
OAuth Flow required fields + validation

See original GitHub issue

Hi everybody,

I’m currently working on some tooling regarding OAS 3.0.0 and found a situation where I’d need some clarification. The spec defines the OAuth Flow Object as an object with the following fields required:

  • authorizationUrl
  • tokenUrl
  • scopes

This is crystal clear so far. Next, I’m using the JSON Schema provided in this repo to validate the OAS 3.0.0 definition. But looking into the JSON Schema document reveals that none of the OAuth Flow objects require the above-defined fields. Some OAuthFlow objects require just one field, others two. I’m not sure if this is intended (for a particular type of OAuth Flow to have only certain fields required) or if this is something we should fix.

Update: I completely missed the Applies To column of the OAuth Flow Object. That clarifies things. But scopes are required in ImplicitOAuthFlow only, even though they should be required in all flow types. In this case, is the spec or the JSON Schema the source of truth?

  ImplicitOAuthFlow:
    type: object
    required:
      - authorizationUrl
      - scopes
    properties:
      authorizationUrl:
        type: string
        format: uri-reference
      refreshUrl:
        type: string
        format: uri-reference
      scopes:
        type: object
        additionalProperties:
          type: string
    patternProperties:
      '^x-': {}
    additionalProperties: false

  PasswordOAuthFlow:
    type: object
    required:
      - tokenUrl
    properties:
      tokenUrl:
        type: string
        format: uri-reference
      refreshUrl:
        type: string
        format: uri-reference
      scopes:
        type: object
        additionalProperties:
          type: string
    patternProperties:
      '^x-': {}
    additionalProperties: false

  ClientCredentialsFlow:
    type: object
    required:
      - tokenUrl
    properties:
      tokenUrl:
        type: string
        format: uri-reference
      refreshUrl:
        type: string
        format: uri-reference
      scopes:
        type: object
        additionalProperties:
          type: string
    patternProperties:
      '^x-': {}
    additionalProperties: false

  AuthorizationCodeOAuthFlow:
    type: object
    required:
      - authorizationUrl
      - tokenUrl
    properties:
      authorizationUrl:
        type: string
        format: uri-reference
      tokenUrl:
        type: string
        format: uri-reference
      refreshUrl:
        type: string
        format: uri-reference
      scopes:
        type: object
        additionalProperties:
          type: string
    patternProperties:
      '^x-': {}
    additionalProperties: false

Thanks for any clarification to this!
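To make the disagreement between the spec text and the JSON Schema concrete, here is a small checker for an OAS 3.0 OAuth Flows object (added example, not the OpenAPI-Specification project's own code). Field names follow the schema fragment quoted above; the sample flows object and the `require_scopes` switch are constructed for this illustration.

```python
# Added example, not the OpenAPI project's code. require_scopes=True follows the
# spec text (scopes required in every flow); False mirrors the JSON Schema above.
REQUIRED_URLS = {  # URL fields each flow type requires ("Applies To" column)
    "implicit": {"authorizationUrl"},
    "password": {"tokenUrl"},
    "clientCredentials": {"tokenUrl"},
    "authorizationCode": {"authorizationUrl", "tokenUrl"},
}
OPTIONAL_FIELDS = {"refreshUrl", "scopes"}

def validate_flow(flow_type, flow, require_scopes=True):
    """Return a list of error strings for one OAuth Flow object (empty == valid)."""
    errors = []
    required = set(REQUIRED_URLS[flow_type])
    if require_scopes or flow_type == "implicit":
        required.add("scopes")
    for field in sorted(required - set(flow)):
        errors.append(f"{flow_type}: missing required field '{field}'")
    allowed = REQUIRED_URLS[flow_type] | OPTIONAL_FIELDS
    for key, value in flow.items():
        if key.startswith("x-"):          # '^x-' patternProperties: anything goes
            continue
        if key not in allowed:            # additionalProperties: false
            errors.append(f"{flow_type}: unexpected field '{key}'")
        elif key == "scopes":             # map of scope name -> description
            ok = isinstance(value, dict) and all(
                isinstance(k, str) and isinstance(v, str) for k, v in value.items())
            if not ok:
                errors.append(f"{flow_type}: 'scopes' must map strings to strings")
        elif not isinstance(value, str):  # URL fields are plain strings
            errors.append(f"{flow_type}: '{key}' must be a string")
    return errors

def validate_flows(flows, require_scopes=True):
    """Validate a whole OAuth Flows object (the 'flows' map of a security scheme)."""
    errors = []
    for flow_type, flow in flows.items():
        if flow_type not in REQUIRED_URLS:
            errors.append(f"unknown flow type '{flow_type}'")
            continue
        errors.extend(validate_flow(flow_type, flow, require_scopes))
    return errors

# Constructed sample: authorizationCode is complete, clientCredentials omits scopes.
SAMPLE_FLOWS = {
    "authorizationCode": {"authorizationUrl": "https://auth.example.com/authorize",
                          "tokenUrl": "https://auth.example.com/token",
                          "scopes": {"read:pets": "read your pets"}, "x-internal": True},
    "clientCredentials": {"tokenUrl": "https://auth.example.com/token"},
}
```

With `require_scopes=False` (the schema's rules) the sample passes, while `require_scopes=True` (the spec's rules) reports the missing `scopes` on `clientCredentials`, which is exactly the gap the issue asks about.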

Issue Analytics

  • State: open
  • Created 2 years ago
  • Comments: 8 (8 by maintainers)

Top GitHub Comments

1 reaction
MikeRalphson commented, Aug 26, 2021

@char0n thanks - I’m working on the GitHub action to regenerate and republish the schemas when they change but it has taken longer than expected. I’ll raise a PR to resync manually.

1 reaction
char0n commented, Aug 10, 2021

A pull request has been issued against the main branch: https://github.com/OAI/OpenAPI-Specification/pull/2673
