4 changes: 3 additions & 1 deletion src/oas.md
@@ -4577,6 +4577,7 @@ Defines a security scheme that can be used by the operations.

Supported schemes are HTTP authentication, an API key (either as a header, a cookie parameter or as a query parameter), mutual TLS (use of a client certificate), OAuth2's common flows (implicit, password, client credentials and authorization code) as defined in [RFC6749](https://tools.ietf.org/html/rfc6749), OAuth2 device authorization flow as defined in [RFC8628](https://tools.ietf.org/html/rfc8628), and [[OpenID-Connect-Core]].
Please note that as of 2020, the implicit flow is about to be deprecated by [OAuth 2.0 Security Best Current Practice](https://tools.ietf.org/html/draft-ietf-oauth-security-topics). Recommended for most use cases is Authorization Code Grant flow with PKCE.
For requests between pre-integrated business systems, SAML 2.0 Bearer flow as defined in [RFC7522, section 2.1](https://tools.ietf.org/html/rfc7522#section-2.1) is an alternative that avoids the need for explicit consent by the user.

#### Fixed Fields

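Review bot: The enumeration of supported schemes at the top of this hunk ("OAuth2's common flows (implicit, password, client credentials and authorization code) as defined in RFC6749, OAuth2 device authorization flow as defined in RFC8628, ...") is left unchanged, so it no longer lists every flow the OAuth Flows Object accepts; add the SAML 2.0 Bearer flow there with its RFC 7522 reference, in the same style as the device authorization entry, instead of introducing it only in the new sentence. The new sentence's claim that the flow "avoids the need for explicit consent by the user" also deserves tightening: what RFC 7522 section 2.1 defines is the use of a SAML assertion issued by a trusted identity provider as the authorization grant, so describe that mechanism (the trust relationship between the assertion issuer and the authorization server replaces the interactive authorization step) rather than the absence of consent, so readers do not take it as a way to skip authorization. Finally, "pre-integrated business systems" is vague; "systems with an established trust relationship with the authorization server" says what the grant actually requires.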
@@ -4651,6 +4652,7 @@ Allows configuration of the supported OAuth Flows.
| <a name="oauth-flows-password"></a>password | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Resource Owner Password flow |
| <a name="oauth-flows-client-credentials"></a>clientCredentials | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Client Credentials flow. Previously called `application` in OpenAPI 2.0. |
| <a name="oauth-flows-authorization-code"></a>authorizationCode | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Authorization Code flow. Previously called `accessCode` in OpenAPI 2.0. |
| <a name="oauth-flows-saml2-bearer"></a>saml2Bearer | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth SAML 2.0 Bearer flow. |
| <a name="oauth-flows-device-authorization"></a>deviceAuthorization | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Device Authorization flow. |

This object MAY be extended with [Specification Extensions](#specification-extensions).
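Review bot: The new `saml2Bearer` row's description ("Configuration for the OAuth SAML 2.0 Bearer flow.") gives the reader nothing to distinguish this flow from the others. Since the companion change to the OAuth Flow Object table lists `saml2Bearer` only under `tokenUrl` (no `authorizationUrl` or `deviceAuthorizationUrl` applies), say so here, or at least name the grant as RFC 7522 does ("SAML 2.0 Bearer Assertion" grant), the way the `clientCredentials` and `authorizationCode` rows carry a clarifying remark about their OpenAPI 2.0 names.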
@@ -4665,7 +4667,7 @@ Configuration details for a supported OAuth Flow
| ---- | :----: | ---- | ---- |
| <a name="oauth-flow-authorization-url"></a>authorizationUrl | `string` | `oauth2` (`"implicit"`, `"authorizationCode"`) | **REQUIRED**. The authorization URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. |
| <a name="oauth-flow-device-authorization-url"></a>deviceAuthorizationUrl | `string` | `oauth2` (`"deviceAuthorization"`) | **REQUIRED**. The device authorization URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. |
| <a name="oauth-flow-token-url"></a>tokenUrl | `string` | `oauth2` (`"password"`, `"clientCredentials"`, `"authorizationCode"`, `"deviceAuthorization"`) | **REQUIRED**. The token URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. |
| <a name="oauth-flow-token-url"></a>tokenUrl | `string` | `oauth2` (`"password"`, `"clientCredentials"`, `"authorizationCode"`, `"saml2Bearer"`, `"deviceAuthorization"`) | **REQUIRED**. The token URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. |
| <a name="oauth-flow-refresh-url"></a>refreshUrl | `string` | `oauth2` | The URL to be used for obtaining refresh tokens. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. |
| <a name="oauth-flow-scopes"></a>scopes | Map[`string`, `string`] | `oauth2` | **REQUIRED**. The available scopes for the OAuth2 security scheme. A map between the scope name and a short description for it. The map MAY be empty. |

19 changes: 19 additions & 0 deletions src/schemas/validation/schema.yaml
@@ -1037,6 +1037,8 @@ $defs:
$ref: '#/$defs/oauth-flows/$defs/client-credentials'
authorizationCode:
$ref: '#/$defs/oauth-flows/$defs/authorization-code'
saml2Bearer:
$ref: '#/$defs/oauth-flows/$defs/saml2-bearer'
deviceAuthorization:
$ref: '#/$defs/oauth-flows/$defs/device-authorization'
$ref: '#/$defs/specification-extensions'
@@ -1115,6 +1117,23 @@ $defs:
$ref: '#/$defs/specification-extensions'
unevaluatedProperties: false

saml2-bearer:
type: object
properties:
tokenUrl:
type: string
format: uri-reference
refreshUrl:
type: string
format: uri-reference
scopes:
$ref: '#/$defs/map-of-strings'
required:
- tokenUrl
- scopes
$ref: '#/$defs/specification-extensions'
unevaluatedProperties: false

device-authorization:
type: object
properties:
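Review bot: `format: uri-reference` on `tokenUrl` and `refreshUrl` admits relative references and non-TLS schemes, so this schema does not enforce the "MUST be in the form of a URL" and TLS requirements that the src/oas.md table states for these fields. That is acceptable if the sibling flow definitions (`client-credentials`, `device-authorization`) use the same format, but please confirm they do so validators treat all flows alike; otherwise consider `format: uri` here. The `required` list (`tokenUrl`, `scopes`) matches the REQUIRED markings in the documentation table, and the `specification-extensions` `$ref` with `unevaluatedProperties: false` follows the preceding definition's pattern.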