The security requirement is not an OAuth2 requirement and must not define OAuth2 scopes

Description

The security requirement in question defines OAuth2 scopes. However, it is not an OAuth2 security requirement, and thus must not define OAuth2 scopes.

This applies only to the OpenAPI Specification (OAS) v2. For more details, see the OAS.

Example

The following is an example of how this issue could look in your API definition.

{
  "schemes": [
    "https"
  ],
  ...
  "securityDefinitions": {
    "regularSecurity": {
      "type": "basic"
    }
  },
  ...
  "security": [
    {
      "regularSecurity": ["readOnly"]
    }
  ],
  ...
}

Remediation

Make sure that only OAuth2 security requirements define OAuth2 scopes.

{
  "schemes": [
    "https"
  ],
  ...
  "securityDefinitions": {
    "regularSecurity": {
      "type": "basic"
     }
   },
  ...
  "security": [
    {
      "regularSecurity": []
    }
  ],
  ...
}

Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy