The security requirement is not an OAuth2 requirement and must not define OAuth2 scopes

Description

The security requirement in question lists OAuth2 scopes, but the security definition it references is not of type oauth2. Only OAuth2 security requirements may list scopes; for any other scheme type (such as basic or apiKey) the scope array must be empty.

Example

The following is an example of how this issue could look in your API definition.

{
  "schemes": [
    "https"
  ],
  ...
  "securityDefinitions": {
    "regularSecurity": {
      "type": "basic"
    }
  },
  ...
  "security": [
    {
      "regularSecurity": ["readOnly"]
    }
  ],
  ...
}

Remediation

Make sure that only OAuth2 security requirements define OAuth2 scopes.

{
  "schemes": [
    "https"
  ],
  ...
  "securityDefinitions": {
    "regularSecurity": {
      "type": "basic"
    }
  },
  ...
  "security": [
    {
      "regularSecurity": []
    }
  ],
  ...
}
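As an added check (not part of the original page), the following Python script walks a Swagger 2.0 definition and reports every security requirement, at document level or on an operation, that lists scopes for a security definition whose type is not oauth2. The sample spec, its definition names and the authorization URL are constructed for this example.

```python
import json

# Constructed sample OpenAPI 2.0 fragment (not from the page): the document-level
# requirement lists a scope for a Basic auth definition, which is the defect above.
SAMPLE_SPEC = json.loads("""
{
  "swagger": "2.0",
  "securityDefinitions": {
    "regularSecurity": {"type": "basic"},
    "oauth": {"type": "oauth2", "flow": "implicit",
              "authorizationUrl": "https://auth.example.com/authorize",
              "scopes": {"readOnly": "read access"}}
  },
  "security": [{"regularSecurity": ["readOnly"]}],
  "paths": {"/items": {"get": {
    "security": [{"oauth": ["readOnly"]}, {"regularSecurity": []}]}}}
}
""")


def check_security_requirements(spec):
    """Return findings for every security requirement (document level and
    per operation) that lists scopes for a non-oauth2 security definition."""
    defs = spec.get("securityDefinitions", {})
    findings = []

    def check(requirements, where):
        for requirement in requirements or []:
            for name, scopes in requirement.items():
                definition = defs.get(name)
                if definition is None:
                    findings.append(f"{where}: unknown security definition '{name}'")
                elif definition.get("type") != "oauth2" and scopes:
                    findings.append(
                        f"{where}: '{name}' is type '{definition.get('type')}' "
                        f"but lists scopes {scopes}")

    # Document-level requirements, then each operation's own override.
    check(spec.get("security"), "document")
    for path, path_item in spec.get("paths", {}).items():
        for method, operation in path_item.items():
            if isinstance(operation, dict) and "security" in operation:
                check(operation["security"], f"{method.upper()} {path}")
    return findings


if __name__ == "__main__":
    for finding in check_security_requirements(SAMPLE_SPEC):
        print(finding)
```

Running it against the sample reports only the document-level requirement; the operation-level entries pass because the oauth2 requirement may list scopes and the basic one has an empty array.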
