OAuth2 Rules

[codedust]

Some suggestions for additional rules: If OAuth is used, an authorizationUrl, tokenUrl (depending on the OAuth flow) and a refreshUrl as well as scopes should be specified (see https://swagger.io/docs/specification/authentication/oauth2/).

The URLs must use https://.

[ioggstream]

Thanks @codedust!

I think that the current spectral 5.x ruleset checks that:

1. clientCredentials flow has tokenUrl but not authorizationUrl
2. authorizationCode flow has both tokenUrl and authorizationUrl

afaik:

3. refreshUrl is optional

I don't know whether scope is mandatory or not. WDYT? Thanks again for your feedback!

PS: I tested with the following snippet in the webui

components:
  securitySchemes:
    oauth2sample:
      type: oauth2
      flows: 
        clientCredentials:
          tokenUrl: https://oauth/token
          authorizationUrl: https://oauth/authorize  # <----- complains about invalid authorizationUrl wrt clientCredentials
        authorizationCode:  # <----- complains about missing authorizationUrl
          tokenUrl: https://oauth/token   
          
openapi: 3.0.1
info:
  title: bza
  version: 1.0.0
  contact:
    email: [email protected]
  description: ciao
  x-summary: bzad
  x-api-id: rbas
  termsOfService: http://foo
servers:
- url: https://foo
  description: bar
tags:
- name: a
  description: a
paths: {}