empty-security-requirement-property-array-for-non-oauth2-non-open-id-connect-schemes
Overview
This rule belongs to the openapi-v3-standards-validation ruleset and states that:

In an OpenAPI v3.0.x document, the value of a Security Requirement Object property may list scope values only for OAuth 2.0 and OpenID Connect security schemes. For all other security scheme types (i.e. where the scheme's `type` is not `oauth2` or `openIdConnect`), the property value must be an empty array.
| Property | Value |
|---|---|
| Enabled | Yes |
| Maximum Severity | Error |
| Message | Security requirement value is not an empty array. |
| Code | OPENAPI3STANDARDS_V451 |
| Type | Validation |
| Rule System | Semantic |
| Broad Category | Security Requirements |
| Products Impacted | API Transformer, Code Generation, Developer Experience Portal |
| Tags | openapi3, openapi, standards, semantic, validation, scopes, oauth 2.0, openid connect, security schemes, security requirement, security |
Suggested Fixes
- Set the security requirement property value to an empty array, i.e. remove any items included in the array.
- If you want to list scope values in the array, make sure that the security scheme referenced by the security requirement property is of type `oauth2` or `openIdConnect`.
- The array may only contain scope values for OAuth 2.0 and OpenID Connect security schemes and must not contain any other kind of data.
- Role names for other security scheme types may only be listed in the array in OpenAPI 3.1.x documents; in 3.0.x the array must stay empty.
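The following is an added example, not part of the original page or of APIMatic's own validator, that implements the check described above over an OpenAPI 3.0.x document held as a Python dict. It walks the document-level `security` list and every operation-level `security` override, resolves each requirement name against `components.securitySchemes`, and reports any non-empty array whose scheme type is not `oauth2` or `openIdConnect`. It also applies the first suggested fix (emptying the offending arrays) and skips 3.1.x documents, where role names are permitted. The sample document, scheme names, paths and scopes are constructed for illustration.

```python
import copy

# Scheme types whose security-requirement arrays legitimately carry scope values.
SCOPED_SCHEME_TYPES = {"oauth2", "openIdConnect"}
HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")
MESSAGE = "Security requirement value is not an empty array."


def _iter_security_blocks(doc):
    """Yield (location, security_list) for the document-level `security` list
    and for every operation-level `security` override under `paths`."""
    if isinstance(doc.get("security"), list):
        yield "security", doc["security"]
    for path, item in (doc.get("paths") or {}).items():
        if not isinstance(item, dict):
            continue
        for method in HTTP_METHODS:
            op = item.get(method)
            if isinstance(op, dict) and isinstance(op.get("security"), list):
                yield f"paths.{path}.{method}.security", op["security"]


def find_violations(doc):
    """Return a list of findings ({location, message, ...}) for Security Requirement
    Object values that violate the rule in an OpenAPI 3.0.x document."""
    # OpenAPI 3.1.x allows role names for non-OAuth schemes, so the rule is 3.0.x only.
    if not str(doc.get("openapi", "")).startswith("3.0"):
        return []
    schemes = (doc.get("components") or {}).get("securitySchemes") or {}
    findings = []
    for location, requirements in _iter_security_blocks(doc):
        for i, requirement in enumerate(requirements):
            if not isinstance(requirement, dict):
                continue
            for name, value in requirement.items():
                where = f"{location}[{i}].{name}"
                scheme = schemes.get(name)
                if not isinstance(scheme, dict):
                    # Not this rule's concern, but a requirement must name a declared scheme.
                    findings.append({"location": where,
                                     "message": f"security scheme '{name}' is not declared in components.securitySchemes"})
                    continue
                if not isinstance(value, list):
                    findings.append({"location": where, "message": "security requirement value must be an array"})
                    continue
                if scheme.get("type") not in SCOPED_SCHEME_TYPES and value:
                    findings.append({"location": where, "message": MESSAGE, "scheme_type": scheme.get("type")})
    return findings


def fix_violations(doc):
    """Return a deep copy of `doc` in which every offending array has been emptied
    (the first suggested fix). The input document is left untouched."""
    fixed = copy.deepcopy(doc)
    if not str(fixed.get("openapi", "")).startswith("3.0"):
        return fixed
    schemes = (fixed.get("components") or {}).get("securitySchemes") or {}
    for _, requirements in _iter_security_blocks(fixed):
        for requirement in requirements:
            if not isinstance(requirement, dict):
                continue
            for name, value in requirement.items():
                scheme = schemes.get(name)
                if not isinstance(scheme, dict):
                    continue
                if scheme.get("type") not in SCOPED_SCHEME_TYPES and isinstance(value, list) and value:
                    requirement[name] = []  # assigning to an existing key is safe while iterating
    return fixed


# Constructed sample document (hypothetical; not taken from the page).
# Two violations: an apiKey scheme given ["admin"] and an http bearer scheme given ["write"].
# The OAuth scopes on GET /items and the empty array for BearerAuth there are both valid.
SAMPLE_DOC = {
    "openapi": "3.0.3",
    "info": {"title": "Constructed sample", "version": "1.0.0"},
    "components": {"securitySchemes": {
        "ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
        "BearerAuth": {"type": "http", "scheme": "bearer"},
        "OAuth": {"type": "oauth2", "flows": {"clientCredentials": {
            "tokenUrl": "https://auth.example/token", "scopes": {"read:items": "Read items"}}}},
    }},
    "security": [{"ApiKeyAuth": ["admin"]}],
    "paths": {"/items": {
        "get": {"security": [{"OAuth": ["read:items"]}, {"BearerAuth": []}],
                "responses": {"200": {"description": "OK"}}},
        "post": {"security": [{"BearerAuth": ["write"]}],
                 "responses": {"201": {"description": "Created"}}},
    }},
}

if __name__ == "__main__":
    for finding in find_violations(SAMPLE_DOC):
        print(f"OPENAPI3STANDARDS_V451 {finding['location']}: {finding['message']}")
    print("after fix:", find_violations(fix_violations(SAMPLE_DOC)))
```

Emptying the array is safe for `apiKey`, `http` and `mutualTLS` schemes in 3.0.x because those scheme types have no scope concept; the extra strings were never exchanged in-band, so removing them changes nothing about what the API enforces. If the strings were meant as scopes, the fix is instead to declare an `oauth2` or `openIdConnect` scheme and reference that.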
For More Information
- https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.3.md#security-requirement-object
- https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.3.md#security-scheme-object
- https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.3.md#openapi-specification
- https://docs.apimatic.io/rulesets/overview/