If securityScheme is a reference it cannot be resolved (see issue #1166, this issue still persists in V1.6.3)

[elize-vdr]

Describe the bug
This is applicable to V1.6.3.
When the securityScheme item is a reference to another securityScheme item in another file, then it cannot be resolved. I reported this bug previously but it seems to not be fixed entirely, we have 2 securityScheme items in the list and it resolves the first one but not the second. I tried to step through the code and found this:
In the class OpenApiDocument and member function ResolveReference()
line 499 this:

return this.Components.SecuritySchemes[reference.Id];

then at this point if you look into the value of this.Components.SecuritySchemes it has only the OAuth2 in the array and not also the PersonalAccessTokens, it then throws a KeyNotFoundException.

It is not entirely clear if the fact that the 2 items are references has anything to do with it or maybe there is another issue.

To Reproduce
In the main OpenApi contract document we have this

components:
  securitySchemes:
    OAuth2:
      $ref: 'common-definitions_v4.yaml#/components/securitySchemes/OAuth2'
    PersonalAccessTokens:
      $ref: 'common-definitions_v4.yaml#/components/securitySchemes/PersonalAccessTokens'

and in the common-definitions_v4.yaml we have defined

components:
  securitySchemes:
    OAuth2:
      type: oauth2
      description: OAuth2 based authentication using authorization code flow.
      flows:
        authorizationCode:
          authorizationUrl: 'https://login.democompany.com/oauth/authorize'
          tokenUrl: 'https://login.democompany.com/oauth/token'
          scopes:
            mx:datahub:services:write: Operations on resources that may create, delete or change resources.
            mx:datahub:services:read: Read-only access to resources. 
            openid: Required to access user info, must have scope for every api
            offline_access: Required to access user info, must have scope for every api
            mx:user:profile:v1:read: Required to access user info, must have scope for every api
    PersonalAccessTokens:
      type: apiKey
      in: header
      name: Authorization
      description: 'Personal access tokens for access to the Data Hub Catalog APIs; set in your [Democompany Developer Settings](https://user-settings.democompany.com/link/developersettings). Contents of the header should be ```MxToken <Your PAT>```.'

Expected behavior
When a securityScheme item is a reference to a securityScheme item in another file it should be resolved.

[elize-vdr]

I made an example, here is a primary contract file with a referenced file, the error received back is

[File: common-definitions.yaml] Invalid Reference identifier 'PersonalAccessTokens'

The primary contract file

openapi: 3.0.1
info:
  title: 'Data Hub Registration API'
  description: "This is the API description for the Data Hub. With these APIs, you can register and manage your data sources and datasets in the Data Hub."
  termsOfService: '#'
  contact:
    email: PlatformCore@DemoCompany.com
  version: '4.1.0'
externalDocs:
  description: 'Specification of this API'
  url: 'https://docs.DemoCompany.com/apidocs-mxsdk/apidocs/data-hub-apis/'
servers:
  - url: 'https://hub.DemoCompany.com/rest/registration/v4'
paths:
  /applications:
    post:
      tags:
        - Applications
      summary: 'Registers an application'
      security:
        - OAuth2: ['mx:datahub:services:write', 'openid', 'offline_access', 'mx:user:profile:v1:read']
        - PersonalAccessTokens: []
      requestBody:
          $ref: '#/components/requestBodies/Applications_POST'
      responses:
        '201':
          $ref: '#/components/responses/Applications_POST_201'
        '400':
          $ref: 'common-definitions.yaml#/components/responses/400'
        '500':
          $ref: 'common-definitions.yaml#/components/responses/500'
components:
  requestBodies:
    Applications_POST:
      description: 'Description of an application that publishes or consumes services.'
      content:
        application/json:
          schema:
            $ref: 'common-definitions.yaml#/components/schemas/Application_Base'
      required: true
  responses:
    Applications_POST_201:
      description: 'Created'
      headers:
        Location:
          schema:
            type: string
            maxLength: 400
            format: uri
          description: Location at which the newly created resource can be found.
      content:
        application/json:
          schema:
            $ref: 'common-definitions.yaml#/components/schemas/Application_Response'
  schemas:
    EndpointLocationConstant:
      type: object
      required:
        - Name
        - Value
      properties:
        Name:
          type: string
          example: 'MyFirstModule.EmployeeManagement_Location'
          description: 'Canonical name (Module.ConstantName) of the constant that holds the location of a consumed endpoint'
        Value:
          type: string
          example: 'https://hr.acmecorp.test/employeeservice/v2'
          description: 'Value of the location constant; should be a valid, absolute URL.  <br> In the metadata.json file this is the value given for the attribute DefaultValue.'
  securitySchemes:
    OAuth2:
      $ref: 'common-definitions.yaml#/components/securitySchemes/OAuth2'
    PersonalAccessTokens:
      $ref: 'common-definitions.yaml#/components/securitySchemes/PersonalAccessTokens'

