use-registered-http-security-scheme-value
Overview
This rule belongs to the openapi-v3-standards-linting ruleset and states that:
If you have defined a security scheme of type set as http you also need to provide a name of the HTTP Authorization scheme using the scheme property. The value of this HTTP security scheme should be registered in the IANA Authentication Scheme registry.
| Property | Value |
|---|---|
| Enabled | Yes |
| Maximum Severity | Warning |
| Message | Unregistered HTTP security scheme detected. |
| Code | OPENAPI3STANDARDS_L270 |
| Type | Linting |
| Rule System | Semantic |
| Broad Category | Security Schemes |
| Products Impacted | API Transformer, Code Generation, Developer Experience Portal |
| Tags | openapi3 openapi standards semantic linting security schemes security http iana |
Suggested Fixes
- Ensure that the scheme name you have mentioned in the
schemeproperty is present in the IANA Authentication Scheme registry. - Ensure that the scheme name is not null or empty.
- The IANA Authentication Scheme registry has the following scheme names registered: Basic, Bearer, Digest, HOBA, Mutual, Negotiate, OAuth, SCRAM-SHA-1, SCRAM-SHA-256, vapid.
- Names are compared in a case-insensitive manner.
For More Information
- https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.3.md
- https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.1.0.md#security-scheme-object
- https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.3.md#security-scheme-object
- https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml
- https://docs.apimatic.io/rulesets/overview/