italia / api-oas-checker

An OpenAPI 3 checker based on spectral.
https://italia.github.io/api-oas-checker/

OAuth2 Rules #318

Open codedust opened 3 years ago

codedust commented 3 years ago

Some suggestions for additional rules: If OAuth is used, an authorizationUrl, tokenUrl (depending on the OAuth flow) and a refreshUrl as well as scopes should be specified (see https://swagger.io/docs/specification/authentication/oauth2/).

The URLs must use https://.

ioggstream commented 3 years ago

Thanks @codedust!

I think that the current spectral 5.x ruleset checks that:

  1. clientCredentials flow has tokenUrl but not authorizationUrl
  2. authorizationCode flow has both tokenUrl and authorizationUrl

afaik:

  1. refreshUrl is optional

I don't know whether scope is mandatory or not. WDYT? Thanks again for your feedback!

PS: I tested with the following snippet in the webui

components:
  securitySchemes:
    oauth2sample:
      type: oauth2
      flows:
        clientCredentials:
          tokenUrl: https://oauth/token
          authorizationUrl: https://oauth/authorize  # <----- complains about invalid authorizationUrl wrt clientCredentials
        authorizationCode:  # <----- complains about missing authorizationUrl
          tokenUrl: https://oauth/token

openapi: 3.0.1
info:
  title: bza
  version: 1.0.0
  contact:
    email: a@b.it
  description: ciao
  x-summary: bzad
  x-api-id: rbas
  termsOfService: http://foo
servers:
- url: https://foo
  description: bar
tags:
- name: a
  description: a
paths: {}
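The flow checks discussed in this thread, written here as an added example in the shape of a Spectral custom function (this is not code from the api-oas-checker ruleset). It assumes the OAS 3 flow table (authorizationUrl required for authorizationCode and implicit, forbidden for clientCredentials and password; tokenUrl required for all flows but implicit; refreshUrl optional), that every URL present must be https://, and that scopes is required per OAS 3.0 (the map may be empty); the input is the flows object from the snippet above.

```javascript
// Added example, not code from api-oas-checker: the OAuth2 flow checks from
// this issue in the shape of a Spectral custom function
// (targetVal, opts, context) => [{ message, path }], applied to the `flows`
// object of an oauth2 securityScheme.

// Which URLs each OAS 3 flow must have or must not have. refreshUrl is
// optional everywhere, so it is only subject to the https check below.
const FLOW_RULES = {
  authorizationCode: { authorizationUrl: 'required', tokenUrl: 'required' },
  implicit: { authorizationUrl: 'required', tokenUrl: 'forbidden' },
  clientCredentials: { authorizationUrl: 'forbidden', tokenUrl: 'required' },
  password: { authorizationUrl: 'forbidden', tokenUrl: 'required' },
};
const URL_FIELDS = ['authorizationUrl', 'tokenUrl', 'refreshUrl'];

function oauth2Flows(targetVal, _opts, context) {
  const results = [];
  const base = (context && context.path) || [];
  if (!targetVal || typeof targetVal !== 'object') return results;
  for (const [flowName, flow] of Object.entries(targetVal)) {
    const path = [...base, flowName];
    const rules = FLOW_RULES[flowName];
    if (!rules) {
      results.push({ message: `unknown OAuth2 flow "${flowName}"`, path });
      continue;
    }
    const fields = flow && typeof flow === 'object' ? flow : {};
    for (const [field, mode] of Object.entries(rules)) {
      if (mode === 'required' && !(field in fields)) {
        results.push({ message: `${flowName} flow requires ${field}`, path });
      } else if (mode === 'forbidden' && field in fields) {
        results.push({ message: `${flowName} flow must not set ${field}`, path: [...path, field] });
      }
    }
    // Every URL that is present (refreshUrl included) must use https://.
    for (const field of URL_FIELDS) {
      if (field in fields && !/^https:\/\//i.test(String(fields[field]))) {
        results.push({ message: `${field} must use https://`, path: [...path, field] });
      }
    }
    // OAS 3.0 marks scopes as required in every flow object; the map may be empty.
    if (typeof fields.scopes !== 'object' || fields.scopes === null) {
      results.push({ message: `${flowName} flow is missing scopes`, path });
    }
  }
  return results;
}

// Constructed input: the flows object from the snippet in this issue.
const ISSUE_FLOWS = {
  clientCredentials: { tokenUrl: 'https://oauth/token', authorizationUrl: 'https://oauth/authorize' },
  authorizationCode: { tokenUrl: 'https://oauth/token' },
};
console.log(oauth2Flows(ISSUE_FLOWS, {}, { path: ['components', 'securitySchemes', 'oauth2sample', 'flows'] }).map(r => r.message));
```

On the snippet above this reports the two complaints the web UI shows plus a missing scopes map on each flow.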