Ensure security object has defined rules in its array and rules are defined on securityScheme
Ensure that the security object in the OpenAPI document has defined rules in its array and that the rules are defined on the securityScheme object in the components section. The security object specifies the security or authorization protocol used when submitting requests to the API. The securityScheme object describes how each security scheme works and what parameters it expects. Having defined rules for the security object and the securityScheme object helps both humans and computers to understand how to authenticate and authorize themselves to access the API.
Risk Level: high
Platform: OpenAPI
Spectral Rule ID: OPENAPI017
REMEDIATION
Add the security object at the root level of the OpenAPI document and define one or more security requirement objects in its array. Each security requirement object contains one or more key-value pairs, where the key is the name of a security scheme defined in the components/securitySchemes section, and the value is an array of scope names required for the execution (for OAuth 2 and OpenID Connect only). For example:
security:
- app_id: []
Add the components/securitySchemes object at the root level of the OpenAPI document and define one or more security scheme objects under it. Each security scheme object has a type property that specifies the type of authentication, such as apiKey, http, oauth2, or openIdConnect. Depending on the type, other properties may be required or optional, such as name, in, scheme, flows, openIdConnectUrl, etc. For example:
components:
securitySchemes:
app_id:
type: apiKey
name: app_id
in: query
# This is a sample OpenAPI document with a security object and a components/securitySchemes object
openapi: 3.0.0
info:
title: Sample API
version: 1.0.0
servers:
- url: https://api.example.com/v1
paths:
/pets:
get:
summary: List all pets
+ # Add this section to define the global security method for the API
+ security:
+ - app_id: [] # This is an arbitrary name for this security scheme
responses:
'200':
description: A list of pets
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/Pet'
default:
description: Unexpected error
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
components:
schemas:
Pet:
type: object
required:
- id
- name
properties:
id:
type: integer
format: int64
name:
type: string
tag:
type: string
Error:
type: object
required:
- code
- message
properties:
code:
type: integer
format: int32
message:
type: string
+ securitySchemes:
+ app_id:
+ type: apiKey # This is an API key based authentication
+ name: app_id # This is the name of the query parameter that contains the API key
+ in: query # This means that the API key should be passed in the query string
# for OpenAPI 2.0
swagger: '2.0'
info:
version: 1.0.0
title: Sample API
+ # Add this section to define all security schemes used by the API
+ securityDefinitions:
+ app_id:
+ type: apiKey
+ name: app_id
+ in: query
paths:
/users:
get:
summary: List all users
+ # Apply a specific security scheme to this operation
+ security:
+ - app_id: []
responses:
'200':
description: A list of users.
schema:
type: array
items:
$ref: '#/definitions/User'
Read more:
- https://swagger.io/specification/#security-requirement-object
- https://swagger.io/docs/specification/2-0/authentication/
- https://swagger.io/specification/v2/#securityRequirementObject
- https://swagger.io/specification/v2/#securityDefinitionsObject
- https://idratherbewriting.com/learnapidoc/pubapis_openapi_step6_security_object.html
Updated over 1 year ago