no-oauth2-implicit-flow-usage
Overview
This rule belongs to the openapi-v3-standards-linting ruleset and states that:
As of 2020, the OAuth 2.0 implicit flow is about to be deprecated by OAuth 2.0 Security Best Current Practice. Therefore, using the implicit flow in an OAuth Flows Object of a oauth2 security scheme is not recommended.
| Property | Value |
|---|---|
| Enabled | Yes |
| Maximum Severity | Information |
| Message | Usage of OAuth 2.0 implicit flow found. |
| Code | OPENAPI3STANDARDS_L271 |
| Type | Linting |
| Rule System | Semantic |
| Broad Category | Security Schemes |
| Products Impacted | API Transformer, Code Generation, Developer Experience Portal |
| Tags | openapi3 openapi standards semantic linting implicit oauth 2.0 oauth flow security schemes security |
Suggested Fixes
- Avoid using
implicitflow in your OAuth 2.0 flow definition unless you are aware of the risks.
For More Information
- https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.3.md
- https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.1.0.md#security-scheme-object
- https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.1.0.md#oauth-flows-object
- https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics
- https://docs.apimatic.io/rulesets/overview/