAPI Initiative's Overlay Specification to simulate sharing [Tag Objects](#tag-object) across multiple documents. - -See [Appendix F: Resolving Security Requirements in a Referenced Document](#appendix-f-resolving-security-requirements-in-a-referenced-document) for an example of the possible resolutions, including which one is recommended by this section. -The behavior for Discriminator Object non-URI mappings and for the Operation Object's `tags` field operate on the same principles. - -Note that no aspect of implicit connection resolution changes how [URIs are resolved](#relative-references-in-api-description-uris), or restricts their possible targets. - -### Working with Data - -#### Data Types - -Data types in the OAS are based on the types defined by the [JSON Schema Validation Specification Draft 2020-12](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-6.1.1): -"null", "boolean", "object", "array", "number", "string", or "integer". -Models are defined using the [Schema Object](#schema-object), which is a superset of the JSON Schema Specification Draft 2020-12. - -JSON Schema keywords and `format` values operate on JSON "instances" which may be one of the six JSON data types, "null", "boolean", "object", "array", "number", or "string", with certain keywords and formats only applying to a specific type. For example, the `pattern` keyword and the `date-time` format only apply to strings, and treat any instance of the other five types as _automatically valid._ This means JSON Schema keywords and formats do **NOT** implicitly require the expected type. Use the `type` keyword to explicitly constrain the type. - -Note that the `type` keyword allows `"integer"` as a value for convenience, but keyword and format applicability does not recognize integers as being of a distinct JSON type from other numbers because [[RFC8259|JSON]] itself does not make that distinction. Since there is no distinct JSON integer type, JSON Schema defines integers mathematically. This means that both `1` and `1.0` are [equivalent](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-4.2.2), and are both considered to be integers. - -##### Data Type Format - -As defined by the [JSON Schema Validation specification](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-7.3), data types can have an optional modifier keyword: `format`. As described in that specification, `format` is treated as a non-validating annotation by default; the ability to validate `format` varies across implementations. - -The OpenAPI Initiative also hosts a [Format Registry](https://spec.openapis.org/registry/format/) for formats defined by OAS users and other specifications. Support for any registered format is strictly OPTIONAL, and support for one registered format does not imply support for any others. - -Types that are not accompanied by a `format` keyword follow the type definition in the JSON Schema. Tools that do not recognize a specific `format` MAY default back to the `type` alone, as if the `format` is not specified. -For the purpose of [JSON Schema validation](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-7.1), each format should specify the set of JSON data types for which it applies. In this registry, these types are shown in the "JSON Data Type" column. - -The formats defined by the OAS are: - -| `format` | JSON Data Type | Comments | -| ---- | ---- | ---- | -| `int32` | number | signed 32 bits | -| `int64` | number | signed 64 bits (a.k.a long) | -| `float` | number | | -| `double` | number | | -| `password` | string | A hint to obscure the value. | - -As noted under [Data Type](#data-types), both `type: number` and `type: integer` are considered to be numbers in the data model. - -#### Parsing and Serializing - -API data has several forms: - -1. The serialized form, which is either a document of a particular media type, an HTTP header value, or part of a URI. -2. The data form, intended for use with a [Schema Object](#schema-object). -3. The application form, which incorporates any additional information conveyed by JSON Schema keywords such as `format` and `contentType`, and possibly additional information such as class hierarchies that are beyond the scope of this specification, although they MAY be based on specification elements such as the [Discriminator Object](#discriminator-object) or guidance regarding [Data Modeling Techniques](#data-modeling-techniques). - -##### JSON Data - -JSON-serialized data is nearly equivalent to the data form because the [JSON Schema data model](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-4.2.1) is nearly equivalent to the JSON representation. -The serialized UTF-8 JSON string `{"when": "1985-04-12T23:20:50.52"}` represents an object with one data field, named `when`, with a string value, `1985-04-12T23:20:50.52`. - -The exact application form is beyond the scope of this specification, as can be shown with the following schema for our JSON instance: - -```yaml -type: object -properties: - when: - type: string - format: date-time -``` - -Some applications might leave the string as a string regardless of programming language, while others might notice the `format` and use it as a `datetime.datetime` instance in Python, or a `java.time.ZonedDateTime` in Java. -This specification only requires that the data is valid according to the schema, and that [annotations](#extended-validation-with-annotations) such as `format` are available in accordance with the JSON Schema specification. - -##### Non-JSON Data - -Non-JSON serializations can be substantially different from their corresponding data form, and might require several steps to parse. - -To continue our "when" example, if we serialized the object as `application/x-www-form-urlencoded`, it would appear as the ASCII string `when=1985-04-12T23%3A20%3A50.52`. -This example is still straightforward to use as it is all string data, and the only differences from JSON are the URI percent-encoding and the delimiter syntax (`=` instead of JSON punctuation and quoting). - -However, many non-JSON text-based formats can be complex, requiring examination of the appropriate schema(s) in order to correctly parse the text into a schema-ready data structure. -Serializing data into such formats requires either examining the schema-validated data or performing the same schema inspections. - -When inspecting schemas, given a starting point schema, implementations MUST examine that schema and all schemas that can be reached from it by following only `$ref` and `allOf` keywords. -These schemas are guaranteed to apply to any instance. -When searching schemas for `type`, if the `type` keyword's value is a list of types and the serialized value can be successfully parsed as more than one of the types in the list, and no other findable `type` keyword disambiguates the actual required type, the behavior is implementation-defined. -Schema Objects that do not contain `type` MUST be considered to allow all types, regardless of which other keywords are present (e.g. `maximum` applies to numbers, but _does not_ require the instance to be a number). - -Implementations MAY inspect subschemas or possible reference targets of other keywords such as `oneOf` or `$dynamicRef`, but MUST NOT attempt to resolve ambiguities. -For example, if an implementation opts to inspect `anyOf`, the schema: - -```yaml -anyOf: -- type: number - minimum: 0 -- type: number - maximum: 100 -``` - -unambiguously indicates a numeric type, but the schema: - -```yaml -anyOf: -- type: number -- maximum: 100 -``` - -does not, because the second subschema allows all types. - -Due to these limited requirements for searching schemas, serializers that have access to validated data MUST inspect the data if possible; implementations that either do not work with runtime data (such as code generators) or cannot access validated data for some reason MUST fall back to schema inspection. - -Recall also that in JSON Schema, keywords that apply to a specific type (e.g. `pattern` applies to strings, `minimum` applies to numbers) _do not_ require or imply that the data will actually be of that type. - -As an example of these processes, given these OpenAPI components: - -```yaml -components: - requestBodies: - Form: - content: - application/x-www-form-urlencoded: - schema: - $ref: "#/components/schemas/FormData" - encoding: - extra: - contentType: application/xml - schemas: - FormData: - type: object - properties: - code: - allOf: - - type: [string, number] - pattern: "1" - minimum: 0 - - type: string - pattern: "2" - count: - type: integer - extra: - type: object -``` - -And this request body to parse into its data form: - -```uri -code=1234&count=42&extra=%3Cinfo%3Eabc%3C/info%3E -``` - -We must first search the schema for `properties` or other property-defining keywords, and then use each property schema as a starting point for a search for that property's `type` keyword, as follows (the exact order is implementation-defined): - -* `#/components/requestBodies/Form/content/application~1x-www-form-urlencoded/schema` (initial starting point schema, only `$ref`) -* `#/components/schemas/FormData` (follow `$ref`, found `properties`) -* `#/components/schemas/FormData/properties/code` (starting point schema for `code` property) -* `#/components/schemas/FormData/properties/code/allOf/0` (follow `allOf`, found `type: [string, number]`) -* `#/components/schemas/FormData/properties/code/allOf/1` (follow `allOf`, found `type: string`) -* `#/components/schemas/FormData/properties/count` (starting point schema for `count` property, found `type: integer`) -* `#/components/schemas/FormData/properties/extra` (starting point schema for `extra` property, found `type: object`) - -Note that for `code` we first found an ambiguous `type`, but then found another `type` keyword that ensures only one of the two possibilities is valid. - -From this inspection, we determine that `code` is a string that happens to look like a number, while `count` needs to be parsed into a number _prior_ to schema validation. -Furthermore, the `extra` string is in fact an XML serialization of an object containing an `info` property. -This means that the data form of this serialization is equivalent to the following JSON object: - -```json -{ - "code": "1234", - "count": 42 - "extra": { - "info": "abc" - } -} -``` - -Serializing this object also requires correlating properties with [Encoding Objects](#encoding-object), and may require inspection to determine a default value of the `contentType` field. -If validated data is not available, the schema inspection process is identical to that shown for parsing. - -In this example, both `code` and `count` are of primitive type and do not appear in the `encoding` field, and are therefore serialized as plain text. -However, the `extra` field is an object, which would by default be serialized as JSON, but the `extra` entry in the `encoding` field tells use to serialize it as XML instead. - -##### Working with Binary Data - -The OAS can describe either _raw_ or _encoded_ binary data. - -* **raw binary** is used where unencoded binary data is allowed, such as when sending a binary payload as the entire HTTP message body, or as part of a `multipart/*` payload that allows binary parts -* **encoded binary** is used where binary data is embedded in a text-only format such as `application/json` or `application/x-www-form-urlencoded` (either as a message body or in the URL query string). - -In the following table showing how to use Schema Object keywords for binary data, we use `image/png` as an example binary media type. Any binary media type, including `application/octet-stream`, is sufficient to indicate binary content. - -| Keyword | Raw | Encoded | Comments | -| ---- | ---- | ---- | ---- | -| `type` | _omit_ | `string` | raw binary is [outside of `type`](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-4.2.3) | -| `contentMediaType` | `image/png` | `image/png` | can sometimes be omitted if redundant (see below) | -| `contentEncoding` | _omit_ | `base64` or `base64url` | other encodings are [allowed](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-8.3) | +At this time, such elements are expected to remain part of the OAS until the next major version, although a future minor version of this specification may define a policy for later removal of deprecated elements. -Note that the encoding indicated by `contentEncoding`, which inflates the size of data in order to represent it as 7-bit ASCII text, is unrelated to HTTP's `Content-Encoding` header, which indicates whether and how a message body has been compressed and is applied after all content serialization described in this section has occurred. Since HTTP allows unencoded binary message bodies, there is no standardized HTTP header for indicating base64 or similar encoding of an entire message body. +### Undefined and Implementation-Defined Behavior -Using a `contentEncoding` of `base64url` ensures that URL encoding (as required in the query string and in message bodies of type `application/x-www-form-urlencoded`) does not need to further encode any part of the already-encoded binary data. +This specification deems certain situations to have either _undefined_ or _implementation-defined_ behavior. -The `contentMediaType` keyword is redundant if the media type is already set: +Behavior described as _undefined_ is likely, at least in some circumstances, to result in outcomes that contradict the specification. +This description is used when detecting the contradiction is impossible or impractical. +Implementations MAY support undefined scenarios for historical reasons, including ambiguous text in prior versions of the specification. +This support might produce correct outcomes in many cases, but relying on it is NOT RECOMMENDED as there is no guarantee that it will work across all tools or with future specification versions, even if those versions are otherwise strictly compatible with this one. -* as the key for a [Media Type Object](#media-type-object) -* in the `contentType` field of an [Encoding Object](#encoding-object) +Behavior described as _implementation-defined_ allows implementations to choose which of several different-but-compliant approaches to a requirement to implement. +This documents ambiguous requirements that API description authors are RECOMMENDED to avoid in order to maximize interoperability. +Unlike undefined behavior, it is safe to rely on implementation-defined behavior if _and only if_ it can be guaranteed that all relevant tools support the same behavior. -If the [Schema Object](#schema-object) will be processed by a non-OAS-aware JSON Schema implementation, it may be useful to include `contentMediaType` even if it is redundant. However, if `contentMediaType` contradicts a relevant Media Type Object or Encoding Object, then `contentMediaType` SHALL be ignored. +### Format -See [Complete vs Streaming Content](#complete-vs-streaming-content) for guidance on streaming binary payloads. +An OpenAPI Document that conforms to the OpenAPI Specification is itself a JSON object, which may be represented either in [[RFC8259|JSON]] or [[YAML|YAML]] format. +Examples in this specification will be shown in YAML for brevity. -###### Schema Evaluation and Binary Data +All field names in the specification are **case sensitive**. +This includes all fields that are used as keys in a map, except where explicitly noted that keys are **case insensitive**. -Few JSON Schema implementations directly support working with binary data, as doing so is not a mandatory part of that specification. +The [schema](#schema) exposes two types of fields: _fixed fields_, which have a declared name, and _patterned fields_, which have a declared pattern for the field name. -OAS Implementations that do not have access to a binary-instance-supporting JSON Schema implementation MUST examine schemas and apply them in accordance with [Working with Binary Data](#working-with-binary-data). -When the entire instance is binary, this is straightforward as few keywords are relevant. +Patterned fields MUST have unique names within the containing object. -However, `multipart` media types can mix binary and text-based data, leaving implementations with two options for schema evaluations: +**Note:** While APIs may be described by OpenAPI Descriptions in either YAML or JSON format, the API request and response bodies and other content are not required to be JSON or YAML. -1. Use a placeholder value, on the assumption that no assertions will apply to the binary data and no conditional schema keywords will cause the schema to treat the placeholder value differently (e.g. a part that could be either plain text or binary might behave unexpectedly if a string is used as a binary placeholder, as it would likely be treated as plain text and subject to different subschemas and keywords). -2. Inspect the schema(s) to find the appropriate keywords (`properties`, `prefixItems`, etc.) in order to break up the subschemas and apply them separately to binary and JSON-compatible data. +#### JSON and YAML Compatibility -###### Migrating Binary Descriptions from OAS 3.0 +In order to preserve the ability to round-trip between YAML and JSON formats, YAML version [1.2](https://yaml.org/spec/1.2/spec.html) is RECOMMENDED along with the additional constraints listed in [[!RFC9512]] [Section 3.4](https://www.rfc-editor.org/rfc/rfc9512.html#name-yaml-and-json). -The following table shows how to migrate from OAS 3.0 binary data descriptions, continuing to use `image/png` as the example binary media type: +The recommendation in previous versions of this specification to restrict YAML to its "JSON" [schema ruleset](https://yaml.org/spec/1.2/spec.html#id2803231) allowed for the inclusion of certain values that (despite the name) cannot be represented in JSON. +OAD authors SHOULD NOT rely on any such JSON-incompatible YAML values. -| OAS < 3.1 | OAS >= 3.1 | Comments | -| ---- | ---- | ---- | -| type: string
format: binary | contentMediaType: image/png | if redundant, can be omitted, often resulting in an empty [Schema Object](#schema-object) | -| type: string
format: byte | type: string
contentMediaType: image/png
contentEncoding: base64 | note that `base64url` can be used to avoid re-encoding the base64 string to be URL-safe | +### Case Sensitivity + +As most field names and values in the OpenAPI Specification are case-sensitive, this document endeavors to call out any case-insensitive names and values. +However, the case sensitivity of field names and values that map directly to HTTP concepts follow the case sensitivity rules of HTTP, even if this document does not make a note of every concept. ### Rich Text Formatting @@ -581,6 +111,124 @@ This object MAY be extended with [Specification Extensions](#specification-exten To ensure interoperability, references MUST use the target document's `$self` URI if the `$self` field is present. Implementations MAY choose to support referencing by other URIs such as the retrieval URI even when `$self` is present, however this behavior is not interoperable and relying on it is NOT RECOMMENDED. +##### OpenAPI Description Structure + +An OpenAPI Description (OAD) MAY be made up of a single JSON or YAML document or be divided into multiple, connected parts at the discretion of the author. In the latter case, [Reference Object](#reference-object), [Path Item Object](#path-item-object) and [Schema Object](#schema-object) `$ref` fields, as well as the [Link Object](#link-object) `operationRef` field, and the URI form of the [Discriminator Object](#discriminator-object) `mapping` field, are used to identify the referenced elements. + +In a multi-document OAD, the document containing the OpenAPI Object where parsing begins is known as that OAD's **entry document**. + +It is RECOMMENDED that the entry document of an OAD be named: `openapi.json` or `openapi.yaml`. + +###### OpenAPI Description + +An OpenAPI Description (OAD) formally describes the surface of an API and its semantics. It is composed of an [entry document](#openapi-description-structure), which must be an OpenAPI Document, and any/all of its referenced documents. An OAD uses and conforms to the OpenAPI Specification, and MUST contain at least one [paths](#paths-object) field, [components](#oas-components) field, or [webhooks](#oas-webhooks) field. + +###### OpenAPI Document + +An OpenAPI Document is a single JSON or YAML document that conforms to the OpenAPI Specification. An OpenAPI Document compatible with OAS 3.\*.\* contains a required [`openapi`](#oas-version) field which designates the version of the OAS that it uses. + +###### Parsing Documents + +In order to properly handle [Schema Objects](#schema-object), OAS 3.1 inherits the parsing requirements of [JSON Schema Specification Draft 2020-12](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-9), with appropriate modifications regarding base URIs as specified in [Relative References In URIs](#relative-references-in-api-description-uris). + +This includes a requirement to parse complete documents before deeming a Schema Object reference to be unresolvable, in order to detect keywords that might provide the reference target or impact the determination of the appropriate base URI. + +Implementations MAY support complete-document parsing in any of the following ways: + +* Detecting OpenAPI or JSON Schema documents using media types +* Detecting OpenAPI documents through the root `openapi` field +* Detecting JSON Schema documents through detecting keywords or otherwise successfully parsing the document in accordance with the JSON Schema specification +* Detecting a document containing a referenceable Object at its root based on the expected type of the reference +* Allowing users to configure the type of documents that might be loaded due to a reference to a non-root Object + +Implementations that parse referenced fragments of OpenAPI content without regard for the content of the rest of the containing document will miss keywords that change the meaning and behavior of the reference target. +In particular, failing to take into account keywords that change the base URI introduces security risks by causing references to resolve to unintended URIs, with unpredictable results. +While some implementations support this sort of parsing due to the requirements of past versions of this specification, in version 3.1, the result of parsing fragments in isolation is _undefined_ and likely to contradict the requirements of this specification. + +While it is possible to structure certain OpenAPI Descriptions to ensure that they will behave correctly when references are parsed as isolated fragments, depending on this is NOT RECOMMENDED. +This specification does not explicitly enumerate the conditions under which such behavior is safe and provides no guarantee for continued safety in any future versions of the OAS. + +A special case of parsing fragments of OAS content would be if such fragments are embedded in another format, referred to as an _embedding format_ with respect to the OAS. +Note that the OAS itself is an embedding format with respect to JSON Schema, which is embedded as Schema Objects. +It is the responsibility of an embedding format to define how to parse embedded content, and OAS implementations that do not document support for an embedding format cannot be expected to parse embedded OAS content correctly. + +###### Structural Interoperability + +JSON or YAML objects within an OAD are interpreted as specific Objects (such as [Operation Objects](#operation-object), [Response Objects](#response-object), [Reference Objects](#reference-object), etc.) based on their context. Depending on how references are arranged, a given JSON or YAML object can be interpreted in multiple different contexts: + +* As the root object of the [entry document](#openapi-description-structure), which is always interpreted as an OpenAPI Object +* As the Object type implied by its parent Object within the document +* As a reference target, with the Object type matching the reference source's context + +If the same JSON/YAML object is parsed multiple times and the respective contexts require it to be parsed as _different_ Object types, the resulting behavior is _implementation defined_, and MAY be treated as an error if detected. An example would be referencing an empty Schema Object under `#/components/schemas` where a Path Item Object is expected, as an empty object is valid for both types. For maximum interoperability, it is RECOMMENDED that OpenAPI Description authors avoid such scenarios. + +###### Relative References in API Description URIs + +URIs used as references within an OpenAPI Description, or to external documentation or other supplementary information such as a license, are resolved as _identifiers_, and described by this specification as **_URIs_**. +As noted under [Parsing Documents](#parsing-documents), this specification inherits JSON Schema Specification Draft 2020-12's requirements for [loading documents](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-9) and associating them with their expected URIs, which might not match their current location. +This feature is used both for working in development or test environments without having to change the URIs, and for working within restrictive network configurations or security policies. + +Note that some URI fields are named `url` for historical reasons, but the descriptive text for those fields uses the correct "URI" terminology. + +Unless specified otherwise, all fields that are URIs MAY be relative references as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-4.2). + +####### Establishing the Base URI + +Relative URI references are resolved using the appropriate base URI, which MUST be determined in accordance with [[RFC3986]] [Section 5.1.1 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.1) and, for Schema objects, [JSON Schema draft 2020-12 Section 8.2](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-8.2), as illustrated by the examples in [Appendix G: Examples of Base URI Determination and Reference Resolution](#appendix-g-examples-of-base-uri-determination-and-reference-resolution). + +If `$self` is a relative URI-reference, it is resolved against the next possible base URI source ([[RFC3986]] [Section 5.1.2 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.2)) before being used for the resolution of other relative URI-references. + +The most common base URI source that is used in the event of a missing or relative `$self` (in the [OpenAPI Object](#openapi-object)) and (for [Schema Object](#schema-object)) `$id` is the retrieval URI. +Implementations MAY support document retrieval, although see the [Security Considerations](#security-considerations) sections for additional guidance. +Even if retrieval is supported, it may be impossible due to network configuration or server unavailability (including the server hosting an older version while a new version is in development), or undesirable due to performance impacts. +Therefore, all implementations SHOULD allow users to provide the intended retrieval URI for each document so that references can be resolved as if retrievals were performed. + +####### Resolving URI fragments + +If a URI contains a fragment identifier, then the fragment should be resolved per the fragment resolution mechanism of the referenced document. If the representation of the referenced document is JSON or YAML, then the fragment identifier SHOULD be interpreted as a JSON-Pointer as per [RFC6901](https://tools.ietf.org/html/rfc6901). + +####### Relative URI References in CommonMark Fields + +Relative references in CommonMark hyperlinks are resolved in their rendered context, which might differ from the context of the API description. + +###### Resolving Implicit Connections + +Several features of this specification require resolution of non-URI-based connections to some other part of the OpenAPI Description (OAD). + +These connections are unambiguously resolved in single-document OADs, but the resolution process in multi-document OADs is _implementation-defined_, within the constraints described in this section. +In some cases, an unambiguous URI-based alternative is available, and OAD authors are RECOMMENDED to always use the alternative: + +| Source | Target | Alternative | +| ---- | ---- | ---- | +| [Security Requirement Object](#security-requirement-object) `{name}` | [Security Scheme Object](#security-scheme-object) name under the [Components Object](#components-object) | _n/a_ | +| [Discriminator Object](#discriminator-object) `mapping` _(implicit, or explicit name syntax)_ | [Schema Object](#schema-object) name under the Components Object | `mapping` _(explicit URI syntax)_ | +| [Operation Object](#operation-object) `tags` | [Tag Object](#tag-object) `name` (in the [OpenAPI Object](#openapi-object)'s `tags` array) | _n/a_ | +| [Link Object](#link-object) `operationId` | [Operation Object](#operation-object) `operationId` | `operationRef` | + +A fifth implicit connection involves appending the templated URL paths of the [Paths Object](#paths-object) to the appropriate [Server Object](#server-object)'s `url` field. +This is unambiguous because only the entry document's Paths Object contributes URLs to the described API. + +It is RECOMMENDED to consider all Operation Objects from all parsed documents when resolving any Link Object `operationId`. +This requires parsing all referenced documents prior to determining an `operationId` to be unresolvable. + +The implicit connections in the Security Requirement Object and Discriminator Object rely on the _component name_, which is the name of the property holding the component in the appropriately typed sub-object of the Components Object. +For example, the component name of the Schema Object at `#/components/schemas/Foo` is `Foo`. +The implicit connection of `tags` in the Operation Object uses the `name` field of Tag Objects, which (like the Components Object) are found under the root OpenAPI Object. +This means resolving component names and tag names both depend on starting from the correct OpenAPI Object. + +For resolving component and tag name connections from a referenced (non-entry) document, it is RECOMMENDED that tools resolve from the entry document, rather than the current document. +This allows Security Scheme Objects and Tag Objects to be defined next to the API's deployment information (the top-level array of Server Objects), and treated as an interface for referenced documents to access. + +The interface approach can also work for Discriminator Objects and Schema Objects, but it is also possible to keep the Discriminator Object's behavior within a single document using the relative URI-reference syntax of `mapping`. + +There are no URI-based alternatives for the Operation Object's `tags` field. +OAD authors are advised to use external solutions such as the OpenAPI Initiative's Overlay Specification to simulate sharing [Tag Objects](#tag-object) across multiple documents. + +See [Appendix F: Resolving Security Requirements in a Referenced Document](#appendix-f-resolving-security-requirements-in-a-referenced-document) for an example of the possible resolutions, including which one is recommended by this section. +The behavior for Discriminator Object non-URI mappings and for the Operation Object's `tags` field operate on the same principles. + +Note that no aspect of implicit connection resolution changes how [URIs are resolved](#relative-references-in-api-description-uris), or restricts their possible targets. + #### Info Object The object provides metadata about the API. @@ -677,6 +325,34 @@ This object MAY be extended with [Specification Extensions](#specification-exten See [Examples of API Base URL Determination](#examples-of-api-base-url-determination) for examples of resolving relative server URLs. +##### Relative References in API URLs + +API endpoints are by definition accessed as locations, and are described by this specification as **_URLs_**. + +Unless specified otherwise, all fields that are URLs MAY be relative references as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-4.2). + +Because the API is a distinct entity from the OpenAPI Document, RFC3986's base URI rules for the OpenAPI Document do not apply. +Unless specified otherwise, relative references are resolved using the URLs defined in the [Server Object](#server-object) as a base URL. Note that these themselves MAY be relative to the referring document. + +###### Examples of API Base URL Determination + +Assume a retrieval URI of `https://device1.example.com` for the following OpenAPI Document: + +```yaml +openapi: 3.2.0 +$self: https://apidescriptions.example.com/foo +info: + title: Example API + version: 1.0 +servers: +- url: . + description: The production API on this device +- url: ./test + description: The test API on this device +``` + +For API URLs the `$self` field, which identifies the OpenAPI Document, is ignored and the retrieval URI is used instead. This produces a normalized production URL of `https://device1.example.com`, and a normalized test URL of `https://device1.example.com/test`. + ##### Server Object Example A single server would be described as: @@ -887,7 +563,38 @@ The path is appended to the URL from the [Server Object](#server-object) in orde This object MAY be extended with [Specification Extensions](#specification-extensions). -##### Path Templating Matching +##### Path Templating + +Path templating refers to the usage of template expressions, delimited by curly braces (`{}`), to mark a section of a URL path as replaceable using path parameters. + +Each template expression in the path MUST correspond to a path parameter that is included in the [Path Item](#path-item-object) itself and/or in each of the Path Item's [Operations](#operation-object). An exception is if the path item is empty, for example due to ACL constraints, matching path parameters are not required. + +The value for these path parameters MUST NOT contain any unescaped "generic syntax" characters described by [RFC3986](https://tools.ietf.org/html/rfc3986#section-3): forward slashes (`/`), question marks (`?`), or hashes (`#`). +See [URL Percent-Encoding](#url-percent-encoding) for additional guidance on escaping characters. + +The path templating is defined by the following [ABNF](https://tools.ietf.org/html/rfc5234) syntax + +```abnf +path-template = "/" *( path-segment "/" ) [ path-segment ] +path-segment = 1*( path-literal / template-expression ) +path-literal = 1*pchar +template-expression = "{" template-expression-param-name "}" +template-expression-param-name = 1*( %x00-7A / %x7C / %x7E-10FFFF ) ; every UTF8 character except { and } + +pchar = unreserved / pct-encoded / sub-delims / ":" / "@" +unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" +pct-encoded = "%" HEXDIG HEXDIG +sub-delims = "!" / "$" / "&" / "'" / "(" / ")" + / "*" / "+" / "," / ";" / "=" +``` + +Here, `pchar`, `unreserved`, `pct-encoded` and `sub-delims` definitions are taken from [RFC 3986](https://tools.ietf.org/html/rfc3986). The `path-template` is directly derived from [RFC 3986, section 3.3](https://datatracker.ietf.org/doc/html/rfc3986#section-3.3). + +Each template expression MUST NOT appear more than once in a single path template. + +See also [Appendix C: Using RFC6570-Based Serialization](#appendix-c-using-rfc6570-based-serialization) for additional guidance. + +###### Path Templating Matching Assuming the following paths, the concrete definition, `/pets/mine`, will be matched first if used: @@ -1614,19 +1321,71 @@ This object MAY be extended with [Specification Extensions](#specification-exten See also the [Media Type Registry](#media-type-registry). +##### Media Types + +Media type definitions are spread across several resources. +The media type definitions SHOULD be in compliance with [RFC6838](https://tools.ietf.org/html/rfc6838). + +Some examples of possible media type definitions: + +```text + text/plain; charset=utf-8 + application/json + application/vnd.github+json + application/vnd.github.v3+json + application/vnd.github.v3.raw+json + application/vnd.github.v3.text+json + application/vnd.github.v3.html+json + application/vnd.github.v3.full+json + application/vnd.github.v3.diff + application/vnd.github.v3.patch +``` + +JSON-based and JSON-compatible YAML-based media types can make direct use of the [Schema Object](#schema-object) as the Object uses JSON Schema. +The use of the Schema Object with other media types is handled by mapping them into the JSON Schema [instance data model](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#name-instance-data-model). +These mappings may be implicit based on the media type, or explicit based on the values of particular fields. +Each mapping is addressed where the relevant media type is discussed in this section or under the [Media Type Object](#media-type-object) or [Encoding Object](#encoding-object) + +###### Media Type Registry + +While the [Schema Object](#schema-object) is designed to describe and validate JSON, several other media types are commonly used in APIs. +Requirements regarding support for other media types are documented in this Media Types section and in several Object sections later in this specification. +For convenience and future extensibility, these are cataloged in the OpenAPI Initiative's [Media Type Registry](https://spec.openapis.org/registry/media-type/), which indicates where in this specification the relevant requirements can be found. + +See also the [Media Type Object](#media-type-object) for further information on working with specific media types. + ##### Complete vs Streaming Content -The `schema` field MUST be applied to the complete content, as defined by the media type and the context ([Request Body Object](#request-body-object), [Response Object](#response-object), [Parameter Object](#parameter-object), or [Header Object](#header-object). -Because this requires loading the content into memory in its entirety, it poses a challenge for streamed content. -Use cases where clients are intended to choose when to stop reading are particularly challenging as there is no well-defined end to the stream. +The `schema` field MUST be applied to the complete content, as defined by the media type and the context ([Request Body Object](#request-body-object), [Response Object](#response-object), [Parameter Object](#parameter-object), or [Header Object](#header-object). +Because this requires loading the content into memory in its entirety, it poses a challenge for streamed content. +Use cases where clients are intended to choose when to stop reading are particularly challenging as there is no well-defined end to the stream. + +###### Sequential Media Types + +Within this specification, a _sequential media type_ is defined as any media type that consists of a repeating structure, without any sort of header, footer, envelope, or other metadata in addition to the sequence. + +Some examples of sequential media types (including some that are not IANA-registered but are in common use) are: + +```text + application/jsonl + application/x-ndjson + application/json-seq + application/geo+json-seq + text/event-stream + multipart/mixed +``` + +In the first three above, the repeating structure is any [JSON value](https://tools.ietf.org/html/rfc8259#section-3). +The fourth repeats `application/geo+json`-structured values, while `text/event-stream` repeats a custom text format related to Server-Sent Events. +The final media type listed above, `multipart/mixed`, provides an ordered list of documents of any media type, and is sometimes streamed. +Note that while `multipart` formats technically allow a preamble and an epilogue, the RFC directs that they are to be ignored, making them effectively comments, and this specification does not model them. -###### Binary Streams +Implementations MUST support mapping sequential media types into the JSON Schema data model by treating them as if the values were in an array in the same order. -The `maxLength` keyword MAY be used to set an expected upper bound on the length of a streaming payload that consists of either string data, including encoded binary data, or unencoded binary data. -For unencoded binary data, the length is the number of octets. -For this use case, `maxLength` MAY be implemented outside of regular JSON Schema evaluation as JSON Schema does not directly apply to binary data, and an encoded binary stream may be impractical to store in memory in its entirety. +See [Complete vs Streaming Content](#complete-vs-streaming-content) for more information on handling sequential media types in a streaming context, including special considerations for `text/event-stream` content. +For `multipart` types, see also [Encoding By Position](#encoding-by-position). -###### Streaming Sequential Media Types +####### Streaming Sequential Media Types The `itemSchema` field is provided to support streaming use cases for sequential media types, with `itemEncoding` as a corresponding encoding mechanism for streaming [positional `multipart` media types](#encoding-by-position). @@ -1635,6 +1394,12 @@ Unlike `schema`, which is applied to the complete content (treated as an array a Both `schema` and `itemSchema` MAY be used in the same Media Type Object. However, doing so is unlikely to have significant advantages over using the `items` keyword within the `schema` field. +###### Binary Streams + +The `maxLength` keyword MAY be used to set an expected upper bound on the length of a streaming payload that consists of either string data, including encoded binary data, or unencoded binary data. +For unencoded binary data, the length is the number of octets. +For this use case, `maxLength` MAY be implemented outside of regular JSON Schema evaluation as JSON Schema does not directly apply to binary data, and an encoded binary stream may be impractical to store in memory in its entirety. + ##### Special Considerations for `text/event-stream` Content @@ -2433,6 +2198,11 @@ call. This object MAY be extended with [Specification Extensions](#specification-extensions). +##### HTTP Status Codes + +The HTTP Status Codes are used to indicate the status of the executed operation. +Status codes SHOULD be selected from the available status codes registered in the [IANA Status Code Registry](https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml). + ##### Responses Object Example A 200 response for a successful operation and a default response for others (implying an error): @@ -2880,7 +2650,7 @@ Clients follow all links at their discretion. Neither permissions nor the capability to make a successful call to that link is guaranteed solely by the existence of a relationship. -##### `operationRef` Examples +###### `operationRef` Examples As references to `operationId` MAY NOT be possible (the `operationId` is an optional field in an [Operation Object](#operation-object)), references MAY also be made through a relative `operationRef`: @@ -2940,7 +2710,7 @@ The `name` identifier is case-sensitive, whereas `token` is not. The table below provides examples of runtime expressions and examples of their use in a value: -##### Examples +###### Example Expressions | Source Location | example expression | notes | | ---- | :---- | :---- | @@ -3301,6 +3071,220 @@ JSON Schema implementations MAY choose to treat keywords defined by the OpenAPI This object MAY be extended with [Specification Extensions](#specification-extensions), though as noted, additional properties MAY omit the `x-` prefix within this object. +##### Data Types + +Data types in the OAS are based on the types defined by the [JSON Schema Validation Specification Draft 2020-12](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-6.1.1): +"null", "boolean", "object", "array", "number", "string", or "integer". +Models are defined using the [Schema Object](#schema-object), which is a superset of the JSON Schema Specification Draft 2020-12. + +JSON Schema keywords and `format` values operate on JSON "instances" which may be one of the six JSON data types, "null", "boolean", "object", "array", "number", or "string", with certain keywords and formats only applying to a specific type. For example, the `pattern` keyword and the `date-time` format only apply to strings, and treat any instance of the other five types as _automatically valid._ This means JSON Schema keywords and formats do **NOT** implicitly require the expected type. Use the `type` keyword to explicitly constrain the type. + +Note that the `type` keyword allows `"integer"` as a value for convenience, but keyword and format applicability does not recognize integers as being of a distinct JSON type from other numbers because [[RFC8259|JSON]] itself does not make that distinction. Since there is no distinct JSON integer type, JSON Schema defines integers mathematically. This means that both `1` and `1.0` are [equivalent](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-4.2.2), and are both considered to be integers. + +###### Data Type Format + +As defined by the [JSON Schema Validation specification](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-7.3), data types can have an optional modifier keyword: `format`. As described in that specification, `format` is treated as a non-validating annotation by default; the ability to validate `format` varies across implementations. + +The OpenAPI Initiative also hosts a [Format Registry](https://spec.openapis.org/registry/format/) for formats defined by OAS users and other specifications. Support for any registered format is strictly OPTIONAL, and support for one registered format does not imply support for any others. + +Types that are not accompanied by a `format` keyword follow the type definition in the JSON Schema. Tools that do not recognize a specific `format` MAY default back to the `type` alone, as if the `format` is not specified. +For the purpose of [JSON Schema validation](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-7.1), each format should specify the set of JSON data types for which it applies. In this registry, these types are shown in the "JSON Data Type" column. + +The formats defined by the OAS are: + +| `format` | JSON Data Type | Comments | +| ---- | ---- | ---- | +| `int32` | number | signed 32 bits | +| `int64` | number | signed 64 bits (a.k.a long) | +| `float` | number | | +| `double` | number | | +| `password` | string | A hint to obscure the value. | + +As noted under [Data Type](#data-types), both `type: number` and `type: integer` are considered to be numbers in the data model. + +##### Parsing and Serializing + +API data has several forms: + +1. The serialized form, which is either a document of a particular media type, an HTTP header value, or part of a URI. +2. The data form, intended for use with a [Schema Object](#schema-object). +3. The application form, which incorporates any additional information conveyed by JSON Schema keywords such as `format` and `contentType`, and possibly additional information such as class hierarchies that are beyond the scope of this specification, although they MAY be based on specification elements such as the [Discriminator Object](#discriminator-object) or guidance regarding [Data Modeling Techniques](#data-modeling-techniques). + +###### JSON Data + +JSON-serialized data is nearly equivalent to the data form because the [JSON Schema data model](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-4.2.1) is nearly equivalent to the JSON representation. +The serialized UTF-8 JSON string `{"when": "1985-04-12T23:20:50.52"}` represents an object with one data field, named `when`, with a string value, `1985-04-12T23:20:50.52`. + +The exact application form is beyond the scope of this specification, as can be shown with the following schema for our JSON instance: + +```yaml +type: object +properties: + when: + type: string + format: date-time +``` + +Some applications might leave the string as a string regardless of programming language, while others might notice the `format` and use it as a `datetime.datetime` instance in Python, or a `java.time.ZonedDateTime` in Java. +This specification only requires that the data is valid according to the schema, and that [annotations](#extended-validation-with-annotations) such as `format` are available in accordance with the JSON Schema specification. + +###### Non-JSON Data + +Non-JSON serializations can be substantially different from their corresponding data form, and might require several steps to parse. + +To continue our "when" example, if we serialized the object as `application/x-www-form-urlencoded`, it would appear as the ASCII string `when=1985-04-12T23%3A20%3A50.52`. +This example is still straightforward to use as it is all string data, and the only differences from JSON are the URI percent-encoding and the delimiter syntax (`=` instead of JSON punctuation and quoting). + +However, many non-JSON text-based formats can be complex, requiring examination of the appropriate schema(s) in order to correctly parse the text into a schema-ready data structure. +Serializing data into such formats requires either examining the schema-validated data or performing the same schema inspections. + +When inspecting schemas, given a starting point schema, implementations MUST examine that schema and all schemas that can be reached from it by following only `$ref` and `allOf` keywords. +These schemas are guaranteed to apply to any instance. +When searching schemas for `type`, if the `type` keyword's value is a list of types and the serialized value can be successfully parsed as more than one of the types in the list, and no other findable `type` keyword disambiguates the actual required type, the behavior is implementation-defined. +Schema Objects that do not contain `type` MUST be considered to allow all types, regardless of which other keywords are present (e.g. `maximum` applies to numbers, but _does not_ require the instance to be a number). + +Implementations MAY inspect subschemas or possible reference targets of other keywords such as `oneOf` or `$dynamicRef`, but MUST NOT attempt to resolve ambiguities. +For example, if an implementation opts to inspect `anyOf`, the schema: + +```yaml +anyOf: +- type: number + minimum: 0 +- type: number + maximum: 100 +``` + +unambiguously indicates a numeric type, but the schema: + +```yaml +anyOf: +- type: number +- maximum: 100 +``` + +does not, because the second subschema allows all types. + +Due to these limited requirements for searching schemas, serializers that have access to validated data MUST inspect the data if possible; implementations that either do not work with runtime data (such as code generators) or cannot access validated data for some reason MUST fall back to schema inspection. + +Recall also that in JSON Schema, keywords that apply to a specific type (e.g. `pattern` applies to strings, `minimum` applies to numbers) _do not_ require or imply that the data will actually be of that type. + +As an example of these processes, given these OpenAPI components: + +```yaml +components: + requestBodies: + Form: + content: + application/x-www-form-urlencoded: + schema: + $ref: "#/components/schemas/FormData" + encoding: + extra: + contentType: application/xml + schemas: + FormData: + type: object + properties: + code: + allOf: + - type: [string, number] + pattern: "1" + minimum: 0 + - type: string + pattern: "2" + count: + type: integer + extra: + type: object +``` + +And this request body to parse into its data form: + +```uri +code=1234&count=42&extra=%3Cinfo%3Eabc%3C/info%3E +``` + +We must first search the schema for `properties` or other property-defining keywords, and then use each property schema as a starting point for a search for that property's `type` keyword, as follows (the exact order is implementation-defined): + +* `#/components/requestBodies/Form/content/application~1x-www-form-urlencoded/schema` (initial starting point schema, only `$ref`) +* `#/components/schemas/FormData` (follow `$ref`, found `properties`) +* `#/components/schemas/FormData/properties/code` (starting point schema for `code` property) +* `#/components/schemas/FormData/properties/code/allOf/0` (follow `allOf`, found `type: [string, number]`) +* `#/components/schemas/FormData/properties/code/allOf/1` (follow `allOf`, found `type: string`) +* `#/components/schemas/FormData/properties/count` (starting point schema for `count` property, found `type: integer`) +* `#/components/schemas/FormData/properties/extra` (starting point schema for `extra` property, found `type: object`) + +Note that for `code` we first found an ambiguous `type`, but then found another `type` keyword that ensures only one of the two possibilities is valid. + +From this inspection, we determine that `code` is a string that happens to look like a number, while `count` needs to be parsed into a number _prior_ to schema validation. +Furthermore, the `extra` string is in fact an XML serialization of an object containing an `info` property. +This means that the data form of this serialization is equivalent to the following JSON object: + +```json +{ + "code": "1234", + "count": 42 + "extra": { + "info": "abc" + } +} +``` + +Serializing this object also requires correlating properties with [Encoding Objects](#encoding-object), and may require inspection to determine a default value of the `contentType` field. +If validated data is not available, the schema inspection process is identical to that shown for parsing. + +In this example, both `code` and `count` are of primitive type and do not appear in the `encoding` field, and are therefore serialized as plain text. +However, the `extra` field is an object, which would by default be serialized as JSON, but the `extra` entry in the `encoding` field tells use to serialize it as XML instead. + +###### Working with Binary Data + +The OAS can describe either _raw_ or _encoded_ binary data. + +* **raw binary** is used where unencoded binary data is allowed, such as when sending a binary payload as the entire HTTP message body, or as part of a `multipart/*` payload that allows binary parts +* **encoded binary** is used where binary data is embedded in a text-only format such as `application/json` or `application/x-www-form-urlencoded` (either as a message body or in the URL query string). + +In the following table showing how to use Schema Object keywords for binary data, we use `image/png` as an example binary media type. Any binary media type, including `application/octet-stream`, is sufficient to indicate binary content. + +| Keyword | Raw | Encoded | Comments | +| ---- | ---- | ---- | ---- | +| `type` | _omit_ | `string` | raw binary is [outside of `type`](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-4.2.3) | +| `contentMediaType` | `image/png` | `image/png` | can sometimes be omitted if redundant (see below) | +| `contentEncoding` | _omit_ | `base64` or `base64url` | other encodings are [allowed](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-8.3) | + +Note that the encoding indicated by `contentEncoding`, which inflates the size of data in order to represent it as 7-bit ASCII text, is unrelated to HTTP's `Content-Encoding` header, which indicates whether and how a message body has been compressed and is applied after all content serialization described in this section has occurred. Since HTTP allows unencoded binary message bodies, there is no standardized HTTP header for indicating base64 or similar encoding of an entire message body. + +Using a `contentEncoding` of `base64url` ensures that URL encoding (as required in the query string and in message bodies of type `application/x-www-form-urlencoded`) does not need to further encode any part of the already-encoded binary data. + +The `contentMediaType` keyword is redundant if the media type is already set: + +* as the key for a [Media Type Object](#media-type-object) +* in the `contentType` field of an [Encoding Object](#encoding-object) + +If the [Schema Object](#schema-object) will be processed by a non-OAS-aware JSON Schema implementation, it may be useful to include `contentMediaType` even if it is redundant. However, if `contentMediaType` contradicts a relevant Media Type Object or Encoding Object, then `contentMediaType` SHALL be ignored. + +See [Complete vs Streaming Content](#complete-vs-streaming-content) for guidance on streaming binary payloads. + +####### Schema Evaluation and Binary Data + +Few JSON Schema implementations directly support working with binary data, as doing so is not a mandatory part of that specification. + +OAS Implementations that do not have access to a binary-instance-supporting JSON Schema implementation MUST examine schemas and apply them in accordance with [Working with Binary Data](#working-with-binary-data). +When the entire instance is binary, this is straightforward as few keywords are relevant. + +However, `multipart` media types can mix binary and text-based data, leaving implementations with two options for schema evaluations: + +1. Use a placeholder value, on the assumption that no assertions will apply to the binary data and no conditional schema keywords will cause the schema to treat the placeholder value differently (e.g. a part that could be either plain text or binary might behave unexpectedly if a string is used as a binary placeholder, as it would likely be treated as plain text and subject to different subschemas and keywords). +2. Inspect the schema(s) to find the appropriate keywords (`properties`, `prefixItems`, etc.) in order to break up the subschemas and apply them separately to binary and JSON-compatible data. + +####### Migrating Binary Descriptions from OAS 3.0 + +The following table shows how to migrate from OAS 3.0 binary data descriptions, continuing to use `image/png` as the example binary media type: + +| OAS < 3.1 | OAS >= 3.1 | Comments | +| ---- | ---- | ---- | +| type: string
