I have this app where I am using Swagger to show its endpoints. I use Basic Auth and I wanted Swagger UI to make the HTTP requests in the "Try it out" with HTTPS because of security.
In the Swagger documentation it says
This scheme must have type: http
but then, does it mean that there is no way to make a safe request using Basic Auth? I understand that the authentication method itself is "weak", but I read that it behaves like a form POST when using HTTPS.
You seem to have confused some OpenAPI keywords and HTTP concepts.

`type: http` in `securitySchemes` refers to the authentication method, in this case HTTP authentication, which refers to the use of the `Authorization` HTTP request header to send the credentials. Basic authentication is one of the implementations of HTTP authentication.

The `http://` or `https://` part of request URLs is the protocol. In OpenAPI 3, the protocol is defined as part of `servers` URLs. In OpenAPI 2.0, it's defined using the `schemes` keyword. For details, see:
A request to https://httpbin.org/basic-auth/user/passwd sent over HTTPS with Basic authentication can be defined as follows in OpenAPI 3.0:
```yaml
openapi: 3.0.0
info:
  title: HTTPS + Basic auth example
  version: 1.0.0
servers:
  - url: https://httpbin.org
components:
  securitySchemes:
    basicAuth:
      type: http
      scheme: basic
      description: Use `user` / `passwd` as the test credentials
paths:
  /basic-auth/user/passwd:
    get:
      security:
        - basicAuth: []
      responses:
        '200':
          description: OK
        '401':
          description: Unauthorized. The username or password provided is incorrect.
```
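Because the answer above separates the two concerns (the `http` security scheme type versus the `https://` protocol in `servers` or `schemes`), a simple offline check can catch the dangerous combination: Basic auth declared while a server URL or scheme still allows plain HTTP. The script below is an added example written for this page, not code from the original answer or from the Swagger project. It assumes the spec has already been loaded into a Python dict (as `yaml.safe_load` would produce); the three sample specs are constructed inline so it runs without any file or network access, and the message format and function names are this example's own choices.

```python
"""Lint an OpenAPI 2.0 / 3.x document for HTTP-auth credentials that could
travel over cleartext HTTP. Added example; not part of the original post."""
from urllib.parse import urlsplit

# Constructed sample: the answer's OpenAPI 3 spec as a dict (what yaml.safe_load returns).
SPEC_HTTPS = {
    "openapi": "3.0.0",
    "info": {"title": "HTTPS + Basic auth example", "version": "1.0.0"},
    "servers": [{"url": "https://httpbin.org"}],
    "components": {"securitySchemes": {"basicAuth": {"type": "http", "scheme": "basic"}}},
    "paths": {"/basic-auth/user/passwd": {"get": {
        "security": [{"basicAuth": []}],
        "responses": {"200": {"description": "OK"}}}}},
}

# Constructed counter-example: same spec, but one plain-http server and one relative URL.
SPEC_HTTP = {**SPEC_HTTPS, "servers": [{"url": "http://httpbin.org"}, {"url": "/v2"}]}

# Constructed OpenAPI 2.0 equivalent: protocol lives in `schemes`, auth in `securityDefinitions`.
SPEC_V2 = {
    "swagger": "2.0",
    "info": {"title": "v2 example", "version": "1.0.0"},
    "host": "httpbin.org",
    "schemes": ["http", "https"],
    "securityDefinitions": {"basicAuth": {"type": "basic"}},
    "paths": {},
}


def header_auth_schemes(spec):
    """Names of security schemes that put credentials in the Authorization
    header: `type: http` in OpenAPI 3, `type: basic` in OpenAPI 2."""
    if "openapi" in spec:
        defs = spec.get("components", {}).get("securitySchemes", {})
        return [name for name, d in defs.items() if d.get("type") == "http"]
    defs = spec.get("securityDefinitions", {})
    return [name for name, d in defs.items() if d.get("type") == "basic"]


def cleartext_transports(spec):
    """Transports over which a request (and so its Authorization header) might
    go unencrypted. OpenAPI 3 keeps the protocol in servers[].url; OpenAPI 2
    keeps it in the top-level `schemes` list."""
    found = []
    if "openapi" in spec:
        for server in spec.get("servers", []):
            url = server.get("url", "")
            if "{" in url.split("://", 1)[0]:
                # Protocol comes from a server variable; cannot be judged statically.
                found.append(f"{url} (protocol set by server variable)")
                continue
            scheme = urlsplit(url).scheme.lower()
            if scheme == "https":
                continue
            if scheme == "":
                # Relative URL: resolved against wherever the document is served.
                found.append(f"{url} (relative URL, inherits the document's protocol)")
            else:
                found.append(url)
    else:
        # An absent `schemes` list means "same scheme the definition was served
        # over", which is likewise undecidable offline, so only explicit entries are checked.
        for scheme in spec.get("schemes", []):
            if scheme.lower() != "https":
                found.append(f"{scheme}://")
    return found


def findings(spec):
    """One message per (auth scheme, cleartext transport) pair that would expose credentials."""
    schemes = header_auth_schemes(spec)
    if not schemes:
        return []
    return [f"security scheme '{s}' sends credentials over {t}"
            for s in schemes for t in cleartext_transports(spec)]


if __name__ == "__main__":
    for label, spec in (("https", SPEC_HTTPS), ("http", SPEC_HTTP), ("v2", SPEC_V2)):
        print(label, findings(spec) or ["ok"])
```

Run it as a pre-merge check on the spec your Swagger UI serves: the corrected spec from the answer yields no findings, while the `http://` server and the bare `http` entry in an OpenAPI 2.0 `schemes` list are each reported. Relative server URLs and server-variable protocols are surfaced rather than silently passed, since their real protocol depends on deployment.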