The security scheme is not an OAuth2 scheme and must not define OAuth2 scopes

Description

The security scheme in question defines OAuth2 scopes. However, it is not an OAuth2 security scheme, and thus must not define OAuth2 scopes.

Example

The following is an example of how this issue could look in your API definition. The security scheme referenced by the security requirement regularSecurity defines scopes, but its authentication type is basic, not oauth2:

{
  "schemes": [
    "https"
  ],
  ...
  "securityDefinitions": {
    "regularSecurity": {
      "type": "basic",
      "scopes": {
        "readOnly": "read objects in your account"
      }
    }
  },
  ...
  "security": [
    {
      "regularSecurity": []
    }
  ],
  ...
}

Remediation

Make sure that only security schemes of type oauth2 define scopes. For any other scheme type (basic, apiKey), remove the scopes object, as in the corrected definition below:

{
  "schemes": [
    "https"
  ],
  ...
  "securityDefinitions": {
    "regularSecurity": {
      "type": "basic"
    }
  },
  ...
  "security": [
    {
      "regularSecurity": []
    }
  ],
  ...
}
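As an added example (not part of the original page or of any vendor tooling), the following Python script applies this check to a Swagger 2.0 document loaded as a dictionary: it lists every scheme under securityDefinitions that carries a scopes object while its type is not oauth2, and produces a remediated copy with those scopes removed. It goes one step beyond the page by also flagging security requirements that list scope names for a non-OAuth2 scheme, since Swagger 2.0 requires that array to be empty for such schemes. The sample document is constructed for the example, including the scheme names and the placeholder authorizationUrl.

```python
import copy
import json

# Constructed sample Swagger 2.0 fragment (not a real API): "regularSecurity"
# is a basic scheme that wrongly defines scopes, "oauthSecurity" legitimately
# does, and the top-level requirement misuses a scope name on the basic scheme.
SAMPLE_SWAGGER = json.loads("""
{
  "swagger": "2.0",
  "securityDefinitions": {
    "regularSecurity": {
      "type": "basic",
      "scopes": {"readOnly": "read objects in your account"}
    },
    "apiKeyAuth": {
      "type": "apiKey",
      "name": "X-API-Key",
      "in": "header"
    },
    "oauthSecurity": {
      "type": "oauth2",
      "flow": "implicit",
      "authorizationUrl": "https://auth.example.invalid/authorize",
      "scopes": {"readOnly": "read objects in your account"}
    }
  },
  "security": [
    {"regularSecurity": ["readOnly"]},
    {"oauthSecurity": ["readOnly"]}
  ]
}
""")


def find_non_oauth2_schemes_with_scopes(spec):
    """Names of security schemes that define 'scopes' but are not of type oauth2."""
    findings = []
    for name, scheme in spec.get("securityDefinitions", {}).items():
        if not isinstance(scheme, dict):
            continue
        if scheme.get("type") != "oauth2" and "scopes" in scheme:
            findings.append(name)
    return sorted(findings)


def find_requirements_with_scopes_on_non_oauth2(spec):
    """Names of non-oauth2 schemes that a security requirement references with
    a non-empty scope list (Swagger 2.0 requires an empty array there)."""
    definitions = spec.get("securityDefinitions", {})
    findings = set()
    for requirement in spec.get("security", []):
        for name, scopes in requirement.items():
            scheme = definitions.get(name, {})
            if scheme.get("type") != "oauth2" and scopes:
                findings.add(name)
    return sorted(findings)


def remediate(spec):
    """Return a deep copy of the spec with the offending scopes removed, both
    from non-oauth2 scheme definitions and from requirements that use them."""
    fixed = copy.deepcopy(spec)
    for name in find_non_oauth2_schemes_with_scopes(fixed):
        del fixed["securityDefinitions"][name]["scopes"]
    for name in find_requirements_with_scopes_on_non_oauth2(fixed):
        for requirement in fixed.get("security", []):
            if name in requirement:
                requirement[name] = []
    return fixed


if __name__ == "__main__":
    print("schemes defining scopes without oauth2:",
          find_non_oauth2_schemes_with_scopes(SAMPLE_SWAGGER))
    print("requirements passing scopes to non-oauth2 schemes:",
          find_requirements_with_scopes_on_non_oauth2(SAMPLE_SWAGGER))
    print(json.dumps(remediate(SAMPLE_SWAGGER)["securityDefinitions"], indent=2))
```

The check is deliberately limited to the securityDefinitions and security objects; operation-level security arrays follow the same rule and can be passed to find_requirements_with_scopes_on_non_oauth2 by wrapping them in a dictionary with the same securityDefinitions.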
