No refreshUrl for client credentials flow in OAuth 2 (#66)
In the client credentials flow there is no refresh URL, and https://www.rfc-editor.org/rfc/rfc6749#section-4.4.3
states that "a refresh token SHOULD NOT be included" in the client credentials flow of OAuth 2, so there would be no point in a refresh URL truthy check.
This change will check for refresh URL in all OAuth 2 flows except the client credentials flow.

Co-authored-by: Nauman <[email protected]>
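As an added illustration of the selection the new `given` expression performs (this is example code written for this page, not Spectral's JSONPath engine and not code from this repository), the function below walks an OpenAPI document by hand, skips the flow names listed in an exemption set, and reports every remaining `oauth2` flow whose `refreshUrl` is not truthy. The `missingRefreshUrl` function, the `EXEMPT_FLOWS` set and the `sampleDoc` document are all assumptions constructed for the example; the sample has one scheme with `authorizationCode`, `password` and `clientCredentials` flows so the effect of the exemption is visible.

```typescript
// Added example: hand-rolled equivalent of the ruleset's updated `given`
// (`flows[?(@property != "clientCredentials")]`) followed by a truthy check on
// `refreshUrl`. Not Spectral's own evaluation; the document below is constructed.

interface OAuthFlow {
  authorizationUrl?: string;
  tokenUrl?: string;
  refreshUrl?: string;
  scopes?: Record<string, string>;
}

interface SecurityScheme {
  type: string;
  flows?: Record<string, OAuthFlow>;
}

interface OpenApiDoc {
  components?: { securitySchemes?: Record<string, SecurityScheme> };
}

// Flow names exempt from the check. clientCredentials is exempt because
// RFC 6749 section 4.4.3 says a refresh token SHOULD NOT be included there.
const EXEMPT_FLOWS: Set<string> = new Set(["clientCredentials"]);

// Returns a JSONPath-style location for every oauth2 flow that is not exempt
// and lacks a truthy refreshUrl, i.e. where the rule's `truthy` check fails.
function missingRefreshUrl(doc: OpenApiDoc, exempt: Set<string> = EXEMPT_FLOWS): string[] {
  const findings: string[] = [];
  const schemes: Record<string, SecurityScheme> = doc.components?.securitySchemes ?? {};
  for (const [schemeName, scheme] of Object.entries(schemes)) {
    // Mirrors `[?(@ && @.type=="oauth2")]`: skip null entries and other scheme types.
    if (!scheme || scheme.type !== "oauth2") continue;
    const flows: Record<string, OAuthFlow> = scheme.flows ?? {};
    for (const [flowName, flow] of Object.entries(flows)) {
      if (exempt.has(flowName)) continue; // `@property != "clientCredentials"`
      if (!flow.refreshUrl) {
        findings.push(`$.components.securitySchemes.${schemeName}.flows.${flowName}.refreshUrl`);
      }
    }
  }
  return findings;
}

// Constructed sample document (assumption, not from any real API description).
// Only the password flow is a genuine finding: authorizationCode has a
// refreshUrl, and clientCredentials is exempt.
const sampleDoc: OpenApiDoc = {
  components: {
    securitySchemes: {
      apiKey: { type: "apiKey" },
      oauth: {
        type: "oauth2",
        flows: {
          authorizationCode: {
            authorizationUrl: "https://example.com/authorize",
            tokenUrl: "https://example.com/token",
            refreshUrl: "https://example.com/refresh",
            scopes: {},
          },
          password: { tokenUrl: "https://example.com/token", scopes: {} },
          clientCredentials: { tokenUrl: "https://example.com/token", scopes: {} },
        },
      },
    },
  },
};

// Before the commit (no exemption) the sample yields two findings; after it, one.
console.log(missingRefreshUrl(sampleDoc, new Set()));
console.log(missingRefreshUrl(sampleDoc));
```

Passing an empty exemption set reproduces the pre-commit behaviour of `flows.*`, so the two calls at the bottom show exactly which finding the change removes.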
sekharbr and mnaumanali94 authored Sep 13, 2024
1 parent 4d934c1 commit 26819e8
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/ruleset.ts
@@ -269,7 +269,7 @@ export default {
description:
"Using short-lived access tokens is a good practice, and when using OAuth 2 this is done by using refresh tokens. If a malicious actor is able to get hold of an access token then rotation means that token might not work by the time they try to use it, or it could at least reduce how long they are able to perform malicious requests.",
severity: DiagnosticSeverity.Error,
given: ['$.components.securitySchemes[?(@ && @.type=="oauth2")].flows.*'],
given: '$.components.securitySchemes[?(@ && @.type=="oauth2")].flows[?(@property != "clientCredentials")]',
then: [
{
field: "refreshUrl",
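Review bot: the rule's `description` in this hunk's unchanged context still says that with OAuth 2 short-lived tokens are "done by using refresh tokens" and gives no hint that one flow is now exempt, so anyone who sees the rule fire on a password or authorizationCode flow but not on clientCredentials has nothing in the rule output to explain the difference. Suggest extending the description with the reason the commit message gives, e.g. "The client credentials flow is exempt because RFC 6749 section 4.4.3 says a refresh token SHOULD NOT be included in its token response." A minor style point: `given` changes from a one-element array to a bare string in the same line; both are accepted, but the form change is unrelated to the fix and would be easier to review as its own change or at least called out in the commit message.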
