required-oauth2-flow-scopes
Overview
This rule belongs to the openapi-v3-standards-validation ruleset and states that:
For all flow types, the OAuth Flow Object must specify the available scopes for the OAuth2 security scheme token URL, using the scopes property.
| Property | Value |
|---|---|
| Enabled | Yes |
| Maximum Severity | Error |
| Message | Required scopes property in OAuth Flow Object is missing. |
| Code | OPENAPI3STANDARDS_V442 |
| Type | Validation |
| Rule System | Semantic |
| Broad Category | OAuth 2.0 Flows |
| Products Impacted | API Transformer, Code Generation, Developer Experience Portal |
| Tags | openapi3 openapi standards semantic validation scopes oauth2 flows type security scheme security |
Suggested Fixes
- Add missing
scopesproperty in the OAuth Flow Object. - Make sure that the
scopesproperty is not set as null. - If you are unsure about the scopes to add, you can simply add the
scopesproperty in the OAuth Flow Object and declare it as an empty object e.g. scopes: {}
For More Information
- https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.1.0.md#oauth-flow-object
- https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.1.0.md#oauth-flows-object
- https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.1.0.md#security-scheme-object
- https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.3.md#oauth-flow-object
- https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.3.md#oauth-flows-object
- https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.3.md#security-scheme-object
- https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.3.md#openapi-specification
- https://docs.apimatic.io/rulesets/overview/