Support all HTTP Methods

[mightytyphoon]

Feature Request

OpenApi support for all http methods

RFC 2616 updated by RFC 7231 (errata list for 7231)

• OPTIONS
• GET
• HEAD
• POST
• PUT
• DELETE
• TRACE
• CONNECT

RFC 2518 updated by RFC 4918 and RFC 5689 for MKCOL

• PROPFIND
• PROPPATCH
• MKCOL
• COPY
• MOVE
• LOCK
• UNLOCK

RFC 3253 (errata list for 3253)

• VERSION-CONTROL
• REPORT
• CHECKOUT
• CHECKIN
• UNCHECKOUT
• MKWORKSPACE
• UPDATE
• LABEL
• MERGE
• BASELINE-CONTROL
• MKACTIVITY

RFC 3648

• ORDERPATCH

RFC 3744 (errata list for 3744)

• ACL

RFC 5323

• SEARCH

draft ietf httpbis safe method w body 03

• QUERY

draft snell link method 01

• LINK
• UNLINK

Related Issues

#658
#1306
#480
swagger-api/swagger-core#1760

Iana link

Another link with methods and their RFC : iana

This post will be re-edited soon to add a small description for all methods

Regards.

[MikeRalphson]

HEAD has been supported since at least Swagger v1.2

[mightytyphoon]

@MikeRalphson updated, thanks.

[MikeRalphson]

Given the mission statement of the OAS as "standardizing on how REST APIs are described" could you expand on how some of these HTTP methods are being used within REST APIs (e.g. the WebDav methods are often seen as tied only to that protocol by their definitions)?

[mightytyphoon]

Given the mission statement of the OAS as "standardizing on how REST APIs are described" could you expand on how some of these HTTP methods are being used within REST APIs (e.g. the WebDav methods are often seen as tied only to that protocol by their definitions)?

Yes I think during next week I will edit this post to describe the methods, if they have a body, header, query, etc... how they should be used and some examples. I think it's what you want, if I understood your answer correctly ?

There is an inherent problem with REST because it wants to be very close to CRUD (Create, Read, Update, Delete) and even SCRUD (S for Search), but a REST API does so much more, like letting users subscribing and unsubscribing to a subject, users also want to connect to the API to have their data saved and secured, they will want to copy something, to move some datas, to lock their account, etc... that's what all these additional methods were made for.

For example to lock your account you could do a post to /accounts/lock with your token in header and in the post body add a parameter 'lock = true' but REST could handle it with just a LOCK request to /accounts and the token as a cookie header (or some encrypted data from localstorage as a token) which makes code clearer and really use the HTTP method verbose to add some logic in requests.

lock/unlock are described here as 'lock model'.

GET will have query params, with optional body, whereas HEAD will have no body and POST has an obligation to have a body, then responses can have a body or not depending on the method. So I have some research to do on this to give the right definitions, I will update very soon.

From wikipedia : http methods

Also there should be some methods to ignore, for example CONNECT which was made to create an ssl tunnel has, I think, no use anymore now with SSL/TLS certificates. But some could find a use for it, if they want to keep an http server and then control https connections opening.

CONNECT METHOD description on mozilla

EDIT : I also want to add that express supports these methods :

Express supports the following routing methods that correspond to HTTP methods: get, post, put, head, delete, options, trace, copy, lock, mkcol, move, purge, propfind, proppatch, unlock, report, mkactivity, checkout, merge, m-search, notify, subscribe, unsubscribe, patch, search, and connect.

source

[MikeRalphson]

lock/unlock are described here as 'lock model'.

But my point is that LOCK and UNLOCK as defined there are for use within the WebDAV protocol. They have no defined meaning (on their own) outside that protocol. They may be tied to specific XML request / response formats (forgive me, it has been a long time since I read the WebDAV RFCs).

A picture may be worth a thousand words:

[darrelmiller]

I'd be open to considering allowing HTTP method be an unconstrained string. I wouldn't want to re-enumerate all the methods in the IANA registry in the OpenAPI spec. We should consider what benefit tooling derives from it being an enumerated type.

p.s. Wow, that Wikipedia table is misleading. Describing a GET body as optional is just terrible.

[handrews]

Describing a GET body as optional is just terrible.