format: binary | contentMediaType: image/png | if redundant, can be omitted, often resulting in an empty [Schema Object](#schema-object) | +| type: string
format: byte | type: string
contentMediaType: image/png
contentEncoding: base64 | note that `base64url` can be used to avoid re-encoding the base64 string to be URL-safe | + ##### Extended Validation with Annotations JSON Schema Draft 2020-12 supports [collecting annotations](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-7.7.1), including [treating unrecognized keywords as annotations](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-6.5). @@ -4824,18 +4808,6 @@ It is therefore RECOMMENDED that implementations be designed for extensibility t Support for any one extension is OPTIONAL, and support for one extension does not imply support for others. -### Security Filtering - -Some objects in the OpenAPI Specification MAY be declared and remain empty, or be completely removed, even though they are inherently the core of the API documentation. - -The reasoning is to allow an additional layer of access control over the documentation. -While not part of the specification itself, certain libraries MAY choose to allow access to parts of the documentation based on some form of authentication/authorization. - -Two examples of this: - -1. The [Paths Object](#paths-object) MAY be present but empty. It may be counterintuitive, but this may tell the viewer that they got to the right place, but can't access any documentation. They would still have access to at least the [Info Object](#info-object) which may contain additional information regarding authentication. -2. The [Path Item Object](#path-item-object) MAY be empty. In this case, the viewer will be aware that the path exists, but will not be able to see any of its operations or parameters. This is different from hiding the path itself from the [Paths Object](#paths-object), because the user will be aware of its existence. This allows the documentation provider to finely control what the viewer can see. - ## Security Considerations ### OpenAPI Description Formats @@ -4860,6 +4832,18 @@ The rules for connecting a [Security Requirement Object](#security-requirement-o * It is implementation-defined whether a component name used by a Security Requirement Object in a referenced document is resolved from the entry document (RECOMMENDED) or the referenced document. * A Security Requirement Object that uses a URI to identify a Security Scheme Object can have the URI resolution hijacked by providing a Security Scheme component name identical to the URI, as the name lookup behavior takes precedence over URI resolution for compatibility with previous versions of the OAS. +### Security Filtering + +Some objects in the OpenAPI Specification MAY be declared and remain empty, or be completely removed, even though they are inherently the core of the API documentation. + +The reasoning is to allow an additional layer of access control over the documentation. +While not part of the specification itself, certain libraries MAY choose to allow access to parts of the documentation based on some form of authentication/authorization. + +Two examples of this: + +1. The [Paths Object](#paths-object) MAY be present but empty. It may be counterintuitive, but this may tell the viewer that they got to the right place, but can't access any documentation. They would still have access to at least the [Info Object](#info-object) which may contain additional information regarding authentication. +2. The [Path Item Object](#path-item-object) MAY be empty. In this case, the viewer will be aware that the path exists, but will not be able to see any of its operations or parameters. This is different from hiding the path itself from the [Paths Object](#paths-object), because the user will be aware of its existence. This allows the documentation provider to finely control what the viewer can see. + ### Handling External Resources OpenAPI Descriptions may contain references to external resources that may be dereferenced automatically by consuming tools. External resources may be hosted on different domains that may be untrusted. From fb45114032e88d2155d38516c0e7b90690c96ac5 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 25 Aug 2025 11:19:38 -0700 Subject: [PATCH 291/342] Fix heading levels post-section reorganization. --- src/oas.md | 438 ++++++++++++++++++++++++++--------------------------- 1 file changed, 219 insertions(+), 219 deletions(-) diff --git a/src/oas.md b/src/oas.md index 58edea3495..99f5302255 100644 --- a/src/oas.md +++ b/src/oas.md @@ -43,7 +43,7 @@ Behavior described as _implementation-defined_ allows implementations to choose This documents ambiguous requirements that API description authors are RECOMMENDED to avoid in order to maximize interoperability. Unlike undefined behavior, it is safe to rely on implementation-defined behavior if _and only if_ it can be guaranteed that all relevant tools support the same behavior. -### Format +## Format An OpenAPI Document that conforms to the OpenAPI Specification is itself a JSON object, which may be represented either in [[RFC8259|JSON]] or [[YAML|YAML]] format. Examples in this specification will be shown in YAML for brevity. @@ -57,7 +57,7 @@ Patterned fields MUST have unique names within the containing object. **Note:** While APIs may be described by OpenAPI Descriptions in either YAML or JSON format, the API request and response bodies and other content are not required to be JSON or YAML. -#### JSON and YAML Compatibility +### JSON and YAML Compatibility In order to preserve the ability to round-trip between YAML and JSON formats, YAML version [1.2](https://yaml.org/spec/1.2/spec.html) is RECOMMENDED along with the additional constraints listed in [[!RFC9512]] [Section 3.4](https://www.rfc-editor.org/rfc/rfc9512.html#name-yaml-and-json). @@ -77,7 +77,7 @@ Where OpenAPI tooling renders rich text it MUST support, at a minimum, markdown While the framing of CommonMark 0.27 as a minimum requirement means that tooling MAY choose to implement extensions on top of it, note that any such extensions are by definition implementation-defined and will not be interoperable. OpenAPI Description authors SHOULD consider how text using such extensions will be rendered by tools that offer only the minimum support. -### Schema +## Schema This section describes the structure of the OpenAPI Description format. This text is the only normative description of the format. @@ -86,11 +86,11 @@ If the JSON Schema differs from this section, then this section MUST be consider In the following description, if a field is not explicitly **REQUIRED** or described with a MUST or SHALL, it can be considered OPTIONAL. -#### OpenAPI Object +### OpenAPI Object This is the root object of the [OpenAPI Description](#openapi-description). -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -111,7 +111,7 @@ This object MAY be extended with [Specification Extensions](#specification-exten To ensure interoperability, references MUST use the target document's `$self` URI if the `$self` field is present. Implementations MAY choose to support referencing by other URIs such as the retrieval URI even when `$self` is present, however this behavior is not interoperable and relying on it is NOT RECOMMENDED. -##### OpenAPI Description Structure +#### OpenAPI Description Structure An OpenAPI Description (OAD) MAY be made up of a single JSON or YAML document or be divided into multiple, connected parts at the discretion of the author. In the latter case, [Reference Object](#reference-object), [Path Item Object](#path-item-object) and [Schema Object](#schema-object) `$ref` fields, as well as the [Link Object](#link-object) `operationRef` field, and the URI form of the [Discriminator Object](#discriminator-object) `mapping` field, are used to identify the referenced elements. @@ -119,15 +119,15 @@ In a multi-document OAD, the document containing the OpenAPI Object where parsin It is RECOMMENDED that the entry document of an OAD be named: `openapi.json` or `openapi.yaml`. -###### OpenAPI Description +##### OpenAPI Description An OpenAPI Description (OAD) formally describes the surface of an API and its semantics. It is composed of an [entry document](#openapi-description-structure), which must be an OpenAPI Document, and any/all of its referenced documents. An OAD uses and conforms to the OpenAPI Specification, and MUST contain at least one [paths](#paths-object) field, [components](#oas-components) field, or [webhooks](#oas-webhooks) field. -###### OpenAPI Document +##### OpenAPI Document An OpenAPI Document is a single JSON or YAML document that conforms to the OpenAPI Specification. An OpenAPI Document compatible with OAS 3.\*.\* contains a required [`openapi`](#oas-version) field which designates the version of the OAS that it uses. -###### Parsing Documents +##### Parsing Documents In order to properly handle [Schema Objects](#schema-object), OAS 3.1 inherits the parsing requirements of [JSON Schema Specification Draft 2020-12](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-9), with appropriate modifications regarding base URIs as specified in [Relative References In URIs](#relative-references-in-api-description-uris). @@ -152,7 +152,7 @@ A special case of parsing fragments of OAS content would be if such fragments ar Note that the OAS itself is an embedding format with respect to JSON Schema, which is embedded as Schema Objects. It is the responsibility of an embedding format to define how to parse embedded content, and OAS implementations that do not document support for an embedding format cannot be expected to parse embedded OAS content correctly. -###### Structural Interoperability +##### Structural Interoperability JSON or YAML objects within an OAD are interpreted as specific Objects (such as [Operation Objects](#operation-object), [Response Objects](#response-object), [Reference Objects](#reference-object), etc.) based on their context. Depending on how references are arranged, a given JSON or YAML object can be interpreted in multiple different contexts: @@ -162,7 +162,7 @@ JSON or YAML objects within an OAD are interpreted as specific Objects (such as If the same JSON/YAML object is parsed multiple times and the respective contexts require it to be parsed as _different_ Object types, the resulting behavior is _implementation defined_, and MAY be treated as an error if detected. An example would be referencing an empty Schema Object under `#/components/schemas` where a Path Item Object is expected, as an empty object is valid for both types. For maximum interoperability, it is RECOMMENDED that OpenAPI Description authors avoid such scenarios. -###### Relative References in API Description URIs +##### Relative References in API Description URIs URIs used as references within an OpenAPI Description, or to external documentation or other supplementary information such as a license, are resolved as _identifiers_, and described by this specification as **_URIs_**. As noted under [Parsing Documents](#parsing-documents), this specification inherits JSON Schema Specification Draft 2020-12's requirements for [loading documents](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-9) and associating them with their expected URIs, which might not match their current location. @@ -172,7 +172,7 @@ Note that some URI fields are named `url` for historical reasons, but the descri Unless specified otherwise, all fields that are URIs MAY be relative references as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-4.2). -####### Establishing the Base URI +###### Establishing the Base URI Relative URI references are resolved using the appropriate base URI, which MUST be determined in accordance with [[RFC3986]] [Section 5.1.1 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.1) and, for Schema objects, [JSON Schema draft 2020-12 Section 8.2](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-8.2), as illustrated by the examples in [Appendix G: Examples of Base URI Determination and Reference Resolution](#appendix-g-examples-of-base-uri-determination-and-reference-resolution). @@ -183,15 +183,15 @@ Implementations MAY support document retrieval, although see the [Security Consi Even if retrieval is supported, it may be impossible due to network configuration or server unavailability (including the server hosting an older version while a new version is in development), or undesirable due to performance impacts. Therefore, all implementations SHOULD allow users to provide the intended retrieval URI for each document so that references can be resolved as if retrievals were performed. -####### Resolving URI fragments +###### Resolving URI fragments If a URI contains a fragment identifier, then the fragment should be resolved per the fragment resolution mechanism of the referenced document. If the representation of the referenced document is JSON or YAML, then the fragment identifier SHOULD be interpreted as a JSON-Pointer as per [RFC6901](https://tools.ietf.org/html/rfc6901). -####### Relative URI References in CommonMark Fields +###### Relative URI References in CommonMark Fields Relative references in CommonMark hyperlinks are resolved in their rendered context, which might differ from the context of the API description. -###### Resolving Implicit Connections +##### Resolving Implicit Connections Several features of this specification require resolution of non-URI-based connections to some other part of the OpenAPI Description (OAD). @@ -229,12 +229,12 @@ The behavior for Discriminator Object non-URI mappings and for the Operation Obj Note that no aspect of implicit connection resolution changes how [URIs are resolved](#relative-references-in-api-description-uris), or restricts their possible targets. -#### Info Object +### Info Object The object provides metadata about the API. The metadata MAY be used by the clients if needed, and MAY be presented in editing or documentation generation tools for convenience. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -248,7 +248,7 @@ The metadata MAY be used by the clients if needed, and MAY be presented in editi This object MAY be extended with [Specification Extensions](#specification-extensions). -##### Info Object Example +#### Info Object Example ```yaml title: Example Pet Store App @@ -265,11 +265,11 @@ license: version: 1.0.1 ``` -#### Contact Object +### Contact Object Contact information for the exposed API. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -279,7 +279,7 @@ Contact information for the exposed API. This object MAY be extended with [Specification Extensions](#specification-extensions). -##### Contact Object Example +#### Contact Object Example ```yaml name: API Support @@ -287,11 +287,11 @@ url: https://www.example.com/support email: support@example.com ``` -#### License Object +### License Object License information for the exposed API. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -301,18 +301,18 @@ License information for the exposed API. This object MAY be extended with [Specification Extensions](#specification-extensions). -##### License Object Example +#### License Object Example ```yaml name: Apache 2.0 identifier: Apache-2.0 ``` -#### Server Object +### Server Object An object representing a Server. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -325,7 +325,7 @@ This object MAY be extended with [Specification Extensions](#specification-exten See [Examples of API Base URL Determination](#examples-of-api-base-url-determination) for examples of resolving relative server URLs. -##### Relative References in API URLs +#### Relative References in API URLs API endpoints are by definition accessed as locations, and are described by this specification as **_URLs_**. @@ -334,7 +334,7 @@ Unless specified otherwise, all fields that are URLs MAY be relative references Because the API is a distinct entity from the OpenAPI Document, RFC3986's base URI rules for the OpenAPI Document do not apply. Unless specified otherwise, relative references are resolved using the URLs defined in the [Server Object](#server-object) as a base URL. Note that these themselves MAY be relative to the referring document. -###### Examples of API Base URL Determination +##### Examples of API Base URL Determination Assume a retrieval URI of `https://device1.example.com` for the following OpenAPI Document: @@ -353,7 +353,7 @@ servers: For API URLs the `$self` field, which identifies the OpenAPI Document, is ignored and the retrieval URI is used instead. This produces a normalized production URL of `https://device1.example.com`, and a normalized test URL of `https://device1.example.com/test`. -##### Server Object Example +#### Server Object Example A single server would be described as: @@ -400,7 +400,7 @@ servers: default: v2 ``` -#### Server Variable Object +### Server Variable Object An object representing a Server Variable for server URL template substitution. @@ -433,7 +433,7 @@ Each server variable MUST NOT appear more than once in the URL template. See the [Paths Object](#paths-object) for guidance on constructing full request URLs. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -443,12 +443,12 @@ See the [Paths Object](#paths-object) for guidance on constructing full request This object MAY be extended with [Specification Extensions](#specification-extensions). -#### Components Object +### Components Object Holds a set of reusable objects for different aspects of the OAS. All objects defined within the Components Object will have no effect on the API unless they are explicitly referenced from outside the Components Object. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :---- | ---- | @@ -478,7 +478,7 @@ user-name my.org.User ``` -##### Components Object Example +#### Components Object Example ```yaml components: @@ -550,12 +550,12 @@ components: read:pets: read your pets ``` -#### Paths Object +### Paths Object Holds the relative paths to the individual endpoints and their operations. The path is appended to the URL from the [Server Object](#server-object) in order to construct the full URL. The Paths Object MAY be empty, due to [Access Control List (ACL) constraints](#security-filtering). -##### Patterned Fields +#### Patterned Fields | Field Pattern | Type | Description | | ---- | :----: | ---- | @@ -563,7 +563,7 @@ The path is appended to the URL from the [Server Object](#server-object) in orde This object MAY be extended with [Specification Extensions](#specification-extensions). -##### Path Templating +#### Path Templating Path templating refers to the usage of template expressions, delimited by curly braces (`{}`), to mark a section of a URL path as replaceable using path parameters. @@ -594,7 +594,7 @@ Each template expression MUST NOT appear more than once in a single path templat See also [Appendix C: Using RFC6570-Based Serialization](#appendix-c-using-rfc6570-based-serialization) for additional guidance. -###### Path Templating Matching +##### Path Templating Matching Assuming the following paths, the concrete definition, `/pets/mine`, will be matched first if used: @@ -617,7 +617,7 @@ The following may lead to ambiguous resolution: /books/{id} ``` -##### Paths Object Example +#### Paths Object Example ```yaml /pets: @@ -634,13 +634,13 @@ The following may lead to ambiguous resolution: $ref: '#/components/schemas/pet' ``` -#### Path Item Object +### Path Item Object Describes the operations available on a single path. A Path Item MAY be empty, due to [ACL constraints](#security-filtering). The path itself is still exposed to the documentation viewer but they will not know which operations and parameters are available. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -662,7 +662,7 @@ The path itself is still exposed to the documentation viewer but they will not k This object MAY be extended with [Specification Extensions](#specification-extensions). -##### Path Item Object Example +#### Path Item Object Example ```yaml get: @@ -716,11 +716,11 @@ additionalOperations: $ref: '#/components/schemas/ErrorModel' ``` -#### Operation Object +### Operation Object Describes a single API operation on a path. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -739,7 +739,7 @@ Describes a single API operation on a path. This object MAY be extended with [Specification Extensions](#specification-extensions). -##### Operation Object Example +#### Operation Object Example ```yaml tags: @@ -784,11 +784,11 @@ security: - read:pets ``` -#### External Documentation Object +### External Documentation Object Allows referencing an external resource for extended documentation. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -797,14 +797,14 @@ Allows referencing an external resource for extended documentation. This object MAY be extended with [Specification Extensions](#specification-extensions). -##### External Documentation Object Example +#### External Documentation Object Example ```yaml description: Find more info here url: https://example.com ``` -#### Parameter Object +### Parameter Object Describes a single operation parameter. @@ -812,7 +812,7 @@ A unique parameter is defined by a combination of a [name](#parameter-name) and See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a detailed examination of percent-encoding concerns, including interactions with the `application/x-www-form-urlencoded` query string format. -##### Parameter Locations +#### Parameter Locations There are five possible parameter locations specified by the `in` field: @@ -822,13 +822,13 @@ There are five possible parameter locations specified by the `in` field: * header - Custom headers that are expected as part of the request. Note that [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.1) states header names are case insensitive. * cookie - Used to pass a specific cookie value to the API. -##### Fixed Fields +#### Fixed Fields The rules for serialization of the parameter are specified in one of two ways. Parameter Objects MUST include either a `content` field or a `schema` field, but not both. See [Appendix B](#appendix-b-data-type-conversion) for a discussion of converting values of various types to string representations. -###### Common Fixed Fields +##### Common Fixed Fields These fields MAY be used with either `content` or `schema`. @@ -849,7 +849,7 @@ This object MAY be extended with [Specification Extensions](#specification-exten Note that while `"Cookie"` as a `name` is not forbidden if `in` is `"header"`, the effect of defining a cookie parameter that way is undefined; use `in: "cookie"` instead. -###### Fixed Fields for use with `schema` +##### Fixed Fields for use with `schema` For simpler scenarios, a [`schema`](#parameter-schema) and [`style`](#parameter-style) can describe the structure and syntax of the parameter. @@ -872,7 +872,7 @@ In these cases, implementations MUST pass values through unchanged rather than a See also [Appendix C: Using RFC6570-Based Serialization](#appendix-c-using-rfc6570-based-serialization) for additional guidance. -###### Fixed Fields for use with `content` +##### Fixed Fields for use with `content` For more complex scenarios, the [`content`](#parameter-content) field can define the media type and schema of the parameter, as well as give examples of its use. @@ -882,7 +882,7 @@ For use with `in: "querystring"` and `application/x-www-form-urlencoded`, see [E | ---- | :----: | ---- | | content | Map[`string`, [Media Type Object](#media-type-object) \| [Reference Object](#reference-object)] | A map containing the representations for the parameter. The key is the media type and the value describes it. The map MUST only contain one entry. | -##### Style Values +#### Style Values In order to support common ways of serializing simple parameters, a set of `style` values are defined. @@ -897,7 +897,7 @@ In order to support common ways of serializing simple parameters, a set of `styl | deepObject | `object` | `query` | Allows objects with scalar properties to be represented using form parameters. The representation of array or object properties is not defined (but see [Extending Support for Querystring Formats](#extending-support-for-querystring-formats) for alternatives). | | cookie | `primitive`, `array`, `object` | `cookie` | Analogous to `form`, but following [[RFC6265]] `Cookie` syntax rules, meaning that name-value pairs are separated by a semicolon followed by a single space (e.g. `n1=v1; n2=v2`), and no percent-encoding or other escaping is applied; data values that require any sort of escaping MUST be provided in escaped form. | -##### URL Percent-Encoding +#### URL Percent-Encoding All API URLs MUST successfully parse and percent-decode using [[RFC3986]] rules. @@ -927,7 +927,7 @@ See also: * [Appendix D](#appendix-d-serializing-headers-and-cookies) for guidance on percent-encoding and cookies, as well as other escaping approaches for headers and cookies. * [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a thorough discussion of percent-encoding options, compatibility, and handling OAS-defined delimiters that are not allowed by RFC3986. -##### Serialization and Examples +#### Serialization and Examples The rules in this section apply to both the Parameter and [Header](#header-object) Objects, both of which use the same mechanisms. @@ -946,7 +946,7 @@ See the [Header Object](#header-object) for special rules for showing examples o The following section illustrates these rules. -##### Style Examples +#### Style Examples Assume a parameter named `color` has one of the following values, where the value to the right of the `->` is what would be shown in the `dataValue` field of an Example Object: @@ -982,7 +982,7 @@ The following table shows serialized examples, as would be shown with the `seria | cookie | false | color= | color=blue | color=blue,black,brown | color=R,100,G,200,B,150 | | cookie | true | color= | color=blue | color=blue; color=black; color=brown | R=100; G=200; B=150 | -##### Extending Support for Querystring Formats +#### Extending Support for Querystring Formats Many frameworks define query string syntax for complex values, such as appending array indices to parameter names or indicating multiple levels of of nested objects, which go well beyond the capabilities of the `deepObject` style. @@ -992,7 +992,7 @@ Two avenues are available for supporting such formats with `in: "querystring"`: * Use `content` and `text/plain` with a schema of `type: "string"` and define the format outside of OpenAPI. While this requires more work to document and construct or parse the format, which is seen as a plain string from the OpenAPI perspective, it provides the easiest flexible option * Define a media type (which need not necessarily be [IANA-registered](https://www.rfc-editor.org/rfc/rfc6838.html)) and a process for mapping in-memory data to the serialized media type. To increase the likelihood of support across multiple tools, submit a registration for the media type and process to the OpenAPI Initiative's [Media Type Registry](#media-type-registry). -##### Parameter Object Examples +#### Parameter Object Examples A header parameter with an array of 64-bit integer numbers: @@ -1249,11 +1249,11 @@ Assuming a path of `/foo` and a server of `https://example.com`, the full URL in https://example.com/foo?%24.a.b%5B1%3A1%5D ``` -#### Request Body Object +### Request Body Object Describes a single request body. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -1263,7 +1263,7 @@ Describes a single request body. This object MAY be extended with [Specification Extensions](#specification-extensions). -##### Request Body Examples +#### Request Body Examples A request body with a referenced schema definition. @@ -1296,7 +1296,7 @@ content: externalValue: https://foo.bar/examples/user-example.whatever ``` -#### Media Type Object +### Media Type Object Each Media Type Object describes content structured in accordance with the media type identified by its key. Multiple Media Type Objects can be used to describe content that can appear in any of several different media types. @@ -1305,7 +1305,7 @@ When `example` or `examples` are provided, the example SHOULD match the specifie The `example` and `examples` fields are mutually exclusive. See [Working With Examples](#working-with-examples) for further guidance regarding the different ways of specifying examples, including non-JSON/YAML values. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -1321,7 +1321,7 @@ This object MAY be extended with [Specification Extensions](#specification-exten See also the [Media Type Registry](#media-type-registry). -##### Media Types +#### Media Types Media type definitions are spread across several resources. The media type definitions SHOULD be in compliance with [RFC6838](https://tools.ietf.org/html/rfc6838). @@ -1346,7 +1346,7 @@ The use of the Schema Object with other media types is handled by mapping them i These mappings may be implicit based on the media type, or explicit based on the values of particular fields. Each mapping is addressed where the relevant media type is discussed in this section or under the [Media Type Object](#media-type-object) or [Encoding Object](#encoding-object) -###### Media Type Registry +##### Media Type Registry While the [Schema Object](#schema-object) is designed to describe and validate JSON, several other media types are commonly used in APIs. Requirements regarding support for other media types are documented in this Media Types section and in several Object sections later in this specification. @@ -1354,13 +1354,13 @@ For convenience and future extensibility, these are cataloged in the OpenAPI Ini See also the [Media Type Object](#media-type-object) for further information on working with specific media types. -##### Complete vs Streaming Content +#### Complete vs Streaming Content The `schema` field MUST be applied to the complete content, as defined by the media type and the context ([Request Body Object](#request-body-object), [Response Object](#response-object), [Parameter Object](#parameter-object), or [Header Object](#header-object). Because this requires loading the content into memory in its entirety, it poses a challenge for streamed content. Use cases where clients are intended to choose when to stop reading are particularly challenging as there is no well-defined end to the stream. -###### Sequential Media Types +##### Sequential Media Types Within this specification, a _sequential media type_ is defined as any media type that consists of a repeating structure, without any sort of header, footer, envelope, or other metadata in addition to the sequence. @@ -1385,7 +1385,7 @@ Implementations MUST support mapping sequential media types into the JSON Schema See [Complete vs Streaming Content](#complete-vs-streaming-content) for more information on handling sequential media types in a streaming context, including special considerations for `text/event-stream` content. For `multipart` types, see also [Encoding By Position](#encoding-by-position). -####### Streaming Sequential Media Types +###### Streaming Sequential Media Types The `itemSchema` field is provided to support streaming use cases for sequential media types, with `itemEncoding` as a corresponding encoding mechanism for streaming [positional `multipart` media types](#encoding-by-position). @@ -1394,7 +1394,7 @@ Unlike `schema`, which is applied to the complete content (treated as an array a Both `schema` and `itemSchema` MAY be used in the same Media Type Object. However, doing so is unlikely to have significant advantages over using the `items` keyword within the `schema` field. -###### Binary Streams +##### Binary Streams The `maxLength` keyword MAY be used to set an expected upper bound on the length of a streaming payload that consists of either string data, including encoded binary data, or unencoded binary data. For unencoded binary data, the length is the number of octets. @@ -1402,7 +1402,7 @@ For this use case, `maxLength` MAY be implemented outside of regular JSON Schema -##### Special Considerations for `text/event-stream` Content +#### Special Considerations for `text/event-stream` Content For `text/event-stream`, implementations MUST work with event data after it has been parsed according to the [`text/event-stream` specification](https://html.spec.whatwg.org/multipage/server-sent-events.html#parsing-an-event-stream), including all guidance on ignoring certain fields (including comments) and/or values, and on combining values split across multiple lines. @@ -1430,12 +1430,12 @@ properties: minimum: 0 ``` -##### Encoding Usage and Restrictions +#### Encoding Usage and Restrictions These encoding fields define how to map each [Encoding Object](#encoding object) to a specific value in the data. Each field has its own set of media types with which it can be used; for all other media types all three fields SHALL be ignored. -###### Encoding By Name +##### Encoding By Name The behavior of the `encoding` field is designed to support web forms, and is therefore only defined for media types structured as name-value pairs that allow repeat values, most notably `application/x-www-form-urlencoded` and `multipart/form-data`. @@ -1452,7 +1452,7 @@ See [[!RFC7578]] [Section 5](https://www.rfc-editor.org/rfc/rfc7578.html#section See [Encoding `multipart` Media Types](#encoding-multipart-media-types) for further guidance and examples, both with and without the `encoding` field. -###### Encoding By Position +##### Encoding By Position Most `multipart` media types, including `multipart/mixed` which defines the underlying rules for parsing all `multipart` types, do not have named parts. Data for these media types are modeled as an array, with one item per part, in order. @@ -1463,7 +1463,7 @@ As with `prefixItems`, it is _not_ an error if the instance array is shorter tha The `itemEncoding` field can also be used with `itemSchema` to support streaming `multipart` content. -###### Additional Encoding Approaches +##### Additional Encoding Approaches The `prefixEncoding` field can be used with any `multipart` content to require a fixed part order. This includes `multipart/form-data`, for which the Encoding Object's `headers` field MUST be used to provide the `Content-Disposition` and part name, as no property names exist to provide the names automatically. @@ -1471,11 +1471,11 @@ This includes `multipart/form-data`, for which the Encoding Object's `headers` f Prior versions of this specification advised using the [`name` parameter](https://www.rfc-editor.org/rfc/rfc7578#section-4.2) of the `Content-Disposition: form-data` header of each part with `multipart` media types other than `multipart/form-data` in order to work around the limitations of the `encoding` field. Implementations MAY choose to support this workaround, but as this usage is not common, implementations of non-`form-data` `multipart` media types are unlikely to support it. -##### Media Type Examples +#### Media Type Examples For form-related and `multipart` media type examples, see the [Encoding Object](#encoding-object). -###### JSON +##### JSON Note that since this example is written in YAML, the Example Object's `value` field can be formatted as YAML due to the trivial conversion to JSON. This avoids needing to embed JSON as a string. @@ -1534,7 +1534,7 @@ application/json: $ref: '#/components/examples/frog-example' ``` -###### Sequential JSON +##### Sequential JSON For any [sequential media type](#sequential-media-types) where the items in the sequence are JSON values, no conversion of each value is required. JSON Text Sequences ([[?RFC7464]] `application/json-seq` and [[?RFC8091]] the `+json-seq` structured suffix), [JSON Lines](https://jsonlines.org/) (`application/jsonl`), and [NDJSON](https://github.com/ndjson/ndjson-spec) (`application/x-ndjson`) are all in this category. @@ -1643,7 +1643,7 @@ Our `application/json-seq` example has to be an external document because of the } ``` -###### Server-Sent Event Streams +##### Server-Sent Event Streams For this example, assume that the generic event schema provided in the [Special Considerations for `text/event-stream` Content](#considerations-event-stream) section is available at `#/components/schemas/Event`: @@ -1713,7 +1713,7 @@ To more clearly see how this stream is handled, the following is the equivalent {"event": "addJSON", "data": "{\"foo\": 42}"} ``` -##### Considerations for File Uploads +#### Considerations for File Uploads In contrast to OpenAPI 2.0, `file` input/output content in OAS 3.x is described with the same semantics as any other schema type. @@ -1764,7 +1764,7 @@ requestBody: To upload multiple files, a `multipart` media type MUST be used as shown under [Example: Multipart Form with Multiple Files](#example-multipart-form-with-multiple-files). -#### Encoding Object +### Encoding Object A single encoding definition applied to a single value, with the mapping of Encoding Objects to values determined by the [Media Type Object](@media-type-object) as described under [Encoding Usage and Restrictions](#encoding-usage-and-restrictions). @@ -1772,9 +1772,9 @@ See [Appendix B](#appendix-b-data-type-conversion) for a discussion of convertin See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a detailed examination of percent-encoding concerns for form media types. -##### Fixed Fields +#### Fixed Fields -###### Common Fixed Fields +##### Common Fixed Fields These fields MAY be used either with or without the RFC6570-style serialization fields defined in the next section below. @@ -1806,7 +1806,7 @@ Determining how to handle a `type` value of `null` depends on how `null` values If `null` values are entirely omitted, then the `contentType` is irrelevant. See [Appendix B](#appendix-b-data-type-conversion) for a discussion of data type conversion options. -###### Fixed Fields for RFC6570-style Serialization +##### Fixed Fields for RFC6570-style Serialization | Field Name | Type | Description | | ---- | :----: | ---- | @@ -1820,19 +1820,19 @@ See also [Appendix C: Using RFC6570 Implementations](#appendix-c-using-rfc6570-b Note that the presence of at least one of `style`, `explode`, or `allowReserved` with an explicit value is equivalent to using `schema` with `in: "query"` Parameter Objects. The absence of all three of those fields is the equivalent of using `content`, but with the media type specified in `contentType` rather than through a Media Type Object. -##### Nested Encoding +#### Nested Encoding Nested formats requiring encoding, most notably nested `multipart/mixed`, can be supported with this Object's `encoding`, `prefixEncoding`, and / or `itemEncoding` fields. Implementations MUST support one level of nesting, and MAY support additional levels. -##### Encoding the `x-www-form-urlencoded` Media Type +#### Encoding the `x-www-form-urlencoded` Media Type To work with content using form url encoding via [[WHATWG-URL]], use the `application/x-www-form-urlencoded` media type in the [Media Type Object](#media-type-object). This configuration means that the content MUST be percent-encoded per [[WHATWG-URL]]'s rules for that media type, after any complex objects have been serialized to a string representation. See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a detailed examination of percent-encoding concerns for form media types. -###### Example: URL Encoded Form with JSON Values +##### Example: URL Encoded Form with JSON Values When there is no [`encoding`](#media-type-encoding) field, the serialization strategy is based on the Encoding Object's default values: @@ -1877,7 +1877,7 @@ Here is the `id` parameter (without `address`) serialized as `application/json` id=%22f81d4fae-7dec-11d0-a765-00a0c91e6bf6%22 ``` -###### Example: URL Encoded Form with Binary Values +##### Example: URL Encoded Form with Binary Values Note that `application/x-www-form-urlencoded` is a text format, which requires base64-encoding any binary data: @@ -1912,20 +1912,20 @@ Note that the `=` padding characters at the end need to be percent-encoded, even Some base64-decoding implementations may be able to use the string without the padding per [RFC4648](https://datatracker.ietf.org/doc/html/rfc4648#section-3.2). However, this is not guaranteed, so it may be more interoperable to keep the padding and rely on percent-decoding. -##### Encoding `multipart` Media Types +#### Encoding `multipart` Media Types See [Encoding Usage and Restrictions](#encoding-usage-and-restrictions) for guidance on correlating schema properties with parts. Note that there are significant restrictions on what headers can be used with `multipart` media types in general ([RFC2046](https://www.rfc-editor.org/rfc/rfc2046.html#section-5.1)) and `multi-part/form-data` in particular ([RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.8)). -###### Handling Multiple `contentType` Values +##### Handling Multiple `contentType` Values When multiple values are provided for `contentType`, parsing remains straightforward as the part's actual `Content-Type` is included in the document. For encoding and serialization, implementations MUST provide a mechanism for applications to indicate which media type is intended. Implementations MAY choose to offer media type sniffing ([[SNIFF]]) as an alternative, but this MUST NOT be the default behavior due to the security risks inherent in the process. -###### `Content-Transfer-Encoding` and `contentEncoding` +##### `Content-Transfer-Encoding` and `contentEncoding` Using `contentEncoding` for a multipart field is equivalent to specifying an [Encoding Object](#encoding-object) with a `headers` field containing `Content-Transfer-Encoding` with a schema that requires the value used in `contentEncoding`. If `contentEncoding` is used for a multipart field that has an Encoding Object with a `headers` field containing `Content-Transfer-Encoding` with a schema that disallows the value from `contentEncoding`, the result is undefined for serialization and parsing. @@ -1937,7 +1937,7 @@ Note also that `Content-Transfer-Encoding` is deprecated for `multipart/form-dat See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a detailed examination of percent-encoding concerns for form media types. -###### Example: Basic Multipart Form +##### Example: Basic Multipart Form When the `encoding` field is _not_ used, the encoding is determined by the Encoding Object's defaults: @@ -1969,7 +1969,7 @@ requestBody: $ref: '#/components/schemas/Address' ``` -###### Example: Multipart Form with Encoding Objects +##### Example: Multipart Form with Encoding Objects Using `encoding`, we can set more specific types for binary data, or non-JSON formats for complex values. We can also describe headers for each part: @@ -2010,7 +2010,7 @@ requestBody: type: integer ``` -###### Example: Multipart Form with Multiple Files +##### Example: Multipart Form with Multiple Files In accordance with [RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.3), multiple files for a single form field are uploaded using the same name (`file` in this example) for each file's part: @@ -2028,7 +2028,7 @@ requestBody: As seen in the [Encoding Object's `contentType` field documentation](#encoding-content-type), the empty schema for `items` indicates a media type of `application/octet-stream`. -###### Example: Ordered, Unnamed Multipart +##### Example: Ordered, Unnamed Multipart A `multipart/mixed` payload consisting of a JSON metadata document followed by an image which the metadata describes: @@ -2060,7 +2060,7 @@ multipart/mixed: - contentType: image/* ``` -###### Example: Ordered Multipart With Required Header +##### Example: Ordered Multipart With Required Header As described in [[?RFC2557]], a set of resources making up a web page can be sent in a `multipart/related` payload, preserving links from the `text/html` document to subsidiary resources such as scripts, style sheets, and images by defining a `Content-Location` header for each page. The first part is used as the root resource (unless using `Content-ID`, which RFC2557 advises against and is forbidden in this example), so we use `prefixItems` and `prefixEncoding` to define that it must be an HTML resource, and then allow any of several different types of resources in any order to follow. @@ -2108,7 +2108,7 @@ components: $ref: '#/components/headers/RFC2557ContentLocation' ``` -###### Example: Streaming Multipart +##### Example: Streaming Multipart This example assumes a device that takes large sets of pictures and streams them to the caller. Unlike the previous example, we use `itemSchema` here because the expectation is that each image is processed as it arrives (or in small batches), since we know that buffering the entire stream will take too much memory. @@ -2121,7 +2121,7 @@ multipart/mixed: contentType: image/jpg ``` -###### Example: Streaming Byte Ranges +##### Example: Streaming Byte Ranges For `multipart/byteranges` [[RFC9110]] [Section 14.6](https://www.rfc-editor.org/rfc/rfc9110.html#section-14.6), a `Content-Range` header is required: @@ -2144,7 +2144,7 @@ multipart/byteranges: type: string ``` -###### Example: Nested `multipart/mixed` +##### Example: Nested `multipart/mixed` This defines a two-part `multipart/mixed` where the first part is a JSON array and the second part is a nested `multipart/mixed` document. The nested parts are XML, plain text, and a PNG image. @@ -2169,7 +2169,7 @@ multipart/mixed: - contentType: image/png ``` -#### Responses Object +### Responses Object A container for the expected responses of an operation. The container maps a HTTP response code to the expected response. @@ -2184,13 +2184,13 @@ The Responses Object MUST contain at least one response code, and if only one response code is provided it SHOULD be the response for a successful operation call. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | | default | [Response Object](#response-object) \| [Reference Object](#reference-object) | The documentation of responses other than the ones declared for specific HTTP response codes. Use this field to cover undeclared responses. | -##### Patterned Fields +#### Patterned Fields | Field Pattern | Type | Description | | ---- | :----: | ---- | @@ -2198,12 +2198,12 @@ call. This object MAY be extended with [Specification Extensions](#specification-extensions). -##### HTTP Status Codes +#### HTTP Status Codes The HTTP Status Codes are used to indicate the status of the executed operation. Status codes SHOULD be selected from the available status codes registered in the [IANA Status Code Registry](https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml). -##### Responses Object Example +#### Responses Object Example A 200 response for a successful operation and a default response for others (implying an error): @@ -2222,12 +2222,12 @@ default: $ref: '#/components/schemas/ErrorModel' ``` -#### Response Object +### Response Object Describes a single response from an API operation, including design-time, static `links` to operations based on the response. