italia / api-oas-checker

An OpenAPI 3 checker based on spectral.

Home Page:https://italia.github.io/api-oas-checker/


OAuth2 Rules

codedust opened this issue · comments

Some suggestions for additional rules: If OAuth is used, an authorizationUrl, tokenUrl (depending on the OAuth flow) and a refreshUrl as well as scopes should be specified (see https://swagger.io/docs/specification/authentication/oauth2/).

The URLs must use https://.

Thanks @codedust!

I think that the current spectral 5.x ruleset checks that:

  1. clientCredentials flow has tokenUrl but not authorizationUrl
  2. authorizationCode flow has both tokenUrl and authorizationUrl

afaik:

  1. refreshUrl is optional

I don't know whether scope is mandatory or not. WDYT? Thanks again for your feedback!

PS: I tested with the following snippet in the webui

components:
  securitySchemes:
    oauth2sample:
      type: oauth2
      flows:
        clientCredentials:
          tokenUrl: https://oauth/token
          authorizationUrl: https://oauth/authorize  # <----- complains about invalid authorizationUrl wrt clientCredentials
        authorizationCode:  # <----- complains about missing authorizationUrl
          tokenUrl: https://oauth/token

openapi: 3.0.1
info:
  title: bza
  version: 1.0.0
  contact:
    email: a@b.it
  description: ciao
  x-summary: bzad
  x-api-id: rbas
  termsOfService: http://foo
servers:
- url: https://foo
  description: bar
tags:
- name: a
  description: a
paths: {}
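The checks discussed in this thread, written up as a Spectral ruleset fragment. This is an added example, not the project's own ruleset: the rule names are made up, and the scopes rule goes one step past the thread by treating `scopes` as required, which is how the OAS 3.0 OAuth Flow Object defines it.

```yaml
# Constructed Spectral ruleset fragment (not part of api-oas-checker).
# Selects only securitySchemes of type oauth2 so other scheme types are untouched.
rules:
  oauth2-urls-must-use-https:
    description: authorizationUrl, tokenUrl and refreshUrl of every OAuth2 flow must use https.
    severity: error
    given:
      - "$.components.securitySchemes[?(@.type == 'oauth2')].flows.*.authorizationUrl"
      - "$.components.securitySchemes[?(@.type == 'oauth2')].flows.*.tokenUrl"
      - "$.components.securitySchemes[?(@.type == 'oauth2')].flows.*.refreshUrl"
    then:
      function: pattern
      functionOptions:
        match: "^https://"

  oauth2-client-credentials-flow:
    description: clientCredentials needs a tokenUrl and must not declare an authorizationUrl.
    severity: error
    given: "$.components.securitySchemes[?(@.type == 'oauth2')].flows.clientCredentials"
    then:
      - field: tokenUrl
        function: truthy
      - field: authorizationUrl
        function: falsy

  oauth2-authorization-code-flow:
    description: authorizationCode needs both an authorizationUrl and a tokenUrl.
    severity: error
    given: "$.components.securitySchemes[?(@.type == 'oauth2')].flows.authorizationCode"
    then:
      - field: authorizationUrl
        function: truthy
      - field: tokenUrl
        function: truthy

  # refreshUrl is optional, so no rule requires it; only its scheme is checked above.
  oauth2-flow-declares-scopes:
    description: every OAuth2 flow declares a scopes map (may be empty, but must be present).
    severity: error
    given: "$.components.securitySchemes[?(@.type == 'oauth2')].flows.*"
    then:
      field: scopes
      function: defined
```

Run against the snippet above, the first rule flags nothing (both URLs are https), the second flags the stray authorizationUrl under clientCredentials, and the third flags the missing authorizationUrl under authorizationCode.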