api-oas-checker
OAuth2 Rules
Some suggestions for additional rules: If OAuth is used, an `authorizationUrl`, `tokenUrl` (depending on the OAuth flow) and a `refreshUrl` as well as `scopes` should be specified (see https://swagger.io/docs/specification/authentication/oauth2/). The URLs must use `https://`.
Thanks @codedust!
I think that the current spectral 5.x ruleset checks that:
- `clientCredentials` flow has `tokenUrl` but not `authorizationUrl`
- `authorizationCode` flow has both `tokenUrl` and `authorizationUrl`

afaik:
- `refreshUrl` is optional

I don't know whether `scope` is mandatory or not. WDYT? Thanks again for your feedback!
PS: I tested with the following snippet in the webui
```yaml
components:
  securitySchemes:
    oauth2sample:
      type: oauth2
      flows:
        clientCredentials:
          tokenUrl: https://oauth/token
          authorizationUrl: https://oauth/authorize # <----- complains about invalid authorizationUrl wrt clientCredentials
        authorizationCode: # <----- complains about missing authorizationUrl
          tokenUrl: https://oauth/token
openapi: 3.0.1
info:
  title: bza
  version: 1.0.0
  contact:
    email: [email protected]
  description: ciao
  x-summary: bzad
  x-api-id: rbas
  termsOfService: http://foo
servers:
  - url: https://foo
    description: bar
tags:
  - name: a
    description: a
paths: {}
```
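The per-flow checks discussed in this thread (required URLs per OAuth2 flow, an `authorizationUrl` that does not belong under `clientCredentials`, `https://` on every URL, and presence of `scopes`, which the OAS 3.0 OAuth Flow Object lists as required) as a small stand-alone checker. This is an added example, not part of api-oas-checker or its Spectral ruleset; it operates on the parsed document as a Python dict (what `yaml.safe_load` returns), and `SAMPLE` is a constructed input mirroring the snippet above plus a `password` flow over plain http.

```python
# Required URL fields per OAuth2 flow, per the OAS 3.0 OAuth Flow Object.
REQUIRED_URLS = {
    "implicit": {"authorizationUrl"},
    "password": {"tokenUrl"},
    "clientCredentials": {"tokenUrl"},
    "authorizationCode": {"authorizationUrl", "tokenUrl"},
}
URL_FIELDS = {"authorizationUrl", "tokenUrl", "refreshUrl"}

def check_oauth2_flows(spec: dict) -> list[str]:
    """Return findings for every oauth2 security scheme in a parsed OpenAPI document."""
    findings = []
    schemes = spec.get("components", {}).get("securitySchemes", {})
    for name, scheme in schemes.items():
        if scheme.get("type") != "oauth2":
            continue
        for flow_name, flow in (scheme.get("flows") or {}).items():
            flow, where = flow or {}, f"{name}.flows.{flow_name}"
            required = REQUIRED_URLS.get(flow_name, set())
            present = set(flow) & URL_FIELDS
            for field in sorted(required - present):
                findings.append(f"{where}: missing {field}")
            # a URL this flow does not use, e.g. authorizationUrl under clientCredentials
            for field in sorted(present - required - {"refreshUrl"}):
                findings.append(f"{where}: {field} is not valid for this flow")
            for field in sorted(present):
                if not str(flow[field]).startswith("https://"):
                    findings.append(f"{where}: {field} must use https://")
            if "scopes" not in flow:  # scopes is a required field of every flow object
                findings.append(f"{where}: missing scopes")
    return findings

# Constructed sample mirroring the thread's snippet (as parsed), plus a password flow over http.
SAMPLE = {
    "components": {"securitySchemes": {"oauth2sample": {
        "type": "oauth2",
        "flows": {
            "clientCredentials": {
                "tokenUrl": "https://oauth/token",
                "authorizationUrl": "https://oauth/authorize",
            },
            "authorizationCode": {"tokenUrl": "https://oauth/token"},
            "password": {"tokenUrl": "http://oauth/token", "scopes": {}},
        },
    }}}
}

if __name__ == "__main__":
    for finding in check_oauth2_flows(SAMPLE):
        print(finding)
```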