required-scheme-of-http-security-scheme
Overview
This rule belongs to the `openapi-v3-standards-validation` ruleset and states that:
If the security scheme type is HTTP (i.e. `type` is set to `http`), the Security Scheme Object must specify a name of the HTTP Authorization scheme to be used in the Authorization header as defined in RFC7235, using the `scheme` property. The value of the scheme used should be registered in the IANA Authentication Scheme registry.
Property | Value |
---|---|
Enabled | Yes |
Maximum Severity | Error |
Message | Required scheme property in HTTP Security Scheme Object is missing. |
Code | OPENAPI3STANDARDS_V415 |
Type | Validation |
Rule System | Semantic |
Broad Category | Security Schemes |
Products Impacted | API Transformer, Code Generation, Developer Experience Portal |
Tags | openapi3 openapi standards semantic validation scheme http type security scheme security |
Suggested Fixes
- Add the missing `scheme` property in the Security Scheme Object.
- Make sure that the `scheme` property is not null or empty.
- Choose a different security scheme type if an HTTP Authorization scheme name is not applicable in your API's authentication case.
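As an added illustration (not APIMatic's implementation), the following Python check applies this rule to an OpenAPI document already parsed into a dictionary and reports every HTTP security scheme whose `scheme` is missing, null or empty. The function name, the finding format and the sample document are assumptions constructed for this example; the code and message come from the table above.

```python
# Added example: not APIMatic's implementation. Sample document is constructed.
RULE_CODE = "OPENAPI3STANDARDS_V415"  # code from the rule table on this page
RULE_MESSAGE = "Required scheme property in HTTP Security Scheme Object is missing."


def find_http_schemes_missing_scheme(doc):
    """Return one finding per HTTP security scheme whose `scheme` is absent, null or empty."""
    findings = []
    components = doc.get("components") or {}
    schemes = components.get("securitySchemes") or {}
    for name, obj in schemes.items():
        # Skip Reference Objects and malformed entries; they are out of scope here.
        if not isinstance(obj, dict) or "$ref" in obj:
            continue
        if obj.get("type") != "http":
            continue  # the rule applies only when type is exactly "http"
        value = obj.get("scheme")
        if isinstance(value, str) and value.strip():
            continue  # scheme is present and non-empty
        findings.append({
            "code": RULE_CODE,
            "path": f"#/components/securitySchemes/{name}",
            "message": RULE_MESSAGE,
        })
    return findings


# Constructed sample input (not from a real API).
SAMPLE_DOC = {
    "openapi": "3.0.3",
    "info": {"title": "Sample", "version": "1.0.0"},
    "paths": {},
    "components": {
        "securitySchemes": {
            "bearerOk": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"},
            "basicOk": {"type": "http", "scheme": "basic"},
            "missing": {"type": "http"},
            "nullValue": {"type": "http", "scheme": None},
            "emptyValue": {"type": "http", "scheme": "  "},
            "apiKeyOk": {"type": "apiKey", "name": "X-API-Key", "in": "header"},
        }
    },
}

if __name__ == "__main__":
    for f in find_http_schemes_missing_scheme(SAMPLE_DOC):
        print(f"{f['code']} {f['path']}: {f['message']}")
```

Running a check like this in CI before a specification is published catches HTTP schemes that would otherwise leave the expected `Authorization` header format undefined for generated clients.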
For More Information
- https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.1.0.md#security-scheme-object
- https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.3.md#security-scheme-object
- https://datatracker.ietf.org/doc/html/rfc7235#section-5.1
- https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml
- https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.3.md#openapi-specification
- https://docs.apimatic.io/rulesets/overview/