use-registered-http-security-scheme-value
Overview
This rule belongs to the openapi-v3-standards-linting
ruleset and states that:
If you have defined a security scheme of type
set as http
you also need to provide a name of the HTTP Authorization scheme using the scheme
property. The value of this HTTP security scheme should be registered in the IANA Authentication Scheme registry.
Property | Value |
---|---|
Enabled | Yes |
Maximum Severity | Warning |
Message | Unregistered HTTP security scheme detected. |
Code | OPENAPI3STANDARDS_L270 |
Type | Linting |
Rule System | Semantic |
Broad Category | Security Schemes |
Products Impacted | API Transformer, Code Generation, Developer Experience Portal |
Tags | openapi3 openapi standards semantic linting security schemes security http iana |
Suggested Fixes
- Ensure that the scheme name you have mentioned in the
scheme
property is present in the IANA Authentication Scheme registry. - Ensure that the scheme name is not null or empty.
- The IANA Authentication Scheme registry has the following scheme names registered: Basic, Bearer, Digest, HOBA, Mutual, Negotiate, OAuth, SCRAM-SHA-1, SCRAM-SHA-256, vapid.
- Names are compared in a case-insensitive manner.
For More Information
- https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.1.0.md#security-scheme-object
- https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.3.md#security-scheme-object
- https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml
- https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.3.md
- https://docs.apimatic.io/rulesets/overview/