Using multiple security schemes does not follow OAS 3 spec

[jjcollinge]

As defined in the OAS 3 spec, you should be able to use multiple security schemes together in a few different ways:

security:    # A OR B
  - A
  - B

security:    # A AND B
  - A
    B

security:    # (A AND B) OR (C AND D)
  - A
    B
  - C
    D

I have found that when using A AND B in my OAS 3.0.3 spec that the generated postman collection only respects A and does not include B.

Below is a representative sample of my spec:

paths:
  /somepath:
    get:
      description: get something
      operationId: get something
      security:
        - bearerAuth: []
          apiKey: []

components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
    apiKey:
      type: apiKey
      name: x-custom-apikey
      in: header

The generated collection only includes a header for the bearerAuth security scheme and not the apiKey.

[JaredAAT]

@jjcollinge this might be related: postmanlabs/openapi-to-postman#465

i think it's an issue with the underlying postman convertor rather than with the portman library

[jjcollinge]

@JaredAAT thanks for the response. Looks like you're right, thanks for spotting that!