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -2239,7 +2239,7 @@ Describes a single response from an API operation, including design-time, static This object MAY be extended with [Specification Extensions](#specification-extensions). -##### Response Object Examples +#### Response Object Examples Response of an array of a complex type: @@ -2293,7 +2293,7 @@ Response with no return value: description: object created ``` -#### Callback Object +### Callback Object A map of possible out-of band callbacks related to the parent operation. Each value in the map is a [Path Item Object](#path-item-object) that describes a set of requests that may be initiated by the API provider and the expected responses. @@ -2301,7 +2301,7 @@ The key value used to identify the Path Item Object is an expression, evaluated To describe incoming requests from the API provider independent from another API call, use the [`webhooks`](#oas-webhooks) field. -##### Patterned Fields +#### Patterned Fields | Field Pattern | Type | Description | | ---- | :----: | ---- | @@ -2309,7 +2309,7 @@ To describe incoming requests from the API provider independent from another API This object MAY be extended with [Specification Extensions](#specification-extensions). -##### Key Expression +#### Key Expression The key that identifies the [Path Item Object](#path-item-object) is a [runtime expression](#runtime-expressions) that can be evaluated in the context of a runtime HTTP request/response to identify the URL to be used for the callback request. A simple example might be `$request.body#/url`. @@ -2354,7 +2354,7 @@ The following examples show how the various expressions evaluate, assuming the c | $request.body#/successUrls/1 | | | $response.header.Location | | -##### Callback Object Examples +#### Callback Object Examples The following example uses the user provided `queryUrl` query string parameter to define the callback URL. This is similar to a [webhook](#oas-webhooks), but differs in that the callback only occurs because of the initial request that sent the `queryUrl`. @@ -2390,14 +2390,14 @@ transactionCallback: description: callback successfully processed ``` -#### Example Object +### Example Object An object grouping an internal or external example value with basic `summary` and `description` metadata. The examples can show either data suitable for schema validation, or serialized data as required by the containing [Media Type Object](#media-type-object), [Parameter Object](#parameter-object), or [Header Object](#header-object). This object is typically used in fields named `examples` (plural), and is a [referenceable](#reference-object) alternative to older `example` (singular) fields that do not support referencing or metadata. The various fields and types of examples are explained in more detail under [Working With Examples](#working-with-examples). -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -2414,7 +2414,7 @@ In all cases, the example value SHOULD be compatible with the schema of its asso Tooling implementations MAY choose to validate compatibility automatically, and reject the example value(s) if incompatible. See [Validating Examples](#validating-examples) for the exact meaning of "compatible" for each field in this Object. -##### Working with Examples +#### Working with Examples Example Objects can be used in [Parameter Objects](#parameter-object), [Header Objects](#header-object), and [Media Type Objects](#media-type-object). In all three Objects, this is done through the `examples` (plural) field. @@ -2422,7 +2422,7 @@ However, there are several other ways to provide examples: The `example` (singul We will refer to the singular `example` field in the Parameter, Header, or Media Type Object, which has the same behavior as a single Example Object with only the `value` field, as the "shorthand `example`" field. Each of these fields has slightly different considerations. -###### JSON-Compatible and `value`-Safe Examples +##### JSON-Compatible and `value`-Safe Examples The `value` and the shorthand `example` field are intended to have the same _semantics_ as `serializedValue` (or `externalValue`), while allowing a more convenient _syntax_ when there is no difference between a JSON (or [JSON-compatible YAML](#format)) representation and the final serialized form. When using this syntax for `application/json` or any `+json` media type, these fields effectively behave like `dataValue`, as the serialization is trivial, and they are safe to use. @@ -2432,7 +2432,7 @@ For data that consists of a single string, and a serialization target such as `t For other serialization targets, the ambiguity of the phrase "naturally be represented in JSON or YAML," as well as past errors in the parameter style examples table, have resulted in inconsistencies in the support and usage of these fields. In practice, this has resulted in the `value` and shorthand `example` fields having implementation-defined behavior for non-JSON targets; OAD authors SHOULD use other fields to ensure interoperability. -###### Choosing Which Field(s) to Use +##### Choosing Which Field(s) to Use Keeping in mind the caveats from the previous section, and that the shorthand `example` can be used in place of `value` if there is only one Example Object involved, use the following guidelines to determine which field to use. @@ -2453,7 +2453,7 @@ The `serializedValue` and `externalValue` fields both MUST show the serialized f For Media Type Objects, this is a document of the appropriate media type, with any Encoding Object effects applied. For Parameter and Header Objects using `schema` and `style` rather than a Media Type Object, see [Style Examples](#style-examples) for what constitutes a serialized value. -###### Criteria for `serializedExample` +##### Criteria for `serializedExample` A serialization can be represented as a valid Unicode string in `serializedValue` if any of the following are true of the serialization: @@ -2465,7 +2465,7 @@ In all of these cases, the conversion from the character set of the OAD (presume For `externalValue`, if the character set is neither explicitly stated nor determined by the format or media type specification, implementations SHOULD assume UTF-8. -###### Validating Examples +##### Validating Examples Tooling implementations MAY choose to validate compatibility automatically, and reject the example value(s) if incompatible. For examples that are in schema-ready data form, this is straightforward. @@ -2474,9 +2474,9 @@ With serialized examples, some formats allow multiple possible valid representat In some cases, parsing the serialized example and validating the resulting data can eliminate the ambiguity, but in a few cases parsing is also ambiguous. Therefore, OAD authors are cautioned that validation of certain serialized examples is by necessity a best-effort feature. -##### Example Object Examples +#### Example Object Examples -###### JSON Examples +##### JSON Examples When writing in YAML, JSON syntax can be used for `dataValue` (as shown in the `noRating` example) but is not required. While this example shows the behavior of both `dataValue` and `serializedValue` for JSON (in the 'withRating` example), in most cases only the data form is needed. @@ -2520,7 +2520,7 @@ content: } ``` -###### Binary Examples +##### Binary Examples Fully binary data is shown using `externalValue`: @@ -2533,7 +2533,7 @@ content: externalValue: ./examples/2-by-2-red-pixels.png ``` -###### Boolean Query Parameter Examples +##### Boolean Query Parameter Examples Since there is no standard for serializing boolean values (as discussed in [Appendix B](#appendix-b-data-type-conversion)), this example uses `dataValue` and `serializedValue` to show how booleans are serialized for this particular parameter: @@ -2552,7 +2552,7 @@ examples: serializedValue: flag=false ``` -#### Link Object +### Link Object The Link Object represents a possible design-time link for a response. The presence of a link does not guarantee the caller's ability to successfully invoke it, rather it provides a known relationship and traversal mechanism between responses and other operations. @@ -2561,7 +2561,7 @@ Unlike _dynamic_ links (i.e. links provided **in** the response payload), the OA For computing links and providing instructions to execute them, a [runtime expression](#runtime-expressions) is used for accessing values in an operation and using them as parameters while invoking the linked operation. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -2583,7 +2583,7 @@ In such ambiguous cases, the resulting behavior is implementation-defined and MA Note that it is not possible to provide a constant value to `parameters` that matches the syntax of a runtime expression. It is possible to have ambiguous parameter names, e.g. `name: "id", in: "path"` and `name: "path.id", in: "query"`; this is NOT RECOMMENDED and the behavior is implementation-defined, however implementations SHOULD prefer the qualified interpretation (`path.id` as a path parameter), as the names can always be qualified to disambiguate them (e.g. using `query.path.id` for the query parameter). -##### Examples +#### Examples Computing a link from a request operation where the `$request.path.id` is used to pass a request parameter to the linked operation. @@ -2650,7 +2650,7 @@ Clients follow all links at their discretion. Neither permissions nor the capability to make a successful call to that link is guaranteed solely by the existence of a relationship. -###### `operationRef` Examples +##### `operationRef` Examples As references to `operationId` MAY NOT be possible (the `operationId` is an optional field in an [Operation Object](#operation-object)), references MAY also be made through a relative `operationRef`: @@ -2678,7 +2678,7 @@ links: Note that in the use of `operationRef` the _escaped forward-slash_ is necessary when using JSON Pointer, and it is necessary to URL-encode `{` and `}` as `%7B` and `%7D`, respectively, when using JSON Pointer as URI fragments. -##### Runtime Expressions +#### Runtime Expressions Runtime expressions allow defining values based on information that will only be available within the HTTP message in an actual API call. This mechanism is used by [Link Objects](#link-object) and [Callback Objects](#callback-object). @@ -2710,7 +2710,7 @@ The `name` identifier is case-sensitive, whereas `token` is not. The table below provides examples of runtime expressions and examples of their use in a value: -###### Example Expressions +##### Example Expressions | Source Location | example expression | notes | | ---- | :---- | :---- | @@ -2725,7 +2725,7 @@ The table below provides examples of runtime expressions and examples of their u Runtime expressions preserve the type of the referenced value. Expressions can be embedded into string values by surrounding the expression with `{}` curly braces. -#### Header Object +### Header Object Describes a single header for [HTTP responses](#response-headers) and for [individual parts in `multipart` representations](#encoding-headers); see the relevant [Response Object](#response-object) and [Encoding Object](#encoding-object) documentation for restrictions on which headers can be described. @@ -2735,9 +2735,9 @@ The Header Object follows the structure of the [Parameter Object](#parameter-obj 1. `in` MUST NOT be specified, it is implicitly in `header`. 1. All traits that are affected by the location MUST be applicable to a location of `header` (for example, [`style`](#parameter-style)). This means that `allowEmptyValue` MUST NOT be used, and `style`, if used, MUST be limited to `"simple"`. -##### Fixed Fields +#### Fixed Fields -###### Common Fixed Fields +##### Common Fixed Fields These fields MAY be used with either `content` or `schema`. @@ -2753,7 +2753,7 @@ The `example` and `examples` fields are mutually exclusive; see [Working with Ex This object MAY be extended with [Specification Extensions](#specification-extensions). -###### Fixed Fields for use with `schema` +##### Fixed Fields for use with `schema` For simpler scenarios, a [`schema`](#header-schema) and [`style`](#header-style) can describe the structure and syntax of the header. @@ -2768,7 +2768,7 @@ Implementations MUST pass header values through unchanged rather than attempting See also [Appendix C: Using RFC6570-Based Serialization](#appendix-c-using-rfc6570-based-serialization) for additional guidance. -###### Fixed Fields for use with `content` +##### Fixed Fields for use with `content` For more complex scenarios, the [`content`](#header-content) field can define the media type and schema of the header, as well as give examples of its use. @@ -2776,7 +2776,7 @@ For more complex scenarios, the [`content`](#header-content) field can define th | ---- | :----: | ---- | | content | Map[`string`, [Media Type Object](#media-type-object) \| [Reference Object](#reference-object)] | A map containing the representations for the header. The key is the media type and the value describes it. The map MUST only contain one entry. | -##### Modeling Link Headers +#### Modeling Link Headers [[!RFC9264]] defines the `application/linkset` and `application/linkset+json` media types. The former is exactly the format of HTTP link header values except allowing additional whitespace for readability, while the latter is an equivalent JSON representation of such headers. @@ -2837,7 +2837,7 @@ components: $ref: '#/components/mediaTypes/CollectionLinks' ``` -##### Representing the `Set-Cookie` Header +#### Representing the `Set-Cookie` Header The `Set-Cookie` header is noted in [[!RFC9110]] [Section 5.3](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.3) as an exception to the normal rules of headers with multiple values. @@ -2931,7 +2931,7 @@ Set-Cookie: foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT Set-Cookie: urlSafeData=Hello%2C%20world%21 ``` -##### Header Object Example +#### Header Object Example A simple header of type `integer`: @@ -2957,12 +2957,12 @@ ETag: example: '"xyzzy"' ``` -#### Tag Object +### Tag Object Adds metadata to a single tag that is used by the [Operation Object](#operation-object). It is not mandatory to have a Tag Object per tag defined in the Operation Object instances. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -2975,7 +2975,7 @@ It is not mandatory to have a Tag Object per tag defined in the Operation Object This object MAY be extended with [Specification Extensions](#specification-extensions). -##### Tag Object Example +#### Tag Object Example ```yaml tags: @@ -2996,7 +2996,7 @@ tags: kind: audience ``` -#### Reference Object +### Reference Object A simple object to allow referencing other components in the OpenAPI Description, internally and externally. @@ -3004,7 +3004,7 @@ The `$ref` string value contains a URI [RFC3986](https://tools.ietf.org/html/rfc See the rules for resolving [Relative References](#relative-references-in-api-description-uris). -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -3016,25 +3016,25 @@ This object cannot be extended with additional properties, and any properties ad Note that this restriction on additional properties is a difference between Reference Objects and [Schema Objects](#schema-object) that contain a `$ref` keyword. -##### Reference Object Example +#### Reference Object Example ```yaml $ref: '#/components/schemas/Pet' ``` -##### Relative Schema Document Example +#### Relative Schema Document Example ```yaml $ref: Pet.yaml ``` -##### Relative Documents with Embedded Schema Example +#### Relative Documents with Embedded Schema Example ```yaml $ref: definitions.yaml#/Pet ``` -#### Schema Object +### Schema Object The Schema Object allows the definition of input and output data types. These types can be objects, but also primitives and arrays. This object is a superset of the [JSON Schema Specification Draft 2020-12](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html). The empty schema (which allows any instance to validate) MAY be represented by the boolean value `true` and a schema which allows no instance to validate MAY be represented by the boolean value `false`. @@ -3044,7 +3044,7 @@ For more information about the keywords, see [JSON Schema Core](https://www.ietf Unless stated otherwise, the keyword definitions follow those of JSON Schema and do not add any additional semantics; this includes keywords such as `$schema`, `$id`, `$ref`, and `$dynamicRef` being URIs rather than URLs. Where JSON Schema indicates that behavior is defined by the application (e.g. for annotations), OAS also defers the definition of semantics to the application consuming the OpenAPI document. -##### JSON Schema Keywords +#### JSON Schema Keywords The OpenAPI Schema Object [dialect](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-4.3.3) is defined as requiring the [OAS base vocabulary](#base-vocabulary), in addition to the vocabularies as specified in the JSON Schema Specification Draft 2020-12 [general purpose meta-schema](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-8). @@ -3060,7 +3060,7 @@ In addition to the JSON Schema keywords comprising the OAS dialect, the Schema O JSON Schema implementations MAY choose to treat keywords defined by the OpenAPI Specification's base vocabulary as [unknown keywords](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-4.3.1), due to its inclusion in the OAS dialect with a [`$vocabulary`](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-8.1.2) value of `false`. The OAS base vocabulary is comprised of the following keywords: -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -3071,7 +3071,7 @@ JSON Schema implementations MAY choose to treat keywords defined by the OpenAPI This object MAY be extended with [Specification Extensions](#specification-extensions), though as noted, additional properties MAY omit the `x-` prefix within this object. -##### Data Types +#### Data Types Data types in the OAS are based on the types defined by the [JSON Schema Validation Specification Draft 2020-12](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-6.1.1): "null", "boolean", "object", "array", "number", "string", or "integer". @@ -3081,7 +3081,7 @@ JSON Schema keywords and `format` values operate on JSON "instances" which may b Note that the `type` keyword allows `"integer"` as a value for convenience, but keyword and format applicability does not recognize integers as being of a distinct JSON type from other numbers because [[RFC8259|JSON]] itself does not make that distinction. Since there is no distinct JSON integer type, JSON Schema defines integers mathematically. This means that both `1` and `1.0` are [equivalent](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-4.2.2), and are both considered to be integers. -###### Data Type Format +##### Data Type Format As defined by the [JSON Schema Validation specification](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-7.3), data types can have an optional modifier keyword: `format`. As described in that specification, `format` is treated as a non-validating annotation by default; the ability to validate `format` varies across implementations. @@ -3102,7 +3102,7 @@ The formats defined by the OAS are: As noted under [Data Type](#data-types), both `type: number` and `type: integer` are considered to be numbers in the data model. -##### Parsing and Serializing +#### Parsing and Serializing API data has several forms: @@ -3110,7 +3110,7 @@ API data has several forms: 2. The data form, intended for use with a [Schema Object](#schema-object). 3. The application form, which incorporates any additional information conveyed by JSON Schema keywords such as `format` and `contentType`, and possibly additional information such as class hierarchies that are beyond the scope of this specification, although they MAY be based on specification elements such as the [Discriminator Object](#discriminator-object) or guidance regarding [Data Modeling Techniques](#data-modeling-techniques). -###### JSON Data +##### JSON Data JSON-serialized data is nearly equivalent to the data form because the [JSON Schema data model](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-4.2.1) is nearly equivalent to the JSON representation. The serialized UTF-8 JSON string `{"when": "1985-04-12T23:20:50.52"}` represents an object with one data field, named `when`, with a string value, `1985-04-12T23:20:50.52`. @@ -3128,7 +3128,7 @@ properties: Some applications might leave the string as a string regardless of programming language, while others might notice the `format` and use it as a `datetime.datetime` instance in Python, or a `java.time.ZonedDateTime` in Java. This specification only requires that the data is valid according to the schema, and that [annotations](#extended-validation-with-annotations) such as `format` are available in accordance with the JSON Schema specification. -###### Non-JSON Data +##### Non-JSON Data Non-JSON serializations can be substantially different from their corresponding data form, and might require several steps to parse. @@ -3236,7 +3236,7 @@ If validated data is not available, the schema inspection process is identical t In this example, both `code` and `count` are of primitive type and do not appear in the `encoding` field, and are therefore serialized as plain text. However, the `extra` field is an object, which would by default be serialized as JSON, but the `extra` entry in the `encoding` field tells use to serialize it as XML instead. -###### Working with Binary Data +##### Working with Binary Data The OAS can describe either _raw_ or _encoded_ binary data. @@ -3264,7 +3264,7 @@ If the [Schema Object](#schema-object) will be processed by a non-OAS-aware JSON See [Complete vs Streaming Content](#complete-vs-streaming-content) for guidance on streaming binary payloads. -####### Schema Evaluation and Binary Data +###### Schema Evaluation and Binary Data Few JSON Schema implementations directly support working with binary data, as doing so is not a mandatory part of that specification. @@ -3276,7 +3276,7 @@ However, `multipart` media types can mix binary and text-based data, leaving imp 1. Use a placeholder value, on the assumption that no assertions will apply to the binary data and no conditional schema keywords will cause the schema to treat the placeholder value differently (e.g. a part that could be either plain text or binary might behave unexpectedly if a string is used as a binary placeholder, as it would likely be treated as plain text and subject to different subschemas and keywords). 2. Inspect the schema(s) to find the appropriate keywords (`properties`, `prefixItems`, etc.) in order to break up the subschemas and apply them separately to binary and JSON-compatible data. -####### Migrating Binary Descriptions from OAS 3.0 +###### Migrating Binary Descriptions from OAS 3.0 The following table shows how to migrate from OAS 3.0 binary data descriptions, continuing to use `image/png` as the example binary media type: @@ -3285,18 +3285,18 @@ The following table shows how to migrate from OAS 3.0 binary data descriptions, | type: string
format: binary | contentMediaType: image/png | if redundant, can be omitted, often resulting in an empty [Schema Object](#schema-object) | | type: string
format: byte | type: string
contentMediaType: image/png
contentEncoding: base64 | note that `base64url` can be used to avoid re-encoding the base64 string to be URL-safe | -##### Extended Validation with Annotations +#### Extended Validation with Annotations JSON Schema Draft 2020-12 supports [collecting annotations](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-7.7.1), including [treating unrecognized keywords as annotations](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-6.5). OAS implementations MAY use such annotations, including [extensions](https://spec.openapis.org/registry/extension/) not recognized as part of a declared JSON Schema vocabulary, as the basis for further validation. Note that JSON Schema Draft 2020-12 does not require an `x-` prefix for extensions. -###### Non-Validating Constraint Keywords +##### Non-Validating Constraint Keywords The [`format` keyword (when using default format-annotation vocabulary)](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-7.2.1) and the [`contentMediaType`, `contentEncoding`, and `contentSchema` keywords](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-8.2) define constraints on the data, but are treated as annotations instead of being validated directly. Extended validation is one way that these constraints MAY be enforced. -###### Validating `readOnly` and `writeOnly` +##### Validating `readOnly` and `writeOnly` The `readOnly` and `writeOnly` keywords are annotations, as JSON Schema is not aware of how the data it is validating is being used. Validation of these keywords MAY be done by checking the annotation, the read or write direction, and (if relevant) the current value of the field. @@ -3308,9 +3308,9 @@ Even when read-only fields are not required, stripping them is burdensome for cl Note that the behavior of `readOnly` in particular differs from that specified by version 3.0 of this specification. -##### Data Modeling Techniques +#### Data Modeling Techniques -###### Composition and Inheritance (Polymorphism) +##### Composition and Inheritance (Polymorphism) The OpenAPI Specification allows combining and extending model definitions using the `allOf` keyword of JSON Schema, in effect offering model composition. `allOf` takes an array of object definitions that are validated _independently_ but together compose a single object. @@ -3330,7 +3330,7 @@ There are two ways to define the value of a discriminating property for an inher * Use the schema name. * [Override the schema name](#discriminator-mapping) by overriding the property with a new value. If a new value exists, this takes precedence over the schema name. -###### Generic (Template) Data Structures +##### Generic (Template) Data Structures Implementations SHOULD support defining generic or template data structures using JSON Schema's dynamic referencing feature: @@ -3339,18 +3339,18 @@ Implementations SHOULD support defining generic or template data structures usin An example is included in the [Schema Object Examples](#schema-object-examples) section below, and further information can be found on the Learn OpenAPI site's ["Dynamic References"](https://learn.openapis.org/referencing/dynamic.html) page. -###### Annotated Enumerations +##### Annotated Enumerations The Schema Object's `enum` keyword does not allow associating descriptions or other information with individual values. Implementations MAY support recognizing a `oneOf` or `anyOf` where each subschema in the keyword's array consists of a `const` keyword and annotations such as `title` or `description` as an enumerated type with additional information. The exact behavior of this pattern beyond what is required by JSON Schema is implementation-defined. -###### XML Modeling +##### XML Modeling The [xml](#schema-xml) field allows extra definitions when translating the JSON definition to XML. The [XML Object](#xml-object) contains additional information about the available options. -##### Specifying Schema Dialects +#### Specifying Schema Dialects It is important for tooling to be able to determine which dialect or meta-schema any given resource wishes to be processed with: JSON Schema Core, JSON Schema Validation, OpenAPI Schema dialect, or some custom meta-schema. @@ -3361,16 +3361,16 @@ To allow use of a different default `$schema` value for all Schema Objects conta For standalone JSON Schema documents that do not set `$schema`, or for Schema Objects in OpenAPI description documents that are _not_ [complete documents](#openapi-description-structure), the dialect SHOULD be assumed to be the OAS dialect. However, for maximum interoperability, it is RECOMMENDED that OpenAPI description authors explicitly set the dialect through `$schema` in such documents. -##### Schema Object Examples +#### Schema Object Examples -###### Primitive Example +##### Primitive Example ```yaml type: string format: email ``` -###### Simple Model +##### Simple Model ```yaml type: object @@ -3387,7 +3387,7 @@ properties: minimum: 0 ``` -###### Model with Map/Dictionary Properties +##### Model with Map/Dictionary Properties For a simple string to string mapping: @@ -3405,7 +3405,7 @@ additionalProperties: $ref: '#/components/schemas/ComplexModel' ``` -###### Model with Annotated Enumeration +##### Model with Annotated Enumeration ```yaml oneOf: @@ -3417,7 +3417,7 @@ oneOf: description: Specify colors with the cyan, magenta, yellow, and black subtractive color model ``` -###### Model with Example +##### Model with Example ```yaml type: object @@ -3434,7 +3434,7 @@ examples: id: 1 ``` -###### Models with Composition +##### Models with Composition ```yaml components: @@ -3462,7 +3462,7 @@ components: type: string ``` -###### Models with Polymorphism Support +##### Models with Polymorphism Support The following example describes a `Pet` model that can represent either a cat or a dog, as distinguished by the `petType` property. Each type of pet has other properties beyond those of the base `Pet` model. An instance without a `petType` property, or with a `petType` property that does not match either `cat` or `dog`, is invalid. @@ -3512,7 +3512,7 @@ components: - packSize ``` -###### Models with Polymorphism Support and a Discriminator Object +##### Models with Polymorphism Support and a Discriminator Object The following example extends the example of the previous section by adding a [Discriminator Object](#discriminator-object) to the `Pet` schema. Note that the Discriminator Object is only a hint to the consumer of the API and does not change the validation outcome of the schema. @@ -3568,7 +3568,7 @@ components: - packSize ``` -###### Models with Polymorphism Support using `allOf` and a Discriminator Object +##### Models with Polymorphism Support using `allOf` and a Discriminator Object It is also possible to describe polymorphic models using `allOf`. The following example uses `allOf` with a [Discriminator Object](#discriminator-object) to describe a polymorphic `Pet` model. @@ -3619,7 +3619,7 @@ components: - packSize ``` -###### Generic Data Structure Model +##### Generic Data Structure Model ```yaml components: @@ -3670,7 +3670,7 @@ components: $ref: array_of_numbers ``` -#### Discriminator Object +### Discriminator Object When request bodies or response payloads may be one of a number of different schemas, these should use the JSON Schema `anyOf` or `oneOf` keywords to describe the possible schemas (see [Composition and Inheritance](#composition-and-inheritance-polymorphism)). @@ -3680,7 +3680,7 @@ The Discriminator Object does this by implicitly or explicitly associating the p Note that `discriminator` MUST NOT change the validation outcome of the schema. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -3690,7 +3690,7 @@ Note that `discriminator` MUST NOT change the validation outcome of the schema. This object MAY be extended with [Specification Extensions](#specification-extensions). -##### Conditions for Using the Discriminator Object +#### Conditions for Using the Discriminator Object The Discriminator Object is legal only when using one of the composite keywords `oneOf`, `anyOf`, `allOf`. @@ -3703,7 +3703,7 @@ This is because `discriminator` cannot change the validation outcome, and no sta The behavior of any configuration of `oneOf`, `anyOf`, `allOf` and `discriminator` that is not described above is undefined. -##### Options for Mapping Values to Schemas +#### Options for Mapping Values to Schemas The value of the property named in `propertyName` is used as the name of the associated schema under the [Components Object](#components-object), _unless_ a `mapping` is present for that value. The `mapping` entry maps a specific property value to either a different schema component name, or to a schema identified by a URI. @@ -3714,7 +3714,7 @@ To ensure that an ambiguous value (e.g. `"foo"`) is treated as a relative URI re Mapping keys MUST be string values, but tooling MAY convert response values to strings for comparison. However, the exact nature of such conversions are implementation-defined. -##### Optional Discriminating Property +#### Optional Discriminating Property When the discriminating property is defined as optional, the [Discriminator Object](#discriminator-object) MUST include a `defaultMapping` field that specifies a schema that is expected to validate the structure of the model when the discriminating property is not present in the payload or contains a value for which there is no explicit or implicit mapping. This allows the schema to still be validated correctly even if the discriminating property is missing. @@ -3735,7 +3735,7 @@ OtherPet: This prevents the `defaultMapping` schema from validating a payload that includes the discriminating property with a mapped discriminating value, which would cause a validation to fail when polymorphism is described using the `oneOf` JSON schema keyword. -##### Examples +#### Examples For these examples, assume all schemas are in the [entry document](#openapi-description-structure) of the OAD; for handling of `discriminator` in referenced documents see [Resolving Implicit Connections](#resolving-implicit-connections). @@ -3878,12 +3878,12 @@ will indicate that the `#/components/schemas/Cat` schema is expected to match. L will map to `#/components/schemas/Dog` because the `dog` entry in the `mapping` element maps to `Dog` which is the schema name for `#/components/schemas/Dog`. -#### XML Object +### XML Object A metadata object that allows for more fine-tuned XML model definitions. When using a Schema Object with XML, if no XML Object is present, the behavior is determined by the XML Object's default field values. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -3901,7 +3901,7 @@ See [Appendix B](#appendix-b-data-type-conversion) for a discussion of convertin This object MAY be extended with [Specification Extensions](#specification-extensions). -##### XML Node Types +#### XML Node Types Each Schema Object describes a particular type of XML [[!DOM]] [node](https://dom.spec.whatwg.org/#interface-node) which is specified by the `nodeType` field, which has the following possible values. Except for the special value `none`, these values have numeric equivalents in the DOM specification which are given in parentheses after the name: @@ -3914,7 +3914,7 @@ Except for the special value `none`, these values have numeric equivalents in th The `none` type is useful for JSON Schema constructs that require more Schema Objects than XML nodes, such as a schema containing only `$ref` that exists to facilitate re-use rather than imply any structure. -###### Modeling Element Lists +##### Modeling Element Lists For historical compatibility, schemas of `type: "array"` default to `nodeType: "none"`, placing the nodes for each array item directly under the parent node. This also aligns with the inferred naming behavior defined under [XML Node Names](#xml-node-names). @@ -3923,7 +3923,7 @@ To produce an element wrapping the list, set an explicit `nodeType: "element"` o When doing so, it is advisable to set an explicit name on either the wrapping element or the item elements to avoid them having the same inferred name. See examples for expected behavior. -###### Implicit and Explicit `text` Nodes +##### Implicit and Explicit `text` Nodes If an `element` node has a primitive type, then the schema also produces an implicit `text` node described by the schema for the contents of the `element` node named by the property name (or `name` field). @@ -3931,7 +3931,7 @@ Explicit `text` nodes are necessary if an element has both attributes and conten Note that placing two `text` nodes adjacent to each other is ambiguous for parsing, and the resulting behavior is implementation-defined. -##### XML Node Names +#### XML Node Names The `element` and `attribute` node types require a name, which MUST be inferred from the schema as follows, unless overridden by the `name` field: @@ -3941,14 +3941,14 @@ The `element` and `attribute` node types require a name, which MUST be inferred Note that when using arrays, singular vs plural forms are _not_ inferred, and must be set explicitly. -##### Namespace Limitations +#### Namespace Limitations The `namespace` field is intended to match the syntax of [XML namespaces](https://www.w3.org/TR/xml-names11/), although there are a few caveats: * Versions 3.1.0, 3.0.3, and earlier of this specification erroneously used the term "absolute URI" instead of "non-relative URI" ("non-relative IRI" as of OAS v3.2.0), so authors using namespaces that include a fragment should check tooling support carefully. * XML allows but discourages relative IRI-references, while this specification outright forbids them. -##### Handling `null` Values +#### Handling `null` Values XML does not, by default, have a concept equivalent to `null`, and to preserve compatibility with version 3.1.1 and earlier of this specification, the behavior of serializing `null` values is implementation-defined. @@ -3964,12 +3964,12 @@ However, because there is no distinct way to represent `null` as an attribute, i To ensure correct round-trip behavior, when parsing an element that omits an attribute, implementations SHOULD set the corresponding property to `null` if the schema allows for that value (e.g. `type: ["number", "null"]`), and omit the property otherwise (e.g.`type: "number"`). -##### XML Object Examples +#### XML Object Examples The Schema Objects are followed by an example XML representation produced for the schema shown. For examples using `attribute` or `wrapped`, please see version 3.1 of the OpenAPI Specification. -###### No XML Object +##### No XML Object Basic string property without an XML Object, using `serializedValue` (the remaining examples will use `externalValue` so that the XML form can be shown with syntax highlighting): @@ -4022,7 +4022,7 @@ Where `./examples/pets.xml` would be: ``` -###### XML Name Replacement +##### XML Name Replacement ```yaml application/xml: @@ -4052,7 +4052,7 @@ Where `./examples/pets.xml` would be: ``` -###### XML Attribute, Prefix and Namespace +##### XML Attribute, Prefix and Namespace Note that the name of the root XML element comes from the component name. @@ -4094,7 +4094,7 @@ Where `./examples/Person.xml` would be: ``` -###### XML Arrays +##### XML Arrays Changing the element names: @@ -4304,7 +4304,7 @@ Where `./examples/pets.xml` would be: ``` -###### Elements With Attributes And Text +##### Elements With Attributes And Text ```yaml application/xml: @@ -4343,7 +4343,7 @@ Where `./examples/pets.xml` would be: ``` -###### Referenced Element With CDATA +##### Referenced Element With CDATA In this example, no element is created for the Schema Object that contains only the `$ref`, as its `nodeType` defaults to `none`. It is necessary to create a subschema for the CDATA section as otherwise the content would be treated as an implicit node of type `text`. @@ -4448,7 +4448,7 @@ and `./examples/updated.xml` would be: ``` -###### Ordered Elements and Text +##### Ordered Elements and Text To control the exact order of elements, use the `prefixItems` keyword. With this approach, it is necessary to set the element names using the XML Object as they would otherwise all inherit the parent's name despite being different elements in a specific order. @@ -4547,7 +4547,7 @@ Where `./examples/Report.xml` would be: Some preamble text.42Some postamble text. ``` -###### XML With `null` Values +##### XML With `null` Values Recall that the schema validates the in-memory data, not the XML document itself. This example does not define properties for `"related"` as it is showing how @@ -4615,14 +4615,14 @@ and `./examples/productNoNulls.xml` would be: ``` -#### Security Scheme Object +### Security Scheme Object Defines a security scheme that can be used by the operations. Supported schemes are HTTP authentication, an API key (either as a header, a cookie parameter or as a query parameter), mutual TLS (use of a client certificate), OAuth2's common flows (implicit, password, client credentials and authorization code) as defined in [RFC6749](https://tools.ietf.org/html/rfc6749), OAuth2 device authorization flow as defined in [RFC8628](https://tools.ietf.org/html/rfc8628), and [[OpenID-Connect-Core]]. Please note that as of 2020, the implicit flow is about to be deprecated by [OAuth 2.0 Security Best Current Practice](https://tools.ietf.org/html/draft-ietf-oauth-security-topics). Recommended for most use cases is Authorization Code Grant flow with PKCE. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Applies To | Description | | ---- | :----: | ---- | ---- | @@ -4639,16 +4639,16 @@ Please note that as of 2020, the implicit flow is about to be deprecated by [OAu This object MAY be extended with [Specification Extensions](#specification-extensions). -##### Security Scheme Object Examples +#### Security Scheme Object Examples -###### Basic Authentication Example +##### Basic Authentication Example ```yaml type: http scheme: basic ``` -###### API Key Example +##### API Key Example ```yaml type: apiKey @@ -4656,7 +4656,7 @@ name: api-key in: header ``` -###### JWT Bearer Example +##### JWT Bearer Example ```yaml type: http @@ -4664,14 +4664,14 @@ scheme: bearer bearerFormat: JWT ``` -###### MutualTLS Example +##### MutualTLS Example ```yaml type: mutualTLS description: Cert must be signed by example.com CA ``` -###### Implicit OAuth2 Example +##### Implicit OAuth2 Example ```yaml type: oauth2 @@ -4683,11 +4683,11 @@ flows: read:pets: read your pets ``` -#### OAuth Flows Object +### OAuth Flows Object Allows configuration of the supported OAuth Flows. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -4699,11 +4699,11 @@ Allows configuration of the supported OAuth Flows. This object MAY be extended with [Specification Extensions](#specification-extensions). -#### OAuth Flow Object +### OAuth Flow Object Configuration details for a supported OAuth Flow -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Applies To | Description | | ---- | :----: | ---- | ---- | @@ -4715,7 +4715,7 @@ Configuration details for a supported OAuth Flow This object MAY be extended with [Specification Extensions](#specification-extensions). -##### OAuth Flow Object Example +#### OAuth Flow Object Example ```yaml type: oauth2 @@ -4733,7 +4733,7 @@ flows: read:pets: read your pets ``` -#### Security Requirement Object +### Security Requirement Object Lists the required security schemes to execute this operation. @@ -4751,23 +4751,23 @@ This enables support for scenarios where the API allows multiple, independent se An empty Security Requirement Object (`{}`) indicates anonymous access is supported. -##### Patterned Fields +#### Patterned Fields | Field Pattern | Type | Description | | ---- | :----: | ---- | | {name} | [`string`] | Each name or URI MUST correspond to a security scheme as described above. If the security scheme is of type `"oauth2"` or `"openIdConnect"`, then the value is a list of scope names required for the execution, and the list MAY be empty if authorization does not require a specified scope. For other security scheme types, the array MAY contain a list of role names which are required for the execution, but are not otherwise defined or exchanged in-band. | -##### Security Requirement Object Examples +#### Security Requirement Object Examples See also [Appendix F: Resolving Security Requirements in a Referenced Document](#appendix-f-resolving-security-requirements-in-a-referenced-document) for an example using Security Requirement Objects in multi-document OpenAPI Descriptions. -###### Non-OAuth2 Security Requirement +##### Non-OAuth2 Security Requirement ```yaml api_key: [] ``` -###### OAuth2 Security Requirement +##### OAuth2 Security Requirement This example uses a component name for the Security Scheme. @@ -4777,7 +4777,7 @@ petstore_auth: - read:pets ``` -###### Optional OAuth2 Security +##### Optional OAuth2 Security This example uses a relative URI reference for the Security Scheme. @@ -4791,7 +4791,7 @@ security: - read:pets ``` -### Specification Extensions +## Specification Extensions While the OpenAPI Specification tries to accommodate most use cases, additional data can be added to extend the specification at certain points. From 1328ee8a59e30cd7290b90a01f902bfa93794cd5 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Thu, 28 Aug 2025 10:56:52 +0200 Subject: [PATCH 292/342] Parameter Object with in:querystring can't have content and content cannot be used with style --- .../parameter-object-content-not-with-style.yaml | 14 ++++++++++++++ ...rameter-object-querystring-not-with-schema.yaml | 11 +++++++++++ 2 files changed, 25 insertions(+) create mode 100644 tests/schema/fail/parameter-object-content-not-with-style.yaml create mode 100644 tests/schema/fail/parameter-object-querystring-not-with-schema.yaml diff --git a/tests/schema/fail/parameter-object-content-not-with-style.yaml b/tests/schema/fail/parameter-object-content-not-with-style.yaml new file mode 100644 index 0000000000..7a16b89aa8 --- /dev/null +++ b/tests/schema/fail/parameter-object-content-not-with-style.yaml @@ -0,0 +1,14 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + parameters: + content-not-with-style: + in: querystring + name: json + content: + application/json: + schema: + type: object + style: simple diff --git a/tests/schema/fail/parameter-object-querystring-not-with-schema.yaml b/tests/schema/fail/parameter-object-querystring-not-with-schema.yaml new file mode 100644 index 0000000000..4f4cf98666 --- /dev/null +++ b/tests/schema/fail/parameter-object-querystring-not-with-schema.yaml @@ -0,0 +1,11 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + parameters: + querystring-not-with-schema: + in: querystring + name: json + schema: + type: object From 3f1df3fdff63af6c014acaa3ac4852b28b3a0635 Mon Sep 17 00:00:00 2001 From: Ethan Date: Wed, 27 Aug 2025 22:18:56 -0700 Subject: [PATCH 293/342] OAD schema 'parameter object' + in: querystring drop `not`+`required` subschema This subschema would only forbid the presence of all four properties, rather than any of them, but it is superfluous as these properties are caught by `unevaluatedProperties: false`. --- src/schemas/validation/schema.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index ca24651c50..e658ceb745 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -392,12 +392,6 @@ $defs: then: required: - content - not: - required: - - schema - - style - - explode - - allowReserved dependentSchemas: schema: properties: From 14e56678aa8d444580658d23f05498f106a79f42 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 22 Aug 2025 10:11:27 -0700 Subject: [PATCH 294/342] Merge Versions and Deprecation sections --- src/oas.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/src/oas.md b/src/oas.md index 99f5302255..94f9f68cd4 100644 --- a/src/oas.md +++ b/src/oas.md @@ -16,20 +16,18 @@ For examples of OpenAPI usage and additional documentation, please visit [[?Open For extension registries and other specifications published by the OpenAPI Initiative, as well as the authoritative rendering of this specification, please visit [spec.openapis.org](https://spec.openapis.org/). -### Versions +### Versions and Deprecation The OpenAPI Specification is versioned using a `major`.`minor`.`patch` versioning scheme. The `major`.`minor` portion of the version string (for example `3.1`) SHALL designate the OAS feature set. _`.patch`_ versions address errors in, or provide clarifications to, this document, not the feature set. Tooling which supports OAS 3.1 SHOULD be compatible with all OAS 3.1.\* versions. The patch version SHOULD NOT be considered by tooling, making no distinction between `3.1.0` and `3.1.1` for example. -Occasionally, non-backwards compatible changes may be made in `minor` versions of the OAS where impact is believed to be low relative to the benefit provided. - -### Deprecation - Certain fields or features may be marked **Deprecated**. These fields and features remain part of the specification and can be used like any other field or feature. However, OpenAPI Description authors should use newer fields and features documented to replace the deprecated ones whenever possible. At this time, such elements are expected to remain part of the OAS until the next major version, although a future minor version of this specification may define a policy for later removal of deprecated elements. +Occasionally, non-backwards compatible changes may be made in `minor` versions of the OAS where impact is believed to be low relative to the benefit provided. + ### Undefined and Implementation-Defined Behavior This specification deems certain situations to have either _undefined_ or _implementation-defined_ behavior. @@ -94,7 +92,7 @@ This is the root object of the [OpenAPI Description](#openapi-description). | Field Name | Type | Description | | ---- | :----: | ---- | -| openapi | `string` | **REQUIRED**. This string MUST be the [version number](#versions) of the OpenAPI Specification that the OpenAPI Document uses. The `openapi` field SHOULD be used by tooling to interpret the OpenAPI Document. This is _not_ related to the API [`info.version`](#info-version) string. | +| openapi | `string` | **REQUIRED**. This string MUST be the [version number](#versions-and-deprecation) of the OpenAPI Specification that the OpenAPI Document uses. The `openapi` field SHOULD be used by tooling to interpret the OpenAPI Document. This is _not_ related to the API [`info.version`](#info-version) string. | | $self | `string` | This string MUST be in the form of a URI-reference as defined by [[RFC3986]] [Section 4.1](https://www.rfc-editor.org/rfc/rfc3986#section-4.1). The `$self` field provides the self-assigned URI of this document, which also serves as its base URI in accordance with [[RFC3986]] [Section 5.1.1](https://www.rfc-editor.org/rfc/rfc3986#section-5.1.1). Implementations MUST support identifying the targets of [API description URIs](#relative-references-in-api-description-uris) using the URI defined by this field when it is present. See [Establishing the Base URI](#establishing-the-base-uri) for the base URI behavior when `$self` is absent or relative, and see [Appendix G]((#appendix-g-examples-of-base-uri-determination-and-reference-resolution)) for examples of using `$self` to resolve references. | | info | [Info Object](#info-object) | **REQUIRED**. Provides metadata about the API. The metadata MAY be used by tooling as required. | | jsonSchemaDialect | `string` | The default value for the `$schema` keyword within [Schema Objects](#schema-object) contained within this OAS document. This MUST be in the form of a URI. | From 2c56b007c3f64a7d8f5cc80938bff8d6c1cb649e Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 22 Aug 2025 10:13:27 -0700 Subject: [PATCH 295/342] Remove outdated Server Object crossref The topic is now in the next section under the Server Object --- src/oas.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index 94f9f68cd4..bb94ae3018 100644 --- a/src/oas.md +++ b/src/oas.md @@ -321,8 +321,6 @@ An object representing a Server. This object MAY be extended with [Specification Extensions](#specification-extensions). -See [Examples of API Base URL Determination](#examples-of-api-base-url-determination) for examples of resolving relative server URLs. - #### Relative References in API URLs API endpoints are by definition accessed as locations, and are described by this specification as **_URLs_**. From 445d76f62da3ed15bb2002118c183448bee45bc5 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 22 Aug 2025 13:25:32 -0700 Subject: [PATCH 296/342] Rename "Schema" to "Objects and Fields" --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index bb94ae3018..0dc33c781a 100644 --- a/src/oas.md +++ b/src/oas.md @@ -49,7 +49,7 @@ Examples in this specification will be shown in YAML for brevity. All field names in the specification are **case sensitive**. This includes all fields that are used as keys in a map, except where explicitly noted that keys are **case insensitive**. -The [schema](#schema) exposes two types of fields: _fixed fields_, which have a declared name, and _patterned fields_, which have a declared pattern for the field name. +OAS [Objects](#objects-and-fields) expose two types of fields: _fixed fields_, which have a declared name, and _patterned fields_, which have a declared pattern for the field name. Patterned fields MUST have unique names within the containing object. @@ -75,7 +75,7 @@ Where OpenAPI tooling renders rich text it MUST support, at a minimum, markdown While the framing of CommonMark 0.27 as a minimum requirement means that tooling MAY choose to implement extensions on top of it, note that any such extensions are by definition implementation-defined and will not be interoperable. OpenAPI Description authors SHOULD consider how text using such extensions will be rendered by tools that offer only the minimum support. -## Schema +## Objects and Fields This section describes the structure of the OpenAPI Description format. This text is the only normative description of the format. From f80a4cd49fc31ac140b142de1c392b6d6991848e Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Wed, 27 Aug 2025 09:03:05 -0700 Subject: [PATCH 297/342] Add links to Introduction. This adds some links to key sections that introduce major concepts that used to be in the introductory sections of the OAS. It insures that concepts like the difference between serialized and in-memory data, as well as the multi-document structure of OADs, are quickly noticed in a top-to-bottom reading (rare as those may be). --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index 0dc33c781a..0408555572 100644 --- a/src/oas.md +++ b/src/oas.md @@ -8,9 +8,9 @@ This document is licensed under [The Apache License, Version 2.0](https://www.ap ## Introduction -The OpenAPI Specification (OAS) defines a standard, language-agnostic interface to HTTP APIs which allows both humans and computers to discover and understand the capabilities of the service without access to source code, documentation, or through network traffic inspection. When properly defined, a consumer can understand and interact with the remote service with a minimal amount of implementation logic. +The OpenAPI Specification (OAS) defines a standard, language-agnostic interface to HTTP APIs which allows both humans and computers to discover and understand the capabilities of the service without access to source code, documentation, or through network traffic inspection. When properly defined, a consumer can understand and interact with the remote service by [parsing and serializing](#parsing-and-serializing) HTTP messages to and from a [data model](#data-types) with a minimal amount of implementation logic. -An OpenAPI Description can then be used by documentation generation tools to display the API, code generation tools to generate servers and clients in various programming languages, testing tools, and many other use cases. +An [OpenAPI Description](#openapi-description-structure) (OAD) can then be used by documentation generation tools to display the API, code generation tools to generate servers and clients in various programming languages, testing tools, and many other use cases. For examples of OpenAPI usage and additional documentation, please visit [[?OpenAPI-Learn]]. From 2b4c061afa03d0ca5af74581f59096a6795c588e Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 28 Aug 2025 10:52:35 -0700 Subject: [PATCH 298/342] Remove counter-intuitive section name hack. --- src/oas.