Far too many people don't seem to understand that "has no defined semantics" is standards-ese for "FFS don't do this!" and not "sure, do whatever!"

[cmheazel]

What is the expected behavior if my Path Item Object has an x-lock field associated with an Operation Object? Would that add Lock to the set of supported HTTP operations? If not, what else do we need to introduce these operations as Draft Features?

[MikeRalphson]

Extensions such as x-lock only have the meaning you give them and agree with third parties. Nothing more.
Methods LOCK and UNLOCK only have defined meanings within the WebDAV protocol nowhere else. Outside of WebDAV their meaning also has to be mutually agreed by all parties.

[cmheazel]

@MikeRalphson Agreed. That is the nature of extensions. But if we can add HTTP operations using the extension mechanism, then we can use the Draft Feature process to measure demand. Draft Feature operations which are not implemented could be safely abandoned. Start with four or five of the least controversial ones.

[MikeRalphson]

I'm not against that in principle, like @darrelmiller says, maybe open it up with an extension which allows any HTTP method?

[egriff38]

Hello there, does anyone know if any effort has been made to create an extension which broadens the HTTP methods that can be described in Open API 3? Would like to take advantage of the SEARCH verb in my API but it looks like I am limited in my documentation at this time.

[ioggstream]

Given the ongoing work on HTTP & HTTPAPI I really suggest that we should:

• delegate methods support to HTTP
• add interoperability considerations suggesting to limit to the methods referenced in 7231 or I-D httpbis-latest
• include the fact that tooling might not supporting methods outside 7231

cc: @MikeRalphson @darrelmiller

[philsturgeon]

I'd support changing it to "any method defined in RFC 7231 and RFC 5323" but I'm not sure what value adding all those other ones provides?

I think its a little telling that SEARCH was what necro bumped this otherwise inactive topic. Probably just SEARCH is fine.

[ioggstream]

@philsturgeon I just won't ossify OAS with method decisions which are outside the OAS scope.
If we want to provide stuff for implementers, we can say:

• implementers MUST support methds defined in 7231;
• implementers MAY support the other methods reported in the IANA table (see httpbis-semantics).

imho stuffing HTTP elements into OAS could provide more harm than benefits because iwe have no guarantee that the interpretation of HTTP we put into OAS is consistent with the latest specs (eg. see https://github.com/httpwg/http-core/pull/653/files).

My 2¢, and thanks for you time!

[philsturgeon]

@ioggstream I don't understand any individual parts of that reply let alone all of it together. I was saying "+ SEARCH" would be a good enough change to satisfy this issue because its the only one people seem all that fussed about.

[ioggstream]

@philsturgeon my opinion is that OAS should not constraint the possible set of http methods. This is because the HTTP specs are the place where methods are defined.

For interoperability reason, OAS could state that tooling implementers MUST support at least the methods defined in RFC7231.

Stating that methods outside RFC7231 are not supported at all is a imho weak design choice.

[karenetheridge]

I found this issue because I am writing a document that describes a "PURGE" endpoint, which is a non-standard HTTP method but none-the-less is very much in use in my application. Supporting any method matching the pattern "^[a-z]+$" would be very simple and straightforward; much more so than attempting to define a mechanism by which additional HTTP methods could be defined.

[bdunavant]

I found this issue because I'm writing docs to describe a MERGE endpoint (which is OData 1.0 and OData 2.0, but not HTTP spec), and really should have been written as PATCH but someone made an unfortunate decision years ago and that ship has sailed. While I understand OpenAPI's mission is documenting true REST, adding this flexibility will help a lot in places where someone made poor choices and/or didn't understand REST very well, and the rest of us have to live with it.

[eli-darkly]

My preference would be to have it allow any string, for the same reason @darrelmiller mentioned above. Really the decision of whether any given method is or isn't valid is the business of the service endpoint implementation; I don't see any value gained by having a general-purpose API tool make its own judgments on that.

However, if it is necessary to pick specific methods, I'll add one thing specifically about the REPORT verb. While it unfortunately is sometimes not allowed by HTTP clients, REPORT fills a specific need in HTTP APIs by being the method that 1. has a request body, 2. is idempotent, 3. is cacheable. GET can't (or shouldn't) have a body; POST isn't idempotent. Basically REPORT is what you would use if you want GET-like semantics but can't fit all the parameters into the URL.

