OAuth 2 flow with empty scopes produces invalid specification
According to the OpenAPI specification, it is possible to specify an OAuth 2 security scheme without specifying any scopes. In this case, the specification should contain scopes: {}. See https://swagger.io/docs/specification/authentication/oauth2/.
I have used the following configuration for the security scheme, but the scopes object is removed:
    settings.GeneratorSettings.DocumentProcessors.Add(
        new SecurityDefinitionAppender("oauth2", new OpenApiSecurityScheme
        {
            Description = "My oauth flow",
            Type = OpenApiSecuritySchemeType.OAuth2,
            Flow = OpenApiOAuth2Flow.Password,
            TokenUrl = "api/token",
            Scopes = new Dictionary<string, string>(),
        }));
The resulting section in the swagger.json looks like this:
    "securitySchemes": {
      "oauth2": {
        "type": "oauth2",
        "description": "My oauth flow",
        "flows": {
          "password": {
            "tokenUrl": "api/token"
          }
        }
      }
    }
Issue Analytics
- State:
- Created 4 years ago
- Comments:7 (4 by maintainers)
I think there could be a “converter” which hides empty collections, which might affect this one…
This one? https://github.com/RicoSuter/NJsonSchema/blob/master/src/NJsonSchema/Infrastructure/IgnoreEmptyCollectionsContractResolver.cs
Is the “scopes” required according to specs? If yes we should set it to required in the attribute: https://github.com/RicoSuter/NSwag/blob/master/src/NSwag.Core/OpenApiOAuthFlow.cs#L30 so that the resolver above does not “hide” it…
Yes, it is: https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.0.md#oauth-flow-object
I’m running into this, too. I’m working with my API in Postman. Postman validates the OpenAPI definition and is complaining about the missing scopes property.
I set up a sample here to check serialization. With default serialization settings, the NSwag.OpenApiOAuthFlow.Scopes property renders correctly as an empty object.
Could the problem be a serializer setting or logic decision that is preventing the empty Scopes dictionary from being serialized?
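
Added example, not part of the original thread and not NSwag code: a check that can run over a generated swagger.json to catch OAuth flows missing the fields the OpenAPI 3.0 OAuth Flow Object requires, including the `scopes` object discussed here. It goes beyond the reported case by also checking the required URLs per flow type; the function name, the message format and the `components` wrapper around the sample are assumptions.

```python
import copy

# Required fields per flow type (OpenAPI 3.0 OAuth Flow Object); scopes may be {}.
REQUIRED_BY_FLOW = {
    "implicit": ("authorizationUrl", "scopes"),
    "password": ("tokenUrl", "scopes"),
    "clientCredentials": ("tokenUrl", "scopes"),
    "authorizationCode": ("authorizationUrl", "tokenUrl", "scopes"),
}

def check_oauth_flows(document):
    """Return one message per problem found in the OAuth2 security schemes."""
    problems = []
    schemes = document.get("components", {}).get("securitySchemes", {})
    for name, scheme in schemes.items():
        if scheme.get("type") != "oauth2":
            continue
        flows = scheme.get("flows")
        if not isinstance(flows, dict) or not flows:
            problems.append(f"{name}: oauth2 scheme has no 'flows' object")
            continue
        for flow_name, flow in flows.items():
            if flow_name.startswith("x-"):  # specification extensions are allowed
                continue
            required = REQUIRED_BY_FLOW.get(flow_name)
            if required is None or not isinstance(flow, dict):
                problems.append(f"{name}.{flow_name}: unknown flow or not an object")
                continue
            for field in required:
                if field not in flow:
                    problems.append(f"{name}.{flow_name}: missing required '{field}'")
            # An empty mapping is valid; any other JSON type is not.
            if not isinstance(flow.get("scopes", {}), dict):
                problems.append(f"{name}.{flow_name}: 'scopes' must be an object")
    return problems

# Constructed sample mirroring the output reported in the issue (scopes dropped).
REPORTED = {"components": {"securitySchemes": {"oauth2": {
    "type": "oauth2", "description": "My oauth flow",
    "flows": {"password": {"tokenUrl": "api/token"}},
}}}}

# Constructed sample of the expected output: an explicit empty scopes object.
EXPECTED = copy.deepcopy(REPORTED)
EXPECTED["components"]["securitySchemes"]["oauth2"]["flows"]["password"]["scopes"] = {}

if __name__ == "__main__":
    for label, doc in (("reported", REPORTED), ("expected", EXPECTED)):
        print(label, check_oauth_flows(doc) or "ok")
```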