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/oas.md b/src/oas.md index 0408555572..b1d4f002e6 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1396,9 +1396,7 @@ The `maxLength` keyword MAY be used to set an expected upper bound on the length For unencoded binary data, the length is the number of octets. For this use case, `maxLength` MAY be implemented outside of regular JSON Schema evaluation as JSON Schema does not directly apply to binary data, and an encoded binary stream may be impractical to store in memory in its entirety. - - -#### Special Considerations for `text/event-stream` Content +#### Special Considerations for Server-Sent Events For `text/event-stream`, implementations MUST work with event data after it has been parsed according to the [`text/event-stream` specification](https://html.spec.whatwg.org/multipage/server-sent-events.html#parsing-an-event-stream), including all guidance on ignoring certain fields (including comments) and/or values, and on combining values split across multiple lines. @@ -1641,7 +1639,7 @@ Our `application/json-seq` example has to be an external document because of the ##### Server-Sent Event Streams -For this example, assume that the generic event schema provided in the [Special Considerations for `text/event-stream` Content](#considerations-event-stream) section is available at `#/components/schemas/Event`: +For this example, assume that the generic event schema provided in the [Special Considerations for `text/event-stream` Content](#special-considerations-for-server-sent-events) section is available at `#/components/schemas/Event`: ```yaml description: A request body to add a stream of typed data. From 5a17b018b3c0d93c53ce51bd18fe903d9516088a Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 14 Aug 2025 09:13:54 -0700 Subject: [PATCH 299/342] Improve Link Object Examples Ports from 3.1 the Link Object example description improvements. The related section tweaks were included in the larger 3.2 section reorganization. --- src/oas.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/src/oas.md b/src/oas.md index 99f5302255..c18b5b0115 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2652,8 +2652,10 @@ solely by the existence of a relationship. ##### `operationRef` Examples -As references to `operationId` MAY NOT be possible (the `operationId` is an optional -field in an [Operation Object](#operation-object)), references MAY also be made through a relative `operationRef`: +As the `operationId` is an optional field in an [Operation Object](#operation-object), references MAY instead be made through a URI-reference with `operationRef`. +Note that both of these examples reference operations that can be identified via the [Paths Object](#paths-object) to ensure that the operation's path template is unambiguous. + +A relative URI-reference `operationRef`: ```yaml links: @@ -2664,7 +2666,7 @@ links: username: $response.body#/username ``` -or a URI `operationRef`: +A non-relative URI `operationRef`: ```yaml links: @@ -2675,8 +2677,9 @@ links: username: $response.body#/username ``` -Note that in the use of `operationRef` the _escaped forward-slash_ is necessary when -using JSON Pointer, and it is necessary to URL-encode `{` and `}` as `%7B` and `%7D`, respectively, when using JSON Pointer as URI fragments. +Note that in the use of `operationRef` the _escaped forward-slash_ (`~1`) is necessary when +using JSON Pointer in URI fragments, and it is necessary to URL-encode `{` and `}` as `%7B` and `%7D`, respectively. +The unescaped, percent-decoded path template in the above examples would be `/2.0/repositories/{username}`. #### Runtime Expressions From cc1d673992a323ea7b0c50b498ee12e5bfe5be4c Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Tue, 26 Aug 2025 19:57:56 -0700 Subject: [PATCH 300/342] Port review feedback from v3.1-dev This did not get caught in the initial change review for 3.2. --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index c18b5b0115..bab4806db3 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1810,7 +1810,7 @@ See [Appendix B](#appendix-b-data-type-conversion) for a discussion of data type | Field Name | Type | Description | | ---- | :----: | ---- | -| style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameter-object) for details on the [`style`](#parameter-style) field. The behavior follows the same values as `query` parameters, including the default value of `"form"` which applies if either `explode` or `allowReserved` are explicitly specified. Note that the initial `?` used in query strings is not used in `application/x-www-form-urlencoded` message bodies, and MUST be removed (if using an RFC6570 implementation) or simply not added (if constructing the string manually). This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | +| style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameter-object) for details on the [`style`](#parameter-style) field. The behavior follows the same values as `query` parameters, including the default value of `"form"` which applies only when `contentType` is _not_ being used due to one or both of `explode` or `allowReserved` being explicitly specified. Note that the initial `?` used in query strings is not used in `application/x-www-form-urlencoded` message bodies, and MUST be removed (if using an RFC6570 implementation) or simply not added (if constructing the string manually). This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | | explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties, or when [`style`](#encoding-style) is `"deepObject"`, this field has no effect. When `style` is `"form"`, the default value is `true`. For all other styles, the default value is `false`. This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | | allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed in the target media type; see [URL Percent-Encoding](#url-percent-encoding) for details. The default value is `false`. This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | From 61177cbd9990c53988a1bf7f6b247ee650978d4f Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 28 Aug 2025 10:44:08 -0700 Subject: [PATCH 301/342] Fix outdated RFC ref ported from 3.1 --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index bab4806db3..38d97b2d3a 100644 --- a/src/oas.md +++ b/src/oas.md @@ -5172,7 +5172,7 @@ This will expand to the result: ## Appendix D: Serializing Headers and Cookies HTTP headers have inconsistent rules regarding what characters are allowed, and how some or all disallowed characters can be escaped and included. -While the `quoted-string` ABNF rule given in [[RFC7230]] [Section 3.2.6](https://httpwg.org/specs/rfc7230.html#field.components) is the most common escaping solution, it is not sufficiently universal to apply automatically. +While the `quoted-string` ABNF rule given in [[RFC9110]] [Section 5.4.6](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.6.4) is the most common escaping solution, it is not sufficiently universal to apply automatically. For example, a strong `ETag` looks like `"foo"` (with quotes, regardless of the contents), and a weak `ETag` looks like `W/"foo"` (note that only part of the value is quoted); the contents of the quotes for this header are also not escaped in the way `quoted-string` contents are. For this reason, any data being passed to a header by way of a [Parameter](#parameter-object) or [Header](#header-object) Object needs to be quoted and escaped prior to passing it to the OAS implementation, and the parsed header values are expected to contain the quotes and escapes. From de847019b94611ec106f3f64d9c3a5e9f49e720e Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sun, 31 Aug 2025 16:24:17 -0700 Subject: [PATCH 302/342] Fix the moved Media Types section A lot of this content is outdated, unnecessary, or otherwise in need of changing. * Be more clear about the OpenAPI vs IANA registries. * We do not need to list out all of GitHub's custom media types, and it's better to link to the IANA registry for examples. * The RFC for registering media types should be informative, not normative, if we even need it at all. * We can merge the Sequential Media Types section into the section on Complete vs Streaming Content, and reorder those sections a bit to read more smoothly. * Dump a lot of text that is now better addressed by the "Parsing and Serializing" section under the Schema Object. --- src/oas.md | 43 +++++++++++-------------------------------- 1 file changed, 11 insertions(+), 32 deletions(-) diff --git a/src/oas.md b/src/oas.md index 99f5302255..0256733c91 100644 --- a/src/oas.md +++ b/src/oas.md @@ -990,7 +990,7 @@ As these are not standards, and often contradict each other, the OAS does not at Two avenues are available for supporting such formats with `in: "querystring"`: * Use `content` and `text/plain` with a schema of `type: "string"` and define the format outside of OpenAPI. While this requires more work to document and construct or parse the format, which is seen as a plain string from the OpenAPI perspective, it provides the easiest flexible option -* Define a media type (which need not necessarily be [IANA-registered](https://www.rfc-editor.org/rfc/rfc6838.html)) and a process for mapping in-memory data to the serialized media type. To increase the likelihood of support across multiple tools, submit a registration for the media type and process to the OpenAPI Initiative's [Media Type Registry](#media-type-registry). +* Define a media type (which need not necessarily be [IANA-registered](https://www.rfc-editor.org/rfc/rfc6838.html)) and a process for mapping in-memory data to the serialized media type. To increase the likelihood of support across multiple tools, submit a registration for the media type and process to the OpenAPI Initiative's [Media Type Registry](#openapi-media-type-registry). #### Parameter Object Examples @@ -1241,7 +1241,7 @@ examples: serializedValue: "%24.a.b%5B1%3A1%5D" ``` -As there is not, as of this writing, a [registered](#media-type-registry) mapping between the JSON Schema data model and JSONPath, the details of the string's allowed structure would need to be conveyed either in a human-readable `description` field, or through a mechanism outside of the OpenAPI Description, such as a JSON Schema for the data structure to be queried. +As there is not, as of this writing, a [registered](#openapi-media-type-registry) mapping between the JSON Schema data model and JSONPath, the details of the string's allowed structure would need to be conveyed either in a human-readable `description` field, or through a mechanism outside of the OpenAPI Description, such as a JSON Schema for the data structure to be queried. Assuming a path of `/foo` and a server of `https://example.com`, the full URL incorporating the value from `serializedValue` would be: @@ -1319,40 +1319,19 @@ See [Working With Examples](#working-with-examples) for further guidance regardi This object MAY be extended with [Specification Extensions](#specification-extensions). -See also the [Media Type Registry](#media-type-registry). - #### Media Types -Media type definitions are spread across several resources. -The media type definitions SHOULD be in compliance with [RFC6838](https://tools.ietf.org/html/rfc6838). +Media types are publicly registered with the [IANA media types registry](https://www.iana.org/assignments/media-types/media-types.xhtml), through process documented in [[?RFC6838]]. -Some examples of possible media type definitions: +APIs also sometimes define private media types such as GitHub's `application/vnd.github.v3+json`, which are not registered, and other media types such as `application/schema+json` become widely used before an intended registration. -```text - text/plain; charset=utf-8 - application/json - application/vnd.github+json - application/vnd.github.v3+json - application/vnd.github.v3.raw+json - application/vnd.github.v3.text+json - application/vnd.github.v3.html+json - application/vnd.github.v3.full+json - application/vnd.github.v3.diff - application/vnd.github.v3.patch -``` - -JSON-based and JSON-compatible YAML-based media types can make direct use of the [Schema Object](#schema-object) as the Object uses JSON Schema. -The use of the Schema Object with other media types is handled by mapping them into the JSON Schema [instance data model](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#name-instance-data-model). -These mappings may be implicit based on the media type, or explicit based on the values of particular fields. -Each mapping is addressed where the relevant media type is discussed in this section or under the [Media Type Object](#media-type-object) or [Encoding Object](#encoding-object) - -##### Media Type Registry - -While the [Schema Object](#schema-object) is designed to describe and validate JSON, several other media types are commonly used in APIs. -Requirements regarding support for other media types are documented in this Media Types section and in several Object sections later in this specification. -For convenience and future extensibility, these are cataloged in the OpenAPI Initiative's [Media Type Registry](https://spec.openapis.org/registry/media-type/), which indicates where in this specification the relevant requirements can be found. - -See also the [Media Type Object](#media-type-object) for further information on working with specific media types. +See [Parsing and Serializing](#parsing-and-serializing) under the [Schema Object](#schema-object) for guidance on using schemas with a variety of media types. + +##### OpenAPI Media Type Registry + +The OpenAPI Initiative maintains a [Media Type Registry](https://spec.openapis.org/registry/media-type/) summarizing media type support expected by this specification and providing an index to which sections address which media types. +It also links to IANA registrations (where they exist) and to the most notable specification document(s) related to each media type. +Any additional media types added to this registry as extensions or for later versions of this or other OpenAPI specifications MAY be supported by implementations of this version of the OAS. #### Complete vs Streaming Content From dc5dad66bf9b393931e0e4677cba9579b5df9a28 Mon Sep 17 00:00:00 2001 From: Karen Etheridge Date: Sun, 31 Aug 2025 16:07:00 -0700 Subject: [PATCH 303/342] "example" and "examples" cannot appear together This affects the places where examples are used: parameter, header, and media-type objects for #4598. --- src/schemas/validation/schema.yaml | 4 ++++ tests/schema/fail/example-examples.yaml | 20 ++++++++++++++++++++ 2 files changed, 24 insertions(+) create mode 100644 tests/schema/fail/example-examples.yaml diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index e658ceb745..0717e2632f 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -1089,6 +1089,10 @@ $defs: type: object additionalProperties: $ref: '#/$defs/example-or-reference' + not: + required: + - example + - examples map-of-strings: type: object diff --git a/tests/schema/fail/example-examples.yaml b/tests/schema/fail/example-examples.yaml new file mode 100644 index 0000000000..eb91f13338 --- /dev/null +++ b/tests/schema/fail/example-examples.yaml @@ -0,0 +1,20 @@ +openapi: 3.2.0 + +# this example should fail, as example cannot be used together with examples. + +info: + title: API + version: 1.0.0 +components: + parameters: + animal: + name: animal + in: header + schema: {} + example: bear + examples: + a mammalian example: + dataValue: bear + + + From e857e6ec8be17d89c83c5224bdf6bd74853013a6 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 28 Aug 2025 15:22:17 -0700 Subject: [PATCH 304/342] Refactor OpenAPI Description Structure sections * Remove "OpenAPI Description" and "OpenAPI Document" section headings and reorder those paragraphs and the intro "OpenAPI Description Structure" paragraph to define the terms inline * Switch Appendixes F and G * F->G stays as-is, with base URI examples * G->F is expanded to a more general "Parsing and Resolution Guidance" section * Move several pieces of "Parsing Documents" to Appendix G * How to parse complete documents as the intro section * A "Warnings Regarding Fragmentary Parsing" section * Move "Structural Interoperability" under Appendix G and rename it to "Conflicts Between Field Types and Reference Contexts" * Move most of "Resolving Implicit Connections to Appendix G and rename it "Guidance Regarding Implicit Connections" * Put the original Section F implicit connection examples as a "Implicit Connection Resolution Examples" subsection Minimal adjustments were made to links to keep the build functional. --- src/oas.md | 327 +++++++++++++++++++++++++++-------------------------- 1 file changed, 164 insertions(+), 163 deletions(-) diff --git a/src/oas.md b/src/oas.md index 5e3b888817..5ade1bd36a 100644 --- a/src/oas.md +++ b/src/oas.md @@ -86,14 +86,14 @@ In the following description, if a field is not explicitly **REQUIRED** or descr ### OpenAPI Object -This is the root object of the [OpenAPI Description](#openapi-description). +This is the root object of the [OpenAPI Description](#openapi-description-structure). #### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | | openapi | `string` | **REQUIRED**. This string MUST be the [version number](#versions-and-deprecation) of the OpenAPI Specification that the OpenAPI Document uses. The `openapi` field SHOULD be used by tooling to interpret the OpenAPI Document. This is _not_ related to the API [`info.version`](#info-version) string. | -| $self | `string` | This string MUST be in the form of a URI-reference as defined by [[RFC3986]] [Section 4.1](https://www.rfc-editor.org/rfc/rfc3986#section-4.1). The `$self` field provides the self-assigned URI of this document, which also serves as its base URI in accordance with [[RFC3986]] [Section 5.1.1](https://www.rfc-editor.org/rfc/rfc3986#section-5.1.1). Implementations MUST support identifying the targets of [API description URIs](#relative-references-in-api-description-uris) using the URI defined by this field when it is present. See [Establishing the Base URI](#establishing-the-base-uri) for the base URI behavior when `$self` is absent or relative, and see [Appendix G]((#appendix-g-examples-of-base-uri-determination-and-reference-resolution)) for examples of using `$self` to resolve references. | +| $self | `string` | This string MUST be in the form of a URI-reference as defined by [[RFC3986]] [Section 4.1](https://www.rfc-editor.org/rfc/rfc3986#section-4.1). The `$self` field provides the self-assigned URI of this document, which also serves as its base URI in accordance with [[RFC3986]] [Section 5.1.1](https://www.rfc-editor.org/rfc/rfc3986#section-5.1.1). Implementations MUST support identifying the targets of [API description URIs](#relative-references-in-api-description-uris) using the URI defined by this field when it is present. See [Establishing the Base URI](#establishing-the-base-uri) for the base URI behavior when `$self` is absent or relative, and see [Appendix F]((#appendix-f-examples-of-base-uri-determination-and-reference-resolution)) for examples of using `$self` to resolve references. | | info | [Info Object](#info-object) | **REQUIRED**. Provides metadata about the API. The metadata MAY be used by tooling as required. | | jsonSchemaDialect | `string` | The default value for the `$schema` keyword within [Schema Objects](#schema-object) contained within this OAS document. This MUST be in the form of a URI. | | servers | [[Server Object](#server-object)] | An array of Server Objects, which provide connectivity information to a target server. If the `servers` field is not provided, or is an empty array, the default value would be an array consisting of a single [Server Object](#server-object) with a [url](#server-url) value of `/`. | @@ -111,55 +111,26 @@ Implementations MAY choose to support referencing by other URIs such as the retr #### OpenAPI Description Structure +An OpenAPI Description (OAD) formally describes the surface of an API and its semantics. It is composed of an [entry document](#openapi-description-structure), which must be an OpenAPI Document, and any/all of its referenced documents. An OAD uses and conforms to the OpenAPI Specification, and MUST contain at least one [paths](#paths-object) field, [components](#oas-components) field, or [webhooks](#oas-webhooks) field. + +An OpenAPI Document is a single JSON or YAML document that conforms to the OpenAPI Specification. An OpenAPI Document compatible with OAS 3.\*.\* contains a required [`openapi`](#oas-version) field which designates the version of the OAS that it uses. + An OpenAPI Description (OAD) MAY be made up of a single JSON or YAML document or be divided into multiple, connected parts at the discretion of the author. In the latter case, [Reference Object](#reference-object), [Path Item Object](#path-item-object) and [Schema Object](#schema-object) `$ref` fields, as well as the [Link Object](#link-object) `operationRef` field, and the URI form of the [Discriminator Object](#discriminator-object) `mapping` field, are used to identify the referenced elements. In a multi-document OAD, the document containing the OpenAPI Object where parsing begins is known as that OAD's **entry document**. It is RECOMMENDED that the entry document of an OAD be named: `openapi.json` or `openapi.yaml`. -##### OpenAPI Description - -An OpenAPI Description (OAD) formally describes the surface of an API and its semantics. It is composed of an [entry document](#openapi-description-structure), which must be an OpenAPI Document, and any/all of its referenced documents. An OAD uses and conforms to the OpenAPI Specification, and MUST contain at least one [paths](#paths-object) field, [components](#oas-components) field, or [webhooks](#oas-webhooks) field. - -##### OpenAPI Document - -An OpenAPI Document is a single JSON or YAML document that conforms to the OpenAPI Specification. An OpenAPI Document compatible with OAS 3.\*.\* contains a required [`openapi`](#oas-version) field which designates the version of the OAS that it uses. - ##### Parsing Documents In order to properly handle [Schema Objects](#schema-object), OAS 3.1 inherits the parsing requirements of [JSON Schema Specification Draft 2020-12](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-9), with appropriate modifications regarding base URIs as specified in [Relative References In URIs](#relative-references-in-api-description-uris). This includes a requirement to parse complete documents before deeming a Schema Object reference to be unresolvable, in order to detect keywords that might provide the reference target or impact the determination of the appropriate base URI. -Implementations MAY support complete-document parsing in any of the following ways: - -* Detecting OpenAPI or JSON Schema documents using media types -* Detecting OpenAPI documents through the root `openapi` field -* Detecting JSON Schema documents through detecting keywords or otherwise successfully parsing the document in accordance with the JSON Schema specification -* Detecting a document containing a referenceable Object at its root based on the expected type of the reference -* Allowing users to configure the type of documents that might be loaded due to a reference to a non-root Object - -Implementations that parse referenced fragments of OpenAPI content without regard for the content of the rest of the containing document will miss keywords that change the meaning and behavior of the reference target. -In particular, failing to take into account keywords that change the base URI introduces security risks by causing references to resolve to unintended URIs, with unpredictable results. -While some implementations support this sort of parsing due to the requirements of past versions of this specification, in version 3.1, the result of parsing fragments in isolation is _undefined_ and likely to contradict the requirements of this specification. - -While it is possible to structure certain OpenAPI Descriptions to ensure that they will behave correctly when references are parsed as isolated fragments, depending on this is NOT RECOMMENDED. -This specification does not explicitly enumerate the conditions under which such behavior is safe and provides no guarantee for continued safety in any future versions of the OAS. - A special case of parsing fragments of OAS content would be if such fragments are embedded in another format, referred to as an _embedding format_ with respect to the OAS. Note that the OAS itself is an embedding format with respect to JSON Schema, which is embedded as Schema Objects. It is the responsibility of an embedding format to define how to parse embedded content, and OAS implementations that do not document support for an embedding format cannot be expected to parse embedded OAS content correctly. -##### Structural Interoperability - -JSON or YAML objects within an OAD are interpreted as specific Objects (such as [Operation Objects](#operation-object), [Response Objects](#response-object), [Reference Objects](#reference-object), etc.) based on their context. Depending on how references are arranged, a given JSON or YAML object can be interpreted in multiple different contexts: - -* As the root object of the [entry document](#openapi-description-structure), which is always interpreted as an OpenAPI Object -* As the Object type implied by its parent Object within the document -* As a reference target, with the Object type matching the reference source's context - -If the same JSON/YAML object is parsed multiple times and the respective contexts require it to be parsed as _different_ Object types, the resulting behavior is _implementation defined_, and MAY be treated as an error if detected. An example would be referencing an empty Schema Object under `#/components/schemas` where a Path Item Object is expected, as an empty object is valid for both types. For maximum interoperability, it is RECOMMENDED that OpenAPI Description authors avoid such scenarios. - ##### Relative References in API Description URIs URIs used as references within an OpenAPI Description, or to external documentation or other supplementary information such as a license, are resolved as _identifiers_, and described by this specification as **_URIs_**. @@ -172,7 +143,7 @@ Unless specified otherwise, all fields that are URIs MAY be relative references ###### Establishing the Base URI -Relative URI references are resolved using the appropriate base URI, which MUST be determined in accordance with [[RFC3986]] [Section 5.1.1 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.1) and, for Schema objects, [JSON Schema draft 2020-12 Section 8.2](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-8.2), as illustrated by the examples in [Appendix G: Examples of Base URI Determination and Reference Resolution](#appendix-g-examples-of-base-uri-determination-and-reference-resolution). +Relative URI references are resolved using the appropriate base URI, which MUST be determined in accordance with [[RFC3986]] [Section 5.1.1 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.1) and, for Schema objects, [JSON Schema draft 2020-12 Section 8.2](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-8.2), as illustrated by the examples in [Appendix F: Examples of Base URI Determination and Reference Resolution](#appendix-f-examples-of-base-uri-determination-and-reference-resolution). If `$self` is a relative URI-reference, it is resolved against the next possible base URI source ([[RFC3986]] [Section 5.1.2 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.2)) before being used for the resolution of other relative URI-references. @@ -196,35 +167,6 @@ Several features of this specification require resolution of non-URI-based conne These connections are unambiguously resolved in single-document OADs, but the resolution process in multi-document OADs is _implementation-defined_, within the constraints described in this section. In some cases, an unambiguous URI-based alternative is available, and OAD authors are RECOMMENDED to always use the alternative: -| Source | Target | Alternative | -| ---- | ---- | ---- | -| [Security Requirement Object](#security-requirement-object) `{name}` | [Security Scheme Object](#security-scheme-object) name under the [Components Object](#components-object) | _n/a_ | -| [Discriminator Object](#discriminator-object) `mapping` _(implicit, or explicit name syntax)_ | [Schema Object](#schema-object) name under the Components Object | `mapping` _(explicit URI syntax)_ | -| [Operation Object](#operation-object) `tags` | [Tag Object](#tag-object) `name` (in the [OpenAPI Object](#openapi-object)'s `tags` array) | _n/a_ | -| [Link Object](#link-object) `operationId` | [Operation Object](#operation-object) `operationId` | `operationRef` | - -A fifth implicit connection involves appending the templated URL paths of the [Paths Object](#paths-object) to the appropriate [Server Object](#server-object)'s `url` field. -This is unambiguous because only the entry document's Paths Object contributes URLs to the described API. - -It is RECOMMENDED to consider all Operation Objects from all parsed documents when resolving any Link Object `operationId`. -This requires parsing all referenced documents prior to determining an `operationId` to be unresolvable. - -The implicit connections in the Security Requirement Object and Discriminator Object rely on the _component name_, which is the name of the property holding the component in the appropriately typed sub-object of the Components Object. -For example, the component name of the Schema Object at `#/components/schemas/Foo` is `Foo`. -The implicit connection of `tags` in the Operation Object uses the `name` field of Tag Objects, which (like the Components Object) are found under the root OpenAPI Object. -This means resolving component names and tag names both depend on starting from the correct OpenAPI Object. - -For resolving component and tag name connections from a referenced (non-entry) document, it is RECOMMENDED that tools resolve from the entry document, rather than the current document. -This allows Security Scheme Objects and Tag Objects to be defined next to the API's deployment information (the top-level array of Server Objects), and treated as an interface for referenced documents to access. - -The interface approach can also work for Discriminator Objects and Schema Objects, but it is also possible to keep the Discriminator Object's behavior within a single document using the relative URI-reference syntax of `mapping`. - -There are no URI-based alternatives for the Operation Object's `tags` field. -OAD authors are advised to use external solutions such as the OpenAPI Initiative's Overlay Specification to simulate sharing [Tag Objects](#tag-object) across multiple documents. - -See [Appendix F: Resolving Security Requirements in a Referenced Document](#appendix-f-resolving-security-requirements-in-a-referenced-document) for an example of the possible resolutions, including which one is recommended by this section. -The behavior for Discriminator Object non-URI mappings and for the Operation Object's `tags` field operate on the same principles. - Note that no aspect of implicit connection resolution changes how [URIs are resolved](#relative-references-in-api-description-uris), or restricts their possible targets. ### Info Object @@ -4735,7 +4677,7 @@ An empty Security Requirement Object (`{}`) indicates anonymous access is suppor #### Security Requirement Object Examples -See also [Appendix F: Resolving Security Requirements in a Referenced Document](#appendix-f-resolving-security-requirements-in-a-referenced-document) for an example using Security Requirement Objects in multi-document OpenAPI Descriptions. +See also [Implicit Connection Resolution Examples](#implicit-connection-resolution-examples) in [Appendix G](#appendix-g-parsing-and-resolution-guidance) for an example using Security Requirement Objects in multi-document OpenAPI Descriptions. ##### Non-OAuth2 Security Requirement @@ -5263,103 +5205,7 @@ For maximum interoperability, it is RECOMMENDED to either define and document an The exact method of additional encoding/escaping is left to the API designer, and is expected to be performed before serialization and encoding described in this specification, and reversed after this specification's encoding and serialization steps are reversed. This keeps it outside of the processes governed by this specification. -## Appendix F: Resolving Security Requirements in a Referenced Document - -This appendix shows how to retrieve an HTTP-accessible multi-document OpenAPI Description (OAD) and resolve a [Security Requirement Object](#security-requirement-object) in the referenced (non-entry) document. See [Resolving Implicit Connections](#resolving-implicit-connections) for more information. - -First, the [entry document](#openapi-description-structure) is where parsing begins. It defines the `MySecurity` security scheme to be JWT-based, and it defines a Path Item as a reference to a component in another document: - -```http -GET /api/description/openapi HTTP/1.1 -Host: www.example.com -Accept: application/openapi+json -``` - -```json -"components": { - "securitySchemes": { - "MySecurity": { - "type": "http", - "scheme": "bearer", - "bearerFormat": "JWT" - } - } -}, -"paths": { - "/foo": { - "$ref": "other#/components/pathItems/Foo" - } -} -``` - -```http -GET /api/description/openapi HTTP/1.1 -Host: www.example.com -Accept: application/openapi+yaml -``` - -```yaml -components: - securitySchemes: - MySecurity: - type: http - scheme: bearer - bearerFormat: JWT -paths: - /foo: - $ref: 'other#/components/pathItems/Foo' -``` - -This entry document references another document, `other`, without using a file extension. This gives the client the flexibility to choose an acceptable format on a resource-by-resource basis, assuming both representations are available: - -```http -GET /api/description/other HTTP/1.1 -Host: www.example.com -Accept: application/openapi+json -``` - -```json -"components": { - "securitySchemes": { - "MySecurity": { - "type": "http", - "scheme": "basic" - } - }, - "pathItems": { - "Foo": { - "get": { - "security": [ - "MySecurity": [] - ] - } - } - } -} -``` - -```http -GET /api/description/other HTTP/1.1 -Host: www.example.com -Accept: application/openapi+yaml -``` - -```yaml -components: - securitySchemes: - MySecurity: - type: http - scheme: basic - pathItems: - Foo: - get: - security: - - MySecurity: [] -``` - -In the `other` document, the referenced path item has a Security Requirement for a Security Scheme, `MySecurity`. The same Security Scheme exists in the original entry document. As outlined in [Resolving Implicit Connections](#resolving-implicit-connections), `MySecurity` is resolved with an [implementation-defined behavior](#undefined-and-implementation-defined-behavior). However, documented in that section, it is RECOMMENDED that tools resolve component names from the [entry document](#openapi-description-structure). As with all implementation-defined behavior, it is important to check tool documentation to determine which behavior is supported. - -## Appendix G: Examples of Base URI Determination and Reference Resolution +## Appendix F: Examples of Base URI Determination and Reference Resolution This section shows each of the four possible sources of base URIs, followed by an example with a relative `$self` and `$id`. @@ -5573,3 +5419,158 @@ components: In this example, all of the `$self` and `$id` values are relative URI-references consisting of an absolute path. This allows the retrieval URI to set the host (and scheme), in this case `https://staging.example.com`, resulting in the first document's `$self` being `https://staging.example.com/openapi`, and the second document's `$self` being `https://staging.example.com/api/shared/foo`, with `$id` values of `https://staging.example.com/api/schemas/foo` and `https://staging.example.com/api/schemas/bar`. Relative `$self` and `$id` values of this sort allow the same set of documents to work when deployed to other hosts, e.g. `https://example.com` (production) or `https://localhost:8080` (local development). + +## Appendix G: Parsing and Resolution Guidance + +Implementations MAY support complete-document parsing in any of the following ways: + +* Detecting OpenAPI or JSON Schema documents using media types +* Detecting OpenAPI documents through the root `openapi` field +* Detecting JSON Schema documents through detecting keywords or otherwise successfully parsing the document in accordance with the JSON Schema specification +* Detecting a document containing a referenceable Object at its root based on the expected type of the reference +* Allowing users to configure the type of documents that might be loaded due to a reference to a non-root Object + +### Warnings Regarding Fragmentary Parsing + +Implementations that parse referenced fragments of OpenAPI content without regard for the content of the rest of the containing document will miss keywords that change the meaning and behavior of the reference target. +In particular, failing to take into account keywords that change the base URI introduces security risks by causing references to resolve to unintended URIs, with unpredictable results. +While some implementations support this sort of parsing due to the requirements of past versions of this specification, in version 3.1, the result of parsing fragments in isolation is _undefined_ and likely to contradict the requirements of this specification. + +While it is possible to structure certain OpenAPI Descriptions to ensure that they will behave correctly when references are parsed as isolated fragments, depending on this is NOT RECOMMENDED. +This specification does not explicitly enumerate the conditions under which such behavior is safe and provides no guarantee for continued safety in any future versions of the OAS. + +### Conflicts Between Field Types and Reference Contexts + +JSON or YAML objects within an OAD are interpreted as specific Objects (such as [Operation Objects](#operation-object), [Response Objects](#response-object), [Reference Objects](#reference-object), etc.) based on their context. Depending on how references are arranged, a given JSON or YAML object can be interpreted in multiple different contexts: + +* As the root object of the [entry document](#openapi-description-structure), which is always interpreted as an OpenAPI Object +* As the Object type implied by its parent Object within the document +* As a reference target, with the Object type matching the reference source's context + +If the same JSON/YAML object is parsed multiple times and the respective contexts require it to be parsed as _different_ Object types, the resulting behavior is _implementation defined_, and MAY be treated as an error if detected. An example would be referencing an empty Schema Object under `#/components/schemas` where a Path Item Object is expected, as an empty object is valid for both types. For maximum interoperability, it is RECOMMENDED that OpenAPI Description authors avoid such scenarios. + +### Guidance Regarding Implicit Connections + +| Source | Target | Alternative | +| ---- | ---- | ---- | +| [Security Requirement Object](#security-requirement-object) `{name}` | [Security Scheme Object](#security-scheme-object) name under the [Components Object](#components-object) | _n/a_ | +| [Discriminator Object](#discriminator-object) `mapping` _(implicit, or explicit name syntax)_ | [Schema Object](#schema-object) name under the Components Object | `mapping` _(explicit URI syntax)_ | +| [Operation Object](#operation-object) `tags` | [Tag Object](#tag-object) `name` (in the [OpenAPI Object](#openapi-object)'s `tags` array) | _n/a_ | +| [Link Object](#link-object) `operationId` | [Operation Object](#operation-object) `operationId` | `operationRef` | + +A fifth implicit connection involves appending the templated URL paths of the [Paths Object](#paths-object) to the appropriate [Server Object](#server-object)'s `url` field. +This is unambiguous because only the entry document's Paths Object contributes URLs to the described API. + +It is RECOMMENDED to consider all Operation Objects from all parsed documents when resolving any Link Object `operationId`. +This requires parsing all referenced documents prior to determining an `operationId` to be unresolvable. + +The implicit connections in the Security Requirement Object and Discriminator Object rely on the _component name_, which is the name of the property holding the component in the appropriately typed sub-object of the Components Object. +For example, the component name of the Schema Object at `#/components/schemas/Foo` is `Foo`. +The implicit connection of `tags` in the Operation Object uses the `name` field of Tag Objects, which (like the Components Object) are found under the root OpenAPI Object. +This means resolving component names and tag names both depend on starting from the correct OpenAPI Object. + +For resolving component and tag name connections from a referenced (non-entry) document, it is RECOMMENDED that tools resolve from the entry document, rather than the current document. +This allows Security Scheme Objects and Tag Objects to be defined next to the API's deployment information (the top-level array of Server Objects), and treated as an interface for referenced documents to access. + +The interface approach can also work for Discriminator Objects and Schema Objects, but it is also possible to keep the Discriminator Object's behavior within a single document using the relative URI-reference syntax of `mapping`. + +There are no URI-based alternatives for the Operation Object's `tags` field. +OAD authors are advised to use external solutions such as the OpenAPI Initiative's Overlay Specification to simulate sharing [Tag Objects](#tag-object) across multiple documents. + +The behavior for Discriminator Object non-URI mappings and for the Operation Object's `tags` field operate on the same principles. + +#### Implicit Connection Resolution Examples + +This appendix shows how to retrieve an HTTP-accessible multi-document OpenAPI Description (OAD) and resolve a [Security Requirement Object](#security-requirement-object) in the referenced (non-entry) document. See [Resolving Implicit Connections](#resolving-implicit-connections) for more information. + +First, the [entry document](#openapi-description-structure) is where parsing begins. It defines the `MySecurity` security scheme to be JWT-based, and it defines a Path Item as a reference to a component in another document: + +```http +GET /api/description/openapi HTTP/1.1 +Host: www.example.com +Accept: application/openapi+json +``` + +```json +"components": { + "securitySchemes": { + "MySecurity": { + "type": "http", + "scheme": "bearer", + "bearerFormat": "JWT" + } + } +}, +"paths": { + "/foo": { + "$ref": "other#/components/pathItems/Foo" + } +} +``` + +```http +GET /api/description/openapi HTTP/1.1 +Host: www.example.com +Accept: application/openapi+yaml +``` + +```yaml +components: + securitySchemes: + MySecurity: + type: http + scheme: bearer + bearerFormat: JWT +paths: + /foo: + $ref: 'other#/components/pathItems/Foo' +``` + +This entry document references another document, `other`, without using a file extension. This gives the client the flexibility to choose an acceptable format on a resource-by-resource basis, assuming both representations are available: + +```http +GET /api/description/other HTTP/1.1 +Host: www.example.com +Accept: application/openapi+json +``` + +```json +"components": { + "securitySchemes": { + "MySecurity": { + "type": "http", + "scheme": "basic" + } + }, + "pathItems": { + "Foo": { + "get": { + "security": [ + "MySecurity": [] + ] + } + } + } +} +``` + +```http +GET /api/description/other HTTP/1.1 +Host: www.example.com +Accept: application/openapi+yaml +``` + +```yaml +components: + securitySchemes: + MySecurity: + type: http + scheme: basic + pathItems: + Foo: + get: + security: + - MySecurity: [] +``` + +In the `other` document, the referenced path item has a Security Requirement for a Security Scheme, `MySecurity`. The same Security Scheme exists in the original entry document. As outlined in [Resolving Implicit Connections](#resolving-implicit-connections), `MySecurity` is resolved with an [implementation-defined behavior](#undefined-and-implementation-defined-behavior). However, documented in that section, it is RECOMMENDED that tools resolve component names from the [entry document](#openapi-description-structure). As with all implementation-defined behavior, it is important to check tool documentation to determine which behavior is supported. From 9e49f96aa36fce47ec601b442114b2e13f358fc3 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 28 Aug 2025 16:51:25 -0700 Subject: [PATCH 305/342] Streamline OpenAPI Description Structure post-moves A lot of what was here is no longer needed, and other things can be said better either because of the new arrangement or because I thought of better wording since I first wrote things. In particular, get rid of the awkward Document vs document distinction by banishing discussion of small-d documents to the appendix. --- src/oas.md | 101 +++++++++++++++++++++++++++++------------------------ 1 file changed, 56 insertions(+), 45 deletions(-) diff --git a/src/oas.md b/src/oas.md index 5ade1bd36a..09985b6de3 100644 --- a/src/oas.md +++ b/src/oas.md @@ -43,7 +43,7 @@ Unlike undefined behavior, it is safe to rely on implementation-defined behavior ## Format -An OpenAPI Document that conforms to the OpenAPI Specification is itself a JSON object, which may be represented either in [[RFC8259|JSON]] or [[YAML|YAML]] format. +An OpenAPI document that conforms to the OpenAPI Specification is itself a JSON object, which may be represented either in [[RFC8259|JSON]] or [[YAML|YAML]] format. Examples in this specification will be shown in YAML for brevity. All field names in the specification are **case sensitive**. @@ -90,9 +90,11 @@ This is the root object of the [OpenAPI Description](#openapi-description-struct #### Fixed Fields +In addition to the required fields, at least one of the `components`, `paths`, or `webhooks` fields MUST be present. + | Field Name | Type | Description | | ---- | :----: | ---- | -| openapi | `string` | **REQUIRED**. This string MUST be the [version number](#versions-and-deprecation) of the OpenAPI Specification that the OpenAPI Document uses. The `openapi` field SHOULD be used by tooling to interpret the OpenAPI Document. This is _not_ related to the API [`info.version`](#info-version) string. | +| openapi | `string` | **REQUIRED**. This string MUST be the [version number](#versions-and-deprecation) of the OpenAPI Specification that the OpenAPI document uses. The `openapi` field SHOULD be used by tooling to interpret the OpenAPI document. This is _not_ related to the API [`info.version`](#info-version) string. | | $self | `string` | This string MUST be in the form of a URI-reference as defined by [[RFC3986]] [Section 4.1](https://www.rfc-editor.org/rfc/rfc3986#section-4.1). The `$self` field provides the self-assigned URI of this document, which also serves as its base URI in accordance with [[RFC3986]] [Section 5.1.1](https://www.rfc-editor.org/rfc/rfc3986#section-5.1.1). Implementations MUST support identifying the targets of [API description URIs](#relative-references-in-api-description-uris) using the URI defined by this field when it is present. See [Establishing the Base URI](#establishing-the-base-uri) for the base URI behavior when `$self` is absent or relative, and see [Appendix F]((#appendix-f-examples-of-base-uri-determination-and-reference-resolution)) for examples of using `$self` to resolve references. | | info | [Info Object](#info-object) | **REQUIRED**. Provides metadata about the API. The metadata MAY be used by tooling as required. | | jsonSchemaDialect | `string` | The default value for the `$schema` keyword within [Schema Objects](#schema-object) contained within this OAS document. This MUST be in the form of a URI. | @@ -111,35 +113,38 @@ Implementations MAY choose to support referencing by other URIs such as the retr #### OpenAPI Description Structure -An OpenAPI Description (OAD) formally describes the surface of an API and its semantics. It is composed of an [entry document](#openapi-description-structure), which must be an OpenAPI Document, and any/all of its referenced documents. An OAD uses and conforms to the OpenAPI Specification, and MUST contain at least one [paths](#paths-object) field, [components](#oas-components) field, or [webhooks](#oas-webhooks) field. +An **OpenAPI Description** (**OAD**) formally describes the surface of an API and its semantics. +An OAD MAY be made up of a single document, or be distributed across multiple documents that are connected by varoius fields using [URI references](#relative-references-in-api-description-uris) and [implicit connections](#resolving implicit connections). -An OpenAPI Document is a single JSON or YAML document that conforms to the OpenAPI Specification. An OpenAPI Document compatible with OAS 3.\*.