[wparad]

I feel like step 1 is get published an RFC that has REPORT, QUERY, or SEARCH, then step 2 is add it. We don't need to support it be completely agnostic, while it's a great idea, and why would this tool restrict what is allowed...fundamentally there are tools that use this to implement and automate the spec. It doesn't do any good to enable bad patterns. We should enable good patterns, okay patterns, and necessary patterns. I need SEARCH and I love REPORT exists for webdav, but it doesn't exist for REST, and even if it did, non of the clouds support these verbs, so it wouldn't even have a real usage.

Help me get REPORT published to the right working group, and then it will defacto have to be added here. If we need another one, let's go through a similar process.

[eli-darkly]

@wparad:

fundamentally there are tools that use this to implement and automate the spec. It doesn't do any good to enable bad patterns

I don't understand what's meant by "bad patterns" here. Documenting the actual behavior of a web service is not a bad pattern, even if you feel that the web service should have used a more standard HTTP method. The person writing up an OpenAPI spec may not be the person who implemented the service, and may not have any control over its behavior, so punishing them by making it impossible for them to write such a spec is not helpful.

it doesn't exist for REST

There isn't a canonical REST specification that says what methods exist or do not exist. There are only conventions.

and even if it did, none of the clouds support these verbs, so it wouldn't even have a real usage

I don't understand this statement either. Whatever set of commonly used web hosts you're referring to as "the clouds", those are not the only hosts that could be running services that have an OpenAPI spec. OpenAPI can be used for literally any HTTP application.

[SVilgelm]

Please add the QUERY method: https://datatracker.ietf.org/doc/draft-ietf-httpbis-safe-method-w-body/

[lornajane]

That's not quite what I was trying to say about Overlays although it's certainly a valid point and for an Overlay that's used for multiple OpenAPI descriptions, it would make upgrading those versions harder.

The use case I tried to mention on the call is where an Overlay is used to add an operation (something like the approach here: https://apichangelog.substack.com/p/using-openapi-overlays ) - because we're changing what syntax we're allowing, I think this will get messy for a lot of existing pipelines, and will be a lot messier by the time many people are able to upgrade to 3.2 where Overlays is already seeing adoption in the 3.1 space.

Looking at the problem again, I think my preferred options are:

• expand the existing list of hardcoded field names that are allowed and supported as siblings to the current get/post set. It's not perfect and it's not future proof but it's a very easy way to expand our existing 3.x standard with some new options and very easy to understand.
• or (my preferred option now I've talked it over with a few people) as a simpler of the subobject approach: add the ability to support any additional HTTP method (but not the ones already named) under an extendedMethods section at the same level as our current get/post/put set. This way, we're opening up to add anything that's needed, but no existing OpenAPI description needs changes, now or ever. It will be a bit more complicated for anyone adding operations that handle both the existing methods and the additional ones, and I acknowledge that. I expect users and tool vendors who need additional HTTP verbs to be able to handle the complexity. It's also a very clear separate feature that tooling can say whether it supports or not - and because it's separate and makes no changes to existing content on upgrade, could also easily be implemented as x-extendedMethods in earlier versions if a tool wanted to support it there.

[lornajane]

Overlays cannot be used as a migration tool. The existing content of the document is not available as an input in a (v1) Overlay.

[handrews]

I'm concerned about Overlays suddenly adding even more restrictions on what we can and cannot do in a minor version change. This is going to make it very hard to deliver Moonwalk in meaningful increments.

While this limited case can be worked around, we will not be able to work around the identical concern when we revamp parameters for 3.3. The entire point is that the current parameter syntax is too complex and rickety to extend further. If people want to use new parameter features in 3.3, they will need to migrate to a new way of doing it for that operation.

There is always a migration cost. This is not so much about HTTP methods as it is figuring out how to amortize the migration cost effectively.

We should also look at what could be done on the Overlay side in an Overlay 1.1 (which I know was not in the plan, but perhaps it should be if it's going to constrain what the OAS can do). Adding limited semantic selection capabilities of some sort would also solve this by separating the meaning of the overlay from the exact syntax of the OAS.

