Bravado fails to parse Security Definitions in OSS projects

[asmfreak]

I'm using two open source projects. Namely - Grocy and Gitea, which have their respective specifications hosted on demo instances.
I tried to user their API via open-cli, which in turn uses Bravado. I'm using Arch Linux:

Python 3.7.4 (default, Oct  4 2019, 06:57:26) 
[GCC 9.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import bravado
>>> bravado.version
'10.3.2'

I've got this output running the following command for Grocy:
open-cli --verbose https://en.demo.grocy.info/api/openapi/specification.
It is complaining about security parameters.

I've nearly the same output for Gitea (complaining about SecurityParameters also). I can't seem to get deom's spec for Gitea, so I'm attaching swagger file for it.

I want to understand - is this an issue with Bravado or respective projects I'm using (and their respective methods of api generation)?

[macisamuele]

@asmfreak Thanks for reporting the issue.
Something that I would highlight is that the specifications in https://en.demo.grocy.info/api/openapi/specification are Open Api specifications, while bravado does support Swagger 2.0 .

Checking the output linked for Gitea I notice that the endpoint /users/{username}/tokens/{token} does have a token path parameter, but all the endpoints have the Token security definition.
This means that the endpoint has 2 token parameters (one in the path and one in the query).

This is not an issue on the Swagger specification but rather an issue/limitation within the bravado library as it does not support multiple parameters with the same name on different location.
Honestly I have no good idea to work this around ;(