\* contains a required [`openapi`](#oas-version) field which designates the version of the OAS that it uses. +In order for parsing behavior to be well-defined, all documents in an OAD MUST have either an OpenAPI Object or a Schema Object at the root, and MUST be parsed as complete documents, as described in the next section. -An OpenAPI Description (OAD) MAY be made up of a single JSON or YAML document or be divided into multiple, connected parts at the discretion of the author. In the latter case, [Reference Object](#reference-object), [Path Item Object](#path-item-object) and [Schema Object](#schema-object) `$ref` fields, as well as the [Link Object](#link-object) `operationRef` field, and the URI form of the [Discriminator Object](#discriminator-object) `mapping` field, are used to identify the referenced elements. +Documents with a different Object at the root, or that mix OAD content with other content, MAY be supported, but will have implementation-defined or, potentially, undefined behavior as described in [Appendix G: Parsing and Resolution Guidance](#appendix-g-parsing-and-resolution-guidance). +Throughout this specification, documents are assumed to have either an OpenAPI Object or Schema Object at the root unless otherwise specified. In a multi-document OAD, the document containing the OpenAPI Object where parsing begins is known as that OAD's **entry document**. +It is RECOMMENDED that the entry document of an OAD be named `openapi.json` or `openapi.yaml`. -It is RECOMMENDED that the entry document of an OAD be named: `openapi.json` or `openapi.yaml`. +An OpenAPI Object MAY be embedded in another format, called the **embedding format**, just as JSON Schema is embedded in the OAS in the form of Schema Objects. +It is the responsibility of an embedding format to define how to parse embedded content, and OAS implementations that do not document support for an embedding format cannot be expected to parse embedded OAS content correctly. ##### Parsing Documents -In order to properly handle [Schema Objects](#schema-object), OAS 3.1 inherits the parsing requirements of [JSON Schema Specification Draft 2020-12](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-9), with appropriate modifications regarding base URIs as specified in [Relative References In URIs](#relative-references-in-api-description-uris). +Each document in an OAD MUST be fully parsed in order to locate possible reference targets, including the OpenAPI Object's [`$self`](#oas-self) field and the [Schema Object's](#schema-object) `$id`, `$anchor`, and `$dynamicAnchor` keywords. +This includes the parsing requirements of [JSON Schema Specification Draft 2020-12](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-9), with appropriate modifications regarding base URIs as specified in [Relative References In URIs](#relative-references-in-api-description-uris). -This includes a requirement to parse complete documents before deeming a Schema Object reference to be unresolvable, in order to detect keywords that might provide the reference target or impact the determination of the appropriate base URI. +Implementations MUST NOT treat a reference as unresolvable before completely parsing all documents provided to the implementation as possible parts of the OAD. -A special case of parsing fragments of OAS content would be if such fragments are embedded in another format, referred to as an _embedding format_ with respect to the OAS. -Note that the OAS itself is an embedding format with respect to JSON Schema, which is embedded as Schema Objects. -It is the responsibility of an embedding format to define how to parse embedded content, and OAS implementations that do not document support for an embedding format cannot be expected to parse embedded OAS content correctly. +If only the referenced part of the document is parsed when resolving a reference, the resulting behavior can be implementation-defined or undefined; see [Warnings Regarding Fragmentary Parsing](#warnings-regarding-fragmentary-parsing) in [Appendix G](#appendix-g-parsing-and-resolution-guidance) for details. ##### Relative References in API Description URIs -URIs used as references within an OpenAPI Description, or to external documentation or other supplementary information such as a license, are resolved as _identifiers_, and described by this specification as **_URIs_**. -As noted under [Parsing Documents](#parsing-documents), this specification inherits JSON Schema Specification Draft 2020-12's requirements for [loading documents](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-9) and associating them with their expected URIs, which might not match their current location. -This feature is used both for working in development or test environments without having to change the URIs, and for working within restrictive network configurations or security policies. - +URIs used as references within an OpenAPI Description, or to external documentation or other supplementary information such as a license, are resolved as _identifiers_, and described by this specification as **_URIs_**, in contrast with [API URLs](#relative-references-in-api-urls). Note that some URI fields are named `url` for historical reasons, but the descriptive text for those fields uses the correct "URI" terminology. -Unless specified otherwise, all fields that are URIs MAY be relative references as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-4.2). +As noted under [Parsing Documents](#parsing-documents), several fields can be used to associate an OpenAPI document or a Schema Object with a URI, which might not match the document or schema's location. +This allows the same references to be used in different deployment environments, including local filesystems or networks restricted by security policies or connectivity limitations. + +Unless specified otherwise, all fields that are URIs MAY be relative references as defined by [[RFC3986]] [Section 4.2](https://tools.ietf.org/html/rfc3986#section-4.2). ###### Establishing the Base URI @@ -150,7 +155,7 @@ If `$self` is a relative URI-reference, it is resolved against the next possible The most common base URI source that is used in the event of a missing or relative `$self` (in the [OpenAPI Object](#openapi-object)) and (for [Schema Object](#schema-object)) `$id` is the retrieval URI. Implementations MAY support document retrieval, although see the [Security Considerations](#security-considerations) sections for additional guidance. Even if retrieval is supported, it may be impossible due to network configuration or server unavailability (including the server hosting an older version while a new version is in development), or undesirable due to performance impacts. -Therefore, all implementations SHOULD allow users to provide the intended retrieval URI for each document so that references can be resolved as if retrievals were performed. +Therefore, all implementations SHOULD allow users to provide documents with their intended retrieval URIs so that references can be resolved as if retrievals were performed. ###### Resolving URI fragments @@ -165,10 +170,15 @@ Relative references in CommonMark hyperlinks are resolved in their rendered cont Several features of this specification require resolution of non-URI-based connections to some other part of the OpenAPI Description (OAD). These connections are unambiguously resolved in single-document OADs, but the resolution process in multi-document OADs is _implementation-defined_, within the constraints described in this section. -In some cases, an unambiguous URI-based alternative is available, and OAD authors are RECOMMENDED to always use the alternative: +In some cases, an unambiguous URI-based alternative is available, and OAD authors are RECOMMENDED to use the alternative to maximize interoperability. + +For resolving [Components Object](#components-object) and [Tag Object](#tag-object) names from a referenced (non-entry) document, it is RECOMMENDED that tools resolve from the entry document, rather than the current document. +For resolving an [Operation Object](#operation-object) based on an `operationId`, it is RECOMMENDED to consider all Operation Objects from all parsed documents. Note that no aspect of implicit connection resolution changes how [URIs are resolved](#relative-references-in-api-description-uris), or restricts their possible targets. +See [Appendix G: Parsing and Resolution Guidance](#appendix-g-parsing-and-resolution-guidance) for more details, including a list of Objects and fields using implicit connections. + ### Info Object The object provides metadata about the API. @@ -184,7 +194,7 @@ The metadata MAY be used by the clients if needed, and MAY be presented in editi | termsOfService | `string` | A URI for the Terms of Service for the API. This MUST be in the form of a URI. | | contact | [Contact Object](#contact-object) | The contact information for the exposed API. | | license | [License Object](#license-object) | The license information for the exposed API. | -| version | `string` | **REQUIRED**. The version of the OpenAPI Document (which is distinct from the [OpenAPI Specification version](#oas-version) or the version of the API being described or the version of the OpenAPI Description). | +| version | `string` | **REQUIRED**. The version of the OpenAPI document (which is distinct from the [OpenAPI Specification version](#oas-version) or the version of the API being described or the version of the OpenAPI Description). | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -269,12 +279,12 @@ API endpoints are by definition accessed as locations, and are described by this Unless specified otherwise, all fields that are URLs MAY be relative references as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-4.2). -Because the API is a distinct entity from the OpenAPI Document, RFC3986's base URI rules for the OpenAPI Document do not apply. +Because the API is a distinct entity from the OpenAPI document, RFC3986's base URI rules for the OpenAPI document do not apply. Unless specified otherwise, relative references are resolved using the URLs defined in the [Server Object](#server-object) as a base URL. Note that these themselves MAY be relative to the referring document. ##### Examples of API Base URL Determination -Assume a retrieval URI of `https://device1.example.com` for the following OpenAPI Document: +Assume a retrieval URI of `https://device1.example.com` for the following OpenAPI document: ```yaml openapi: 3.2.0 @@ -289,7 +299,7 @@ servers: description: The test API on this device ``` -For API URLs the `$self` field, which identifies the OpenAPI Document, is ignored and the retrieval URI is used instead. This produces a normalized production URL of `https://device1.example.com`, and a normalized test URL of `https://device1.example.com/test`. +For API URLs the `$self` field, which identifies the OpenAPI document, is ignored and the retrieval URI is used instead. This produces a normalized production URL of `https://device1.example.com`, and a normalized test URL of `https://device1.example.com/test`. #### Server Object Example @@ -4677,7 +4687,7 @@ An empty Security Requirement Object (`{}`) indicates anonymous access is suppor #### Security Requirement Object Examples -See also [Implicit Connection Resolution Examples](#implicit-connection-resolution-examples) in [Appendix G](#appendix-g-parsing-and-resolution-guidance) for an example using Security Requirement Objects in multi-document OpenAPI Descriptions. +See also [Implicit Connection Resolution Examples](#implicit-connection-resolution-examples) in [Appendix G: Parsing and Resolution Guidance](#appendix-g-parsing-and-resolution-guidance) for an example using Security Requirement Objects in multi-document OpenAPI Descriptions. ##### Non-OAuth2 Security Requirement @@ -5212,7 +5222,7 @@ This section shows each of the four possible sources of base URIs, followed by a ### Base URI Within Content A base URI within the resource's content (RFC3986 Section 5.1.1) is the highest-precedence source of a base URI. -For OpenAPI Documents, this source is the OpenAPI Object's `$self` field, while for Schema Objects that contain a `$id`, or are a subschema of a Schema Object containing a `$id`, the source is the `$id` field: +For OpenAPI documents, this source is the OpenAPI Object's `$self` field, while for Schema Objects that contain a `$id`, or are a subschema of a Schema Object containing a `$id`, the source is the `$id` field: Assume the retrieval URI of the following document is `file://home/someone/src/api/openapi.yaml`: @@ -5267,15 +5277,15 @@ That Schema Object has a subschema with `$ref: bar`, which is resolved against t To guarantee interoperability, Schema Objects containing an `$id`, or that are under a schema containing an `$id`, MUST be referenced by the nearest such `$id` for the non-fragment part of the reference. As the JSON Schema specification notes, using a base URI other than the nearest `$id` and crossing that `$id` with a JSON Pointer fragment [is not interoperable](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#name-json-pointer-fragments-and-). -Note also that it is impossible for the reference at `#/components/schemas/Foo/properties/bar/$ref` to reference the schema at `#/components/schemas/Bar` using _only_ a JSON Pointer fragment, as the JSON Pointer would be resolved relative to `https://example.com/api/schemas/foo`, not to the OpenAPI Document's base URI from `$self`. +Note also that it is impossible for the reference at `#/components/schemas/Foo/properties/bar/$ref` to reference the schema at `#/components/schemas/Bar` using _only_ a JSON Pointer fragment, as the JSON Pointer would be resolved relative to `https://example.com/api/schemas/foo`, not to the OpenAPI document's base URI from `$self`. ### Base URI From Encapsulating Entity If no base URI can be determined within the content, the next location to search is any encapsulating entity (RFC3986 Section 5.1.2). -This is common for Schema Objects encapsulated within an OpenAPI Document. -An example of an OpenAPI Document itself being encapsulated in another entity would be a `multipart/related` archive ([[?RFC2557]]), such as the following `multipart/related; boundary="boundary-example"; type="application/openapi+yaml"` document. -Note that this is purely an example, and support for such multipart documents or any other format that could encapsulate an OpenAPI Document is not a requirement of this specification. +This is common for Schema Objects encapsulated within an OpenAPI document. +An example of an OpenAPI Object itself being encapsulated in another entity would be a `multipart/related` archive ([[?RFC2557]]), such as the following `multipart/related; boundary="boundary-example"; type="application/openapi+yaml"` document. +Note that this is purely an example, and support for such multipart documents or any other format that could encapsulate an OpenAPI Object is not a requirement of this specification. RFC2557 was written to allow sending hyperlinked sets of documents as email attachments, in which case there would not be a retrieval URI for the multipart attachment (although the format could also be used in HTTP as well). @@ -5325,7 +5335,7 @@ Content-Location: https://example.com/api/docs.html ``` In this example, the URI for each part, which also serves as its base URI, comes from the part's `Content-Location` header as specified by RFC2557. -Since the Schema Object at `#/components/schemas/Foo` does not contain an `$id`, the reference in its subschema uses the OpenAPI Document's base URI, which is taken from the `Content-Location` header of its part within the `multipart/related` format. +Since the Schema Object at `#/components/schemas/Foo` does not contain an `$id`, the reference in its subschema uses the OpenAPI document's base URI, which is taken from the `Content-Location` header of its part within the `multipart/related` format. The resulting reference to `https://example.com/schemas/bar` matches the `Content-Location` header of the second part, which according to RFC2557 allows the reference target to be located within the multipart archive. Similarly, the `url` field of the [External Documentation Object](#external-documentation-object) is resolved against the base URI from `Content-Location`, producing `https://example.com/api/docs.html` which matches the `Content-Location` of the third part. @@ -5363,12 +5373,12 @@ Assume this document was retrieved from `https://example.com/api/schemas/foo`: } ``` -Resolving the `$ref: schemas/foo` against the retrieval URI of the OpenAPI Document produces `https://example.com/api/schemas/foo`, the retrieval URI of the JSON Schema document. +Resolving the `$ref: schemas/foo` against the retrieval URI of the OpenAPI document produces `https://example.com/api/schemas/foo`, the retrieval URI of the JSON Schema document. ### Application-Specific Default Base URI -When constructing an OpenAPI Document in memory that does not have a `$self`, or an encapsulating entity, or a retrieval URI, applications can resolve internal (fragment-only) references by assuming a default base URI (RFC3986 Section 5.1.4). -While this sort of internal resolution an be performed in practice without choosing a base URI, choosing one, such as a URN with a randomly generated UUID (e.g. `urn:uuid:f26cdaad-3193-4398-a838-4ecb7326c4c5`) avoids the need to implement it as a special case. +When constructing an OpenAPI document in memory that does not have a `$self`, or an encapsulating entity, or a retrieval URI, applications can resolve internal (fragment-only) references by assuming a default base URI (RFC3986 Section 5.1.4). +While this sort of internal resolution can be performed in practice without choosing a base URI, choosing one, such as a URN with a randomly generated UUID (e.g. `urn:uuid:f26cdaad-3193-4398-a838-4ecb7326c4c5`) avoids the need to implement it as a special case. ### Resolving Relative `$self` and `$id` @@ -5427,6 +5437,9 @@ Implementations MAY support complete-document parsing in any of the following wa * Detecting OpenAPI or JSON Schema documents using media types * Detecting OpenAPI documents through the root `openapi` field * Detecting JSON Schema documents through detecting keywords or otherwise successfully parsing the document in accordance with the JSON Schema specification + +Additional mechanisms can be used to support documents with Objects other than an OpenAPI Object or a Schema Object at the root, but note that the resulting behavior is implementation-defined: + * Detecting a document containing a referenceable Object at its root based on the expected type of the reference * Allowing users to configure the type of documents that might be loaded due to a reference to a non-root Object @@ -5434,7 +5447,7 @@ Implementations MAY support complete-document parsing in any of the following wa Implementations that parse referenced fragments of OpenAPI content without regard for the content of the rest of the containing document will miss keywords that change the meaning and behavior of the reference target. In particular, failing to take into account keywords that change the base URI introduces security risks by causing references to resolve to unintended URIs, with unpredictable results. -While some implementations support this sort of parsing due to the requirements of past versions of this specification, in version 3.1, the result of parsing fragments in isolation is _undefined_ and likely to contradict the requirements of this specification. +While some implementations support this sort of parsing due to the requirements of past versions of this specification, in version 3.1 and later, the result of parsing fragments in isolation is _undefined_ and likely to contradict the requirements of this specification. While it is possible to structure certain OpenAPI Descriptions to ensure that they will behave correctly when references are parsed as isolated fragments, depending on this is NOT RECOMMENDED. This specification does not explicitly enumerate the conditions under which such behavior is safe and provides no guarantee for continued safety in any future versions of the OAS. @@ -5444,13 +5457,15 @@ This specification does not explicitly enumerate the conditions under which such JSON or YAML objects within an OAD are interpreted as specific Objects (such as [Operation Objects](#operation-object), [Response Objects](#response-object), [Reference Objects](#reference-object), etc.) based on their context. Depending on how references are arranged, a given JSON or YAML object can be interpreted in multiple different contexts: * As the root object of the [entry document](#openapi-description-structure), which is always interpreted as an OpenAPI Object -* As the Object type implied by its parent Object within the document +* As the Object type implied by its parent Object's field within the document * As a reference target, with the Object type matching the reference source's context If the same JSON/YAML object is parsed multiple times and the respective contexts require it to be parsed as _different_ Object types, the resulting behavior is _implementation defined_, and MAY be treated as an error if detected. An example would be referencing an empty Schema Object under `#/components/schemas` where a Path Item Object is expected, as an empty object is valid for both types. For maximum interoperability, it is RECOMMENDED that OpenAPI Description authors avoid such scenarios. ### Guidance Regarding Implicit Connections +The following Objects and Fields involve the use of implicit connections: + | Source | Target | Alternative | | ---- | ---- | ---- | | [Security Requirement Object](#security-requirement-object) `{name}` | [Security Scheme Object](#security-scheme-object) name under the [Components Object](#components-object) | _n/a_ | @@ -5458,11 +5473,8 @@ If the same JSON/YAML object is parsed multiple times and the respective context | [Operation Object](#operation-object) `tags` | [Tag Object](#tag-object) `name` (in the [OpenAPI Object](#openapi-object)'s `tags` array) | _n/a_ | | [Link Object](#link-object) `operationId` | [Operation Object](#operation-object) `operationId` | `operationRef` | -A fifth implicit connection involves appending the templated URL paths of the [Paths Object](#paths-object) to the appropriate [Server Object](#server-object)'s `url` field. -This is unambiguous because only the entry document's Paths Object contributes URLs to the described API. - -It is RECOMMENDED to consider all Operation Objects from all parsed documents when resolving any Link Object `operationId`. -This requires parsing all referenced documents prior to determining an `operationId` to be unresolvable. +An additional implicit connection involves appending the templated URL paths of the [Paths Object](#paths-object) to the appropriate [Server Object](#server-object)'s `url` field. +This connection is unambiguous because only the entry document's Paths Object contributes URLs to the described API. The implicit connections in the Security Requirement Object and Discriminator Object rely on the _component name_, which is the name of the property holding the component in the appropriately typed sub-object of the Components Object. For example, the component name of the Schema Object at `#/components/schemas/Foo` is `Foo`. @@ -5470,18 +5482,17 @@ The implicit connection of `tags` in the Operation Object uses the `name` field This means resolving component names and tag names both depend on starting from the correct OpenAPI Object. For resolving component and tag name connections from a referenced (non-entry) document, it is RECOMMENDED that tools resolve from the entry document, rather than the current document. -This allows Security Scheme Objects and Tag Objects to be defined next to the API's deployment information (the top-level array of Server Objects), and treated as an interface for referenced documents to access. +Resolving component and tag name connections from a referenced (non-entry) document to the entry document as recommended under [Resolving Implicit Connections](#resolving-implicit-connections) allows components and Tag Objects to be defined next to the API's deployment information in the top-level array of Server Objects and treated as an interface for referenced documents to access. -The interface approach can also work for Discriminator Objects and Schema Objects, but it is also possible to keep the Discriminator Object's behavior within a single document using the relative URI-reference syntax of `mapping`. +For Security Requirement Objects and Discriminator Objects, it is also possible to keep the resolution within the referenced document by using the URI-reference form that these Objects offer. There are no URI-based alternatives for the Operation Object's `tags` field. OAD authors are advised to use external solutions such as the OpenAPI Initiative's Overlay Specification to simulate sharing [Tag Objects](#tag-object) across multiple documents. -The behavior for Discriminator Object non-URI mappings and for the Operation Object's `tags` field operate on the same principles. - #### Implicit Connection Resolution Examples -This appendix shows how to retrieve an HTTP-accessible multi-document OpenAPI Description (OAD) and resolve a [Security Requirement Object](#security-requirement-object) in the referenced (non-entry) document. See [Resolving Implicit Connections](#resolving-implicit-connections) for more information. +This section shows how to retrieve an HTTP-accessible multi-document OpenAPI Description (OAD) and resolve a [Security Requirement Object](#security-requirement-object) in the referenced (non-entry) document. +The behavior for Discriminator Object non-URI mappings and for the Operation Object's `tags` field operate on the same principles. First, the [entry document](#openapi-description-structure) is where parsing begins. It defines the `MySecurity` security scheme to be JWT-based, and it defines a Path Item as a reference to a component in another document: @@ -5573,4 +5584,4 @@ components: - MySecurity: [] ``` -In the `other` document, the referenced path item has a Security Requirement for a Security Scheme, `MySecurity`. The same Security Scheme exists in the original entry document. As outlined in [Resolving Implicit Connections](#resolving-implicit-connections), `MySecurity` is resolved with an [implementation-defined behavior](#undefined-and-implementation-defined-behavior). However, documented in that section, it is RECOMMENDED that tools resolve component names from the [entry document](#openapi-description-structure). As with all implementation-defined behavior, it is important to check tool documentation to determine which behavior is supported. +In the `other` document, the referenced path item has a Security Requirement for a Security Scheme, `MySecurity`. The same Security Scheme exists in the original entry document. As outlined in [Resolving Implicit Connections](#resolving-implicit-connections), `MySecurity` is resolved with an [implementation-defined behavior](#undefined-and-implementation-defined-behavior), but the section formally recommends that tools resolve component names from the [entry document](#openapi-description-structure). As with all implementation-defined behavior, it is important to check tool documentation to determine which behavior is supported. From 4c6fcd2705371787cd1480a77868544e25efebfd Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Mon, 8 Sep 2025 08:31:33 -0700 Subject: [PATCH 306/342] Fix spelling Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 09985b6de3..0a6cf1d2de 100644 --- a/src/oas.md +++ b/src/oas.md @@ -114,7 +114,7 @@ Implementations MAY choose to support referencing by other URIs such as the retr #### OpenAPI Description Structure An **OpenAPI Description** (**OAD**) formally describes the surface of an API and its semantics. -An OAD MAY be made up of a single document, or be distributed across multiple documents that are connected by varoius fields using [URI references](#relative-references-in-api-description-uris) and [implicit connections](#resolving implicit connections). +An OAD MAY be made up of a single document, or be distributed across multiple documents that are connected by various fields using [URI references](#relative-references-in-api-description-uris) and [implicit connections](#resolving implicit connections). In order for parsing behavior to be well-defined, all documents in an OAD MUST have either an OpenAPI Object or a Schema Object at the root, and MUST be parsed as complete documents, as described in the next section. From 33c67196cf736cf07042886a106becbd102dff6f Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 8 Sep 2025 08:37:54 -0700 Subject: [PATCH 307/342] Fix openapi field's description of version field --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 0a6cf1d2de..6769de60bf 100644 --- a/src/oas.md +++ b/src/oas.md @@ -94,7 +94,7 @@ In addition to the required fields, at least one of the `components`, `paths`, o | Field Name | Type | Description | | ---- | :----: | ---- | -| openapi | `string` | **REQUIRED**. This string MUST be the [version number](#versions-and-deprecation) of the OpenAPI Specification that the OpenAPI document uses. The `openapi` field SHOULD be used by tooling to interpret the OpenAPI document. This is _not_ related to the API [`info.version`](#info-version) string. | +| openapi | `string` | **REQUIRED**. This string MUST be the [version number](#versions-and-deprecation) of the OpenAPI Specification that the OpenAPI document uses. The `openapi` field SHOULD be used by tooling to interpret the OpenAPI document. This is _not_ related to the [`info.version`](#info-version) string, which describes the OpenAPI document's version. | | $self | `string` | This string MUST be in the form of a URI-reference as defined by [[RFC3986]] [Section 4.1](https://www.rfc-editor.org/rfc/rfc3986#section-4.1). The `$self` field provides the self-assigned URI of this document, which also serves as its base URI in accordance with [[RFC3986]] [Section 5.1.1](https://www.rfc-editor.org/rfc/rfc3986#section-5.1.1). Implementations MUST support identifying the targets of [API description URIs](#relative-references-in-api-description-uris) using the URI defined by this field when it is present. See [Establishing the Base URI](#establishing-the-base-uri) for the base URI behavior when `$self` is absent or relative, and see [Appendix F]((#appendix-f-examples-of-base-uri-determination-and-reference-resolution)) for examples of using `$self` to resolve references. | | info | [Info Object](#info-object) | **REQUIRED**. Provides metadata about the API. The metadata MAY be used by tooling as required. | | jsonSchemaDialect | `string` | The default value for the `$schema` keyword within [Schema Objects](#schema-object) contained within this OAS document. This MUST be in the form of a URI. | From b1eedf2b2ee915d12a863b60f5fc7cd2523e8ed4 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 8 Sep 2025 09:46:34 -0700 Subject: [PATCH 308/342] Wording feedback --- src/oas.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 6769de60bf..f7b626d28c 100644 --- a/src/oas.md +++ b/src/oas.md @@ -129,8 +129,9 @@ It is the responsibility of an embedding format to define how to parse embedded ##### Parsing Documents -Each document in an OAD MUST be fully parsed in order to locate possible reference targets, including the OpenAPI Object's [`$self`](#oas-self) field and the [Schema Object's](#schema-object) `$id`, `$anchor`, and `$dynamicAnchor` keywords. +Each document in an OAD MUST be fully parsed in order to locate possible reference targets. This includes the parsing requirements of [JSON Schema Specification Draft 2020-12](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-9), with appropriate modifications regarding base URIs as specified in [Relative References In URIs](#relative-references-in-api-description-uris). +Reference targets are defined by fields including the OpenAPI Object's [`$self`](#oas-self) field and the [Schema Object's](#schema-object) `$id`, `$anchor`, and `$dynamicAnchor` keywords. Implementations MUST NOT treat a reference as unresolvable before completely parsing all documents provided to the implementation as possible parts of the OAD. From 7926ee25284bd7d408057f850c843f58a111b4f5 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Fri, 12 Sep 2025 14:12:03 +0200 Subject: [PATCH 309/342] fix broken link --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index f7b626d28c..f98be1d7c4 100644 --- a/src/oas.md +++ b/src/oas.md @@ -114,7 +114,7 @@ Implementations MAY choose to support referencing by other URIs such as the retr #### OpenAPI Description Structure An **OpenAPI Description** (**OAD**) formally describes the surface of an API and its semantics. -An OAD MAY be made up of a single document, or be distributed across multiple documents that are connected by various fields using [URI references](#relative-references-in-api-description-uris) and [implicit connections](#resolving implicit connections). +An OAD MAY be made up of a single document, or be distributed across multiple documents that are connected by various fields using [URI references](#relative-references-in-api-description-uris) and [implicit connections](#resolving-implicit-connections). In order for parsing behavior to be well-defined, all documents in an OAD MUST have either an OpenAPI Object or a Schema Object at the root, and MUST be parsed as complete documents, as described in the next section. From 319871b97ae19b6d70b231804098bdd8f21b8165 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Fri, 12 Sep 2025 14:18:04 +0200 Subject: [PATCH 310/342] Consistent dashing for case sensitive We used both flavors, with and without dash. --- src/oas.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/oas.md b/src/oas.md index f7b626d28c..18ed4a9f12 100644 --- a/src/oas.md +++ b/src/oas.md @@ -64,7 +64,7 @@ OAD authors SHOULD NOT rely on any such JSON-incompatible YAML values. ### Case Sensitivity -As most field names and values in the OpenAPI Specification are case-sensitive, this document endeavors to call out any case-insensitive names and values. +As most field names and values in the OpenAPI Specification are case sensitive, this document endeavors to call out any case-insensitive names and values. However, the case sensitivity of field names and values that map directly to HTTP concepts follow the case sensitivity rules of HTTP, even if this document does not make a note of every concept. ### Rich Text Formatting @@ -677,7 +677,7 @@ Describes a single API operation on a path. | summary | `string` | A short summary of what the operation does. | | description | `string` | A verbose explanation of the operation behavior. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | externalDocs | [External Documentation Object](#external-documentation-object) | Additional external documentation for this operation. | -| operationId | `string` | Unique string used to identify the operation. The id MUST be unique among all operations described in the API. The operationId value is **case-sensitive**. Tools and libraries MAY use the operationId to uniquely identify an operation, therefore, it is RECOMMENDED to follow common programming naming conventions. | +| operationId | `string` | Unique string used to identify the operation. The id MUST be unique among all operations described in the API. The operationId value is **case sensitive**. Tools and libraries MAY use the operationId to uniquely identify an operation, therefore, it is RECOMMENDED to follow common programming naming conventions. | | parameters | [[Parameter Object](#parameter-object) \| [Reference Object](#reference-object)] | A list of parameters that are applicable for this operation. If a parameter is already defined at the [Path Item](#path-item-parameters), the new definition will override it but can never remove it. The list MUST NOT include duplicated parameters. A unique parameter is defined by a combination of a [name](#parameter-name) and [location](#parameter-in). The list can use the [Reference Object](#reference-object) to link to parameters that are defined in the [OpenAPI Object's `components.parameters`](#components-parameters). | | requestBody | [Request Body Object](#request-body-object) \| [Reference Object](#reference-object) | The request body applicable for this operation. The `requestBody` is fully supported in HTTP methods where the HTTP specification [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-9.3) has explicitly defined semantics for request bodies. In other cases where the HTTP spec discourages message content (such as [GET](https://www.rfc-editor.org/rfc/rfc9110.html#section-9.3.1) and [DELETE](https://www.rfc-editor.org/rfc/rfc9110.html#section-9.3.5)), `requestBody` is permitted but does not have well-defined semantics and SHOULD be avoided if possible. | | responses | [Responses Object](#responses-object) | The list of possible responses as they are returned from executing this operation. | @@ -2635,7 +2635,7 @@ The runtime expression is defined by the following [ABNF](https://tools.ietf.org Here, `json-pointer` is taken from [RFC6901](https://tools.ietf.org/html/rfc6901), `char` from [RFC8259](https://tools.ietf.org/html/rfc8259#section-7) and `token` from [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.6.2). -The `name` identifier is case-sensitive, whereas `token` is not. +The `name` identifier is case sensitive, whereas `token` is not. The table below provides examples of runtime expressions and examples of their use in a value: @@ -4559,7 +4559,7 @@ Please note that as of 2020, the implicit flow is about to be deprecated by [OAu | description | `string` | Any | A description for security scheme. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | name | `string` | `apiKey` | **REQUIRED**. The name of the header, query or cookie parameter to be used. | | in | `string` | `apiKey` | **REQUIRED**. The location of the API key. Valid values are `"query"`, `"header"`, or `"cookie"`. | -| scheme | `string` | `http` | **REQUIRED**. The name of the HTTP Authentication scheme to be used in the [Authorization header as defined in RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-16.4.1). The values used SHOULD be registered in the [IANA Authentication Scheme registry](https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml). The value is case-insensitive, as defined in [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-11.1). | +| scheme | `string` | `http` | **REQUIRED**. The name of the HTTP Authentication scheme to be used in the [Authorization header as defined in RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-16.4.1). The values used SHOULD be registered in the [IANA Authentication Scheme registry](https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml). The value is case insensitive, as defined in [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-11.1). | | bearerFormat | `string` | `http` (`"bearer"`) | A hint to the client to identify how the bearer token is formatted. Bearer tokens are usually generated by an authorization server, so this information is primarily for documentation purposes. | | flows | [OAuth Flows Object](#oauth-flows-object) | `oauth2` | **REQUIRED**. An object containing configuration information for the flow types supported. | | openIdConnectUrl | `string` | `openIdConnect` | **REQUIRED**. [Well-known URL](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig) to discover the [[OpenID-Connect-Discovery]] [provider metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). | From 07f11cbe8e4792ff7cd54802e841455567e47ef7 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Fri, 12 Sep 2025 14:31:21 +0200 Subject: [PATCH 311/342] Typo --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index f7b626d28c..a13bd547d5 100644 --- a/src/oas.md +++ b/src/oas.md @@ -142,7 +142,7 @@ If only the referenced part of the document is parsed when resolving a reference URIs used as references within an OpenAPI Description, or to external documentation or other supplementary information such as a license, are resolved as _identifiers_, and described by this specification as **_URIs_**, in contrast with [API URLs](#relative-references-in-api-urls). Note that some URI fields are named `url` for historical reasons, but the descriptive text for those fields uses the correct "URI" terminology. -As noted under [Parsing Documents](#parsing-documents), several fields can be used to associate an OpenAPI document or a Schema Object with a URI, which might not match the document or schema's location. +As noted under [Parsing Documents](#parsing-documents), several fields can be used to associate an OpenAPI document or a Schema Object with a URI, which might not match the document's or schema's location. This allows the same references to be used in different deployment environments, including local filesystems or networks restricted by security policies or connectivity limitations. Unless specified otherwise, all fields that are URIs MAY be relative references as defined by [[RFC3986]] [Section 4.2](https://tools.ietf.org/html/rfc3986#section-4.2). From c1076ff73254b35c9a8cad29067c1e2c7912a2bf Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Fri, 12 Sep 2025 14:38:30 +0200 Subject: [PATCH 312/342] Consistent dashes in URI reference --- src/oas.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/oas.md b/src/oas.md index f7b626d28c..707d5cabf2 100644 --- a/src/oas.md +++ b/src/oas.md @@ -95,7 +95,7 @@ In addition to the required fields, at least one of the `components`, `paths`, o | Field Name | Type | Description | | ---- | :----: | ---- | | openapi | `string` | **REQUIRED**. This string MUST be the [version number](#versions-and-deprecation) of the OpenAPI Specification that the OpenAPI document uses. The `openapi` field SHOULD be used by tooling to interpret the OpenAPI document. This is _not_ related to the [`info.version`](#info-version) string, which describes the OpenAPI document's version. | -| $self | `string` | This string MUST be in the form of a URI-reference as defined by [[RFC3986]] [Section 4.1](https://www.rfc-editor.org/rfc/rfc3986#section-4.1). The `$self` field provides the self-assigned URI of this document, which also serves as its base URI in accordance with [[RFC3986]] [Section 5.1.1](https://www.rfc-editor.org/rfc/rfc3986#section-5.1.1). Implementations MUST support identifying the targets of [API description URIs](#relative-references-in-api-description-uris) using the URI defined by this field when it is present. See [Establishing the Base URI](#establishing-the-base-uri) for the base URI behavior when `$self` is absent or relative, and see [Appendix F]((#appendix-f-examples-of-base-uri-determination-and-reference-resolution)) for examples of using `$self` to resolve references. | +| $self | `string` | This string MUST be in the form of a URI reference as defined by [[RFC3986]] [Section 4.1](https://www.rfc-editor.org/rfc/rfc3986#section-4.1). The `$self` field provides the self-assigned URI of this document, which also serves as its base URI in accordance with [[RFC3986]] [Section 5.1.1](https://www.rfc-editor.org/rfc/rfc3986#section-5.1.1). Implementations MUST support identifying the targets of [API description URIs](#relative-references-in-api-description-uris) using the URI defined by this field when it is present. See [Establishing the Base URI](#establishing-the-base-uri) for the base URI behavior when `$self` is absent or relative, and see [Appendix F]((#appendix-f-examples-of-base-uri-determination-and-reference-resolution)) for examples of using `$self` to resolve references. | | info | [Info Object](#info-object) | **REQUIRED**. Provides metadata about the API. The metadata MAY be used by tooling as required. | | jsonSchemaDialect | `string` | The default value for the `$schema` keyword within [Schema Objects](#schema-object) contained within this OAS document. This MUST be in the form of a URI. | | servers | [[Server Object](#server-object)] | An array of Server Objects, which provide connectivity information to a target server. If the `servers` field is not provided, or is an empty array, the default value would be an array consisting of a single [Server Object](#server-object) with a [url](#server-url) value of `/`. | @@ -151,7 +151,7 @@ Unless specified otherwise, all fields that are URIs MAY be relative references Relative URI references are resolved using the appropriate base URI, which MUST be determined in accordance with [[RFC3986]] [Section 5.1.1 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.1) and, for Schema objects, [JSON Schema draft 2020-12 Section 8.2](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-8.2), as illustrated by the examples in [Appendix F: Examples of Base URI Determination and Reference Resolution](#appendix-f-examples-of-base-uri-determination-and-reference-resolution). -If `$self` is a relative URI-reference, it is resolved against the next possible base URI source ([[RFC3986]] [Section 5.1.2 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.2)) before being used for the resolution of other relative URI-references. +If `$self` is a relative URI reference, it is resolved against the next possible base URI source ([[RFC3986]] [Section 5.1.2 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.2)) before being used for the resolution of other relative URI references. The most common base URI source that is used in the event of a missing or relative `$self` (in the [OpenAPI Object](#openapi-object)) and (for [Schema Object](#schema-object)) `$id` is the retrieval URI. Implementations MAY support document retrieval, although see the [Security Considerations](#security-considerations) sections for additional guidance. @@ -2578,10 +2578,10 @@ solely by the existence of a relationship. ##### `operationRef` Examples -As the `operationId` is an optional field in an [Operation Object](#operation-object), references MAY instead be made through a URI-reference with `operationRef`. +As the `operationId` is an optional field in an [Operation Object](#operation-object), references MAY instead be made through a URI reference with `operationRef`. Note that both of these examples reference operations that can be identified via the [Paths Object](#paths-object) to ensure that the operation's path template is unambiguous. -A relative URI-reference `operationRef`: +A relative URI reference `operationRef`: ```yaml links: @@ -5383,7 +5383,7 @@ While this sort of internal resolution can be performed in practice without choo ### Resolving Relative `$self` and `$id` -Let's re-consider the first example in this appendix, but with relative URI-references for `$self` and `$id`, and retrieval URIs that support that relative usage: +Let's re-consider the first example in this appendix, but with relative URI references for `$self` and `$id`, and retrieval URIs that support that relative usage: Assume that the following is retrieved from `https://staging.example.com/api/openapi`: @@ -5427,7 +5427,7 @@ components: type: string ``` -In this example, all of the `$self` and `$id` values are relative URI-references consisting of an absolute path. +In this example, all of the `$self` and `$id` values are relative URI references consisting of an absolute path. This allows the retrieval URI to set the host (and scheme), in this case `https://staging.example.com`, resulting in the first document's `$self` being `https://staging.example.com/openapi`, and the second document's `$self` being `https://staging.example.com/api/shared/foo`, with `$id` values of `https://staging.example.com/api/schemas/foo` and `https://staging.example.com/api/schemas/bar`. Relative `$self` and `$id` values of this sort allow the same set of documents to work when deployed to other hosts, e.g. `https://example.com` (production) or `https://localhost:8080` (local development). From 31eef03f3e8d0e63c9d6e15aae965a37435ec685 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Fri, 12 Sep 2025 14:45:19 +0200 Subject: [PATCH 313/342] Consistent use of "JSON Pointer" --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index f7b626d28c..5f145ec2c8 100644 --- a/src/oas.md +++ b/src/oas.md @@ -160,7 +160,7 @@ Therefore, all implementations SHOULD allow users to provide documents with thei ###### Resolving URI fragments -If a URI contains a fragment identifier, then the fragment should be resolved per the fragment resolution mechanism of the referenced document. If the representation of the referenced document is JSON or YAML, then the fragment identifier SHOULD be interpreted as a JSON-Pointer as per [RFC6901](https://tools.ietf.org/html/rfc6901). +If a URI contains a fragment identifier, then the fragment should be resolved per the fragment resolution mechanism of the referenced document. If the representation of the referenced document is JSON or YAML, then the fragment identifier SHOULD be interpreted as a JSON Pointer as per [RFC6901](https://tools.ietf.org/html/rfc6901). ###### Relative URI References in CommonMark Fields From 27432d7310a6bf19950e6bc0f062231556b59e4a Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Fri, 12 Sep 2025 15:21:29 +0200 Subject: [PATCH 314/342] Remove unnecessary sentence --- src/oas.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index f7b626d28c..e2c7797842 100644 --- a/src/oas.md +++ b/src/oas.md @@ -893,8 +893,6 @@ For headers, the header name MUST NOT be included as part of the serialization, However, names produced by `style: "simple", explode: "true"` are included as they appear within the header value, not as separate headers. See the [Header Object](#header-object) for special rules for showing examples of the `Set-Cookie` response header, which violates the normal rules for multiple header values. -The following section illustrates these rules. - #### Style Examples Assume a parameter named `color` has one of the following values, where the value to the right of the `->` is what would be shown in the `dataValue` field of an Example Object: From af2c85d74215610f83f0c8b3f0d250f9b38eb7ea Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Fri, 12 Sep 2025 15:42:59 +0200 Subject: [PATCH 315/342] Consistent formatting --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index f7b626d28c..1c53dc88e4 100644 --- a/src/oas.md +++ b/src/oas.md @@ -910,7 +910,7 @@ The following table shows serialized examples, as would be shown with the `seria * The value _empty_ denotes the empty string, and is unrelated to the `allowEmptyValue` field. * The behavior of combinations marked _n/a_ is undefined. * The `undefined` column replaces the `empty` column in previous versions of this specification in order to better align with [RFC6570](https://www.rfc-editor.org/rfc/rfc6570.html#section-2.3) terminology, which describes certain values including but not limited to `null` as "undefined" values with special handling; notably, the empty string is _not_ undefined. -* For `form` and the non-RFC6570 query string styles `spaceDelimited`, `pipeDelimited`, and `deepObject`, see [Appendix C](#appendix-c-using-rfc6570-based-serialization) for more information on constructing query strings from multiple parameters, and [Appendix D](#appendix-d-serializing-headers-and-cookies) for warnings regarding `form` and cookie parameters. +* For `form` and the non-RFC6570 query string styles `spaceDelimited`, `pipeDelimited`, and `deepObject`, see [Appendix C](#appendix-c-using-rfc6570-based-serialization) for more information on constructing query strings from multiple parameters, and [Appendix D](#appendix-d-serializing-headers-and-cookies) for warnings regarding `form` and `cookie` parameters. * The examples are percent-encoded as explained in the [URL Percent-Encoding](#url-percent-encoding) section above; see [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a thorough discussion of percent-encoding concerns, including why unencoded `|` (`%7C`), `[` (`%5B`), and `]` (`%5D`) seem to work in some environments despite not being compliant. | [`style`](#style-values) | `explode` | `undefined` | `string` | `array` | `object` | From 46366ec1e2a8318cdb6415b5b8bff021055239dd Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Fri, 12 Sep 2025 15:54:32 +0200 Subject: [PATCH 316/342] Add informative reference to JSONPath --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index f7b626d28c..c6e96645dd 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1174,7 +1174,7 @@ Assuming a path of `/foo`, a server of `https://example.com`, the full URL incor https://example.com/foo?%7B%22numbers%22%3A%5B1%2C2%5D%2C%22flag%22%3Anull%7D ``` -A querystring parameter that uses JSONPath. +A querystring parameter that uses [[?RFC9535|JSONPath]]. Note that in this example we not only do not repeat `dataValue`, but we use the shorthand `example` because the `application/jsonpath` value is a string that, at the media type level, is serialized as-is: ```yaml From 628f1e8c2f19e4521d7d6d74c1b16c1ab05752f8 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Fri, 12 Sep 2025 16:16:53 +0200 Subject: [PATCH 317/342] Informative reference to HTML Standard --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index f7b626d28c..b1afd8091e 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1338,7 +1338,7 @@ Some users of `text/event-stream` use a format such as JSON for field values, pa Use JSON Schema's keywords for working with the [contents of string-encoded data](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#name-a-vocabulary-for-the-conten), particularly `contentMediaType` and `contentSchema`, to describe and validate such fields with more detail than string-related validation keywords such as `pattern` can support. Note that `contentSchema` is [not automatically validated by default](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#name-implementation-requirements-2) (see also the [Non-validating constraint keywords](#non-validating-constraint-keywords) section of this specification). -The following Schema Object is a generic schema for the `text/event-stream` media type as documented by the HTML specification as of the time of this writing: +The following Schema Object is a generic schema for the `text/event-stream` media type as documented by the [[?HTML]] specification as of the time of this writing: ```yaml type: object From 7cc727afd2268f42067c8fa7a91c9efbafe02945 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Fri, 12 Sep 2025 16:20:03 +0200 Subject: [PATCH 318/342] Misspelled anchor --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index f7b626d28c..799d3f87f9 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1358,7 +1358,7 @@ properties: #### Encoding Usage and Restrictions -These encoding fields define how to map each [Encoding Object](#encoding object) to a specific value in the data. +These encoding fields define how to map each [Encoding Object](#encoding-object) to a specific value in the data. Each field has its own set of media types with which it can be used; for all other media types all three fields SHALL be ignored. ##### Encoding By Name From 7244caa4ab4be8099461ae93c02609659972c8f6 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Fri, 12 Sep 2025 16:31:59 +0200 Subject: [PATCH 319/342] Use current section header as link text --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index f7b626d28c..0f9a128681 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1571,7 +1571,7 @@ Our `application/json-seq` example has to be an external document because of the ##### Server-Sent Event Streams -For this example, assume that the generic event schema provided in the [Special Considerations for `text/event-stream` Content](#special-considerations-for-server-sent-events) section is available at `#/components/schemas/Event`: +For this example, assume that the generic event schema provided in the [Special Considerations for Server-Sent Events](#special-considerations-for-server-sent-events) section is available at `#/components/schemas/Event`: ```yaml description: A request body to add a stream of typed data. From 5d5d9a5bc8363b24a91d8311d50f931146e87b98 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Fri, 12 Sep 2025 16:52:52 +0200 Subject: [PATCH 320/342] Remove irritating comma --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index f7b626d28c..6ed4c620df 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2331,7 +2331,7 @@ The various fields and types of examples are explained in more detail under [Wor | description | `string` | Long description for the example. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | dataValue | Any | An example of the data structure that MUST be valid according to the relevant [Schema Object](#schema-object). If this field is present, `value` MUST be absent. | | serializedValue | `string` | An example of the serialized form of the value, including encoding and escaping as described under [Validating Examples](#validating-examples). If `dataValue` is present, then this field SHOULD contain the serialization of the given data. Otherwise, it SHOULD be the valid serialization of a data value that itself MUST be valid as described for `dataValue`. This field SHOULD NOT be used if the serialization format is JSON, as the data form is easier to work with. If this field is present, `value`, and `externalValue` MUST be absent. | -| externalValue | `string` | A URI that identifies the serialized example in a separate document, allowing for values not easily or readably expressed as a Unicode string. If `dataValue` is present, then this field SHOULD identify a serialization of the given data. Otherwise, the value SHOULD be the valid serialization of a data value that itself MUST be valid as described for `dataValue`. If this field is present, `serializedValue`, and `value` MUST be absent. See also the rules for resolving [Relative References](#relative-references-in-api-description-uris). | +| externalValue | `string` | A URI that identifies the serialized example in a separate document, allowing for values not easily or readably expressed as a Unicode string. If `dataValue` is present, then this field SHOULD identify a serialization of the given data. Otherwise, the value SHOULD be the valid serialization of a data value that itself MUST be valid as described for `dataValue`. If this field is present, `serializedValue` and `value` MUST be absent. See also the rules for resolving [Relative References](#relative-references-in-api-description-uris). | | value | Any | Embedded literal example. The `value` field and `externalValue` field are mutually exclusive. To represent examples of media types that cannot naturally be represented in JSON or YAML, use a string value to contain the example, escaping where necessary.