Again, change has a cost. We want to amortize the big-bang change of Moonwalk across steps in 3.x (because we've seen how hard big bang changes are), and we want to make sure that none of our specs (OAS, Arazzo, Overlay) become a problematic constraint on the other. That means considering whether a difficult interaction is best fixed in one vs the other spec.

This does not mean that all migration costs should be pushed into 3.x. If something (possibly even a parameters revamp) is still too "big bang" in 3.x then we need to figure out whether to move ahead or to make the 4.0 big bang bigger. I don't know the answer to that at this stage.

Getting back to HTTP, if this is a problem for Overlays, the solution might lie in changing Overlays rather than restricting OAS. And again, we should not think of this as a one-off. As a one-off, it doesn't much matter. But that is the problem with a lot of the OAS (ahem, parameters). Too many one-offs that add up to a lot of complexity and no patterns to make it easier.

[handrews]

I'd like to tie two of my previous comments together here. I previously mentioned that at the document (DOM) layer, the different options under consideration are significant, but at the semantic layer (ADA), they are all the same.

This is where I think it would be good to start aligning OAS, Arazzo, and Overlays in terms of how we think about changes in any one of these three impacting the other two. We want 4.0 (Moonwalk) to be build around the DOM/ADA (document vs semantic layer) concept, and we need to start introducing it now to get the community ready for it.

To me, this means leveraging the idea of two layers when we want to make a change like this. And for Arazzo and Overlays, both of which operate on an OAD by different query/selection languages, this means moving their divergent mechanisms closer to a unified semantic level. I do NOT mean moving everything to a semantic level immediately. The goal is to introduce this gradually.

---

What this means is that we can use methods as a trial introduction of the two-layer idea. Describe it in 3.2 in such a way that encourages tools to abstract away the difference between how "old" and "new" methods work- regardless of the syntax chosen. There will always be some syntactical awkwardness no matter what we choose (unless we continue to restrict to a pre-defined set, but I'm going to fight very, very hard against that option). So we want to discourage tool developers from reifying that awkwardness, and encourage them to instead treat HTTP methods (and the Operations they represent) as semantic elements within a Path Item, not field names in a JSON/YAML object namespace.

This can go with tweaks to the other specifications to require a limited semantic match. What that means is not clear, and no doubt will produce a lively discussion. But again, cautious incrementalism is the goal here. Let's use 3.2 (and perhaps 1.1 of the other two specs? paging @frankkilcommins to get an Arazzo perspective) to try out a tiny bit of semantic abstraction with HTTP methods, and see how we can make use of that in the other specs. This way, when we get to the much more complex abstractions needed to incorporate 3.3 and later, we'll have some idea of what works and what does not.

A small feature like HTTP method expansion is an ideal way to try out this two-layer concept and figure out its implications across all of our specifications.

[lornajane]

I think there is a risk that we are overcomplicating this request for additional HTTP method support that could make it difficult to make available in a timely manner. Let's pick a subobject name and allow additional method names there to meet the original issue requirements and maintain backward compatibility and an easy upgrade path in the 3.x branch.

[handrews]

@lornajane I think there is a deeper issue here as I have said about compatibility, DOM/ADA, and how the three specs work together. I would like to discuss it at least a little more as we have not even addressed it in a meeting yet.

[handrews]

@lornajane I'll also note that the position you're taking here makes my entire approach for 3.3 invalid. So if this is the direction we're going to go in, then we need to reconsider the 3.2 vs 3.3 split, because there's no point in doing the 3.3 I had envisioned. (this might be fine, it just needs to be considered)

[handrews]

There is another wrinkle here, which is that people rely on the special Path Item Object $ref semantics to combine operations, and we would need to preserve that.

To me, this is another reason to just have a new alternative alongside the old way, because the old way (between the problematically special $ref and the miscapitalized and limited set of methods) just has too many problems to keep "fixing" with more band-aids.

If we have a new methods field that MUST NOT be combined with any of ($ref, get, put, etc.), we could define a sane, consistent way to assemble a set of Operations from multiple sources. We might need to think about how people use $ref with parameters as that would be outside of the new methods field, but we already know we'd like to get rid of the special Path Item $ref, and just have not been able to figure out how to do it.

