- New top-level field - `webhooks`. This allows describing out-of-band webhooks that are available as part of the API.
- New top-level field - `jsonSchemaDialect`. This allows defining of a default `$schema` value for Schema Objects
- The Info Object has a new `summary` field.
- The License Object now has a new `identifier` field for SPDX licenses. This `identifier` field is mutually exclusive with the `url` field. Either can be used in OpenAPI 3.1 definitions.
- Components Object now has a new entry `pathItems`, to allow for reusable Path Item Objects to be defined within a valid OpenAPI document.
- `License` and `Contact` components are now exported and available via `getComponent`
- New version predicates and selectors for `isOpenAPI30` and `isOpenAPI31`. This avoids needing to change the usage of `isOAS3` selector.
- New OAS3 components: `Webhooks`
- New OAS3 wrapped components: `Info`, `License`
* fix: show client secret input for PKCE auth code flow
PKCE and Client Secrets are allowed to coexist and neither is designed
as a replacement for the other. [1] It is wrong to assume that a client
secret must not or cannot be used in combination with PKCE. Quite the
opposite, when possible both PKCE and client secret should be used. [2]
So the premises of #6290 and #8146 are not correct.
Admittedly, for users of the PKCE mechanism WITHOUT a client secret it
might be a minor nuisance to see the client secret input in the Swagger
UI. But they can just leave it empty. On the other hand, for users of
the PKCE mechanism WITH a client secret it is more than just a nuisance
if the client secret input is not shown. The Swagger UI becomes unusable
for them (unless they've set a default value for the client secret,
which will be used hiddenly without being shown to the user).
Therefore the right course of action for now would be to revert #7438 to
show the client secret input always regardless of PKCE. In the future a
new flag could be introduced to hide the client secret input regardless
of the PKCE flag.
[1] https://oauth.net/2/pkce/
[2] https://www.oauth.com/oauth2-servers/pkce/
* docs: explain why client secret input is shown despite PKCE
* 'available authorization' popup: only show oauth2 scopes relevant for current endpoint (issue #8219)
* unit tests for oauth2 scope filter
Co-authored-by: Kai Morich <kai.morich@sap.com>
Co-authored-by: Tim Lai <timothy.lai@smartbear.com>