**Deprecated for non-JSON serialization targets:** Use `dataValue` and/or `serializedValue`, which both have unambiguous syntax and semantics, instead. | This object MAY be extended with [Specification Extensions](#specification-extensions). From 942cf8c989263868b43cf33e4aa1dba61b25879e Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Fri, 12 Sep 2025 17:56:32 +0200 Subject: [PATCH 321/342] base uri: reference RFC3986 --- src/oas.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/oas.md b/src/oas.md index f7b626d28c..9a3e168ae5 100644 --- a/src/oas.md +++ b/src/oas.md @@ -5222,7 +5222,7 @@ This section shows each of the four possible sources of base URIs, followed by a ### Base URI Within Content -A base URI within the resource's content (RFC3986 Section 5.1.1) is the highest-precedence source of a base URI. +A base URI within the resource's content ([RFC3986](https://tools.ietf.org/html/rfc3986#section-5.1.1)) is the highest-precedence source of a base URI. For OpenAPI documents, this source is the OpenAPI Object's `$self` field, while for Schema Objects that contain a `$id`, or are a subschema of a Schema Object containing a `$id`, the source is the `$id` field: Assume the retrieval URI of the following document is `file://home/someone/src/api/openapi.yaml`: @@ -5282,7 +5282,7 @@ Note also that it is impossible for the reference at `#/components/schemas/Foo/p ### Base URI From Encapsulating Entity -If no base URI can be determined within the content, the next location to search is any encapsulating entity (RFC3986 Section 5.1.2). +If no base URI can be determined within the content, the next location to search is any encapsulating entity ([RFC3986](https://tools.ietf.org/html/rfc3986#section-5.1.2)). This is common for Schema Objects encapsulated within an OpenAPI document. An example of an OpenAPI Object itself being encapsulated in another entity would be a `multipart/related` archive ([[?RFC2557]]), such as the following `multipart/related; boundary="boundary-example"; type="application/openapi+yaml"` document. @@ -5343,7 +5343,7 @@ Similarly, the `url` field of the [External Documentation Object](#external-docu ### Base URI From the Retrieval URI -If no base URI is provided from either of the previous sources, the next source is the retrieval URI (RFC 3986 Section 5.1.3). +If no base URI is provided from either of the previous sources, the next source is the retrieval URI ([RFC3986](https://tools.ietf.org/html/rfc3986#section-5.1.3)). Assume this document was retrieved from `https://example.com/api/openapis.yaml`: @@ -5378,7 +5378,7 @@ Resolving the `$ref: schemas/foo` against the retrieval URI of the OpenAPI docum ### Application-Specific Default Base URI -When constructing an OpenAPI document in memory that does not have a `$self`, or an encapsulating entity, or a retrieval URI, applications can resolve internal (fragment-only) references by assuming a default base URI (RFC3986 Section 5.1.4). +When constructing an OpenAPI document in memory that does not have a `$self`, or an encapsulating entity, or a retrieval URI, applications can resolve internal (fragment-only) references by assuming a default base URI ([RFC3986](https://tools.ietf.org/html/rfc3986#section-5.1.4)). While this sort of internal resolution can be performed in practice without choosing a base URI, choosing one, such as a URN with a randomly generated UUID (e.g. `urn:uuid:f26cdaad-3193-4398-a838-4ecb7326c4c5`) avoids the need to implement it as a special case. ### Resolving Relative `$self` and `$id` From 57c9da5f28566b808eaa758356bf4dfe86a8ab8d Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Mon, 15 Sep 2025 10:35:03 +0200 Subject: [PATCH 322/342] Switch to dashed variant everywhere --- src/oas.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/src/oas.md b/src/oas.md index 18ed4a9f12..e6954c609b 100644 --- a/src/oas.md +++ b/src/oas.md @@ -46,8 +46,8 @@ Unlike undefined behavior, it is safe to rely on implementation-defined behavior An OpenAPI document that conforms to the OpenAPI Specification is itself a JSON object, which may be represented either in [[RFC8259|JSON]] or [[YAML|YAML]] format. Examples in this specification will be shown in YAML for brevity. -All field names in the specification are **case sensitive**. -This includes all fields that are used as keys in a map, except where explicitly noted that keys are **case insensitive**. +All field names in the specification are **case-sensitive**. +This includes all fields that are used as keys in a map, except where explicitly noted that keys are **case-insensitive**. OAS [Objects](#objects-and-fields) expose two types of fields: _fixed fields_, which have a declared name, and _patterned fields_, which have a declared pattern for the field name. @@ -62,10 +62,10 @@ In order to preserve the ability to round-trip between YAML and JSON formats, YA The recommendation in previous versions of this specification to restrict YAML to its "JSON" [schema ruleset](https://yaml.org/spec/1.2/spec.html#id2803231) allowed for the inclusion of certain values that (despite the name) cannot be represented in JSON. OAD authors SHOULD NOT rely on any such JSON-incompatible YAML values. -### Case Sensitivity +### Case-Sensitivity -As most field names and values in the OpenAPI Specification are case sensitive, this document endeavors to call out any case-insensitive names and values. -However, the case sensitivity of field names and values that map directly to HTTP concepts follow the case sensitivity rules of HTTP, even if this document does not make a note of every concept. +As most field names and values in the OpenAPI Specification are case-sensitive, this document endeavors to call out any case-insensitive names and values. +However, the case-sensitivity of field names and values that map directly to HTTP concepts follow the case-sensitivity rules of HTTP, even if this document does not make a note of every concept. ### Rich Text Formatting @@ -677,7 +677,7 @@ Describes a single API operation on a path. | summary | `string` | A short summary of what the operation does. | | description | `string` | A verbose explanation of the operation behavior. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | externalDocs | [External Documentation Object](#external-documentation-object) | Additional external documentation for this operation. | -| operationId | `string` | Unique string used to identify the operation. The id MUST be unique among all operations described in the API. The operationId value is **case sensitive**. Tools and libraries MAY use the operationId to uniquely identify an operation, therefore, it is RECOMMENDED to follow common programming naming conventions. | +| operationId | `string` | Unique string used to identify the operation. The id MUST be unique among all operations described in the API. The operationId value is **case-sensitive**. Tools and libraries MAY use the operationId to uniquely identify an operation, therefore, it is RECOMMENDED to follow common programming naming conventions. | | parameters | [[Parameter Object](#parameter-object) \| [Reference Object](#reference-object)] | A list of parameters that are applicable for this operation. If a parameter is already defined at the [Path Item](#path-item-parameters), the new definition will override it but can never remove it. The list MUST NOT include duplicated parameters. A unique parameter is defined by a combination of a [name](#parameter-name) and [location](#parameter-in). The list can use the [Reference Object](#reference-object) to link to parameters that are defined in the [OpenAPI Object's `components.parameters`](#components-parameters). | | requestBody | [Request Body Object](#request-body-object) \| [Reference Object](#reference-object) | The request body applicable for this operation. The `requestBody` is fully supported in HTTP methods where the HTTP specification [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-9.3) has explicitly defined semantics for request bodies. In other cases where the HTTP spec discourages message content (such as [GET](https://www.rfc-editor.org/rfc/rfc9110.html#section-9.3.1) and [DELETE](https://www.rfc-editor.org/rfc/rfc9110.html#section-9.3.5)), `requestBody` is permitted but does not have well-defined semantics and SHOULD be avoided if possible. | | responses | [Responses Object](#responses-object) | The list of possible responses as they are returned from executing this operation. | @@ -768,7 +768,7 @@ There are five possible parameter locations specified by the `in` field: * path - Used together with [Path Templating](#path-templating), where the parameter value is actually part of the operation's URL. This does not include the host or base path of the API. For example, in `/items/{itemId}`, the path parameter is `itemId`. * query - Parameters that are appended to the URL. For example, in `/items?id=###`, the query parameter is `id`; MUST NOT appear in the same operation as an `in: "querystring"` parameter. * querystring - A parameter that treats the entire URL query string as a value which MUST be specified using the `content` field, most often with media type `application/x-www-form-urlencoded` using [Encoding Objects](#encoding-object) in the same way as with request bodies of that media type; MUST NOT appear more than once, and MUST NOT appear in the same operation as any `in: "query"` parameters. -* header - Custom headers that are expected as part of the request. Note that [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.1) states header names are case insensitive. +* header - Custom headers that are expected as part of the request. Note that [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.1) states header names are case-insensitive. * cookie - Used to pass a specific cookie value to the API. #### Fixed Fields @@ -785,7 +785,7 @@ The `example` and `examples` fields are mutually exclusive; see [Working with Ex | Field Name | Type | Description | | ---- | :----: | ---- | -| name | `string` | **REQUIRED**. The name of the parameter. Parameter names are _case sensitive_.
  • If [`in`](#parameter-in) is `"path"`, the `name` field MUST correspond to a single template expression occurring within the [path](#paths-path) field in the [Paths Object](#paths-object). See [Path Templating](#path-templating) for further information.
  • If [`in`](#parameter-in) is `"header"` and the `name` field is `"Accept"`, `"Content-Type"` or `"Authorization"`, the parameter definition SHALL be ignored.
  • If `in` is `"querystring"`, or for [certain combinations](#style-examples) of [`style`](#parameter-style) and [`explode`](#parameter-explode), the value of `name` is not used in the parameter serialization.
  • For all other cases, the `name` corresponds to the parameter name used by the [`in`](#parameter-in) field.
| +| name | `string` | **REQUIRED**. The name of the parameter. Parameter names are _case-sensitive_.
  • If [`in`](#parameter-in) is `"path"`, the `name` field MUST correspond to a single template expression occurring within the [path](#paths-path) field in the [Paths Object](#paths-object). See [Path Templating](#path-templating) for further information.
  • If [`in`](#parameter-in) is `"header"` and the `name` field is `"Accept"`, `"Content-Type"` or `"Authorization"`, the parameter definition SHALL be ignored.
  • If `in` is `"querystring"`, or for [certain combinations](#style-examples) of [`style`](#parameter-style) and [`explode`](#parameter-explode), the value of `name` is not used in the parameter serialization.
  • For all other cases, the `name` corresponds to the parameter name used by the [`in`](#parameter-in) field.
| | in | `string` | **REQUIRED**. The location of the parameter. Possible values are `"query"`, `"querystring"`, `"header"`, `"path"` or `"cookie"`. | | description | `string` | A brief description of the parameter. This could contain examples of use. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | required | `boolean` | Determines whether this parameter is mandatory. If the [parameter location](#parameter-in) is `"path"`, this field is **REQUIRED** and its value MUST be `true`. Otherwise, the field MAY be included and its default value is `false`. | @@ -2159,7 +2159,7 @@ Describes a single response from an API operation, including design-time, static | ---- | :----: | ---- | | summary | `string` | A short summary of the meaning of the response. | | description | `string` | A description of the response. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | -| headers | Map[`string`, [Header Object](#header-object) \| [Reference Object](#reference-object)] | Maps a header name to its definition. [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.1) states header names are case insensitive. If a response header is defined with the name `"Content-Type"`, it SHALL be ignored. | +| headers | Map[`string`, [Header Object](#header-object) \| [Reference Object](#reference-object)] | Maps a header name to its definition. [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.1) states header names are case-insensitive. If a response header is defined with the name `"Content-Type"`, it SHALL be ignored. | | content | Map[`string`, [Media Type Object](#media-type-object) \| [Reference Object](#reference-object)] | A map containing descriptions of potential response payloads. The key is a media type or [media type range](https://www.rfc-editor.org/rfc/rfc9110.html#appendix-A) and the value describes it. For responses that match multiple keys, only the most specific key is applicable. e.g. `"text/plain"` overrides `"text/*"` | | links | Map[`string`, [Link Object](#link-object) \| [Reference Object](#reference-object)] | A map of operations links that can be followed from the response. The key of the map is a short name for the link, following the naming constraints of the names for [Component Objects](#components-object). | @@ -2635,7 +2635,7 @@ The runtime expression is defined by the following [ABNF](https://tools.ietf.org Here, `json-pointer` is taken from [RFC6901](https://tools.ietf.org/html/rfc6901), `char` from [RFC8259](https://tools.ietf.org/html/rfc8259#section-7) and `token` from [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.6.2). -The `name` identifier is case sensitive, whereas `token` is not. +The `name` identifier is case-sensitive, whereas `token` is not. The table below provides examples of runtime expressions and examples of their use in a value: @@ -4559,7 +4559,7 @@ Please note that as of 2020, the implicit flow is about to be deprecated by [OAu | description | `string` | Any | A description for security scheme. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | name | `string` | `apiKey` | **REQUIRED**. The name of the header, query or cookie parameter to be used. | | in | `string` | `apiKey` | **REQUIRED**. The location of the API key. Valid values are `"query"`, `"header"`, or `"cookie"`. | -| scheme | `string` | `http` | **REQUIRED**. The name of the HTTP Authentication scheme to be used in the [Authorization header as defined in RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-16.4.1). The values used SHOULD be registered in the [IANA Authentication Scheme registry](https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml). The value is case insensitive, as defined in [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-11.1). | +| scheme | `string` | `http` | **REQUIRED**. The name of the HTTP Authentication scheme to be used in the [Authorization header as defined in RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-16.4.1). The values used SHOULD be registered in the [IANA Authentication Scheme registry](https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml). The value is case-insensitive, as defined in [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-11.1). | | bearerFormat | `string` | `http` (`"bearer"`) | A hint to the client to identify how the bearer token is formatted. Bearer tokens are usually generated by an authorization server, so this information is primarily for documentation purposes. | | flows | [OAuth Flows Object](#oauth-flows-object) | `oauth2` | **REQUIRED**. An object containing configuration information for the flow types supported. | | openIdConnectUrl | `string` | `openIdConnect` | **REQUIRED**. [Well-known URL](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig) to discover the [[OpenID-Connect-Discovery]] [provider metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). | From 4e1877b2fa2bcd2bc66f44639db0fd30cb1e81e9 Mon Sep 17 00:00:00 2001 From: Karen Etheridge Date: Sun, 31 Aug 2025 16:00:23 -0700 Subject: [PATCH 323/342] pull out subschemas that do not need to be in an allOf --- src/schemas/validation/schema.yaml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 0717e2632f..aad593c73b 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -539,14 +539,14 @@ $defs: $ref: '#/$defs/encoding' itemEncoding: $ref: '#/$defs/encoding' + dependentSchemas: + encoding: + properties: + prefixEncoding: false + itemEncoding: false allOf: - $ref: '#/$defs/examples' - $ref: '#/$defs/specification-extensions' - - dependentSchemas: - encoding: - properties: - prefixEncoding: false - itemEncoding: false unevaluatedProperties: false media-type-or-reference: @@ -592,14 +592,14 @@ $defs: $ref: '#/$defs/encoding' itemEncoding: $ref: '#/$defs/encoding' + dependentSchemas: + encoding: + properties: + prefixEncoding: false + itemEncoding: false allOf: - $ref: '#/$defs/specification-extensions' - $ref: '#/$defs/styles-for-form' - - dependentSchemas: - encoding: - properties: - prefixEncoding: false - itemEncoding: false unevaluatedProperties: false responses: From 2773541eec70ee8d0a64832196f2bfb5508a1ffe Mon Sep 17 00:00:00 2001 From: Karen Etheridge Date: Thu, 4 Sep 2025 17:50:30 -0700 Subject: [PATCH 324/342] remove redundant $ref: examples are allowed in "content" now too --- src/schemas/validation/schema.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index aad593c73b..97c703036d 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -783,7 +783,6 @@ $defs: allowReserved: default: false type: boolean - $ref: '#/$defs/examples' allOf: - $ref: '#/$defs/examples' - $ref: '#/$defs/specification-extensions' From 3c675a81a8c2b0dd3a64bf8e3422cdc9d30916f5 Mon Sep 17 00:00:00 2001 From: Karen Etheridge Date: Sat, 6 Sep 2025 11:15:32 -0700 Subject: [PATCH 325/342] use non-capturing parentheses everywhere --- src/schemas/validation/schema.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 97c703036d..4a96786465 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -204,7 +204,7 @@ $defs: additionalProperties: $ref: '#/$defs/media-type-or-reference' patternProperties: - '^(schemas|responses|parameters|examples|requestBodies|headers|securitySchemes|links|callbacks|pathItems|mediaTypes)$': + '^(?:schemas|responses|parameters|examples|requestBodies|headers|securitySchemes|links|callbacks|pathItems|mediaTypes)$': $comment: Enumerating all of the property names in the regex above is necessary for unevaluatedProperties to work as expected propertyNames: pattern: '^[a-zA-Z0-9._-]+$' From 9ac8910371dbfc30e74eda7d04c63e347a7e0247 Mon Sep 17 00:00:00 2001 From: Karen Etheridge Date: Fri, 12 Sep 2025 15:47:55 -0700 Subject: [PATCH 326/342] remove redundant "requires" - "in" is always required for "parameter" - "type" is required for "security-scheme" --- src/schemas/validation/schema.yaml | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 4a96786465..2171b2b948 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -376,8 +376,6 @@ $defs: properties: in: const: query - required: - - in then: properties: allowEmptyValue: @@ -387,8 +385,6 @@ $defs: properties: in: const: querystring - required: - - in then: required: - content @@ -415,8 +411,6 @@ $defs: properties: in: const: path - required: - - in then: properties: style: @@ -435,8 +429,6 @@ $defs: properties: in: const: header - required: - - in then: properties: style: @@ -448,8 +440,6 @@ $defs: properties: in: const: query - required: - - in then: properties: style: @@ -465,8 +455,6 @@ $defs: properties: in: const: cookie - required: - - in then: properties: style: @@ -871,8 +859,6 @@ $defs: properties: type: const: apiKey - required: - - type then: properties: name: @@ -891,8 +877,6 @@ $defs: properties: type: const: http - required: - - type then: properties: scheme: @@ -921,8 +905,6 @@ $defs: properties: type: const: oauth2 - required: - - type then: properties: flows: @@ -938,8 +920,6 @@ $defs: properties: type: const: openIdConnect - required: - - type then: properties: openIdConnectUrl: From b5c43e5a78a31f80804047a395d11e0fe9f6039f Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Mon, 15 Sep 2025 21:25:12 +0200 Subject: [PATCH 327/342] case sensitivity (noun) without dashes --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index e6954c609b..9abbdba8fa 100644 --- a/src/oas.md +++ b/src/oas.md @@ -62,10 +62,10 @@ In order to preserve the ability to round-trip between YAML and JSON formats, YA The recommendation in previous versions of this specification to restrict YAML to its "JSON" [schema ruleset](https://yaml.org/spec/1.2/spec.html#id2803231) allowed for the inclusion of certain values that (despite the name) cannot be represented in JSON. OAD authors SHOULD NOT rely on any such JSON-incompatible YAML values. -### Case-Sensitivity +### Case Sensitivity As most field names and values in the OpenAPI Specification are case-sensitive, this document endeavors to call out any case-insensitive names and values. -However, the case-sensitivity of field names and values that map directly to HTTP concepts follow the case-sensitivity rules of HTTP, even if this document does not make a note of every concept. +However, the case sensitivity of field names and values that map directly to HTTP concepts follow the case sensitivity rules of HTTP, even if this document does not make a note of every concept. ### Rich Text Formatting From c4673bcdc536fc0bf28ce4320e9bd7e8aa0a788b Mon Sep 17 00:00:00 2001 From: Karen Etheridge Date: Fri, 12 Sep 2025 16:56:07 -0700 Subject: [PATCH 328/342] whitespace --- tests/schema/fail/example-examples.yaml | 3 --- tests/schema/fail/invalid_schema_types.yaml | 1 - tests/schema/pass/example-object-examples.yaml | 2 +- 3 files changed, 1 insertion(+), 5 deletions(-) diff --git a/tests/schema/fail/example-examples.yaml b/tests/schema/fail/example-examples.yaml index eb91f13338..aa8227817d 100644 --- a/tests/schema/fail/example-examples.yaml +++ b/tests/schema/fail/example-examples.yaml @@ -15,6 +15,3 @@ components: examples: a mammalian example: dataValue: bear - - - diff --git a/tests/schema/fail/invalid_schema_types.yaml b/tests/schema/fail/invalid_schema_types.yaml index ae51ad083e..b3aa50a6c8 100644 --- a/tests/schema/fail/invalid_schema_types.yaml +++ b/tests/schema/fail/invalid_schema_types.yaml @@ -10,4 +10,3 @@ components: invalid_null: null invalid_number: 0 invalid_array: [] - diff --git a/tests/schema/pass/example-object-examples.yaml b/tests/schema/pass/example-object-examples.yaml index 5971028051..af8cc255f0 100644 --- a/tests/schema/pass/example-object-examples.yaml +++ b/tests/schema/pass/example-object-examples.yaml @@ -29,7 +29,7 @@ components: summary: This is a text example externalValue: https://foo.bar/examples/address-example.txt parameters: - with-example: + with-example: name: zipCode in: query schema: From c602ca697e2bb2a916e5ff6df16d187a6b6c5c0d Mon Sep 17 00:00:00 2001 From: Karen Etheridge Date: Fri, 12 Sep 2025 16:11:19 -0700 Subject: [PATCH 329/342] remove confusing use of json within yaml --- tests/schema/pass/parameter-object-examples.yaml | 7 +++---- .../pass/schema-object-deprecated-example-keyword.yaml | 7 +++---- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/tests/schema/pass/parameter-object-examples.yaml b/tests/schema/pass/parameter-object-examples.yaml index ab5a00e612..f85161f0e3 100644 --- a/tests/schema/pass/parameter-object-examples.yaml +++ b/tests/schema/pass/parameter-object-examples.yaml @@ -62,7 +62,6 @@ paths: # Allow an arbitrary JSON object to keep # the example simple type: object - example: { - "numbers": [1, 2], - "flag": null - } \ No newline at end of file + example: + numbers: [1, 2] + flag: null diff --git a/tests/schema/pass/schema-object-deprecated-example-keyword.yaml b/tests/schema/pass/schema-object-deprecated-example-keyword.yaml index 8a928c5a55..969e66f283 100644 --- a/tests/schema/pass/schema-object-deprecated-example-keyword.yaml +++ b/tests/schema/pass/schema-object-deprecated-example-keyword.yaml @@ -12,7 +12,6 @@ paths: # the example simple type: object # DEPRECATED: don't use example keyword inside Schema Object - example: { - "numbers": [1, 2], - "flag": null - } + example: + numbers: [1, 2] + flag: null From 33907e0ac69e735071a3389b3a7059e5a409c888 Mon Sep 17 00:00:00 2001 From: Karen Etheridge Date: Mon, 15 Sep 2025 12:51:39 -0700 Subject: [PATCH 330/342] clarify other prohibited combinations of query+querystring That is, these are also prohibited: - "query" appearing in the path-item's parameters and "querystring" in the operation's parameters - "querystring" appearing in the path-item's parameters and "query" appearing in the operation's parameters --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index c5420f36d5..4398d588e1 100644 --- a/src/oas.md +++ b/src/oas.md @@ -766,8 +766,8 @@ See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a detail There are five possible parameter locations specified by the `in` field: * path - Used together with [Path Templating](#path-templating), where the parameter value is actually part of the operation's URL. This does not include the host or base path of the API. For example, in `/items/{itemId}`, the path parameter is `itemId`. -* query - Parameters that are appended to the URL. For example, in `/items?id=###`, the query parameter is `id`; MUST NOT appear in the same operation as an `in: "querystring"` parameter. -* querystring - A parameter that treats the entire URL query string as a value which MUST be specified using the `content` field, most often with media type `application/x-www-form-urlencoded` using [Encoding Objects](#encoding-object) in the same way as with request bodies of that media type; MUST NOT appear more than once, and MUST NOT appear in the same operation as any `in: "query"` parameters. +* query - Parameters that are appended to the URL. For example, in `/items?id=###`, the query parameter is `id`; MUST NOT appear in the same operation (or in the operation's path-item) as an `in: "querystring"` parameter. +* querystring - A parameter that treats the entire URL query string as a value which MUST be specified using the `content` field, most often with media type `application/x-www-form-urlencoded` using [Encoding Objects](#encoding-object) in the same way as with request bodies of that media type; MUST NOT appear more than once, and MUST NOT appear in the same operation (or in the operation's path-item) as any `in: "query"` parameters. * header - Custom headers that are expected as part of the request. Note that [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.1) states header names are case insensitive. * cookie - Used to pass a specific cookie value to the API. From a3082cb4378101f5a4bdfb4a2ebe506d9c253bec Mon Sep 17 00:00:00 2001 From: Karen Etheridge Date: Mon, 15 Sep 2025 12:53:35 -0700 Subject: [PATCH 331/342] be explicit that this table shows ALL valid combinations --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 4398d588e1..cd5114e73b 100644 --- a/src/oas.md +++ b/src/oas.md @@ -833,7 +833,7 @@ For use with `in: "querystring"` and `application/x-www-form-urlencoded`, see [E #### Style Values -In order to support common ways of serializing simple parameters, a set of `style` values are defined. +In order to support common ways of serializing simple parameters, a set of `style` values are defined. Combinations not represented in this table are not permitted. | `style` | [`type`](#data-types) | `in` | Comments | | ---- | ---- | ---- | ---- | From 8290d5586407bf0532423eb7699040fc90cc06ac Mon Sep 17 00:00:00 2001 From: Karen Etheridge Date: Mon, 15 Sep 2025 12:57:48 -0700 Subject: [PATCH 332/342] Markdown improvements for the Style Values table - Literal style names are now rendered in sans-serif as code - "primitive" is not rendered as code, as it refers to one of string, number, boolean or null, not a literal type name. --- src/oas.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/oas.md b/src/oas.md index cd5114e73b..60e2f7b8d2 100644 --- a/src/oas.md +++ b/src/oas.md @@ -837,14 +837,14 @@ In order to support common ways of serializing simple parameters, a set of `styl | `style` | [`type`](#data-types) | `in` | Comments | | ---- | ---- | ---- | ---- | -| matrix | `primitive`, `array`, `object` | `path` | Path-style parameters defined by [RFC6570](https://tools.ietf.org/html/rfc6570#section-3.2.7) | -| label | `primitive`, `array`, `object` | `path` | Label style parameters defined by [RFC6570](https://tools.ietf.org/html/rfc6570#section-3.2.5) | -| simple | `primitive`, `array`, `object` | `path`, `header` | Simple style parameters defined by [RFC6570](https://tools.ietf.org/html/rfc6570#section-3.2.2). This option replaces `collectionFormat` with a `csv` value from OpenAPI 2.0. | -| form | `primitive`, `array`, `object` | `query`, `cookie` | Form style parameters defined by [RFC6570](https://tools.ietf.org/html/rfc6570#section-3.2.8). This option replaces `collectionFormat` with a `csv` (when `explode` is false) or `multi` (when `explode` is true) value from OpenAPI 2.0. | -| spaceDelimited | `array`, `object` | `query` | Space separated array values or object properties and values. This option replaces `collectionFormat` equal to `ssv` from OpenAPI 2.0. | -| pipeDelimited | `array`, `object` | `query` | Pipe separated array values or object properties and values. This option replaces `collectionFormat` equal to `pipes` from OpenAPI 2.0. | -| deepObject | `object` | `query` | Allows objects with scalar properties to be represented using form parameters. The representation of array or object properties is not defined (but see [Extending Support for Querystring Formats](#extending-support-for-querystring-formats) for alternatives). | -| cookie | `primitive`, `array`, `object` | `cookie` | Analogous to `form`, but following [[RFC6265]] `Cookie` syntax rules, meaning that name-value pairs are separated by a semicolon followed by a single space (e.g. `n1=v1; n2=v2`), and no percent-encoding or other escaping is applied; data values that require any sort of escaping MUST be provided in escaped form. | +| `matrix` | primitive, `array`, `object` | `path` | Path-style parameters defined by [RFC6570](https://tools.ietf.org/html/rfc6570#section-3.2.7) | +| `label` | primitive, `array`, `object` | `path` | Label style parameters defined by [RFC6570](https://tools.ietf.org/html/rfc6570#section-3.2.5) | +| `simple` | primitive, `array`, `object` | `path`, `header` | Simple style parameters defined by [RFC6570](https://tools.ietf.org/html/rfc6570#section-3.2.2). This option replaces `collectionFormat` with a `csv` value from OpenAPI 2.0. | +| `form` | primitive, `array`, `object` | `query`, `cookie` | Form style parameters defined by [RFC6570](https://tools.ietf.org/html/rfc6570#section-3.2.8). This option replaces `collectionFormat` with a `csv` (when `explode` is false) or `multi` (when `explode` is true) value from OpenAPI 2.0. | +| `spaceDelimited` | `array`, `object` | `query` | Space separated array values or object properties and values. This option replaces `collectionFormat` equal to `ssv` from OpenAPI 2.0. | +| `pipeDelimited` | `array`, `object` | `query` | Pipe separated array values or object properties and values. This option replaces `collectionFormat` equal to `pipes` from OpenAPI 2.0. | +| `deepObject` | `object` | `query` | Allows objects with scalar properties to be represented using form parameters. The representation of array or object properties is not defined (but see [Extending Support for Querystring Formats](#extending-support-for-querystring-formats) for alternatives). | +| `cookie` | primitive, `array`, `object` | `cookie` | Analogous to `form`, but following [[RFC6265]] `Cookie` syntax rules, meaning that name-value pairs are separated by a semicolon followed by a single space (e.g. `n1=v1; n2=v2`), and no percent-encoding or other escaping is applied; data values that require any sort of escaping MUST be provided in escaped form. | #### URL Percent-Encoding From 9adf47563a7d0b1e890894182fd4b59b70b40ea2 Mon Sep 17 00:00:00 2001 From: Karen Etheridge Date: Mon, 15 Sep 2025 13:26:05 -0700 Subject: [PATCH 333/342] remove json markup in yaml examples of literal values This does not change the actual values of the examples, but it's more clear that this is literal data being modelled in the schema. --- src/oas.md | 152 ++++++++++++++++++++++++++++++----------------------- 1 file changed, 85 insertions(+), 67 deletions(-) diff --git a/src/oas.md b/src/oas.md index 60e2f7b8d2..20b768ae74 100644 --- a/src/oas.md +++ b/src/oas.md @@ -956,7 +956,9 @@ schema: style: simple examples: Tokens: - dataValue: [12345678, 90099] + dataValue: + - 12345678 + - 90099 serializedValue: "12345678,90099" ``` @@ -982,10 +984,9 @@ examples: to "%2C" in the data, as it is forbidden in cookie values. However, the exclamation point (!) is legal in cookies, so it can be left unencoded. - dataValue: { - "greeting": "Hello%2C world!", - "code": 42 - } + dataValue: + greeting: Hello%2C world! + code: 42 serializedValue: "greeting=Hello%2C world!; code=42" ``` @@ -1004,7 +1005,7 @@ examples: pre-percent-encoded. This results in all non-URL-safe characters, rather than just the one non-cookie-safe character, getting percent-encoded. - dataValue: "Hello, world!" + dataValue: Hello, world! serializedValue: "greeting=Hello%2C%20world%21" ``` @@ -1044,7 +1045,9 @@ style: form explode: true examples: ObjectList: - dataValue: ["one thing", "another thing"] + dataValue: + - one thing + - another thing serializedValue: "thing=one%20thing&thing=another%20thing" ``` @@ -1060,10 +1063,9 @@ schema: style: form examples: Pagination: - dataValue: { - "page": 4, - "pageSize": 50 - } + dataValue: + page: 4 + pageSize: 50 serializeValue: page=4&pageSize=50 ``` @@ -1085,16 +1087,14 @@ content: long: type: number examples: - dataValue: { - "lat": 10, - "long": 60 - } + dataValue: + lat: 10 + long: 60 serializedValue: '{"lat":10,"long":60}' examples: - dataValue: { - "lat": 10, - "long": 60 - } + dataValue: + lat: 10 + long: 60 serializedValue: coordinates=%7B%22lat%22%3A10%2C%22long%22%3A60%7D ``` @@ -1152,17 +1152,19 @@ content: examples: TwoNoFlag: description: Serialize with minimized whitespace - dataValue: { - "numbers": [1, 2], - "flag": null - } + dataValue: + numbers: + - 1 + - 2 + flag: null serializedValue: '{"numbers":[1,2],"flag":null}' examples: TwoNoFlag: - dataValue: { - "numbers": [1, 2], - "flag": null - } + dataValue: + numbers: + - 1 + - 2 + flag: null serializedValue: "%7B%22numbers%22%3A%5B1%2C2%5D%2C%22flag%22%3Anull%7D" ``` @@ -2426,10 +2428,9 @@ content: examples: noRating: summary: A not-yet-rated work - dataValue: { - "author": "A. Writer", - "title": "The Newest Book" - } + dataValue: + author: A. Writer + title: The Newest Book withRating: summary: A work with an average rating of 4.5 stars dataValue: @@ -3912,7 +3913,7 @@ application/xml: examples: pets: dataValue: - animals: "dog, cat, hamster" + animals: dog, cat, hamster serializedValue: | dog, cat, hamster @@ -3935,7 +3936,10 @@ application/xml: examples: pets: dataValue: - animals: [dog, cat, hamster] + animals: + - dog + - cat + - hamster externalValue: ./examples/pets.xml ``` @@ -3965,7 +3969,10 @@ application/xml: examples: pets: dataValue: - animals: [dog, cat, hamster] + animals: + - dog + - cat + - hamster externalValue: ./examples/pets.xml ``` @@ -4041,7 +4048,10 @@ application/xml: examples: pets: dataValue: - animals: [dog, cat, hamster] + animals: + - dog + - cat + - hamster externalValue: ./examples/pets.xml ``` @@ -4075,7 +4085,10 @@ application/xml: examples: pets: dataValue: - animals: [dog, cat, hamster] + animals: + - dog + - cat + - hamster externalValue: ./examples/pets.xml ``` @@ -4107,7 +4120,10 @@ application/xml: examples: pets: dataValue: - animals: [dog, cat, hamster] + animals: + - dog + - cat + - hamster externalValue: ./examples/pets.xml ``` @@ -4143,7 +4159,10 @@ application/xml: examples: pets: dataValue: - animals: [dog, cat, hamster] + animals: + - dog + - cat + - hamster externalValue: ./examples/pets.xml ``` @@ -4180,7 +4199,10 @@ application/xml: examples: pets: dataValue: - animals: [dog, cat, hamster] + animals: + - dog + - cat + - hamster externalValue: ./examples/pets.xml ``` @@ -4215,7 +4237,10 @@ application/xml: examples: pets: dataValue: - animals: [dog, cat, hamster] + animals: + - dog + - cat + - hamster externalValue: ./examples/pets.xml ``` @@ -4323,9 +4348,8 @@ paths: $ref: "#/components/schemas/Documentation" examples: stored: - dataValue: { - "content": "Awesome Docs" - } + dataValue: + content: Awesome Docs externalValue: ./examples/stored.xml put: requestBody: @@ -4339,9 +4363,8 @@ paths: $ref: "#/components/schemas/Documentation" examples: updated: - dataValue: { - "content": "Awesome Docs" - } + dataValue: + content: Awesome Docs externalValue: ./examples/updated.xml responses: "201": {} @@ -4418,12 +4441,10 @@ application/xml: - "null" examples: OneTwoThree: - dataValue: [ - "Some text", - { - "unit": "cubits" - "value": 42 - }, + dataValue: + - Some text + - unit: cubits + value: 42 null ] externalValue: ./examples/OneTwoThree.xml @@ -4460,11 +4481,10 @@ application/xml: type: string examples: Report: - dataValue: [ - "Some preamble text.", - 42, - "Some postamble text." - ] + dataValue: + - Some preamble text. + - 42 + - Some postamble text. externalValue: ./examples/Report.xml ``` @@ -4509,18 +4529,16 @@ application/xml: - "null" examples: productWithNulls: - dataValue: { - "count": null, - "description": "Thing", - "related": null - } + dataValue: + count: null + description: Thing + related: null externalValue: ./examples/productWithNulls.xml productNoNulls: - dataValue: { - "count": 42, - "description: "Thing" - "related": {} - } + dataValue: + count: 42 + description: Thing + related: {} externalValue: ./examples/productNoNulls.xml ``` From 14528c99a90a45be70e5c12aa957ae14594e1b62 Mon Sep 17 00:00:00 2001 From: Karen Etheridge Date: Sun, 31 Aug 2025 16:07:00 -0700 Subject: [PATCH 334/342] query and querystring are mutually exclusive; disallow more than one querystring --- src/schemas/validation/schema.yaml | 38 ++++++++++++++++--- ...eration-object-query-with-querystring.yaml | 20 ++++++++++ .../operation-object-two-querystrings.yaml | 20 ++++++++++ ...th-item-object-query-with-querystring.yaml | 19 ++++++++++ .../path-item-object-two-querystrings.yaml | 20 ++++++++++ 5 files changed, 111 insertions(+), 6 deletions(-) create mode 100644 tests/schema/fail/operation-object-query-with-querystring.yaml create mode 100644 tests/schema/fail/operation-object-two-querystrings.yaml create mode 100644 tests/schema/fail/path-item-object-query-with-querystring.yaml create mode 100644 tests/schema/fail/path-item-object-two-querystrings.yaml diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 2171b2b948..4438182897 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -236,9 +236,7 @@ $defs: items: $ref: '#/$defs/server' parameters: - type: array - items: - $ref: '#/$defs/parameter-or-reference' + $ref: '#/$defs/parameters' additionalOperations: type: object additionalProperties: @@ -295,9 +293,7 @@ $defs: operationId: type: string parameters: - type: array - items: - $ref: '#/$defs/parameter-or-reference' + $ref: '#/$defs/parameters' requestBody: $ref: '#/$defs/request-body-or-reference' responses: @@ -334,6 +330,36 @@ $defs: $ref: '#/$defs/specification-extensions' unevaluatedProperties: false + parameters: + type: array + items: + $ref: '#/$defs/parameter-or-reference' + not: + allOf: + - contains: + type: object + properties: + in: + const: query + required: + - in + - contains: + type: object + properties: + in: + const: querystring + required: + - in + contains: + type: object + properties: + in: + const: querystring + required: + - in + minContains: 0 + maxContains: 1 + parameter: $comment: https://spec.openapis.org/oas/v3.2#parameter-object type: object diff --git a/tests/schema/fail/operation-object-query-with-querystring.yaml b/tests/schema/fail/operation-object-query-with-querystring.yaml new file mode 100644 index 0000000000..5046d9c73c --- /dev/null +++ b/tests/schema/fail/operation-object-query-with-querystring.yaml @@ -0,0 +1,20 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + pathItems: + my-path-item: + get: + description: a query parameter cannot be used together with a querystring parameter + parameters: + - name: myquerystring + in: querystring + content: + application/json: + schema: + type: string + - name: myquery + in: query + schema: + type: string diff --git a/tests/schema/fail/operation-object-two-querystrings.yaml b/tests/schema/fail/operation-object-two-querystrings.yaml new file mode 100644 index 0000000000..35cebf0a3c --- /dev/null +++ b/tests/schema/fail/operation-object-two-querystrings.yaml @@ -0,0 +1,20 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + pathItems: + my-path-item: + get: + description: querystring cannot be used twice + parameters: + - name: myquerystring1 + in: querystring + content: + application/json: + schema: {} + - name: myquerystring2 + in: querystring + content: + application/json: + schema: {} diff --git a/tests/schema/fail/path-item-object-query-with-querystring.yaml b/tests/schema/fail/path-item-object-query-with-querystring.yaml new file mode 100644 index 0000000000..6efbda4468 --- /dev/null +++ b/tests/schema/fail/path-item-object-query-with-querystring.yaml @@ -0,0 +1,19 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + pathItems: + my-path-item: + parameters: + - name: myquerystring + in: querystring + content: + application/json: + schema: + type: string + - name: myquery + in: query + schema: + type: string + get: {} diff --git a/tests/schema/fail/path-item-object-two-querystrings.yaml b/tests/schema/fail/path-item-object-two-querystrings.yaml new file mode 100644 index 0000000000..daf5caa494 --- /dev/null +++ b/tests/schema/fail/path-item-object-two-querystrings.yaml @@ -0,0 +1,20 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + pathItems: + my-path-item: + description: querystring cannot be used twice + parameters: + - name: myquerystring1 + in: querystring + content: + application/json: + schema: {} + - name: myquerystring2 + in: querystring + content: + application/json: + schema: {} + get: {} From 21010ce82e341bb44a7acd6722d50155aa8c66f3 Mon Sep 17 00:00:00 2001 From: Karen Etheridge Date: Fri, 12 Sep 2025 16:13:45 -0700 Subject: [PATCH 335/342] allow the use of in: cookie, style: cookie --- src/schemas/validation/schema.yaml | 4 +++- tests/schema/pass/parameter-object-examples.yaml | 8 ++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 4438182897..e8ac6071cd 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -485,7 +485,9 @@ $defs: properties: style: default: form - const: form + enum: + - form + - cookie unevaluatedProperties: false diff --git a/tests/schema/pass/parameter-object-examples.yaml b/tests/schema/pass/parameter-object-examples.yaml index f85161f0e3..8a3db655ba 100644 --- a/tests/schema/pass/parameter-object-examples.yaml +++ b/tests/schema/pass/parameter-object-examples.yaml @@ -52,6 +52,14 @@ paths: type: number long: type: number + - in: cookie + name: my_cookie1 + style: form + schema: {} + - in: cookie + name: my_cookie2 + style: cookie + schema: {} /user: parameters: - in: querystring From 2463bd0420c4d273d48a62b30a1609880d762df9 Mon Sep 17 00:00:00 2001 From: Karen Etheridge Date: Fri, 12 Sep 2025 17:32:49 -0700 Subject: [PATCH 336/342] style and allowReserved defaults are only in effect when any of style, explode, allowReserved are present see #4899 --- src/schemas/validation/schema.yaml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index e8ac6071cd..05e5704fe1 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -587,7 +587,6 @@ $defs: additionalProperties: $ref: '#/$defs/header-or-reference' style: - default: form enum: - form - spaceDelimited @@ -596,7 +595,6 @@ $defs: explode: type: boolean allowReserved: - default: false type: boolean encoding: type: object @@ -613,6 +611,20 @@ $defs: properties: prefixEncoding: false itemEncoding: false + style: + properties: + allowReserved: + default: false + explode: + properties: + style: + default: form + allowReserved: + default: false + allowReserved: + properties: + style: + default: form allOf: - $ref: '#/$defs/specification-extensions' - $ref: '#/$defs/styles-for-form' From 466b72318c6c5e9832853bfc77d566d80d38be0a Mon Sep 17 00:00:00 2001 From: Karen Etheridge Date: Tue, 16 Sep 2025 11:32:05 -0700 Subject: [PATCH 337/342] fix character terminology in ABNF comments UTF-8 is not a character set; it is an encoding. The character set we are using is Unicode (the full range of integers from \x00 to \x10FFFF), so revert to using the correct terminology. ref.: https://www.rfc-editor.org/rfc/rfc6570#section-2.1 uses "any Unicode character except..." --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index 9fedf74779..b3d68d68de 100644 --- a/src/oas.md +++ b/src/oas.md @@ -358,7 +358,7 @@ The server URL templating is defined by the following [ABNF](https://tools.ietf. ```abnf server-url-template = 1*( literals / server-variable ) server-variable = "{" server-variable-name "}" -server-variable-name = 1*( %x00-7A / %x7C / %x7E-10FFFF ) ; every UTF8 character except { and } +server-variable-name = 1*( %x00-7A / %x7C / %x7E-10FFFF ) ; every Unicode character except { and } literals = 1*( %x21 / %x23-24 / %x26-3B / %x3D / %x3F-5B / %x5D / %x5F / %x61-7A / %x7E / ucschar / iprivate @@ -528,7 +528,7 @@ path-template = "/" *( path-segment "/" ) [ path-segment ] path-segment = 1*( path-literal / template-expression ) path-literal = 1*pchar template-expression = "{" template-expression-param-name "}" -template-expression-param-name = 1*( %x00-7A / %x7C / %x7E-10FFFF ) ; every UTF8 character except { and } +template-expression-param-name = 1*( %x00-7A / %x7C / %x7E-10FFFF ) ; every Unicode character except { and } pchar = unreserved / pct-encoded / sub-delims / ":" / "@" unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" From 277431219abdce3c940db4d1449e3a6d7449f237 Mon Sep 17 00:00:00 2001 From: Karen Etheridge Date: Wed, 17 Sep 2025 19:36:24 -0700 Subject: [PATCH 338/342] these two xml properties are now deprecated; harmonize spec language --- src/oas.md | 4 ++-- src/schemas/validation/meta.yaml | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index 9fedf74779..b482d5afcc 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3819,8 +3819,8 @@ When using a Schema Object with XML, if no XML Object is present, the behavior i | name | `string` | Sets the name of the element/attribute corresponding to the schema, replacing the name that was inferred as described under [XML Node Names](#xml-node-names). This field SHALL be ignored if the `nodeType` is `text`, `cdata`, or `none`. | | namespace | `string` | The IRI ([[RFC3987]]) of the namespace definition. Value MUST be in the form of a non-relative IRI. | | prefix | `string` | The prefix to be used for the [name](#xml-name). | -| attribute | `boolean` | Declares whether the property definition translates to an attribute instead of an element. Default value is `false`. If `nodeType` is present, this field MUST NOT be present.