This could be a path.

[handrews]

In today's Overlays meeting (which @lornajane was unable to attend), @mikekistler demonstrated how challenging it is to get the correct JSONPath expression to select a particular operation by method name and Operation Object field value. This naturally led into a discussion of how much more difficult it is to create that expression when a Path Item Object uses $ref (as noted in the previous comment here).

We talked about the possibility of a hybrid approach to introduce an experimental, limited mechanism for selecting operations. This could build on the existing JSONPath approach, e.g. using JSONPath to select the correct entry in the Paths Object but then being able to say "give me all operations" or "give me operations with field X set to value Y" semantically, so that the use of $ref (and the choice of how to arrange new vs old methods that we're debating here) is irrelevant.

This discussion carried over into the Moonwalk meeting, where folks were in favor of using 3.2 to add an experimental semantic model for this specific area that would support that semantic model.

@mikeschinkel noted that we'll need to define "experimental" formally in order to correctly set expectations around this. What we want is for tool vendors to be motivated to try this, but also to see that it is not locked-in and that there is an opportunity to influence htis before it becomes locked-in. I noted that formally defining "deprecated" is related to this, as both are ways to modify the compatibility guarantees. @mikeschinkel was kind enough to file #4325 to track this.

I'm going to work on what a semantic model might look like and hopefully have something to show at the next TDC call on Thursday. It is trickier than it first appears because of webhooks and callbacks.

[lornajane]

Looping back around to this again, because I know we don't want to lose sight of it.

The goal: support more HTTP methods; at a minimum add QUERY for 3.2, but more/all methods seems to be desirable. In the past we've taken the view that we're aiming to support RESTful API users only, but my impression now is that we're more open to letting people take responsibility for their own decisions rather than us introducing limitations in the specification.

We currently have alongside other fields get, post, put, patch and delete as field names. Because there are siblings at this level, it's probably unwise to allow free text fields for any HTTP method names in here and I think we did get wide agreement on this part.

I propose that we add extendedMethods and allow any field name NOT already supported there, using lowercase for consistency. The influences that lead me to this option as my own preference are mostly:

• A clear, additive-only experience for existing 3.x users (and a clear reason to upgrade!)
• No disruptive situations where if a user changes one part of their API description, another part becomes invalid.
• Clear separation between existing features and 3.2+ features for tooling vendors to implement.

As an additional note, there are a few mentions about Overlays being a blocker to some of the other proposed alternatives, and I don't see that as a fair reflection of the situation because there's nothing special about Overlays used in an API description pipeline. If a user has any OpenAPI transform steps in use, then any situation where an edit in one part of an API description causing knock-on changes in another part will be a problem. Plenty of teams have the odd mad regex in play, and they'd have the same surprises as an Overlays user.

[ralfhandl]

add extendedMethods and allow any field name NOT already supported there

I fully agree, that is the least disruptive way forward

using lowercase for consistency

Here I disagree: extendedMethods is a new sub-structure that can follow its own rules.

Consistency with RFC9110 is more important to me than consistent "styling" within the OAS. Let's follow RFC9110, section 9 and avoid problems for API owners that use case-sensitive non-standard method names and rely on the API clients to use exact casing of these method names:

The method token is case-sensitive because it might be used as a gateway to object-based systems with case-sensitive method names. By convention, standardized methods are defined in all-uppercase US-ASCII letters.

[handrews]

@ralfhandl I agree with your take, the new Object should follow RFC9110, not our earlier mistake. I'm dropping the other proposal in favor of your modification of @lornajane's proposal.

I prefer additionalMethods over extendedMethods as there is no meaningful sense in which the added methods are "extended" (we already include a patch field, which was not in the original method set, and we already exclude methods that were registered before the PATCH method was registered). additionalMethods is appropriately neutral in tone.

there's nothing special about Overlays used in an API description pipeline

@lornajane I do disagree here. Overlays is our spec, and we have to establish what compatibility means when we control both specs. I'm still unhappy that this is imposing previously-unheard-of constraints on our compatibility story, which is already extremely restrictive. But I don't have the bandwidth to argue it now so I'm giving up on it for HTTP methods. But it is very different than people making ad-hoc tools. We need to have a clear policy on how our specs interact with each other, and we don't, and that's our problem. What other people assume in their ad-hoc tooling, despite their assumptions not being supported by the OAS at all, is not our problem in terms of formal guarantees.

