The ‘security’ section references a security scheme not defined in the ‘securityDefinitions’

Description

A security requirement in the security section contains a reference to a security scheme that is not defined in the API.

The security section specifies what kind of authentication your API requires, either at the global level for the whole API or for individual API operations. Each security requirement in it must name a scheme that is actually defined (in securityDefinitions for OAS v2, in components.securitySchemes for OAS v3); otherwise the requirement cannot be enforced or validated.

For more details, see the OAS v2 or OAS v3 specification.

Example

The following is an example of how this could look in your API definition.

OAS v2:

The security section references an OAuth security scheme, but this scheme has not been defined in securityDefinitions:

{
  "schemes": [
    "https"
  ],
  ...
  "securityDefinitions": {
    "regularSecurity": {
      "type": "basic"
    }
  },
  ...
  "security": [
    {
      "regularSecurity": [],
      "OAuth2": [ "readOnly" ]
    }
  ],
  ...
}

OAS v3:

The security section references an OAuth security scheme, but this scheme has not been defined in #/components/securitySchemes:

...
{
	"security": [
		{
			"regularSecurity": [],
			"OAuth2": [ "readOnly" ]
		}
	]
}
...
{
	"servers": [
		{
			"url": "http://my.api.server.com/",
			"description": "API server"
		}
	]
}
...
{
	"components": {
		"securitySchemes": {
			"regularSecurity": {
				"type": "http",
				"scheme": "basic"
			}
		}
	}
}
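As an added example (not part of the original page), the following Python check implements this rule for both OAS v2 and OAS v3: it collects the defined scheme names and walks the global and the per-operation security requirements, reporting every scheme that is referenced but not defined. The sample documents are constructed to mirror the broken definitions above; the per-operation "apiKey" reference is an added assumption to show that operation-level requirements are checked too.

```python
import json

# Constructed OAS v3 sample: "OAuth2" is referenced under "security" but
# missing from components.securitySchemes; the operation-level "apiKey"
# reference is an added assumption, also undefined.
BROKEN_OAS3 = json.loads("""{
  "openapi": "3.0.0",
  "security": [{"regularSecurity": [], "OAuth2": ["readOnly"]}],
  "paths": {"/items": {"get": {"security": [{"apiKey": []}]}}},
  "components": {"securitySchemes": {
    "regularSecurity": {"type": "http", "scheme": "basic"}}}
}""")

# Constructed OAS v2 sample with the same defect.
BROKEN_OAS2 = {
    "swagger": "2.0",
    "securityDefinitions": {"regularSecurity": {"type": "basic"}},
    "security": [{"regularSecurity": [], "OAuth2": ["readOnly"]}],
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def defined_schemes(api: dict) -> set:
    """Names of the security schemes the document defines (OAS v2 or v3)."""
    if "swagger" in api:  # OAS v2 keeps them in securityDefinitions
        return set(api.get("securityDefinitions", {}))
    return set(api.get("components", {}).get("securitySchemes", {}))  # OAS v3


def _pointer_escape(segment: str) -> str:
    """Escape a path key for use inside a JSON pointer (RFC 6901)."""
    return segment.replace("~", "~0").replace("/", "~1")


def undefined_scheme_refs(api: dict) -> list:
    """Return (location, scheme) for every security requirement naming an undefined scheme."""
    defined = defined_schemes(api)
    findings = []

    def check(requirements, location):
        # A security requirement is an object whose keys are scheme names;
        # an empty list or an empty object disables auth and yields no findings.
        for requirement in requirements or []:
            for scheme in requirement:
                if scheme not in defined:
                    findings.append((location, scheme))

    check(api.get("security"), "#/security")
    for path, item in api.get("paths", {}).items():
        for method, operation in item.items():
            if method in HTTP_METHODS and isinstance(operation, dict):
                check(operation.get("security"),
                      f"#/paths/{_pointer_escape(path)}/{method}/security")
    return findings
```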

Remediation

Make sure that all security schemes that the security section references are defined.

OAS v2:

{
  "schemes": [
    "https"
  ],
  ...
  "securityDefinitions": {
    "regularSecurity": {
      "type": "basic"
    },
    "OAuth2": {
      "type": "oauth2",
      "flow": "accessCode",
      "scopes": {
        ...
      }
    }
  },
  ...
  "security": [
    {
      "regularSecurity": [],
      "OAuth2": [ "readOnly" ]
    }
  ],
  ...
}

OAS v3:

...
{
	"security": [
		{
			"regularSecurity": [],
			"OAuth2": [ "readOnly" ]
		}
	]
}
...
{
	"servers": [
		{
			"url": "http://my.api.server.com/",
			"description": "API server"
		}
	]
}
...
{
	"components": {
		"securitySchemes": {
			"regularSecurity": {
				"type": "http",
				"scheme": "basic"
			},
			"OAuth2": {
				"type": "oauth2",
				"flows": {
					"authorizationCode": {
						"scopes": {
							"readOnly": "read objects in your account"
						},
						"authorizationUrl": "https://example.com/oauth/authorize",
						"tokenUrl": "https://example.com/oauth/token"
					}
				}
			}
		}
	}
}