**Deprecated:** Use `nodeType: "attribute"` in place of `attribute: true` | -| wrapped | `boolean` | MAY be used only for an array definition. Signifies whether the array is wrapped (for example, ``) or unwrapped (``). Default value is `false`. The definition takes effect only when defined alongside `type` being `"array"` (outside the `items`). If `nodeType` is present, this field MUST NOT be present.

**Deprecated:** Set `nodeType: "element"` explicitly in place of `wrapped: true` | +| attribute | `boolean` | Declares whether the property definition translates to an attribute instead of an element. Default value is `false`. If `nodeType` is present, this field MUST NOT be present.

**Deprecated:** Use `nodeType: "attribute"` instead of `attribute: true` | +| wrapped | `boolean` | MAY be used only for an array definition. Signifies whether the array is wrapped (for example, ``) or unwrapped (``). Default value is `false`. The definition takes effect only when defined alongside `type` being `"array"` (outside the `items`). If `nodeType` is present, this field MUST NOT be present.

**Deprecated:** Use `nodeType: "element"` instead of `wrapped: true` | Note that when generating an XML document from object data, the order of the nodes is undefined. Use `prefixItems` to control node ordering as shown under [Ordered Elements and Text](#ordered-elements-and-text). diff --git a/src/schemas/validation/meta.yaml b/src/schemas/validation/meta.yaml index 0472fd5b27..8271a685fb 100644 --- a/src/schemas/validation/meta.yaml +++ b/src/schemas/validation/meta.yaml @@ -74,8 +74,10 @@ $defs: type: string attribute: type: boolean + deprecated: true wrapped: type: boolean + deprecated: true type: object dependentSchemas: nodeType: From ec81bb821b075983fa2d55ee044ba4698155fee3 Mon Sep 17 00:00:00 2001 From: Karen Etheridge Date: Wed, 17 Sep 2025 19:45:58 -0700 Subject: [PATCH 339/342] the "example" keyword is now deprecated --- src/schemas/validation/meta.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/schemas/validation/meta.yaml b/src/schemas/validation/meta.yaml index 8271a685fb..bbd40a1897 100644 --- a/src/schemas/validation/meta.yaml +++ b/src/schemas/validation/meta.yaml @@ -15,7 +15,8 @@ type: properties: discriminator: $ref: '#/$defs/discriminator' - example: true + example: + deprecated: true externalDocs: $ref: '#/$defs/external-docs' xml: From c2b1114ba5ae5806d24290092d85cf5187a51fb7 Mon Sep 17 00:00:00 2001 From: Karen Etheridge Date: Wed, 17 Sep 2025 20:02:45 -0700 Subject: [PATCH 340/342] "propertyName" is no longer required --- src/schemas/validation/meta.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/schemas/validation/meta.yaml b/src/schemas/validation/meta.yaml index bbd40a1897..ca512c4353 100644 --- a/src/schemas/validation/meta.yaml +++ b/src/schemas/validation/meta.yaml @@ -34,8 +34,6 @@ $defs: type: string propertyName: type: string - required: - - propertyName type: object unevaluatedProperties: false From 2c162bfc557ba10d3c9b22bbca0b86d286f12f04 Mon Sep 17 00:00:00 2001 From: Lorna Mitchell Date: Thu, 18 Sep 2025 17:54:48 +0100 Subject: [PATCH 341/342] Adjust the branch for release of 3.2 --- src/schemas/validation/README.md | 69 - src/schemas/validation/dialect.yaml | 21 - src/schemas/validation/meta.yaml | 86 -- src/schemas/validation/schema-base.yaml | 20 - src/schemas/validation/schema.yaml | 1135 ----------------- .../fail/encoding-enc-item-exclusion.yaml | 13 - .../fail/encoding-enc-prefix-exclusion.yaml | 13 - tests/schema/fail/example-examples.yaml | 17 - .../fail/example-object-old-exclusions.yaml | 10 - .../fail/example-object-old-vs-data.yaml | 10 - .../fail/example-object-old-vs-ser.yaml | 10 - .../fail/example-object-ser-exclusions.yaml | 10 - tests/schema/fail/invalid_schema_types.yaml | 12 - .../fail/media-type-enc-item-exclusion.yaml | 11 - .../fail/media-type-enc-prefix-exclusion.yaml | 11 - tests/schema/fail/no_containers.yaml | 7 - ...eration-object-query-with-querystring.yaml | 20 - .../operation-object-two-querystrings.yaml | 20 - ...rameter-object-content-not-with-style.yaml | 14 - ...er-object-querystring-not-with-schema.yaml | 11 - ...ject-conflicting-additional-operation.yaml | 64 - ...th-item-object-query-with-querystring.yaml | 19 - .../path-item-object-two-querystrings.yaml | 20 - tests/schema/fail/server_enum_empty.yaml | 14 - tests/schema/fail/servers.yaml | 11 - tests/schema/fail/unknown_container.yaml | 8 - tests/schema/fail/xml-attr-exclusion.yaml | 11 - tests/schema/fail/xml-wrapped-exclusion.yaml | 11 - .../schema/pass/callback-object-examples.yaml | 30 - tests/schema/pass/comp_pathitems.yaml | 6 - .../pass/components-object-example.yaml | 71 -- .../schema/pass/example-object-examples.yaml | 64 - tests/schema/pass/header-object-examples.yaml | 26 - tests/schema/pass/info-object-example.yaml | 20 - tests/schema/pass/info_summary.yaml | 6 - tests/schema/pass/json_schema_dialect.yaml | 15 - tests/schema/pass/license_identifier.yaml | 9 - tests/schema/pass/link-object-examples.yaml | 66 - tests/schema/pass/media-type-examples.yaml | 173 --- tests/schema/pass/mega.yaml | 62 - tests/schema/pass/minimal_comp.yaml | 5 - tests/schema/pass/minimal_hooks.yaml | 5 - tests/schema/pass/minimal_paths.yaml | 5 - tests/schema/pass/non-oauth-scopes.yaml | 19 - .../schema/pass/operation-object-example.yaml | 47 - .../pass/parameter-object-examples.yaml | 75 -- .../schema/pass/path-item-object-example.yaml | 74 -- .../pass/path_item_servers_parameters.yaml | 112 -- tests/schema/pass/path_no_response.yaml | 7 - .../schema/pass/path_var_empty_pathitem.yaml | 6 - tests/schema/pass/paths-object-example.yaml | 17 - tests/schema/pass/request-body-examples.yaml | 34 - .../schema/pass/response-object-examples.yaml | 43 - ...ema-object-deprecated-example-keyword.yaml | 17 - tests/schema/pass/schema.yaml | 55 - .../pass/security-scheme-object-examples.yaml | 69 - tests/schema/pass/servers.yaml | 26 - .../schema/pass/specification-extensions.yaml | 6 - tests/schema/pass/tag-object-example.yaml | 25 - tests/schema/pass/valid_schema_types.yaml | 14 - tests/schema/pass/webhook-example.yaml | 35 - tests/schema/schema.test.mjs | 56 - versions/3.2.0-editors.md | 22 + src/oas.md => versions/3.2.0.md | 0 64 files changed, 22 insertions(+), 2978 deletions(-) delete mode 100644 src/schemas/validation/README.md delete mode 100644 src/schemas/validation/dialect.yaml delete mode 100644 src/schemas/validation/meta.yaml delete mode 100644 src/schemas/validation/schema-base.yaml delete mode 100644 src/schemas/validation/schema.yaml delete mode 100644 tests/schema/fail/encoding-enc-item-exclusion.yaml delete mode 100644 tests/schema/fail/encoding-enc-prefix-exclusion.yaml delete mode 100644 tests/schema/fail/example-examples.yaml delete mode 100644 tests/schema/fail/example-object-old-exclusions.yaml delete mode 100644 tests/schema/fail/example-object-old-vs-data.yaml delete mode 100644 tests/schema/fail/example-object-old-vs-ser.yaml delete mode 100644 tests/schema/fail/example-object-ser-exclusions.yaml delete mode 100644 tests/schema/fail/invalid_schema_types.yaml delete mode 100644 tests/schema/fail/media-type-enc-item-exclusion.yaml delete mode 100644 tests/schema/fail/media-type-enc-prefix-exclusion.yaml delete mode 100644 tests/schema/fail/no_containers.yaml delete mode 100644 tests/schema/fail/operation-object-query-with-querystring.yaml delete mode 100644 tests/schema/fail/operation-object-two-querystrings.yaml delete mode 100644 tests/schema/fail/parameter-object-content-not-with-style.yaml delete mode 100644 tests/schema/fail/parameter-object-querystring-not-with-schema.yaml delete mode 100644 tests/schema/fail/path-item-object-conflicting-additional-operation.yaml delete mode 100644 tests/schema/fail/path-item-object-query-with-querystring.yaml delete mode 100644 tests/schema/fail/path-item-object-two-querystrings.yaml delete mode 100644 tests/schema/fail/server_enum_empty.yaml delete mode 100644 tests/schema/fail/servers.yaml delete mode 100644 tests/schema/fail/unknown_container.yaml delete mode 100644 tests/schema/fail/xml-attr-exclusion.yaml delete mode 100644 tests/schema/fail/xml-wrapped-exclusion.yaml delete mode 100644 tests/schema/pass/callback-object-examples.yaml delete mode 100644 tests/schema/pass/comp_pathitems.yaml delete mode 100644 tests/schema/pass/components-object-example.yaml delete mode 100644 tests/schema/pass/example-object-examples.yaml delete mode 100644 tests/schema/pass/header-object-examples.yaml delete mode 100644 tests/schema/pass/info-object-example.yaml delete mode 100644 tests/schema/pass/info_summary.yaml delete mode 100644 tests/schema/pass/json_schema_dialect.yaml delete mode 100644 tests/schema/pass/license_identifier.yaml delete mode 100644 tests/schema/pass/link-object-examples.yaml delete mode 100644 tests/schema/pass/media-type-examples.yaml delete mode 100644 tests/schema/pass/mega.yaml delete mode 100644 tests/schema/pass/minimal_comp.yaml delete mode 100644 tests/schema/pass/minimal_hooks.yaml delete mode 100644 tests/schema/pass/minimal_paths.yaml delete mode 100644 tests/schema/pass/non-oauth-scopes.yaml delete mode 100644 tests/schema/pass/operation-object-example.yaml delete mode 100644 tests/schema/pass/parameter-object-examples.yaml delete mode 100644 tests/schema/pass/path-item-object-example.yaml delete mode 100644 tests/schema/pass/path_item_servers_parameters.yaml delete mode 100644 tests/schema/pass/path_no_response.yaml delete mode 100644 tests/schema/pass/path_var_empty_pathitem.yaml delete mode 100644 tests/schema/pass/paths-object-example.yaml delete mode 100644 tests/schema/pass/request-body-examples.yaml delete mode 100644 tests/schema/pass/response-object-examples.yaml delete mode 100644 tests/schema/pass/schema-object-deprecated-example-keyword.yaml delete mode 100644 tests/schema/pass/schema.yaml delete mode 100644 tests/schema/pass/security-scheme-object-examples.yaml delete mode 100644 tests/schema/pass/servers.yaml delete mode 100644 tests/schema/pass/specification-extensions.yaml delete mode 100644 tests/schema/pass/tag-object-example.yaml delete mode 100644 tests/schema/pass/valid_schema_types.yaml delete mode 100644 tests/schema/pass/webhook-example.yaml delete mode 100644 tests/schema/schema.test.mjs create mode 100644 versions/3.2.0-editors.md rename src/oas.md => versions/3.2.0.md (100%) diff --git a/src/schemas/validation/README.md b/src/schemas/validation/README.md deleted file mode 100644 index 57501dfc51..0000000000 --- a/src/schemas/validation/README.md +++ /dev/null @@ -1,69 +0,0 @@ -# OpenAPI 3.X.Y JSON Schema - -This directory contains the YAML sources for generating the JSON Schemas for validating OpenAPI definitions of versions 3.X.Y, which are published on [https://spec.openapis.org](https://spec.openapis.org). - -Due to limitations of GitHub pages, the schemas on the spec site are served with `Content-Type: application/octet-stream`, but should be interpreted as `application/schema+json`. - -The sources in this directory, which have `WORK-IN-PROGRESS` in their `$id`s, are _not intended for direct use_. - -## Schema `$id` dates - -The published schemas on the spec site have an _iteration date_ in their `id`s. -This allows the schemas for a release line to be updated independent of the spec patch release cycle. - -The iteration version of the JSON Schema can be found in the `$id` field. -For example, the value of `$id: https://spec.openapis.org/oas/3.1/schema/2021-03-02` means this iteration was created on March 2nd, 2021. - -We are [working on](https://github.com/OAI/OpenAPI-Specification/issues/4152) how to best provide programmatic access for determining the latest date for each schema. - -## Choosing which schema to use - -There are two schemas to choose from for versions 3.1 and greater, both of which have an `$id` that starts with `https://spec.openapis.org/oas/3.X/` and ends with the iteration date: - -* `https://spec.openapis.org/oas/3.X/schema/{date}`, source: `schema.yaml` — A self-contained schema that _does not_ validate Schema Objects beyond `type: [object, boolean]` -* `https://spec.openapis.org/oas/3.1/schema-base/{date}`, source: `schema-base.yaml` — A schema that combines the self-contained schema and the "base" dialect schema to validate Schema Objects with the dialect; this schema does not allow changing `$schema` or `jsonSchemaDialect` to other dialects - -Two metaschemas define the OAS "base" dialect: - -* `https://spec.openapis.org/oas/3.X/meta/{date}`, source: `meta.yaml` — The vocabulary metaschema for OAS 3.X's extensions to draft 2020-12 -* `https://spec.openapis.org/oas/3.X/dialect/{date}`, source: `dialect.yaml` — The dialect metaschema that extends the standard `draft/2020-12` metaschema by adding the OAS "base" vocabulary - -The name "base" for the dialect was intended to indicate that the OAS dialect could be further extended. - -~~~mermaid -flowchart LR - schema_base - schema - dialect - meta - schema --> |default| dialect - schema_base --> |$ref| schema - schema_base --> |$ref| dialect - dialect --> |$ref| meta -~~~ - -An additional schema that validates the Schema Object with the OAS 3.X dialect but does not restrict changing `$schema` is [under consideration](https://github.com/OAI/OpenAPI-Specification/issues/4147). - -## Improving the schemas - -As a reminder, the JSON Schema is not the source of truth for the Specification. In cases of conflicts between the Specification itself and the JSON Schema, the Specification wins. Also, some Specification constraints cannot be represented with the JSON Schema so it's highly recommended to employ other methods to ensure compliance. - -The schema only validates the mandatory aspects of the OAS. -Validating requirements that are optional, or field usage that has undefined or ignored behavior are not within the scope of this schema. -Schemas to perform additional optional validation are [under consideration](https://github.com/OAI/OpenAPI-Specification/issues/4141). - -Improvements can be submitted by opening a PR against the `vX.Y-dev` branch of the respective specification version. - -Modify the `schema.yaml` file and add test cases for your changes. - -The TSC will then: -- Run tests on the updated schema -- Update the iteration version -- Publish the new version - -The [test suite](../../../tests/schema) is part of this package. - -```bash -npm install -npm test -``` diff --git a/src/schemas/validation/dialect.yaml b/src/schemas/validation/dialect.yaml deleted file mode 100644 index 1986c9e8f8..0000000000 --- a/src/schemas/validation/dialect.yaml +++ /dev/null @@ -1,21 +0,0 @@ -$id: https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS -$schema: https://json-schema.org/draft/2020-12/schema - -title: OpenAPI 3.2 Schema Object Dialect -description: A JSON Schema dialect describing schemas found in OpenAPI v3.2.x Descriptions - -$dynamicAnchor: meta - -$vocabulary: - https://json-schema.org/draft/2020-12/vocab/applicator: true - https://json-schema.org/draft/2020-12/vocab/content: true - https://json-schema.org/draft/2020-12/vocab/core: true - https://json-schema.org/draft/2020-12/vocab/format-annotation: true - https://json-schema.org/draft/2020-12/vocab/meta-data: true - https://json-schema.org/draft/2020-12/vocab/unevaluated: true - https://json-schema.org/draft/2020-12/vocab/validation: true - https://spec.openapis.org/oas/3.2/vocab/base: false - -allOf: - - $ref: https://json-schema.org/draft/2020-12/schema - - $ref: https://spec.openapis.org/oas/3.2/meta/WORK-IN-PROGRESS diff --git a/src/schemas/validation/meta.yaml b/src/schemas/validation/meta.yaml deleted file mode 100644 index ca512c4353..0000000000 --- a/src/schemas/validation/meta.yaml +++ /dev/null @@ -1,86 +0,0 @@ -$id: https://spec.openapis.org/oas/3.2/meta/WORK-IN-PROGRESS -$schema: https://json-schema.org/draft/2020-12/schema - -title: OAS Base Vocabulary -description: A JSON Schema Vocabulary used in the OpenAPI JSON Schema Dialect - -$dynamicAnchor: meta - -$vocabulary: - https://spec.openapis.org/oas/3.2/vocab/base: true - -type: - - object - - boolean -properties: - discriminator: - $ref: '#/$defs/discriminator' - example: - deprecated: true - externalDocs: - $ref: '#/$defs/external-docs' - xml: - $ref: '#/$defs/xml' - -$defs: - discriminator: - $ref: '#/$defs/extensible' - properties: - mapping: - additionalProperties: - type: string - type: object - defaultMapping: - type: string - propertyName: - type: string - type: object - unevaluatedProperties: false - - extensible: - patternProperties: - ^x-: true - external-docs: - $ref: '#/$defs/extensible' - properties: - description: - type: string - url: - format: uri-reference - type: string - required: - - url - type: object - unevaluatedProperties: false - - xml: - $ref: '#/$defs/extensible' - properties: - nodeType: - type: string - enum: - - element - - attribute - - text - - cdata - - none - name: - type: string - namespace: - format: iri - type: string - prefix: - type: string - attribute: - type: boolean - deprecated: true - wrapped: - type: boolean - deprecated: true - type: object - dependentSchemas: - nodeType: - properties: - attribute: false - wrapped: false - unevaluatedProperties: false diff --git a/src/schemas/validation/schema-base.yaml b/src/schemas/validation/schema-base.yaml deleted file mode 100644 index 195ae5ed43..0000000000 --- a/src/schemas/validation/schema-base.yaml +++ /dev/null @@ -1,20 +0,0 @@ -$id: 'https://spec.openapis.org/oas/3.2/schema-base/WORK-IN-PROGRESS' -$schema: 'https://json-schema.org/draft/2020-12/schema' - -description: The description of OpenAPI v3.2.x Documents using the OpenAPI JSON Schema dialect - -$ref: 'https://spec.openapis.org/oas/3.2/schema/WORK-IN-PROGRESS' -properties: - jsonSchemaDialect: - $ref: '#/$defs/dialect' - -$defs: - dialect: - const: 'https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS' - - schema: - $dynamicAnchor: meta - $ref: 'https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS' - properties: - $schema: - $ref: '#/$defs/dialect' diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml deleted file mode 100644 index 05e5704fe1..0000000000 --- a/src/schemas/validation/schema.yaml +++ /dev/null @@ -1,1135 +0,0 @@ -$id: 'https://spec.openapis.org/oas/3.2/schema/WORK-IN-PROGRESS' -$schema: 'https://json-schema.org/draft/2020-12/schema' - -description: The description of OpenAPI v3.2.x Documents without Schema Object validation - -type: object -properties: - openapi: - type: string - pattern: '^3\.2\.\d+(-.+)?$' - $self: - type: string - format: uri-reference - $comment: MUST NOT contain a fragment - pattern: '^[^#]*$' - info: - $ref: '#/$defs/info' - jsonSchemaDialect: - type: string - format: uri-reference - default: 'https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS' - servers: - type: array - items: - $ref: '#/$defs/server' - default: - - url: / - paths: - $ref: '#/$defs/paths' - webhooks: - type: object - additionalProperties: - $ref: '#/$defs/path-item' - components: - $ref: '#/$defs/components' - security: - type: array - items: - $ref: '#/$defs/security-requirement' - tags: - type: array - items: - $ref: '#/$defs/tag' - externalDocs: - $ref: '#/$defs/external-documentation' -required: - - openapi - - info -anyOf: - - required: - - paths - - required: - - components - - required: - - webhooks -$ref: '#/$defs/specification-extensions' -unevaluatedProperties: false - -$defs: - info: - $comment: https://spec.openapis.org/oas/v3.2#info-object - type: object - properties: - title: - type: string - summary: - type: string - description: - type: string - termsOfService: - type: string - format: uri-reference - contact: - $ref: '#/$defs/contact' - license: - $ref: '#/$defs/license' - version: - type: string - required: - - title - - version - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - contact: - $comment: https://spec.openapis.org/oas/v3.2#contact-object - type: object - properties: - name: - type: string - url: - type: string - format: uri-reference - email: - type: string - format: email - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - license: - $comment: https://spec.openapis.org/oas/v3.2#license-object - type: object - properties: - name: - type: string - identifier: - type: string - url: - type: string - format: uri-reference - required: - - name - dependentSchemas: - identifier: - not: - required: - - url - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - server: - $comment: https://spec.openapis.org/oas/v3.2#server-object - type: object - properties: - url: - type: string - description: - type: string - name: - type: string - variables: - type: object - additionalProperties: - $ref: '#/$defs/server-variable' - required: - - url - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - server-variable: - $comment: https://spec.openapis.org/oas/v3.2#server-variable-object - type: object - properties: - enum: - type: array - items: - type: string - minItems: 1 - default: - type: string - description: - type: string - required: - - default - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - components: - $comment: https://spec.openapis.org/oas/v3.2#components-object - type: object - properties: - schemas: - type: object - additionalProperties: - $dynamicRef: '#meta' - responses: - type: object - additionalProperties: - $ref: '#/$defs/response-or-reference' - parameters: - type: object - additionalProperties: - $ref: '#/$defs/parameter-or-reference' - examples: - type: object - additionalProperties: - $ref: '#/$defs/example-or-reference' - requestBodies: - type: object - additionalProperties: - $ref: '#/$defs/request-body-or-reference' - headers: - type: object - additionalProperties: - $ref: '#/$defs/header-or-reference' - securitySchemes: - type: object - additionalProperties: - $ref: '#/$defs/security-scheme-or-reference' - links: - type: object - additionalProperties: - $ref: '#/$defs/link-or-reference' - callbacks: - type: object - additionalProperties: - $ref: '#/$defs/callbacks-or-reference' - pathItems: - type: object - additionalProperties: - $ref: '#/$defs/path-item' - mediaTypes: - type: object - additionalProperties: - $ref: '#/$defs/media-type-or-reference' - patternProperties: - '^(?:schemas|responses|parameters|examples|requestBodies|headers|securitySchemes|links|callbacks|pathItems|mediaTypes)$': - $comment: Enumerating all of the property names in the regex above is necessary for unevaluatedProperties to work as expected - propertyNames: - pattern: '^[a-zA-Z0-9._-]+$' - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - paths: - $comment: https://spec.openapis.org/oas/v3.2#paths-object - type: object - patternProperties: - '^/': - $ref: '#/$defs/path-item' - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - path-item: - $comment: https://spec.openapis.org/oas/v3.2#path-item-object - type: object - properties: - $ref: - type: string - format: uri-reference - summary: - type: string - description: - type: string - servers: - type: array - items: - $ref: '#/$defs/server' - parameters: - $ref: '#/$defs/parameters' - additionalOperations: - type: object - additionalProperties: - $ref: '#/$defs/operation' - propertyNames: - $comment: RFC9110 restricts methods to "1*tchar" in ABNF - pattern: "^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$" - not: - enum: - - GET - - PUT - - POST - - DELETE - - OPTIONS - - HEAD - - PATCH - - TRACE - - QUERY - get: - $ref: '#/$defs/operation' - put: - $ref: '#/$defs/operation' - post: - $ref: '#/$defs/operation' - delete: - $ref: '#/$defs/operation' - options: - $ref: '#/$defs/operation' - head: - $ref: '#/$defs/operation' - patch: - $ref: '#/$defs/operation' - trace: - $ref: '#/$defs/operation' - query: - $ref: '#/$defs/operation' - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - operation: - $comment: https://spec.openapis.org/oas/v3.2#operation-object - type: object - properties: - tags: - type: array - items: - type: string - summary: - type: string - description: - type: string - externalDocs: - $ref: '#/$defs/external-documentation' - operationId: - type: string - parameters: - $ref: '#/$defs/parameters' - requestBody: - $ref: '#/$defs/request-body-or-reference' - responses: - $ref: '#/$defs/responses' - callbacks: - type: object - additionalProperties: - $ref: '#/$defs/callbacks-or-reference' - deprecated: - default: false - type: boolean - security: - type: array - items: - $ref: '#/$defs/security-requirement' - servers: - type: array - items: - $ref: '#/$defs/server' - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - external-documentation: - $comment: https://spec.openapis.org/oas/v3.2#external-documentation-object - type: object - properties: - description: - type: string - url: - type: string - format: uri-reference - required: - - url - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - parameters: - type: array - items: - $ref: '#/$defs/parameter-or-reference' - not: - allOf: - - contains: - type: object - properties: - in: - const: query - required: - - in - - contains: - type: object - properties: - in: - const: querystring - required: - - in - contains: - type: object - properties: - in: - const: querystring - required: - - in - minContains: 0 - maxContains: 1 - - parameter: - $comment: https://spec.openapis.org/oas/v3.2#parameter-object - type: object - properties: - name: - type: string - in: - enum: - - query - - querystring - - header - - path - - cookie - description: - type: string - required: - default: false - type: boolean - deprecated: - default: false - type: boolean - schema: - $dynamicRef: '#meta' - content: - $ref: '#/$defs/content' - minProperties: 1 - maxProperties: 1 - required: - - name - - in - oneOf: - - required: - - schema - - required: - - content - allOf: - - $ref: '#/$defs/examples' - - $ref: '#/$defs/specification-extensions' - - if: - properties: - in: - const: query - then: - properties: - allowEmptyValue: - default: false - type: boolean - - if: - properties: - in: - const: querystring - then: - required: - - content - dependentSchemas: - schema: - properties: - style: - type: string - explode: - type: boolean - allowReserved: - default: false - type: boolean - allOf: - - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-path' - - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-header' - - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-query' - - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-cookie' - - $ref: '#/$defs/styles-for-form' - - $defs: - styles-for-path: - if: - properties: - in: - const: path - then: - properties: - style: - default: simple - enum: - - matrix - - label - - simple - required: - const: true - required: - - required - - styles-for-header: - if: - properties: - in: - const: header - then: - properties: - style: - default: simple - const: simple - - styles-for-query: - if: - properties: - in: - const: query - then: - properties: - style: - default: form - enum: - - form - - spaceDelimited - - pipeDelimited - - deepObject - - styles-for-cookie: - if: - properties: - in: - const: cookie - then: - properties: - style: - default: form - enum: - - form - - cookie - - unevaluatedProperties: false - - parameter-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/parameter' - - request-body: - $comment: https://spec.openapis.org/oas/v3.2#request-body-object - type: object - properties: - description: - type: string - content: - $ref: '#/$defs/content' - required: - default: false - type: boolean - required: - - content - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - request-body-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/request-body' - - content: - $comment: https://spec.openapis.org/oas/v3.2#fixed-fields-10 - type: object - additionalProperties: - $ref: '#/$defs/media-type-or-reference' - propertyNames: - format: media-range - - media-type: - $comment: https://spec.openapis.org/oas/v3.2#media-type-object - type: object - properties: - description: - type: string - schema: - $dynamicRef: '#meta' - itemSchema: - $dynamicRef: '#meta' - encoding: - type: object - additionalProperties: - $ref: '#/$defs/encoding' - prefixEncoding: - type: array - items: - $ref: '#/$defs/encoding' - itemEncoding: - $ref: '#/$defs/encoding' - dependentSchemas: - encoding: - properties: - prefixEncoding: false - itemEncoding: false - allOf: - - $ref: '#/$defs/examples' - - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - media-type-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/media-type' - - encoding: - $comment: https://spec.openapis.org/oas/v3.2#encoding-object - type: object - properties: - contentType: - type: string - format: media-range - headers: - type: object - additionalProperties: - $ref: '#/$defs/header-or-reference' - style: - enum: - - form - - spaceDelimited - - pipeDelimited - - deepObject - explode: - type: boolean - allowReserved: - type: boolean - encoding: - type: object - additionalProperties: - $ref: '#/$defs/encoding' - prefixEncoding: - type: array - items: - $ref: '#/$defs/encoding' - itemEncoding: - $ref: '#/$defs/encoding' - dependentSchemas: - encoding: - properties: - prefixEncoding: false - itemEncoding: false - style: - properties: - allowReserved: - default: false - explode: - properties: - style: - default: form - allowReserved: - default: false - allowReserved: - properties: - style: - default: form - allOf: - - $ref: '#/$defs/specification-extensions' - - $ref: '#/$defs/styles-for-form' - unevaluatedProperties: false - - responses: - $comment: https://spec.openapis.org/oas/v3.2#responses-object - type: object - properties: - default: - $ref: '#/$defs/response-or-reference' - patternProperties: - '^[1-5](?:[0-9]{2}|XX)$': - $ref: '#/$defs/response-or-reference' - minProperties: 1 - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - if: - $comment: either default, or at least one response code property must exist - patternProperties: - '^[1-5](?:[0-9]{2}|XX)$': false - then: - required: [default] - - response: - $comment: https://spec.openapis.org/oas/v3.2#response-object - type: object - properties: - summary: - type: string - description: - type: string - headers: - type: object - additionalProperties: - $ref: '#/$defs/header-or-reference' - content: - $ref: '#/$defs/content' - links: - type: object - additionalProperties: - $ref: '#/$defs/link-or-reference' - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - response-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/response' - - callbacks: - $comment: https://spec.openapis.org/oas/v3.2#callback-object - type: object - $ref: '#/$defs/specification-extensions' - additionalProperties: - $ref: '#/$defs/path-item' - - callbacks-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/callbacks' - - example: - $comment: https://spec.openapis.org/oas/v3.2#example-object - type: object - properties: - summary: - type: string - description: - type: string - dataValue: true - serializedValue: - type: string - value: true - externalValue: - type: string - format: uri-reference - allOf: - - not: - required: - - value - - externalValue - - not: - required: - - value - - dataValue - - not: - required: - - value - - serializedValue - - not: - required: - - serializedValue - - externalValue - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - example-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/example' - - link: - $comment: https://spec.openapis.org/oas/v3.2#link-object - type: object - properties: - operationRef: - type: string - format: uri-reference - operationId: - type: string - parameters: - $ref: '#/$defs/map-of-strings' - requestBody: true - description: - type: string - server: - $ref: '#/$defs/server' - oneOf: - - required: - - operationRef - - required: - - operationId - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - link-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/link' - - header: - $comment: https://spec.openapis.org/oas/v3.2#header-object - type: object - properties: - description: - type: string - required: - default: false - type: boolean - deprecated: - default: false - type: boolean - schema: - $dynamicRef: '#meta' - content: - $ref: '#/$defs/content' - minProperties: 1 - maxProperties: 1 - oneOf: - - required: - - schema - - required: - - content - dependentSchemas: - schema: - properties: - style: - default: simple - const: simple - explode: - default: false - type: boolean - allowReserved: - default: false - type: boolean - allOf: - - $ref: '#/$defs/examples' - - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - header-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/header' - - tag: - $comment: https://spec.openapis.org/oas/v3.2#tag-object - type: object - properties: - name: - type: string - summary: - type: string - description: - type: string - externalDocs: - $ref: '#/$defs/external-documentation' - parent: - type: string - kind: - type: string - required: - - name - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - reference: - $comment: https://spec.openapis.org/oas/v3.2#reference-object - type: object - properties: - $ref: - type: string - format: uri-reference - summary: - type: string - description: - type: string - - schema: - $comment: https://spec.openapis.org/oas/v3.2#schema-object - $dynamicAnchor: meta - type: - - object - - boolean - - security-scheme: - $comment: https://spec.openapis.org/oas/v3.2#security-scheme-object - type: object - properties: - type: - enum: - - apiKey - - http - - mutualTLS - - oauth2 - - openIdConnect - description: - type: string - deprecated: - default: false - type: boolean - required: - - type - allOf: - - $ref: '#/$defs/specification-extensions' - - $ref: '#/$defs/security-scheme/$defs/type-apikey' - - $ref: '#/$defs/security-scheme/$defs/type-http' - - $ref: '#/$defs/security-scheme/$defs/type-http-bearer' - - $ref: '#/$defs/security-scheme/$defs/type-oauth2' - - $ref: '#/$defs/security-scheme/$defs/type-oidc' - unevaluatedProperties: false - - $defs: - type-apikey: - if: - properties: - type: - const: apiKey - then: - properties: - name: - type: string - in: - enum: - - query - - header - - cookie - required: - - name - - in - - type-http: - if: - properties: - type: - const: http - then: - properties: - scheme: - type: string - required: - - scheme - - type-http-bearer: - if: - properties: - type: - const: http - scheme: - type: string - pattern: ^[Bb][Ee][Aa][Rr][Ee][Rr]$ - required: - - type - - scheme - then: - properties: - bearerFormat: - type: string - - type-oauth2: - if: - properties: - type: - const: oauth2 - then: - properties: - flows: - $ref: '#/$defs/oauth-flows' - oauth2MetadataUrl: - type: string - format: uri-reference - required: - - flows - - type-oidc: - if: - properties: - type: - const: openIdConnect - then: - properties: - openIdConnectUrl: - type: string - format: uri-reference - required: - - openIdConnectUrl - - security-scheme-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/security-scheme' - - oauth-flows: - type: object - properties: - implicit: - $ref: '#/$defs/oauth-flows/$defs/implicit' - password: - $ref: '#/$defs/oauth-flows/$defs/password' - clientCredentials: - $ref: '#/$defs/oauth-flows/$defs/client-credentials' - authorizationCode: - $ref: '#/$defs/oauth-flows/$defs/authorization-code' - deviceAuthorization: - $ref: '#/$defs/oauth-flows/$defs/device-authorization' - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - $defs: - implicit: - type: object - properties: - authorizationUrl: - type: string - format: uri-reference - refreshUrl: - type: string - format: uri-reference - scopes: - $ref: '#/$defs/map-of-strings' - required: - - authorizationUrl - - scopes - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - password: - type: object - properties: - tokenUrl: - type: string - format: uri-reference - refreshUrl: - type: string - format: uri-reference - scopes: - $ref: '#/$defs/map-of-strings' - required: - - tokenUrl - - scopes - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - client-credentials: - type: object - properties: - tokenUrl: - type: string - format: uri-reference - refreshUrl: - type: string - format: uri-reference - scopes: - $ref: '#/$defs/map-of-strings' - required: - - tokenUrl - - scopes - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - authorization-code: - type: object - properties: - authorizationUrl: - type: string - format: uri-reference - tokenUrl: - type: string - format: uri-reference - refreshUrl: - type: string - format: uri-reference - scopes: - $ref: '#/$defs/map-of-strings' - required: - - authorizationUrl - - tokenUrl - - scopes - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - device-authorization: - type: object - properties: - deviceAuthorizationUrl: - type: string - format: uri-reference - tokenUrl: - type: string - format: uri-reference - refreshUrl: - type: string - format: uri-reference - scopes: - $ref: '#/$defs/map-of-strings' - required: - - deviceAuthorizationUrl - - tokenUrl - - scopes - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - security-requirement: - $comment: https://spec.openapis.org/oas/v3.2#security-requirement-object - type: object - additionalProperties: - type: array - items: - type: string - - specification-extensions: - $comment: https://spec.openapis.org/oas/v3.2#specification-extensions - patternProperties: - '^x-': true - - examples: - properties: - example: true - examples: - type: object - additionalProperties: - $ref: '#/$defs/example-or-reference' - not: - required: - - example - - examples - - map-of-strings: - type: object - additionalProperties: - type: string - - styles-for-form: - if: - properties: - style: - const: form - required: - - style - then: - properties: - explode: - default: true - else: - properties: - explode: - default: false diff --git a/tests/schema/fail/encoding-enc-item-exclusion.yaml b/tests/schema/fail/encoding-enc-item-exclusion.yaml deleted file mode 100644 index e0c7e03b8e..0000000000 --- a/tests/schema/fail/encoding-enc-item-exclusion.yaml +++ /dev/null @@ -1,13 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - requestBodies: - encoding-with-prefixEncoding-not-allowed: - content: - multipart/mixed: - prefixEncoding: - - contentType: multipart/mixed - encoding: {} - prefixEncoding: [] diff --git a/tests/schema/fail/encoding-enc-prefix-exclusion.yaml b/tests/schema/fail/encoding-enc-prefix-exclusion.yaml deleted file mode 100644 index 9ed8c09c18..0000000000 --- a/tests/schema/fail/encoding-enc-prefix-exclusion.yaml +++ /dev/null @@ -1,13 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - requestBodies: - encoding-with-itemEncoding-not-allowed: - content: - multipart/mixed: - prefixEncoding: - - contentType: multipart/mixed - encoding: {} - itemEncoding: [] diff --git a/tests/schema/fail/example-examples.yaml b/tests/schema/fail/example-examples.yaml deleted file mode 100644 index aa8227817d..0000000000 --- a/tests/schema/fail/example-examples.yaml +++ /dev/null @@ -1,17 +0,0 @@ -openapi: 3.2.0 - -# this example should fail, as example cannot be used together with examples. - -info: - title: API - version: 1.0.0 -components: - parameters: - animal: - name: animal - in: header - schema: {} - example: bear - examples: - a mammalian example: - dataValue: bear diff --git a/tests/schema/fail/example-object-old-exclusions.yaml b/tests/schema/fail/example-object-old-exclusions.yaml deleted file mode 100644 index 37be07da1c..0000000000 --- a/tests/schema/fail/example-object-old-exclusions.yaml +++ /dev/null @@ -1,10 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 - -components: - examples: - CannotHaveBoth: - value: foo - externalValue: https://example.com/foo diff --git a/tests/schema/fail/example-object-old-vs-data.yaml b/tests/schema/fail/example-object-old-vs-data.yaml deleted file mode 100644 index f52e7feb0e..0000000000 --- a/tests/schema/fail/example-object-old-vs-data.yaml +++ /dev/null @@ -1,10 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 - -components: - examples: - NoValueWithDataValue: - value: foo - dataValue: foo diff --git a/tests/schema/fail/example-object-old-vs-ser.yaml b/tests/schema/fail/example-object-old-vs-ser.yaml deleted file mode 100644 index 43ba991e4e..0000000000 --- a/tests/schema/fail/example-object-old-vs-ser.yaml +++ /dev/null @@ -1,10 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 - -components: - examples: - CannotHaveBoth: - value: foo - serializedValue: foo diff --git a/tests/schema/fail/example-object-ser-exclusions.yaml b/tests/schema/fail/example-object-ser-exclusions.yaml deleted file mode 100644 index 3a6bc01e21..0000000000 --- a/tests/schema/fail/example-object-ser-exclusions.yaml +++ /dev/null @@ -1,10 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 - -components: - examples: - CannotHaveBoth: - serializedValue: foo - externalValue: https://example.com/foo diff --git a/tests/schema/fail/invalid_schema_types.yaml b/tests/schema/fail/invalid_schema_types.yaml deleted file mode 100644 index b3aa50a6c8..0000000000 --- a/tests/schema/fail/invalid_schema_types.yaml +++ /dev/null @@ -1,12 +0,0 @@ -openapi: 3.2.0 - -# this example shows invalid types for the schemaObject - -info: - title: API - version: 1.0.0 -components: - schemas: - invalid_null: null - invalid_number: 0 - invalid_array: [] diff --git a/tests/schema/fail/media-type-enc-item-exclusion.yaml b/tests/schema/fail/media-type-enc-item-exclusion.yaml deleted file mode 100644 index 5bcf06a94d..0000000000 --- a/tests/schema/fail/media-type-enc-item-exclusion.yaml +++ /dev/null @@ -1,11 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - requestBodies: - encoding-with-itemEncoding-not-allowed: - content: - multipart/mixed: - encoding: {} - itemEncoding: {} diff --git a/tests/schema/fail/media-type-enc-prefix-exclusion.yaml b/tests/schema/fail/media-type-enc-prefix-exclusion.yaml deleted file mode 100644 index 2f19064c22..0000000000 --- a/tests/schema/fail/media-type-enc-prefix-exclusion.yaml +++ /dev/null @@ -1,11 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - requestBodies: - encoding-with-prefixEncoding-not-allowed: - content: - multipart/mixed: - encoding: {} - prefixEncoding: [] diff --git a/tests/schema/fail/no_containers.yaml b/tests/schema/fail/no_containers.yaml deleted file mode 100644 index 3c38be021d..0000000000 --- a/tests/schema/fail/no_containers.yaml +++ /dev/null @@ -1,7 +0,0 @@ -openapi: 3.2.0 - -# this example should fail as there are no paths, components or webhooks containers (at least one of which must be present) - -info: - title: API - version: 1.0.0 diff --git a/tests/schema/fail/operation-object-query-with-querystring.yaml b/tests/schema/fail/operation-object-query-with-querystring.yaml deleted file mode 100644 index 5046d9c73c..0000000000 --- a/tests/schema/fail/operation-object-query-with-querystring.yaml +++ /dev/null @@ -1,20 