Open codedust opened 3 years ago
Thanks @codedust!
I think that the current spectral 5.x ruleset checks that:

- `clientCredentials` flow has `tokenUrl` but not `authorizationUrl`
- `authorizationCode` flow has both `tokenUrl` and `authorizationUrl`

afaik:

- `refreshUrl` is optional

I don't know whether `scope` is mandatory or not. WDYT? Thanks again for your feedback!
PS: I tested with the following snippet in the webui

```yaml
components:
  securitySchemes:
    oauth2sample:
      type: oauth2
      flows:
        clientCredentials:
          tokenUrl: https://oauth/token
          authorizationUrl: https://oauth/authorize # <----- complains about invalid authorizationUrl wrt clientCredentials
        authorizationCode: # <----- complains about missing authorizationUrl
          tokenUrl: https://oauth/token
openapi: 3.0.1
info:
  title: bza
  version: 1.0.0
  contact:
    email: a@b.it
  description: ciao
  x-summary: bzad
  x-api-id: rbas
  termsOfService: http://foo
servers:
  - url: https://foo
    description: bar
tags:
  - name: a
    description: a
paths: {}
```

Some suggestions for additional rules: If OAuth is used, an `authorizationUrl`, `tokenUrl` (depending on the OAuth flow) and a `refreshUrl` as well as `scopes` should be specified (see https://swagger.io/docs/specification/authentication/oauth2/). The URLs must use `https://`.
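
The per-flow checks discussed in this thread, as an added example that is not part of the thread or the ruleset's own code: a plain JavaScript function (not Spectral's custom-function API) that applies the OpenAPI 3.0 OAuth Flow Object requirements, under which `scopes` is required and `refreshUrl` is optional, together with the proposed `https://` rule. The names `checkOAuth2Flows`, `FLOW_FIELDS`, `URL_FIELDS` and `SAMPLE_DOC` are assumptions made for this example.

```javascript
// Added example, not the ruleset's code. Field requirements follow the OpenAPI 3.0
// OAuth Flow Object; the https-only check is the rule proposed in the thread.
const FLOW_FIELDS = {
  implicit: { required: ['authorizationUrl'], notApplicable: ['tokenUrl'] },
  password: { required: ['tokenUrl'], notApplicable: ['authorizationUrl'] },
  clientCredentials: { required: ['tokenUrl'], notApplicable: ['authorizationUrl'] },
  authorizationCode: { required: ['authorizationUrl', 'tokenUrl'], notApplicable: [] },
};
const URL_FIELDS = ['authorizationUrl', 'tokenUrl', 'refreshUrl']; // refreshUrl is optional

function isHttpsUrl(value) {
  try {
    return typeof value === 'string' && new URL(value).protocol === 'https:';
  } catch {
    return false; // not an absolute URL
  }
}

// Returns [{ path, message }] for every oauth2 scheme in a parsed OpenAPI document.
function checkOAuth2Flows(doc) {
  const findings = [];
  const schemes = (doc && doc.components && doc.components.securitySchemes) || {};
  for (const [name, scheme] of Object.entries(schemes)) {
    if (!scheme || scheme.type !== 'oauth2') continue;
    for (const [flowName, rawFlow] of Object.entries(scheme.flows || {})) {
      if (flowName.startsWith('x-')) continue; // specification extension, not a flow
      const path = `components.securitySchemes.${name}.flows.${flowName}`;
      const add = (field, message) => findings.push({ path: `${path}.${field}`, message });
      const spec = FLOW_FIELDS[flowName];
      if (!spec) { findings.push({ path, message: 'unknown OAuth2 flow' }); continue; }
      // An empty YAML mapping parses as null; treat it as a flow with no fields.
      const flow = rawFlow && typeof rawFlow === 'object' ? rawFlow : {};
      for (const f of spec.required) if (!(f in flow)) add(f, `required for ${flowName}`);
      for (const f of spec.notApplicable) if (f in flow) add(f, `not applicable to ${flowName}`);
      for (const f of URL_FIELDS) {
        const applies = f in flow && !spec.notApplicable.includes(f);
        if (applies && !isHttpsUrl(flow[f])) add(f, 'must be an absolute https:// URL');
      }
      const scopes = flow.scopes;
      if (scopes === null || typeof scopes !== 'object' || Array.isArray(scopes)) {
        add('scopes', 'required map of scope name to description (may be empty)');
      }
    }
  }
  return findings;
}

// Constructed sample mirroring the flows of the snippet posted in the thread.
const SAMPLE_DOC = { components: { securitySchemes: { oauth2sample: { type: 'oauth2', flows: {
  clientCredentials: { tokenUrl: 'https://oauth/token', authorizationUrl: 'https://oauth/authorize' },
  authorizationCode: { tokenUrl: 'https://oauth/token' } } } } } };
console.log(checkOAuth2Flows(SAMPLE_DOC));
```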