The referenced file common-definitions.yaml

openapi: 3.0.1
info:
  title: 'Data Hub API Common Definitions'
  description: "These are the common definitions for the Data Hub API."
  termsOfService: '#'
  contact:
    email: application@DemoCompany.com
  version: '4.1.0'
paths:
  /services:
    post:
      tags:
        - Services
      summary: 'Registers a service'
      security:
        - OAuth2: ['mx:datahub:services:write', 'openid', 'offline_access', 'mx:user:profile:v1:read']
        - PersonalAccessTokens: []
      parameters:
        - $ref: '#/components/parameters/AppUUID_Path'
        - $ref: '#/components/parameters/ServiceName_Path'
      responses:
        '400':
          $ref: '#/components/responses/400'
        '500':
          $ref: '#/components/responses/500'
components:        
  parameters:
    AppUUID_Path:
      in: "path"
      name: "AppUUID"
      schema:
        type: string
        format: uuid
      required: true
      description: 'Valid UUID of the specified application.'
    ServiceName_Path:
      in: "path"
      name: "ServiceName"
      schema:
        type: string
        maxLength: 200
      required: true
      description: 'Name of the specified service.'
  responses:
    '400':
      description: 'Incorrect Input'
      content:
        application/json:
          schema:
            allOf:
              - $ref: '#/components/schemas/Error_Base'
              - type: object
                properties:
                  code:
                    description: 'Code describing why the request failed.'
                    example: 'INVALID_REQUEST'
                  message:
                    description: 'Message detailing the reason why the request failed. A response with HTTP status 400 indicates (some of) the provided parameters with the request are invalid.'
                    example: 'Invalid input'
    '500':
      description: 'Internal Server Error'
      content:
        application/json:
          schema:
            allOf:
              - $ref: '#/components/schemas/Error_Base'
              - type: object
                properties:
                  code:
                    description: 'Code describing why the request failed.'
                    example: 'INTERNAL_SERVER_ERROR'
                  message:
                    description: 'Message detailing the reason why the request failed. A response with HTTP status 500 indicates that an unexpected error occurred while the server was processing the request. If the problem persists you should contact DemoCompany Support.'
                    example: 'An internal server error occurred.'
  schemas:
    Owner:
      type: object
      required: 
        - Name
        - Email
      properties:
        Name: 
          type: string
          maxLength: 400
          description: Name of the owner.
          example: 'Stan Raine'
        Email:
          type: string
          maxLength: 500
          description: Email of the owner.
          example: 'stan.raine@acme.test'
        OpenID:
          type: string
          format: uri
          maxLength: 100
          description: The OpenID of the owner. Will only be available if the owner has a Mendix Platform account.
          example: 'https://mxid2.mendixcloud.com/mxid2/id?id=964fe18e-65f6-4ed2-99c3-62acee9dcdd6'         
    Application_Base:
      required:
        - Name
      properties:
        Name:
          type: string
          maxLength: 200
          example: 'AcmeHR'
          description: 'Name of the application.'
        Description:
          type: string
          maxLength: 10000
          example: 'This application is used to manage the entire HR process of AcmeCorp'
          description: 'Description of the application'
        RepositoryLocation:
          type: string
          format: uri
          maxLength: 400
          example: 'https://teamserver.sprintr.com/e0fb450a-203f-3e0a-ae3c-9cadaea00743'
          description: 'Location of the development repository of the application.'
        Type:
          type: string
          enum: [DemoCompany, Teamcenter, MindSphere, Microsoft, SAP, Opcenter, Other]
          example: 'DemoCompany'
          description: 'Type of the application, possible values are "DemoCompany", "Teamcenter", "MindSphere", "Microsoft", "SAP", "Opcenter" and "Other" (Default)'
        BusinessOwner:
          allOf:
            - $ref: '#/components/schemas/Owner'
            - type: object
              description: 'Business owner of the application.'
        TechnicalOwner:
          allOf:
            - $ref: '#/components/schemas/Owner'
            - type: object
              description: 'Technical owner of the application.'
    Application_Response:
      allOf:
        - $ref: '#/components/schemas/Application_Base'
        - type: object
          required:
            - Type
            - UUID
            - Icon
          properties:
            UUID:
              type: string
              format: uuid
              example: 'cfc36b98-7409-4384-b71d-f003b0c2f84b'
              description: 'UUID that uniquely identifies the application in the DemoCompany Platform.'
            Icon:
              type: string
              format: uri
              description: URL of the icon location
              example: 'https://cdn.DemoCompany.com/image.png'
    Error_Base:
      type: object 
      required:
        - code
        - message
      properties:
        code:
          type: string
        message:
          type: string  
  securitySchemes:
    OAuth2:
      type: oauth2
      description: OAuth2 based authentication using authorization code flow.
      flows:
        authorizationCode:
          authorizationUrl: https://login.DemoCompany.com/oauth/authorize
          tokenUrl: https://login.DemoCompany.com/oauth/token
          scopes:
            mx:datahub:services:write: Operations on resources that may create, delete or change resources.
            mx:datahub:services:read: Read-only access to resources. 
            openid: Required to access user info, must have scope for every api
            offline_access: Required to access user info, must have scope for every api
            mx:user:profile:v1:read: Required to access user info, must have scope for every api
    PersonalAccessTokens:
      type: apiKey
      in: header
      name: Authorization
      description: 'Personal access tokens for access to the Data Hub Catalog APIs; set in your [DemoCompany Developer Settings](https://user-settings.DemoCompany.com/link/developersettings). Contents of the header should be ```MxToken <Your PAT>```.'

[darrelmiller]

This should be resolved in the latest preview.