Skip to content

Security key doesn't respect endpoint explicitly setting anonymous access (via {}) #1372

New issue
New issue
Open
Open
Security key doesn't respect endpoint explicitly setting anonymous access (via {})#1372
@patcon

Description

@patcon
patcon
opened on Dec 6, 2025

Thanks for this wonderful library! It's been SO helpful :)

Describe the bug
The client args in generated methods (Client vs AuthenticatedClient) don't match those described by security in the spec, when explicitly anonymous access is permitted in an endpoint's security list, as allowed in spec:

An empty Security Requirement Object ({}) indicates anonymous access is supported. [ref, with examples]

Example:

  /auth-optional-explicit:
    get:
      summary: Requires auth but has empty object
      security:   # <--- client: AuthenticatedClient (EXPECTED: Client | AuthenticatedClient)
        - {}
        - ApiKeyAuth: []
      responses:
        '200':
          description: OK

This is due to this line

openapi-python-client/openapi_python_client/parser/openapi.py

Line 423 in 49fa8fc

requires_security=bool(data.security), 

>>> bool([])
False
>>> bool([{"ApiKeyAuth": []}])
True
>>> bool([{"ApiKeyAuth": []}, {}])
True
>>> bool([{}])
True

We would want the last two to return False. We should check if {} is anywhere in a list (when it's a list).

This would do the trick:

requires_security_check = lambda sec: bool(sec or []) and {} not in (sec or [])

OpenAPI Spec File

openapi: 3.1.0
info:
  title: Security Test API
  version: 1.0.0
servers:
  - url: https://example.com
paths:
  /no-auth-specified:
    get:
      summary: Truly anonymous
      security: []   # client: Client | AuthenticatedClient (EXPECTED: same)
      responses:
        '200':
          description: OK
  /explicit-anon:
    get:
      summary: Requires auth but has empty object
      security:   # <--- client: AuthenticatedClient (EXPECTED: not sure, but def not this)
        - {}
      responses:
        '200':
          description: OK
  /auth-optional-explicit:
    get:
      summary: Requires auth but has empty object
      security:   # <--- client: AuthenticatedClient (EXPECTED: Client | AuthenticatedClient)
        - {}
        - ApiKeyAuth: []
      responses:
        '200':
          description: OK
  /auth-required:
    get:
      summary: Requires API key
      security:   # <--- client: AuthenticatedClient
        - ApiKeyAuth: []
      responses:
        '200':
          description: OK
components:
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: X-API-Key

Desktop (please complete the following information):

  • OS: [e.g. macOS 10.15.1]
  • Python Version: [e.g. 3.8.0]
  • openapi-python-client version [e.g. 0.1.0]

Additional context
...

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions