forked from italia/api-oas-checker
oauth2.yml
rules:
  # OAuth2 specific
  sec-securitySchemes-oauth-http:
    description: |-
      OAuth2 endpoints must use `https://`
    message: >-
      OAuth endpoints must use https://
    formats:
      - oas3
    severity: error
    recommended: true
    given:
      - >-
        $..[securitySchemes][?(@ && @.type=="oauth2")][*].[?(@property && @property.match(/Url$/i))]
    then:
      - field: value
        function: pattern
        functionOptions:
          match: >-
            ^https://
  sec-securitySchemes-oauth-allowed-flows:
    description: |-
      The OAuth2 authorization framework defines various
      [grant types](https://tools.ietf.org/html/rfc6749#section-1.3),
      most notably [Authorization Code](https://tools.ietf.org/html/rfc6749#section-1.3.1)
      and [Client Credentials](https://tools.ietf.org/html/rfc6749#section-1.3.4).
      Some grant types are now considered insecure
      and MUST NOT be used, including `implicit` and `password`.
      The new [OAuth 2.1](https://tools.ietf.org/html/draft-ietf-oauth-v2-1-01) draft,
      still under development, removes them and suggests replacing the `implicit`
      flow with `authorizationCode` + PKCE, as defined in RFC 7636.
      For further info, see the OAuth2 section of the [API Security Guidelines](https://docs.italia.it/AgID/documenti-in-consultazione/lg-sicurezza-interoperabilita-docs/).
    message: >-
      Do not use oauth2 insecure flow: "{{property}}".
    formats:
      - oas3
    severity: error
    recommended: true
    given:
      - >-
        $..[?(@ && @.type=="oauth2")].flows
    then:
      - field: implicit
        function: falsy
      - field: password
        function: falsy
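The two rules above express their checks as Spectral JSONPath selectors. The following is an added example, not part of the api-oas-checker ruleset or of Spectral: a plain-JavaScript re-implementation of the intent of both rules (every `*Url` property under an oauth2 flow must begin with `https://`; the `implicit` and `password` flows must be absent) that runs without Spectral. The function name `checkOAuth2Schemes`, the finding shape, and the sample OpenAPI document with its `example.test` hostnames are assumptions constructed for this example; the rule ids and messages are the ones defined in the ruleset.

```javascript
// Added example, not the api-oas-checker ruleset's own code: a dependency-free
// check that mirrors the two Spectral rules defined above.

// Constructed sample OpenAPI 3 document (not from the page). "goodOAuth" is
// compliant; "badOAuth" violates both rules; "apiKey" is not oauth2 and is skipped.
const sampleDoc = {
  openapi: "3.0.3",
  components: {
    securitySchemes: {
      goodOAuth: {
        type: "oauth2",
        flows: {
          authorizationCode: {
            authorizationUrl: "https://auth.example.test/authorize",
            tokenUrl: "https://auth.example.test/token",
            scopes: {},
          },
        },
      },
      badOAuth: {
        type: "oauth2",
        flows: {
          implicit: {
            authorizationUrl: "http://auth.example.test/authorize", // plaintext
            scopes: {},
          },
          password: {
            tokenUrl: "https://auth.example.test/token",
            scopes: {},
          },
        },
      },
      apiKey: { type: "apiKey", in: "header", name: "X-API-Key" },
    },
  },
};

// Flows the ruleset rejects via `function: falsy`.
const FORBIDDEN_FLOWS = ["implicit", "password"];

// Walks components.securitySchemes and returns an array of findings
// {rule, path, message}. An empty array means both rules pass.
function checkOAuth2Schemes(doc) {
  const findings = [];
  const schemes = (doc.components && doc.components.securitySchemes) || {};
  for (const [name, scheme] of Object.entries(schemes)) {
    if (!scheme || scheme.type !== "oauth2") continue;
    const flows = scheme.flows || {};
    for (const [flowName, flow] of Object.entries(flows)) {
      // Rule sec-securitySchemes-oauth-http: every property whose name ends
      // in "Url" (case-insensitive) must match ^https://
      for (const [prop, value] of Object.entries(flow || {})) {
        if (/Url$/i.test(prop) && !/^https:\/\//.test(String(value))) {
          findings.push({
            rule: "sec-securitySchemes-oauth-http",
            path: ["components", "securitySchemes", name, "flows", flowName, prop],
            message: "OAuth endpoints must use https://",
          });
        }
      }
      // Rule sec-securitySchemes-oauth-allowed-flows: implicit/password must be falsy
      if (FORBIDDEN_FLOWS.includes(flowName) && flow) {
        findings.push({
          rule: "sec-securitySchemes-oauth-allowed-flows",
          path: ["components", "securitySchemes", name, "flows", flowName],
          message: `Do not use oauth2 insecure flow: "${flowName}".`,
        });
      }
    }
  }
  return findings;
}

// Print findings when run directly: node check-oauth2.js
if (typeof require !== "undefined" && require.main === module) {
  for (const f of checkOAuth2Schemes(sampleDoc)) {
    console.log(`${f.rule} at ${f.path.join(".")}: ${f.message}`);
  }
}
```

On the sample document this reports three findings: the plaintext `authorizationUrl` of the `implicit` flow, the `implicit` flow itself, and the `password` flow. The compliant `authorizationCode` scheme produces nothing, which is the same outcome the ruleset's `pattern` and `falsy` functions would give. The Spectral rule reaches URL properties through its own JSONPath selector; this example simply iterates each flow's properties, which is the level at which OpenAPI 3 places `authorizationUrl`, `tokenUrl` and `refreshUrl`.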