Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tokenUrl doesn't permit for relative references in OAS 3.1 #2635

Closed
saturna opened this issue Jun 8, 2024 · 2 comments · Fixed by #2652
Closed

tokenUrl doesn't permit for relative references in OAS 3.1 #2635

saturna opened this issue Jun 8, 2024 · 2 comments · Fixed by #2652
Labels
help wanted Extra attention is needed OpenAPI Issues related to the OpenAPI ruleset p/medium released t/bug Something isn't working triaged

Comments

@saturna
Copy link

saturna commented Jun 8, 2024

Describe the bug
In OAS 3.0 tokenUrl was of uri-reference type but in 3.1 it seemed to be switched back to uri
As per OAS 3.1 documentation tokenUrl should be of type URL and as per section Relative References in URLs:

Unless specified otherwise, all properties that are URLs MAY be relative references as defined by [RFC3986].
RFC-3986 section 4.2 link

I'm assuming that tokenUrl should in fact permit relative paths and default to a baseURL as defined by the Server Object

This would make sense because using tools such as editor-next.swagger.io, Authorize button should allow for baseUrl selection from the Servers drop-down. If tokenUrl cannot use relative paths, it will not work with this drop-down.
image

To Reproduce

  • define a security schema as follows using openapi: 3.1.0 header:
  securitySchemes:
    Oauth2:
      type: oauth2
      description: Oauth 2.0 application authentication
      flows:
        clientCredentials:
          tokenUrl: /oauth2/token
  • Attempt to use spectral to validate this schema with spectral:oas rule.
  • Schema validation will fail with:
error  oas3-schema  "Oauth2" property must not have unevaluated properties.  components.securitySchemes.Oauth2
error  oas3-schema  "tokenUrl" property must match format "uri".             components.securitySchemes.Oauth2.flows.clientCredentials.tokenUrl

Expected behavior
Spectral validation should pass and allow for relative URLs

Environment (remove any that are not applicable):

  • Library version: 6.11.1
  • OS: MacOS Sonoma 14.4
  • Browser: [N/A]
@daniel-white daniel-white added t/bug Something isn't working help wanted Extra attention is needed p/medium triaged OpenAPI Issues related to the OpenAPI ruleset labels Jun 14, 2024
@daniel-white
Copy link

this definitely seems to be a bug. we would welcome a PR as rulesets are pretty straight forward to change. thanks!

@stoplight-bot
Copy link
Collaborator

🎉 This issue has been resolved in version 1.20.1 🎉

The release is available on @stoplight/spectral-rulesets-1.20.1

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
help wanted Extra attention is needed OpenAPI Issues related to the OpenAPI ruleset p/medium released t/bug Something isn't working triaged
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants