stoplightio / spectral

A flexible JSON/YAML linter for creating automated style guides, with baked in support for OpenAPI v3.1, v3.0, and v2.0 as well as AsyncAPI v2.x.
https://stoplight.io/spectral
Apache License 2.0
2.37k stars 228 forks

False Positive for OIDC scopes in `oas3-operation-security-defined` #2566

Open arosenb2 opened 7 months ago

arosenb2 commented 7 months ago

Describe the bug

When using a security schema of type openIdConnect, scopes are being checked for being defined in the flows, but per the OpenAPI Specification, when using openIdConnect, flows is not a valid property (it should only be used with OAuth2). Therefore, the check for isScopeDefined is invalid for openIdConnect.

To Reproduce

  1. Define an operation and apply a security schema of type openIdConnect.
  2. Include a valid scope from the well-known OIDC configuration as part of the security schema reference in the operation.
  3. Observe that oas3-operation-security-defined is triggered, listing "the-scope-you-included" must be listed among scopes.

Expected behavior

Either OIDC provided scopes should be skipped as part of the isScopeDefined function when the security schema is of type openIdConnect. Additionally, checking for isScopeDefined could be considered a separate rule from oas3-operation-security-defined so it can be selectively ignored (suggested name: oas3-operationsecurity-scopes-defined).

Environment:

Additional context

OpenAPI Specification - Security Schema Object, Reference code in the ruleset
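The behaviour the report asks for, written out as an added example (this is not Spectral's own rule code, and the sample OpenAPI document, scheme names and URLs are constructed for illustration): each operation's security requirements are resolved against components.securitySchemes, and scopes are only required to appear in `flows` when the referenced scheme is of type oauth2. For openIdConnect the scope list is accepted as-is, because the specification defines no `flows` on that scheme type, so there is nothing to compare against. Wrapping the checker in a Spectral custom function is left as an assumption and not shown.

```javascript
// Added example, not Spectral's code: a standalone checker that mirrors
// oas3-operation-security-defined but skips the scope check for
// openIdConnect schemes, which have no `flows` to declare scopes in.

const HTTP_METHODS = ["get", "put", "post", "delete", "options", "head", "patch", "trace"];

// Collect every scope declared on any oauth2 flow of a security scheme.
function definedScopes(scheme) {
  const scopes = new Set();
  for (const flow of Object.values(scheme.flows || {})) {
    for (const name of Object.keys(flow.scopes || {})) scopes.add(name);
  }
  return scopes;
}

// Walk every operation and return a list of {path, message} problems.
function checkOperationSecurity(doc) {
  const schemes = (doc.components && doc.components.securitySchemes) || {};
  const problems = [];
  for (const [route, pathItem] of Object.entries(doc.paths || {})) {
    for (const method of HTTP_METHODS) {
      const op = pathItem[method];
      if (!op || !Array.isArray(op.security)) continue;
      op.security.forEach((requirement, i) => {
        for (const [schemeName, scopes] of Object.entries(requirement)) {
          const at = `paths.${route}.${method}.security[${i}].${schemeName}`;
          const scheme = schemes[schemeName];
          if (!scheme) {
            problems.push({ path: at, message: `"${schemeName}" must be defined in components.securitySchemes` });
            continue;
          }
          // Only oauth2 declares scopes under flows; openIdConnect (and http,
          // apiKey) carry no flows, so a scope check there is always a false positive.
          if (scheme.type !== "oauth2") continue;
          const known = definedScopes(scheme);
          for (const scope of scopes) {
            if (!known.has(scope)) {
              problems.push({ path: at, message: `"${scope}" must be listed among scopes` });
            }
          }
        }
      });
    }
  }
  return problems;
}

// Constructed sample document (not from the issue): one OIDC scheme, one
// OAuth2 scheme, and one operation referencing a scheme that does not exist.
const SAMPLE_DOC = {
  openapi: "3.0.3",
  components: {
    securitySchemes: {
      oidc: {
        type: "openIdConnect",
        openIdConnectUrl: "https://issuer.example/.well-known/openid-configuration",
      },
      oauth: {
        type: "oauth2",
        flows: {
          authorizationCode: {
            authorizationUrl: "https://auth.example/authorize",
            tokenUrl: "https://auth.example/token",
            scopes: { "read:items": "Read items" },
          },
        },
      },
    },
  },
  paths: {
    "/items": {
      get: { security: [{ oidc: ["openid", "profile"] }] },          // accepted: OIDC scopes are not declared in flows
      post: { security: [{ oauth: ["read:items", "write:items"] }] }, // flagged: write:items is not in flows.scopes
      delete: { security: [{ missing: [] }] },                       // flagged: scheme is not defined
    },
  },
};

console.log(checkOperationSecurity(SAMPLE_DOC));
```

Run against the sample, the checker reports exactly two problems (the undeclared `write:items` scope and the undefined `missing` scheme) and stays silent on the OIDC operation, which is the outcome the report describes as expected.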

strowk commented 4 months ago

Docs specifically say here:

Unlike OAuth 2.0, you do not need to list the available scopes in securitySchemes

I guess disabling it like this is the only option to avoid this for now:

extends: ["spectral:oas"]
overrides:
  - rules:
      # This rule is misfiring for OIDC
      # https://github.com/stoplightio/spectral/issues/2566
      oas3-operation-security-defined: "off"
    files:
      - "**/*.yaml"