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - pathItems: - my-path-item: - get: - description: a query parameter cannot be used together with a querystring parameter - parameters: - - name: myquerystring - in: querystring - content: - application/json: - schema: - type: string - - name: myquery - in: query - schema: - type: string diff --git a/tests/schema/fail/operation-object-two-querystrings.yaml b/tests/schema/fail/operation-object-two-querystrings.yaml deleted file mode 100644 index 35cebf0a3c..0000000000 --- a/tests/schema/fail/operation-object-two-querystrings.yaml +++ /dev/null @@ -1,20 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - pathItems: - my-path-item: - get: - description: querystring cannot be used twice - parameters: - - name: myquerystring1 - in: querystring - content: - application/json: - schema: {} - - name: myquerystring2 - in: querystring - content: - application/json: - schema: {} diff --git a/tests/schema/fail/parameter-object-content-not-with-style.yaml b/tests/schema/fail/parameter-object-content-not-with-style.yaml deleted file mode 100644 index 7a16b89aa8..0000000000 --- a/tests/schema/fail/parameter-object-content-not-with-style.yaml +++ /dev/null @@ -1,14 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - parameters: - content-not-with-style: - in: querystring - name: json - content: - application/json: - schema: - type: object - style: simple diff --git a/tests/schema/fail/parameter-object-querystring-not-with-schema.yaml b/tests/schema/fail/parameter-object-querystring-not-with-schema.yaml deleted file mode 100644 index 4f4cf98666..0000000000 --- a/tests/schema/fail/parameter-object-querystring-not-with-schema.yaml +++ /dev/null @@ -1,11 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - parameters: - querystring-not-with-schema: - in: querystring - name: json - schema: - type: object diff --git a/tests/schema/fail/path-item-object-conflicting-additional-operation.yaml b/tests/schema/fail/path-item-object-conflicting-additional-operation.yaml deleted file mode 100644 index f068406b68..0000000000 --- a/tests/schema/fail/path-item-object-conflicting-additional-operation.yaml +++ /dev/null @@ -1,64 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: - /pets/{id}: - get: - description: Returns pets based on ID - summary: Find pets by ID - operationId: getPetsById - responses: - '200': - description: pet response - content: - '*/*': - schema: - type: array - items: - $ref: '#/components/schemas/Pet' - default: - description: error payload - content: - text/html: - schema: - $ref: '#/components/schemas/ErrorModel' - parameters: - - name: id - in: path - description: ID of pet to use - required: true - schema: - type: array - items: - type: string - style: simple - additionalOperations: - POST: - description: Returns pets based on ID - summary: Find pets by ID - operationId: postPetsById - requestBody: - description: ID of pet to use - required: true - content: - application/json: - schema: - type: array - items: - type: string - responses: - '200': - description: pet response - content: - '*/*': - schema: - type: array - items: - $ref: '#/components/schemas/Pet' - default: - description: error payload - content: - text/html: - schema: - $ref: '#/components/schemas/ErrorModel' \ No newline at end of file diff --git a/tests/schema/fail/path-item-object-query-with-querystring.yaml b/tests/schema/fail/path-item-object-query-with-querystring.yaml deleted file mode 100644 index 6efbda4468..0000000000 --- a/tests/schema/fail/path-item-object-query-with-querystring.yaml +++ /dev/null @@ -1,19 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - pathItems: - my-path-item: - parameters: - - name: myquerystring - in: querystring - content: - application/json: - schema: - type: string - - name: myquery - in: query - schema: - type: string - get: {} diff --git a/tests/schema/fail/path-item-object-two-querystrings.yaml b/tests/schema/fail/path-item-object-two-querystrings.yaml deleted file mode 100644 index daf5caa494..0000000000 --- a/tests/schema/fail/path-item-object-two-querystrings.yaml +++ /dev/null @@ -1,20 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - pathItems: - my-path-item: - description: querystring cannot be used twice - parameters: - - name: myquerystring1 - in: querystring - content: - application/json: - schema: {} - - name: myquerystring2 - in: querystring - content: - application/json: - schema: {} - get: {} diff --git a/tests/schema/fail/server_enum_empty.yaml b/tests/schema/fail/server_enum_empty.yaml deleted file mode 100644 index db4b970ced..0000000000 --- a/tests/schema/fail/server_enum_empty.yaml +++ /dev/null @@ -1,14 +0,0 @@ -openapi: 3.2.0 - -# this example should fail as the server variable enum is empty, and so does not contain the default value - -info: - title: API - version: 1.0.0 -servers: - - url: https://example.com/{var} - variables: - var: - enum: [] - default: a -components: {} diff --git a/tests/schema/fail/servers.yaml b/tests/schema/fail/servers.yaml deleted file mode 100644 index 1b5e2d5fc8..0000000000 --- a/tests/schema/fail/servers.yaml +++ /dev/null @@ -1,11 +0,0 @@ -openapi: 3.2.0 - -# this example should fail, as servers must be an array, not an object - -info: - title: API - version: 1.0.0 -paths: {} -servers: - url: /v1 - description: Run locally. diff --git a/tests/schema/fail/unknown_container.yaml b/tests/schema/fail/unknown_container.yaml deleted file mode 100644 index c0a4b8bb7e..0000000000 --- a/tests/schema/fail/unknown_container.yaml +++ /dev/null @@ -1,8 +0,0 @@ -openapi: 3.2.0 - -# this example should fail as overlays is not a valid top-level object/keyword - -info: - title: API - version: 1.0.0 -overlays: {} diff --git a/tests/schema/fail/xml-attr-exclusion.yaml b/tests/schema/fail/xml-attr-exclusion.yaml deleted file mode 100644 index b48a02d1a5..0000000000 --- a/tests/schema/fail/xml-attr-exclusion.yaml +++ /dev/null @@ -1,11 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - schemas: - Attr: - type: string - xml: - attribute: true - nodeType: attribute diff --git a/tests/schema/fail/xml-wrapped-exclusion.yaml b/tests/schema/fail/xml-wrapped-exclusion.yaml deleted file mode 100644 index 74f8ea512e..0000000000 --- a/tests/schema/fail/xml-wrapped-exclusion.yaml +++ /dev/null @@ -1,11 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - schemas: - List: - type: array - xml: - wrapped: true - nodeType: element diff --git a/tests/schema/pass/callback-object-examples.yaml b/tests/schema/pass/callback-object-examples.yaml deleted file mode 100644 index 7a7f86f070..0000000000 --- a/tests/schema/pass/callback-object-examples.yaml +++ /dev/null @@ -1,30 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - callbacks: - myCallback: - '{$request.query.queryUrl}': - post: - requestBody: - description: Callback payload - content: - application/json: - schema: - $ref: '#/components/schemas/SomePayload' - responses: - '200': - description: callback successfully processed - transactionCallback: - 'http://notificationServer.com?transactionId={$request.body#/id}&email={$request.body#/email}': - post: - requestBody: - description: Callback payload - content: - application/json: - schema: - $ref: '#/components/schemas/SomePayload' - responses: - '200': - description: callback successfully processed \ No newline at end of file diff --git a/tests/schema/pass/comp_pathitems.yaml b/tests/schema/pass/comp_pathitems.yaml deleted file mode 100644 index 5178c1f56b..0000000000 --- a/tests/schema/pass/comp_pathitems.yaml +++ /dev/null @@ -1,6 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - pathItems: {} diff --git a/tests/schema/pass/components-object-example.yaml b/tests/schema/pass/components-object-example.yaml deleted file mode 100644 index 33a56e608f..0000000000 --- a/tests/schema/pass/components-object-example.yaml +++ /dev/null @@ -1,71 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - schemas: - GeneralError: - type: object - properties: - code: - type: integer - format: int32 - message: - type: string - Category: - type: object - properties: - id: - type: integer - format: int64 - name: - type: string - Tag: - type: object - properties: - id: - type: integer - format: int64 - name: - type: string - parameters: - skipParam: - name: skip - in: query - description: number of items to skip - required: true - schema: - type: integer - format: int32 - limitParam: - name: limit - in: query - description: max records to return - required: true - schema: - type: integer - format: int32 - responses: - NotFound: - description: Entity not found. - IllegalInput: - description: Illegal input for operation. - GeneralError: - description: General Error - content: - application/json: - schema: - $ref: '#/components/schemas/GeneralError' - securitySchemes: - api_key: - type: apiKey - name: api-key - in: header - petstore_auth: - type: oauth2 - flows: - implicit: - authorizationUrl: https://example.org/api/oauth/dialog - scopes: - write:pets: modify pets in your account - read:pets: read your pets \ No newline at end of file diff --git a/tests/schema/pass/example-object-examples.yaml b/tests/schema/pass/example-object-examples.yaml deleted file mode 100644 index af8cc255f0..0000000000 --- a/tests/schema/pass/example-object-examples.yaml +++ /dev/null @@ -1,64 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - requestBodies: - with-example: - content: - 'application/json': - schema: - $ref: '#/components/schemas/Address' - examples: - foo: - summary: A foo example - value: - foo: bar - bar: - summary: A bar example - value: - bar: baz - application/xml: - examples: - xmlExample: - summary: This is an example in XML - externalValue: https://example.org/examples/address-example.xml - text/plain: - examples: - textExample: - summary: This is a text example - externalValue: https://foo.bar/examples/address-example.txt - parameters: - with-example: - name: zipCode - in: query - schema: - type: string - format: zip-code - examples: - zip-example: - $ref: '#/components/examples/zip-example' - responses: - '200': - description: your car appointment has been booked - content: - application/json: - schema: - $ref: '#/components/schemas/SuccessResponse' - examples: - confirmation-success: - $ref: '#/components/examples/confirmation-success' - application/x-www-form-urlencoded: - schema: - type: object - properties: - jsonValue: - type: string - encoding: - jsonValue: - contentType: application/json - examples: - jsonFormValue: - description: 'The JSON string "json" as a form value' - dataValue: json - serializedValue: jsonValue=%22json%22 diff --git a/tests/schema/pass/header-object-examples.yaml b/tests/schema/pass/header-object-examples.yaml deleted file mode 100644 index 4122c75c61..0000000000 --- a/tests/schema/pass/header-object-examples.yaml +++ /dev/null @@ -1,26 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - headers: - X-Rate-Limit-Limit: - description: The number of allowed requests in the current period - deprecated: false - schema: - type: integer - ETag: - required: true - content: - text/plain: - schema: - type: string - pattern: ^" - Reference: - $ref: '#/components/schemas/ETag' - Style: - schema: - type: array - style: simple - explode: true - allowReserved: true \ No newline at end of file diff --git a/tests/schema/pass/info-object-example.yaml b/tests/schema/pass/info-object-example.yaml deleted file mode 100644 index 1d36bef06c..0000000000 --- a/tests/schema/pass/info-object-example.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# including External Documentation Object Example -openapi: 3.2.0 -$self: https://example.com/openapi -info: - title: Example Pet Store App - summary: A pet store manager. - description: This is an example server for a pet store. - termsOfService: https://example.com/terms/ - contact: - name: API Support - url: https://www.example.com/support - email: support@example.com - license: - name: Apache 2.0 - url: https://www.apache.org/licenses/LICENSE-2.0.html - version: 1.0.1 -externalDocs: - description: Find more info here - url: https://example.com -components: {} diff --git a/tests/schema/pass/info_summary.yaml b/tests/schema/pass/info_summary.yaml deleted file mode 100644 index 6697751d56..0000000000 --- a/tests/schema/pass/info_summary.yaml +++ /dev/null @@ -1,6 +0,0 @@ -openapi: 3.2.0 -info: - title: API - summary: My lovely API - version: 1.0.0 -components: {} diff --git a/tests/schema/pass/json_schema_dialect.yaml b/tests/schema/pass/json_schema_dialect.yaml deleted file mode 100644 index fa054c9b89..0000000000 --- a/tests/schema/pass/json_schema_dialect.yaml +++ /dev/null @@ -1,15 +0,0 @@ -openapi: 3.2.0 -info: - summary: Testing jsonSchemaDialect - title: My API - version: 1.0.0 - license: - name: Apache 2.0 - identifier: Apache-2.0 -jsonSchemaDialect: https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS -components: - schemas: - WithDollarSchema: - $id: "locked-metaschema" - $schema: https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS -paths: {} diff --git a/tests/schema/pass/license_identifier.yaml b/tests/schema/pass/license_identifier.yaml deleted file mode 100644 index 20d5e4368e..0000000000 --- a/tests/schema/pass/license_identifier.yaml +++ /dev/null @@ -1,9 +0,0 @@ -openapi: 3.2.0 -info: - title: API - summary: My lovely API - version: 1.0.0 - license: - name: Apache - identifier: Apache-2.0 -components: {} diff --git a/tests/schema/pass/link-object-examples.yaml b/tests/schema/pass/link-object-examples.yaml deleted file mode 100644 index 9d471f0a03..0000000000 --- a/tests/schema/pass/link-object-examples.yaml +++ /dev/null @@ -1,66 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: - /users/{id}: - parameters: - - name: id - in: path - required: true - description: the user identifier, as userId - schema: - type: string - get: - responses: - '200': - description: the user being returned - content: - application/json: - schema: - type: object - properties: - uuid: # the unique user id - type: string - format: uuid - links: - address: - # the target link operationId - operationId: getUserAddress - parameters: - # get the `id` field from the request path parameter named `id` - userid: $request.path.id - address2: - operationId: getUserAddressByUUID - parameters: - # get the `uuid` field from the `uuid` field in the response body - userUuid: $response.body#/uuid - UserRepositories: - # returns array of '#/components/schemas/repository' - operationRef: '#/paths/~12.0~1repositories~1%7Busername%7D/get' - parameters: - username: $response.body#/username - UserRepositories2: - # returns array of '#/components/schemas/repository' - operationRef: https://na2.gigantic-server.com/#/paths/~12.0~1repositories~1%7Busername%7D/get - parameters: - username: $response.body#/username - withBody: - operationId: queryUserWithBody - requestBody: - userId: $request.path.id - # the path item of the linked operation - /users/{userid}/address: - parameters: - - name: userid - in: path - required: true - description: the user identifier, as userId - schema: - type: string - # linked operation - get: - operationId: getUserAddress - responses: - '200': - description: the user's address \ No newline at end of file diff --git a/tests/schema/pass/media-type-examples.yaml b/tests/schema/pass/media-type-examples.yaml deleted file mode 100644 index 6ace84a8d5..0000000000 --- a/tests/schema/pass/media-type-examples.yaml +++ /dev/null @@ -1,173 +0,0 @@ -# including Encoding Object examples -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - mediaTypes: - StreamingPets: - description: | - Streaming sequence of JSON pet representations, - suitable for use with any of the streaming JSON - media types. - itemSchema: - $ref: '#components/schemas/Pet' -paths: - /something: - put: - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Pet' - examples: - cat: - summary: An example of a cat - value: - name: Fluffy - petType: Cat - color: White - gender: male - breed: Persian - dog: - summary: An example of a dog with a cat's name - value: - name: Puma - petType: Dog - color: Black - gender: Female - breed: Mixed - frog: - $ref: '#/components/examples/frog-example' - application/jsonl: - $ref: '#/components/mediaTypes/StreamingPets' - application/x-ndjson: - $ref: '#/components/mediaTypes/StreamingPets' - application/xml: - schema: - type: object - properties: - foo: - type: string - xml: - namespace: https://example.com - prefix: example - name: Foo - bar: - type: array - items: - type: number - xml: - wrapped: true - attr: - type: string - xml: - attribute: true - elementNode: - $ref: "#/components/schemas/Pet" - xml: - nodeType: element - attributeNode: - type: string - xml: - nodeType: attribute - textNode: - type: string - xml: - nodeType: text - cdataNode: - type: string - xml: - nodeType: cdata - noneNode: - type: object - xml: - nodeType: none - application/x-www-form-urlencoded: - schema: - type: object - properties: - id: - type: string - format: uuid - address: - # complex types are stringified to support RFC 1866 - type: object - properties: {} - icon: - # The default with "contentEncoding" is application/octet-stream, - # so we need to set image media type(s) in the Encoding Object. - type: string - contentEncoding: base64url - encoding: - icon: - contentType: image/png, image/jpeg - multipart/form-data: - schema: - type: object - properties: - id: - # default is `text/plain` - type: string - format: uuid - addresses: - # default based on the `items` subschema would be - # `application/json`, but we want these address objects - # serialized as `application/xml` instead - description: addresses in XML format - type: array - items: - $ref: '#/components/schemas/Address' - profileImage: - # default is application/octet-stream, but we can declare - # a more specific image type or types - type: string - format: binary - forCoverage: - type: string - forCoverage2: - type: string - nested1: - type: object - nested2: - type: array - encoding: - addresses: - # require XML Content-Type in utf-8 encoding - # This is applied to each address part corresponding - # to each address in he array - contentType: application/xml; charset=utf-8 - profileImage: - # only accept png or jpeg - contentType: image/png, image/jpeg - headers: - X-Rate-Limit-Limit: - description: The number of allowed requests in the current period - schema: - type: integer - forCoverage: - style: form - explode: false - allowReserved: true - forCoverage2: - style: spaceDelimited - explode: true - nested1: - contentType: multipart/form-data - encoding: - inner: {} - nested2: - contentType: multipart/mixed - prefixEncoding: - - {} - itemEncoding: {} - multipart/related: - schema: - type: array - itemEncoding: - contentType: text/plain - prefixEncoding: - - headers: - Content-Location: - schema: - type: string diff --git a/tests/schema/pass/mega.yaml b/tests/schema/pass/mega.yaml deleted file mode 100644 index 8304fbe199..0000000000 --- a/tests/schema/pass/mega.yaml +++ /dev/null @@ -1,62 +0,0 @@ -openapi: 3.2.0 -info: - summary: My API's summary - title: My API - version: 1.0.0 - license: - name: Apache 2.0 - identifier: Apache-2.0 -paths: - /: - get: - parameters: [] - /{pathTest}: {} -webhooks: - myWebhook: - $ref: '#/components/pathItems/myPathItem' - description: Overriding description -components: - securitySchemes: - mtls: - type: mutualTLS - schemas: - Foo: - type: object - properties: - type: - const: foo - pathItems: - myPathItem: - post: - requestBody: - required: true - content: - 'application/json': - schema: - externalDocs: - description: More docs! - url: https://example.com/elsewhere.html - type: object - properties: - type: - type: string - int: - type: integer - exclusiveMaximum: 100 - exclusiveMinimum: 0 - none: - type: 'null' - arr: - type: array - $comment: Array without items keyword - either: - type: ['string','null'] - discriminator: - propertyName: type - mapping: - foo: Foo - defaultMapping: Bar - x-extension: true - anyOf: - - $ref: "#/components/schemas/Foo" - myArbitraryKeyword: true diff --git a/tests/schema/pass/minimal_comp.yaml b/tests/schema/pass/minimal_comp.yaml deleted file mode 100644 index 8f81f7e05e..0000000000 --- a/tests/schema/pass/minimal_comp.yaml +++ /dev/null @@ -1,5 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: {} diff --git a/tests/schema/pass/minimal_hooks.yaml b/tests/schema/pass/minimal_hooks.yaml deleted file mode 100644 index 0e44257ad0..0000000000 --- a/tests/schema/pass/minimal_hooks.yaml +++ /dev/null @@ -1,5 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -webhooks: {} diff --git a/tests/schema/pass/minimal_paths.yaml b/tests/schema/pass/minimal_paths.yaml deleted file mode 100644 index c332bba18c..0000000000 --- a/tests/schema/pass/minimal_paths.yaml +++ /dev/null @@ -1,5 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: {} diff --git a/tests/schema/pass/non-oauth-scopes.yaml b/tests/schema/pass/non-oauth-scopes.yaml deleted file mode 100644 index 45506616b4..0000000000 --- a/tests/schema/pass/non-oauth-scopes.yaml +++ /dev/null @@ -1,19 +0,0 @@ -openapi: 3.2.0 -info: - title: Non-oAuth Scopes example - version: 1.0.0 -paths: - /users: - get: - security: - - bearerAuth: - - 'read:users' - - 'public' -components: - securitySchemes: - bearerAuth: - type: http - scheme: bearer - bearerFormat: jwt - description: 'note: non-oauth scopes are not defined at the securityScheme level' - diff --git a/tests/schema/pass/operation-object-example.yaml b/tests/schema/pass/operation-object-example.yaml deleted file mode 100644 index 1e5bac29f1..0000000000 --- a/tests/schema/pass/operation-object-example.yaml +++ /dev/null @@ -1,47 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: - /pets/{id}: - put: - tags: - - pet - summary: Updates a pet in the store with form data - operationId: updatePetWithForm - parameters: - - name: petId - in: path - description: ID of pet that needs to be updated - required: true - schema: - type: string - requestBody: - content: - application/x-www-form-urlencoded: - schema: - type: object - properties: - name: - description: Updated name of the pet - type: string - status: - description: Updated status of the pet - type: string - required: - - status - responses: - '200': - description: Pet updated. - content: - application/json: {} - application/xml: {} - '405': - description: Method Not Allowed - content: - application/json: {} - application/xml: {} - security: - - petstore_auth: - - write:pets - - read:pets \ No newline at end of file diff --git a/tests/schema/pass/parameter-object-examples.yaml b/tests/schema/pass/parameter-object-examples.yaml deleted file mode 100644 index 8a3db655ba..0000000000 --- a/tests/schema/pass/parameter-object-examples.yaml +++ /dev/null @@ -1,75 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: - /user/{username}: - parameters: - - name: token - in: header - description: token to be passed as a header - required: true - schema: - type: array - items: - type: integer - format: int64 - style: simple - - name: username - in: path - description: username to fetch - required: true - schema: - type: string - - name: id - in: query - description: ID of the object to fetch - required: false - schema: - type: array - items: - type: string - style: form - explode: true - - in: query - name: freeForm - schema: - type: object - additionalProperties: - type: integer - style: form - - in: query - name: coordinates - content: - application/json: - schema: - type: object - required: - - lat - - long - properties: - lat: - type: number - long: - type: number - - in: cookie - name: my_cookie1 - style: form - schema: {} - - in: cookie - name: my_cookie2 - style: cookie - schema: {} - /user: - parameters: - - in: querystring - name: json - content: - application/json: - schema: - # Allow an arbitrary JSON object to keep - # the example simple - type: object - example: - numbers: [1, 2] - flag: null diff --git a/tests/schema/pass/path-item-object-example.yaml b/tests/schema/pass/path-item-object-example.yaml deleted file mode 100644 index 0ecc2d64fa..0000000000 --- a/tests/schema/pass/path-item-object-example.yaml +++ /dev/null @@ -1,74 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: - /pets/{id}: - get: - description: Returns pets based on ID - summary: Find pets by ID - operationId: getPetsById - responses: - '200': - description: pet response - content: - '*/*': - schema: - type: array - items: - $ref: '#/components/schemas/Pet' - default: - description: error payload - content: - text/html: - schema: - $ref: '#/components/schemas/ErrorModel' - query: - description: Returns pets based on ID - summary: Find pets by ID - operationId: queryPetsById - responses: - '200': - description: pet response - content: - '*/*': - schema: - type: array - items: - $ref: '#/components/schemas/Pet' - default: - description: error payload - content: - text/html: - schema: - $ref: '#/components/schemas/ErrorModel' - parameters: - - name: id - in: path - description: ID of pet to use - required: true - schema: - type: array - items: - type: string - style: simple - additionalOperations: - COPY: - description: Copies pet information based on ID - summary: Copies pets by ID - operationId: copyPetsById - responses: - '200': - description: pet response - content: - '*/*': - schema: - type: array - items: - $ref: '#/components/schemas/Pet' - default: - description: error payload - content: - text/html: - schema: - $ref: '#/components/schemas/ErrorModel' \ No newline at end of file diff --git a/tests/schema/pass/path_item_servers_parameters.yaml b/tests/schema/pass/path_item_servers_parameters.yaml deleted file mode 100644 index 7cedc5d16c..0000000000 --- a/tests/schema/pass/path_item_servers_parameters.yaml +++ /dev/null @@ -1,112 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: - /things: - summary: Lots of things - servers: - - url: https://things.example.com - get: - summary: Get a list of things - externalDocs: - description: Find more info here - url: https://example.com - parameters: - - $ref: '#/components/parameters/biscuit' - summary: The maximum number of things to return - description: The maximum number of things to return - responses: - default: - description: A list of things - servers: - - url: https://things.example.com - post: - deprecated: false - requestBody: - $ref: '#/components/requestBodies/ThingRequestBody' - responses: - '201': - $ref: '#/components/responses/ThingResponse' - callbacks: - myCallback: - '{$request.query.queryUrl}': - post: - requestBody: - description: Callback payload - content: - application/json: - schema: - $ref: '#/components/schemas/SomePayload' - responses: - '200': - description: callback successfully processed - transactionCallback: - $ref: '#/components/callbacks/transactionCallback' - patch: {} - delete: {} - head: {} - options: {} - trace: {} -components: - callbacks: - transactionCallback: - 'http://notificationServer.com?transactionId={$request.body#/id}&email={$request.body#/email}': - post: - requestBody: - description: Callback payload - content: - application/json: - schema: - $ref: '#/components/schemas/SomePayload' - responses: - '200': - description: callback successfully processed - examples: - ThingExample: - summary: A thing - description: A thing - value: - id: 1 - name: Thing - links: - ThingLink: - description: A link to a thing - operationId: getThing - parameters: - thingId: '$response.body#/id' - server: - url: https://things.example.com - ThingyLink: - $ref: '#/components/links/ThingLink' - parameters: - limit: - name: limit - in: query - required: false - allowEmptyValue: false - allowReserved: false - deprecated: true - description: The maximum number of list items to return - schema: - type: integer - minimum: 0 - biscuit: - name: biscuit - in: cookie - style: form - schema: - type: string - requestBodies: - ThingRequestBody: - content: - application/json: - schema: - type: object - responses: - ThingResponse: - description: A thing - content: - application/json: - schema: - type: object diff --git a/tests/schema/pass/path_no_response.yaml b/tests/schema/pass/path_no_response.yaml deleted file mode 100644 index e4876799c9..0000000000 --- a/tests/schema/pass/path_no_response.yaml +++ /dev/null @@ -1,7 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: - /: - get: {} diff --git a/tests/schema/pass/path_var_empty_pathitem.yaml b/tests/schema/pass/path_var_empty_pathitem.yaml deleted file mode 100644 index e79b7cd4fe..0000000000 --- a/tests/schema/pass/path_var_empty_pathitem.yaml +++ /dev/null @@ -1,6 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: - /{var}: {} diff --git a/tests/schema/pass/paths-object-example.yaml b/tests/schema/pass/paths-object-example.yaml deleted file mode 100644 index 2ee08e581e..0000000000 --- a/tests/schema/pass/paths-object-example.yaml +++ /dev/null @@ -1,17 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: - /pets: - get: - description: Returns all pets from the system that the user has access to - responses: - '200': - description: A list of pets. - content: - application/json: - schema: - type: array - items: - $ref: '#/components/schemas/pet' \ No newline at end of file diff --git a/tests/schema/pass/request-body-examples.yaml b/tests/schema/pass/request-body-examples.yaml deleted file mode 100644 index 4da1d41bd4..0000000000 --- a/tests/schema/pass/request-body-examples.yaml +++ /dev/null @@ -1,34 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: - /something: - put: - requestBody: - description: user to add to the system - content: - application/json: - schema: - $ref: '#/components/schemas/User' - examples: - user: - summary: User example - externalValue: https://foo.bar/examples/user-example.json - application/xml: - schema: - $ref: '#/components/schemas/User' - examples: - user: - summary: User example in XML - externalValue: https://foo.bar/examples/user-example.xml - text/plain: - examples: - user: - summary: User example in plain text - externalValue: https://foo.bar/examples/user-example.txt - '*/*': - examples: - user: - summary: User example in other format - externalValue: https://foo.bar/examples/user-example.whatever \ No newline at end of file diff --git a/tests/schema/pass/response-object-examples.yaml b/tests/schema/pass/response-object-examples.yaml deleted file mode 100644 index f55d5733ed..0000000000 --- a/tests/schema/pass/response-object-examples.yaml +++ /dev/null @@ -1,43 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - responses: - complex-object-array: - summary: Complex object array - description: A complex object array response - content: - application/json: - schema: - type: array - items: - $ref: '#/components/schemas/VeryComplexType' - simple-string: - description: A simple string response - content: - text/plain: - schema: - type: string - plain-text-with-headers: - description: A simple string response - content: - text/plain: - schema: - type: string - example: 'whoa!' - headers: - X-Rate-Limit-Limit: - description: The number of allowed requests in the current period - schema: - type: integer - X-Rate-Limit-Remaining: - description: The number of remaining requests in the current period - schema: - type: integer - X-Rate-Limit-Reset: - description: The number of seconds left in the current period - schema: - type: integer - no-return-value: - description: object created \ No newline at end of file diff --git a/tests/schema/pass/schema-object-deprecated-example-keyword.yaml b/tests/schema/pass/schema-object-deprecated-example-keyword.yaml deleted file mode 100644 index 969e66f283..0000000000 --- a/tests/schema/pass/schema-object-deprecated-example-keyword.yaml +++ /dev/null @@ -1,17 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: - /user: - parameters: - - in: query - name: example - schema: - # Allow an arbitrary JSON object to keep - # the example simple - type: object - # DEPRECATED: don't use example keyword inside Schema Object - example: - numbers: [1, 2] - flag: null diff --git a/tests/schema/pass/schema.yaml b/tests/schema/pass/schema.yaml deleted file mode 100644 index a6d72b9972..0000000000 --- a/tests/schema/pass/schema.yaml +++ /dev/null @@ -1,55 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: {} -components: - schemas: - model: - type: object - properties: - one: - description: type array - type: - - integer - - string - two: - description: type 'null' - type: "null" - three: - description: type array including 'null' - type: - - string - - "null" - four: - description: array with no items - type: array - five: - description: singular example - type: string - examples: - - exampleValue - six: - description: exclusiveMinimum true - exclusiveMinimum: 10 - seven: - description: exclusiveMinimum false - minimum: 10 - eight: - description: exclusiveMaximum true - exclusiveMaximum: 20 - nine: - description: exclusiveMaximum false - maximum: 20 - ten: - description: nullable string - type: - - string - - "null" - eleven: - description: x-nullable string - type: - - string - - "null" - twelve: - description: file/binary diff --git a/tests/schema/pass/security-scheme-object-examples.yaml b/tests/schema/pass/security-scheme-object-examples.yaml deleted file mode 100644 index d3472d5a32..0000000000 --- a/tests/schema/pass/security-scheme-object-examples.yaml +++ /dev/null @@ -1,69 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -security: - - basic: [] - - apiKey: [] - - JWT-bearer: [] - - mutualTLS: [] - - OAuth2: - - write:pets - - read:pets -components: - securitySchemes: - basic: - type: http - scheme: basic - apiKey: - type: apiKey - name: api-key - in: header - JWT-bearer: - type: http - scheme: bearer - bearerFormat: JWT - mutualTLS: - type: mutualTLS - description: Cert must be signed by example.com CA - OAuth2: - type: oauth2 - oauth2MetadataUrl: https://example.com/api/oauth/metadata - flows: - authorizationCode: - authorizationUrl: https://example.com/api/oauth/dialog - refreshUrl: https://example.com/api/oauth/refresh - tokenUrl: https://example.com/api/oauth/token - scopes: - write:pets: modify pets in your account - read:pets: read your pets - password: - tokenUrl: https://example.com/api/oauth/token - scopes: - read:pets: read your pets - refreshUrl: https://example.com/api/oauth/refresh - clientCredentials: - tokenUrl: https://example.com/api/oauth/token - scopes: - read:pets: read your pets - refreshUrl: https://example.com/api/oauth/refresh - deviceAuthorization: - deviceAuthorizationUrl: https://example.com/api/oauth/device - tokenUrl: https://example.com/api/oauth/token - scopes: - read:pets: read your pets - refreshUrl: https://example.com/api/oauth/refresh - OAuth2Old: - deprecated: true - type: oauth2 - flows: - implicit: - authorizationUrl: https://example.com/api/oauth/dialog - scopes: - read:pets: read your pets - refreshUrl: https://example.com/api/oauth/refresh - OpenIdConnect: - type: openIdConnect - openIdConnectUrl: https://example.com/api/oauth/openid - external: - $ref: 'https://example.com/api/openapi.json#/components/externalDocs/ThingExternalDocs' \ No newline at end of file diff --git a/tests/schema/pass/servers.yaml b/tests/schema/pass/servers.yaml deleted file mode 100644 index 07992113bf..0000000000 --- a/tests/schema/pass/servers.yaml +++ /dev/null @@ -1,26 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: {} -servers: - - url: /v1 - description: Run locally. - name: local - - url: https://production.com/v1 - description: Run on production server. - - url: https://{username}.gigantic-server.com:{port}/{basePath} - description: The production API server - variables: - username: - # note! no enum here means it is an open value - default: demo - description: A user-specific subdomain. Use `demo` for a free sandbox environment. - port: - enum: - - '8443' - - '443' - default: '8443' - basePath: - # open meaning there is the opportunity to use special base paths as assigned by the provider, default is `v2` - default: v2 \ No newline at end of file diff --git a/tests/schema/pass/specification-extensions.yaml b/tests/schema/pass/specification-extensions.yaml deleted file mode 100644 index 8148462f83..0000000000 --- a/tests/schema/pass/specification-extensions.yaml +++ /dev/null @@ -1,6 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: {} -x-tensions: specification extensions are prefixed with `x-` \ No newline at end of file diff --git a/tests/schema/pass/tag-object-example.yaml b/tests/schema/pass/tag-object-example.yaml deleted file mode 100644 index 6e740c8df0..0000000000 --- a/tests/schema/pass/tag-object-example.yaml +++ /dev/null @@ -1,25 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: {} -tags: - - - name: account-updates - summary: Account Updates - description: Account update operations - kind: nav - - - name: partner - summary: Partner - description: Operations available to the partners network - parent: external - kind: audience - - - name: external - summary: External - description: Operations available to external consumers - kind: audience - externalDocs: - description: Find more info here - url: https://example.com diff --git a/tests/schema/pass/valid_schema_types.yaml b/tests/schema/pass/valid_schema_types.yaml deleted file mode 100644 index 43e7cdc782..0000000000 --- a/tests/schema/pass/valid_schema_types.yaml +++ /dev/null @@ -1,14 +0,0 @@ -openapi: 3.2.1 - -# this example shows that top-level schemaObjects MAY be booleans - -info: - title: API - version: 1.0.0 -components: - schemas: - anything_boolean: true - nothing_boolean: false - anything_object: {} - nothing_object: { not: {} } - diff --git a/tests/schema/pass/webhook-example.yaml b/tests/schema/pass/webhook-example.yaml deleted file mode 100644 index c0b505ac63..0000000000 --- a/tests/schema/pass/webhook-example.yaml +++ /dev/null @@ -1,35 +0,0 @@ -openapi: 3.2.0 -info: - title: Webhook Example - version: 1.0.0 -# Since OAS 3.1.0 the paths element isn't necessary. Now a valid OpenAPI Document can describe only paths, webhooks, or even only reusable components -webhooks: - # Each webhook needs a name - newPet: - # This is a Path Item Object, the only difference is that the request is initiated by the API provider - post: - requestBody: - description: Information about a new pet in the system - content: - application/json: - schema: - $ref: "#/components/schemas/Pet" - responses: - "200": - description: Return a 200 status to indicate that the data was received successfully - -components: - schemas: - Pet: - required: - - id - - name - properties: - id: - type: integer - format: int64 - name: - type: string - tag: - type: string - diff --git a/tests/schema/schema.test.mjs b/tests/schema/schema.test.mjs deleted file mode 100644 index ad42b15e71..0000000000 --- a/tests/schema/schema.test.mjs +++ /dev/null @@ -1,56 +0,0 @@ -import { readdirSync, readFileSync } from "node:fs"; -import YAML from "yaml"; -import { describe, test, expect } from "vitest"; -import { registerSchema } from "@hyperjump/json-schema-coverage/vitest"; -import registerOasSchema from "./oas-schema.mjs"; - -const parseYamlFromFile = (filePath) => { - const schemaYaml = readFileSync(filePath, "utf8"); - return YAML.parse(schemaYaml, { prettyErrors: true }); -}; - -await registerOasSchema(); -await registerSchema("./src/schemas/validation/schema.yaml"); -const fixtures = './tests/schema'; - -describe("v3.2", () => { - test("schema.yaml schema test", async () => { - // Files in the pass/fail folders get run against schema-base.yaml. - // This instance is instead run against schema.yaml. - const oad = { - openapi: "3.2.0", - info: { - title: "API", - version: "1.0.0" - }, - components: { - schemas: { - foo: {} - } - } - }; - await expect(oad).to.matchJsonSchema("./src/schemas/validation/schema.yaml"); // <-- "schema.yaml" instead of "schema-base.yaml" - }); - - describe("Pass", () => { - readdirSync(`${fixtures}/pass`, { withFileTypes: true }) - .filter((entry) => entry.isFile() && /\.yaml$/.test(entry.name)) - .forEach((entry) => { - test(entry.name, async () => { - const instance = parseYamlFromFile(`${fixtures}/pass/${entry.name}`); - await expect(instance).to.matchJsonSchema("./src/schemas/validation/schema-base.yaml"); - }); - }); - }); - - describe("Fail", () => { - readdirSync(`${fixtures}/fail`, { withFileTypes: true }) - .filter((entry) => entry.isFile() && /\.yaml$/.test(entry.name)) - .forEach((entry) => { - test(entry.name, async () => { - const instance = parseYamlFromFile(`${fixtures}/fail/${entry.name}`); - await expect(instance).to.not.matchJsonSchema("./src/schemas/validation/schema-base.yaml"); - }); - }); - }); -}); diff --git a/versions/3.2.0-editors.md b/versions/3.2.0-editors.md new file mode 100644 index 0000000000..fc5f990794 --- /dev/null +++ b/versions/3.2.0-editors.md @@ -0,0 +1,22 @@ +# OpenAPI Specification Editors + +## Active + +* Henry Andrews [@handrews](https://github.com/handrews) +* Jeremy Whitlock [@whitlockjc](https://github.com/whitlockjc) +* Karen Etheridge [@karenetheridge](https://github.com/karenetheridge) +* Lorna Mitchell [@lornajane](https://github.com/lornajane) +* Marsh Gardiner [@earth2marsh](https://github.com/earth2marsh) +* Miguel Quintero [@miqui](https://github.com/miqui) +* Mike Kistler [@mikekistler](https://github.com/mikekistler) +* Ralf Handl [@ralfhandl](https://github.com/ralfhandl) +* Vincent Biret [@baywet](https://github.com/baywet) + +## Emeritus + +* Ron Ratovsky [@webron](https://github.com/webron) +* Darrel Miller [@darrelmiller](https://github.com/darrelmiller) +* Mike Ralphson [@MikeRalphson](https://github.com/MikeRalphson) +* Uri Sarid [@usarid](https://github.com/usarid) +* Jason Harmon [@jharmn](https://github.com/jharmn) +* Tony Tam [@fehguy](https://github.com/fehguy) diff --git a/src/oas.md b/versions/3.2.0.md similarity index 100% rename from src/oas.md rename to versions/3.2.0.md From de2325ac03e6f45c8561998eee03b2b748dbb95e Mon Sep 17 00:00:00 2001 From: Lorna Mitchell Date: Fri, 19 Sep 2025 15:30:29 +0100 Subject: [PATCH 342/342] Set the publish date --- versions/3.2.0.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 0794707a16..6ecea10ce4 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md @@ -4805,8 +4805,8 @@ Certain fields allow the use of Markdown which can contain HTML including script | Version | Date | Notes | | ---- | ---- | ---- | -| 3.2.0 | TBD | Release of the OpenAPI Specification 3.2.0 | -| 3.1.2 | TBD | Patch release of the OpenAPI Specification 3.1.2 | +| 3.2.0 | 2025-09-19 | Release of the OpenAPI Specification 3.2.0 | +| 3.1.2 | 2025-09-19 | Patch release of the OpenAPI Specification 3.1.2 | | 3.1.1 | 2024-10-24 | Patch release of the OpenAPI Specification 3.1.1 | | 3.1.0 | 2021-02-15 | Release of the OpenAPI Specification 3.1.0 | | 3.1.0-rc1 | 2020-10-08 | rc1 of the 3.1 specification |