setting security, causes errors. Omitting security makes our API docs less helpful. What to do?

[LewisCowlesMotive]

Hello 👋

We're transitioning from a Connexion 2 codebase to a FastAPI one, and this repo has helped us implement a middleware which enables request / response validation to continue against the spec so that we can continue to improve our API and know when things don't match our communicated contracts, for both requests and responses.

I recently picked up a file with no security entries. ReDocly rightly complained about this and the lack of servers nominated.

When I add them, we get errors from the middleware

{
    "errors":[
        {
            "title":{
                "errors": [
                    {
                        "title": "Security not found. Schemes not valid for any requirement: [["token_auth"]]",
                        "status": 403,
                        "type": "<class "openapi_core.templating.security.exceptions.SecurityNotFound">"
                    }
                ]
            },
            "status":400,
            "type":"<class 'openapi_core.validation.schemas.exceptions.InvalidSchemaValue'>"
        }
    ]
}

I've tidied this up a bit, but it seems to me like I'd like to improve both our security and the OpenAPI separately.

We are nigh-on exactly the same as https://swagger.io/docs/specification/v3_0/authentication/bearer-authentication/#describing-bearer-authentication

Someone tried to be clever and implement via type apiKey; because we technically dont' use the Authorization header (too late to change now the API has existed with this "quirk" for a while.

Anyway, in the same way response checking is disabled, is it possible to disable the security and server checks?

[p1c2u]

Hi @LewisCowlesMotive

There's no way for now however it should be fairly easy to implement it with configuration object in place.