
Consider oauth2 or openIdConnect authentication over HTTP basic auth #9

@DavidBiesack

Thank you for offering a new example for OpenAPI!

It is widely understood that APIs should avoid HTTP Basic Auth, which is inherently insecure.
I recommend revising the Museum OpenAPI example to use a more secure security scheme.

  1. Use an oauth2 security scheme (with the authorizationCode flow and with specific read and write scopes; scope names are left to implementors) or an openIdConnect security scheme.
  2. Change the default security requirement to be a reference to that security scheme (not basic auth) and use a read scope.
  3. Operations that require write access should not use the default security, but an explicit operation-level security requirement with a write or other scope.
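An OpenAPI 3.1 excerpt, added here as an illustration and not taken from the Museum example repository, showing the three steps above: the basic scheme being replaced, an oauth2 scheme with an authorizationCode flow and read/write scopes, a document-level default requiring the read scope, and a write operation overriding that default. The authorization/token URLs, the scope names and the two paths are placeholders chosen for this example.

```yaml
openapi: 3.1.0
info:
  title: Museum API (security-scheme excerpt)
  version: 1.0.0
components:
  securitySchemes:
    # Scheme the issue asks to move away from: credentials are sent with every
    # request. Kept here only for contrast; delete once nothing references it.
    BasicAuth:
      type: http
      scheme: basic
    # Proposed replacement (step 1). URLs and scope names are placeholders.
    MuseumOAuth2:
      type: oauth2
      flows:
        authorizationCode:
          authorizationUrl: https://auth.example.com/oauth/authorize
          tokenUrl: https://auth.example.com/oauth/token
          scopes:
            "museum:read": Read museum hours, events and tickets
            "museum:write": Create or modify events and tickets
# Step 2: the document-level default now references the oauth2 scheme with the
# read scope; it no longer references BasicAuth.
security:
  - MuseumOAuth2: ["museum:read"]
paths:
  /museum-hours:
    get:
      summary: Get museum hours
      # No security key here, so the default (read scope) applies.
      responses:
        "200":
          description: Museum hours
  /special-events:
    post:
      summary: Create a special event
      # Step 3: an operation-level requirement replaces the default for this
      # write operation and demands the write scope.
      security:
        - MuseumOAuth2: ["museum:write"]
      responses:
        "201":
          description: Event created
```

An operation-level `security` array replaces the document-level one entirely, so a write operation must list every scope it needs (here only the write scope) rather than relying on the default being merged in.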

Labels: help wanted