False Positive for OIDC scopes in `oas3-operation-security-defined`
Describe the bug
When using a security schema of type openIdConnect, scopes are being checked for being defined in the flows, but per the OpenAPI Specification, when using openIdConnect, flows is not a valid property (it should only be used with OAuth2). Therefore, the check for isScopeDefined is invalid for openIdConnect.
To Reproduce
- Define an operation and apply a security schema of type openIdConnect.
- Include a valid scope from the well-known OIDC configuration as part of the security schema reference in the operation.
- Observe that oas3-operation-security-defined is triggered, listing: "the-scope-you-included" must be listed among scopes.
Expected behavior
Either OIDC provided scopes should be skipped as part of the isScopeDefined function when the security schema is of type openIdConnect. Additionally, checking for isScopeDefined could be considered a separate rule from oas3-operation-security-defined so it can be selectively ignored (suggested name: oas3-operationsecurity-scopes-defined).
Environment:
- Library version: 6.11.0
Additional context
- OpenAPI Specification - Security Schema Object
- Reference code in the ruleset
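To make the reported behaviour concrete, here is an added example (not Spectral's own code, and not part of this issue) of what the security-requirement check looks like once the scope validation is restricted to oauth2 schemes. Spectral is written in JavaScript, so the example is JavaScript; the function names, the sample securitySchemes and the sample operation security entries are constructed for illustration.

```javascript
// Added example, not Spectral's implementation: validate an operation's
// security requirements against components.securitySchemes.
// - Every referenced scheme must exist.
// - Requested scopes are checked against the declared flows ONLY for oauth2,
//   because the OpenAPI Security Scheme Object allows `flows` only for oauth2.
// - openIdConnect schemes get their scopes from the provider's well-known
//   configuration, so the scope check is skipped for them (the bug reported above).

function collectOAuth2Scopes(scheme) {
  // Union of scope names across all declared flows
  // (implicit, password, clientCredentials, authorizationCode).
  const scopes = new Set();
  for (const flow of Object.values(scheme.flows || {})) {
    for (const name of Object.keys(flow.scopes || {})) scopes.add(name);
  }
  return scopes;
}

function checkOperationSecurity(securityRequirements, securitySchemes) {
  // Returns one finding per problem, in the { message, path } shape that
  // Spectral custom functions emit (assumed here for illustration).
  const results = [];
  (securityRequirements || []).forEach((requirement, reqIndex) => {
    for (const [schemeName, requestedScopes] of Object.entries(requirement)) {
      const scheme = securitySchemes[schemeName];
      if (!scheme) {
        results.push({
          message: `"${schemeName}" must be defined in components.securitySchemes.`,
          path: ['security', reqIndex, schemeName],
        });
        continue;
      }
      // http, apiKey and openIdConnect carry no flows, so there is no
      // declared scope list to compare against: skip the scope check.
      if (scheme.type !== 'oauth2') continue;
      const declared = collectOAuth2Scopes(scheme);
      (requestedScopes || []).forEach((scope, scopeIndex) => {
        if (!declared.has(scope)) {
          results.push({
            message: `"${scope}" must be listed among scopes.`,
            path: ['security', reqIndex, schemeName, scopeIndex],
          });
        }
      });
    }
  });
  return results;
}

// Constructed sample: one oauth2 scheme with a single flow and one OIDC scheme.
const sampleSchemes = {
  petstore_auth: {
    type: 'oauth2',
    flows: {
      authorizationCode: {
        authorizationUrl: 'https://example.test/auth',
        tokenUrl: 'https://example.test/token',
        scopes: { 'read:pets': 'read your pets' },
      },
    },
  },
  oidc: {
    type: 'openIdConnect',
    openIdConnectUrl: 'https://example.test/.well-known/openid-configuration',
  },
};

// Constructed sample operation-level security requirements.
const sampleOperationSecurity = [
  { petstore_auth: ['read:pets', 'write:pets'] }, // write:pets is undeclared -> finding
  { oidc: ['openid', 'profile'] },                 // OIDC scopes are not checked -> no finding
  { missing_scheme: [] },                          // scheme not defined -> finding
];

function runSample() {
  return checkOperationSecurity(sampleOperationSecurity, sampleSchemes);
}
```

Running `runSample()` yields exactly two findings: the undeclared `write:pets` scope on the oauth2 scheme and the undefined `missing_scheme`; the OIDC scopes produce nothing, which is the behaviour the issue asks for.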
Docs specifically say here:
Unlike OAuth 2.0, you do not need to list the available scopes in securitySchemes
I guess disabling it like this is the only option to avoid this for now:
extends: ["spectral:oas"]
overrides:
  - rules:
      # This rule is misfiring for OIDC
      # https://github.com/stoplightio/spectral/issues/2566
      oas3-operation-security-defined: "off"
    files:
      - "**/*.yaml"