[baywet]

Hey everyone,
Just a small nitpicking on the naming. If we end up on an additional field at the path item level (which I support), I think we should make sure it has operation in the name (e.g. additionalOperations, or operations) since this is effectively a "collection of operations objects" and using method or something else would probably confuse people?

[ralfhandl]

I favor additionalOperations as these Operation Objects are in addition to the ones with fixed names (get, ...).

[kevinswiber]

I can get down with additionalOperations, but are you sure we can't just add query and call it a day until the next major release?

[handrews]

@kevinswiber we definitely have people wanting to use other methods, or custom methods. Why the pushback?

[kevinswiber]

@handrews I was just doing one last call out for keeping it simple to bring us back around. We go design down rabbit holes sometimes. If folks are good moving forward, let's go.

[lornajane]

I'm happy to move forward, it was a long comment thread but I think I can summarise it as: we're going to add additionalOperations to the PathItem object (as a sibling to get and post), and allow any string as a key (but link to some list of HTTP methods for what those values should be), and use an Operation object as a value.

@baywet does this give you what you need?

[handrews]

@kevinswiber @lornajane if we want to make query one more "special" method since it seems to be the main request and almost to IETF/IANA published status, and then also have additionalOperations for anything beyond that, I would be OK with that as well.

One advantage is that over time, we could more easily survey for usage of additionalMethods for things we don't expect, as opposed to query, which we do expect. But I'm also fine wiht relegating QUERY to additionalOperations

[handrews]

@kevinswiber @baywet I think both of you have talked about writing a PR? I don't care who does it, but if neither of you have bandwidth just lmk and I'll add it to my queue.

[baywet]

I'm happy to move forward, it was a long comment thread but I think I can summarise it as: we're going to add additionalOperations to the PathItem object (as a sibling to get and post), and allow any string as a key (but link to some list of HTTP methods for what those values should be), and use an Operation object as a value.

@baywet does this give you what you need?

It does, I think the crowd here has reached a consensus, and I'm happy to work on that :)

[baywet]

I just put together #4514

[ScotMeyer]

Do I understand correctly that it's just adding query? The request, over 5 years ago, was more than just query. So how many more years will it be until the next version? It seems to me that those developers and architects that wanted additional methods or operations or whatever we call them that it was not engrained in the spec but follows RFC9110. Methods always made sense to me as the spec refers to these verbs as Methods.

9.1 ...
Additional methods, outside the scope of this specification, have been specified for use in HTTP. All such methods ought to be registered within the "Hypertext Transfer Protocol (HTTP) Method Registry", as described in Section 16.1."

I'm still hung on the word ought, and not the use of MUST. This to me doesn't mean MUST and therefor clients "can" request other methods not defined in RFC9110.

[ralfhandl]

Do I understand correctly that it's just adding query?

No, #4514 will add a fixed field additionalOperations that will allow using any HTTP method, even ones not yet invented such as ASK_VERY_POLITELY:

OpenAPI-Specification/tests/schema/pass/path-item-object-example.yaml

Lines 36 to 55 in cfdc4bc

	additionalOperations:
	QUERY:
	description: Returns pets based on ID
	summary: Find pets by ID
	operationId: queryPetsById
	responses:
	'200':
	description: pet response
	content:
	'*/*':
	schema:
	type: array
	items:
	$ref: '#/components/schemas/Pet'
	default:
	description: error payload
	content:
	text/html:
	schema:
	$ref: '#/components/schemas/ErrorModel'

[ScotMeyer]

@ralfhandl thank you, no intention on being rude in my last post. Just confused when I read the PR. I didn't see the example part in the file path-item-object-example.yaml initially, probably way too late at night to be reading PRs and making comments. Might I suggest this be clearer for other readers that includes and example that doesn't match a current method in the IETF RFCs, Thank you. Looking forward to this improvement!

[ralfhandl]

@ScotMeyer Sorry, I didn't find your comment rude in any way. I just wanted to play with the word "query" which to me has the the connotation of "demand".