OAS3 Rule: Ensure that securitySchemes match defined scopes
User stories:
- As an API Designer, when I define a security scope on an endpoint, then I want it to be defined in the securitySchemes.
- As an API Designer, when I define the security scopes in the securitySchemes, then I want them to be defined at least on one endpoint.
Is your feature request related to a problem?
When making an update in one place, it happens that the designer forgets to make the update in both places, and that can be an issue for our end consumer.
Describe the solution you'd like
Consider the following OpenAPI specification:
openapi: 3.0.0
info:
  title: Dummy title
  description: Dummy description
  version: 1.0.0
paths:
  /resources:
    get:
      description: Dummy description
      responses:
        "200":
          description: All is good
      security:
        - dummy_auth:
            - urn:my.dummy.scope.read_only
            - urn:my.precious.dummy.scope.read_only
components:
  securitySchemes:
    dummy_auth:
      type: oauth2
      flows:
        implicit:
          authorizationUrl: https://auth.com
          scopes:
            urn:my.dummy.scope.read_only: Right to read.
            urn.my.precious.scope.read_only: Right to read.
With the following specification, I would like to have in output for the first User Story something like:
The scope urn:my.precious.dummy.scope.read_only is not defined in the security definition
And with the second User Story:
The scope urn.my.precious.scope.read_only is not defined on any endpoint.
Is my description clear? If not, I'll be glad to provide more information on that topic. :)
Yeah I get it! They've written a scope in which was never actually defined anywhere. Sounds like a handy rule to add!
+1 to this! Just spent some time trying to see if there was a sneaky way to do this with the schema or schemaPath option, but not without a custom function I believe.
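As an added illustration of what such a custom function would have to compute (this is example code written for this thread, not Spectral's own rule engine), the check below takes a parsed OAS3 document object, collects the scopes declared under components.securitySchemes and the scopes referenced by security requirements, and emits the two messages the issue asks for; the sample document at the bottom is constructed to mirror the YAML above, typo included.

```javascript
// Added example, not Spectral's own code: lints a parsed OAS3 document for the
// two user stories. SAMPLE_DOC is constructed to mirror the issue's YAML.
const METHODS = ["get", "put", "post", "delete", "options", "head", "patch", "trace"];

function checkScopes(doc) {
  // Scheme name -> Set of scopes declared under its flows in components.securitySchemes.
  const declared = new Map();
  const schemes = (doc.components && doc.components.securitySchemes) || {};
  for (const [name, scheme] of Object.entries(schemes)) {
    const scopes = new Set();
    for (const flow of Object.values((scheme && scheme.flows) || {})) {
      Object.keys((flow && flow.scopes) || {}).forEach((s) => scopes.add(s));
    }
    declared.set(name, scopes);
  }
  // Every scheme/scope pair referenced by a security requirement, either at the
  // document's top level or on an individual operation.
  const used = new Set();
  const visit = (reqs) => (reqs || []).forEach((req) =>
    Object.entries(req).forEach(([scheme, scopes]) =>
      (scopes || []).forEach((scope) => used.add(scheme + "\0" + scope))));
  visit(doc.security);
  for (const item of Object.values(doc.paths || {})) {
    METHODS.forEach((m) => item && item[m] && visit(item[m].security));
  }
  const messages = [];
  // Story 1: a referenced scope must be declared by its scheme (an unknown scheme also fails).
  for (const key of used) {
    const [scheme, scope] = key.split("\0");
    const known = declared.get(scheme);
    if (!known || !known.has(scope)) messages.push(`The scope ${scope} is not defined in the security definition`);
  }
  // Story 2: a declared scope must be referenced by at least one security requirement.
  for (const [scheme, scopes] of declared) {
    for (const scope of scopes) {
      if (!used.has(scheme + "\0" + scope)) messages.push(`The scope ${scope} is not defined on any endpoint`);
    }
  }
  return messages;
}

// Constructed sample mirroring the issue's YAML, including the "urn." typo in the scheme.
const SAMPLE_DOC = {
  paths: { "/resources": { get: { security: [{ dummy_auth: [
    "urn:my.dummy.scope.read_only", "urn:my.precious.dummy.scope.read_only"] }] } } },
  components: { securitySchemes: { dummy_auth: { type: "oauth2", flows: { implicit: {
    authorizationUrl: "https://auth.com",
    scopes: { "urn:my.dummy.scope.read_only": "Right to read.",
              "urn.my.precious.scope.read_only": "Right to read." } } } } } },
};
```

Running checkScopes(SAMPLE_DOC) yields exactly the two messages from the issue, one per user story; a document whose referenced and declared scopes agree yields an empty list.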