Swagger 2.0 's security scheme validated against OAS 3.0 instead of swagger 2.0

[shockey]

From @pbarbier on March 23, 2018 18:15

When editing a swagger 2.0 yaml content featuring oauth2 security schemes like below:

swagger: "2.0"

info:
  title: wow
  version: 1.0.0
  
paths:
  /:
    get:
      description: wow
      responses:
        200:
          description: ok

securityDefinitions:
  oauth2_Password:
    type: oauth2
    tokenUrl: /authorizationserver/oauth/token
    flow: password
    scopes:
      basic: ''
  oauth2_client_credentials:
    type: oauth2
    tokenUrl: /authorizationserver/oauth/token
    flow: application
    scopes:
      extended: ''
  apikey:
    type: apiKey
    name: myAuth
  basic:
    type: basic
    in: header

Several nonsensical errors are reported:

Structural error at securityDefinitions.oauth2_Password
should NOT have additional properties
additionalProperty: tokenUrl, flow, scopes

Structural error at securityDefinitions.oauth2_Password.type
should be equal to one of the allowed values
allowedValues: basic, apiKey

Structural error at securityDefinitions.oauth2_Password.tokenUrl
should match format "uri"
format: uri

Structural error at securityDefinitions.oauth2_Password.flow
should be equal to one of the allowed values
allowedValues: implicit, application, accessCode

Structural error at securityDefinitions.oauth2_client_credentials
should NOT have additional properties
additionalProperty: tokenUrl, flow, scopes

Structural error at securityDefinitions.oauth2_client_credentials.type
should be equal to one of the allowed values
allowedValues: basic, apiKey

Structural error at securityDefinitions.oauth2_client_credentials.tokenUrl
should match format "uri"
format: uri

Structural error at securityDefinitions.oauth2_client_credentials.flow
should be equal to one of the allowed values
allowedValues: implicit, password, accessCode

Structural error at securityDefinitions.apikey
should NOT have additional properties
additionalProperty: name

Structural error at securityDefinitions.apikey.type
should be equal to one of the allowed values
allowedValues: basic, oauth2

Structural error at securityDefinitions.basic
should NOT have additional properties
additionalProperty: in

Structural error at securityDefinitions.basic.type
should be equal to one of the allowed values
allowedValues: apiKey, oauth2

Q	A
Bug or feature request?	Bug
Which Swagger/OpenAPI version?	Swagger 2.0
Which Swagger-UI version?	3.13.0
How did you install Swagger-UI?	Use through editor.swagger.io
Which browser & version?	Chrome latest
Which operating system?	WIN10

Demonstration API definition

See above

Configuration (browser query string, constructor, config.yaml)

regular use of editor.swagger.io

Expected Behavior

No error should be shown for this part of the yaml

Current Behavior

See above

Possible Solution

Context

The error messages are misleading. They claim the content is not valid when it is.

Copied from original issue: swagger-api/swagger-ui#4364

[shockey]

@pbarbier, not quite sure what's going on here - the validator is in Swagger 2.0 mode, but the output is quite strange.

I'll look into this in the coming week. Sorry for the trouble!

[hkosova]

@pbarbier I guess the relative tokenUrl is the issue. OpenAPI 2.0 Specification does not state whether OAuth endpoints can be relative. This was clarified in OpenAPI 3.0, which explicitly supports relative URLs in tokenUrl.

cc @webron

[pbarbier]

@shockey While you're at it I have another oddity:

With:

securityDefinitions:
  oauth2:
    type: oauth2
    tokenUrl: /authorizationserver/oauth/token
    flow: password
    scopes:
      **basic: ''**

The following fires another error:

      security:
        - oauth2:
            **- basic**

The error: Security scope definition basic could not be resolved

[shockey]

@pbarbier, I've opened a PR that addresses the case you just mentioned 😄

As for the main part of this ticket, I'm going to backlog it for now, since we tend to batch schema validator fixes and this appears to be closely related to the other difficulties we're seeing at the moment.

[webron]

@hkosova is (as usual) right. Swagger/OAS2 does not allow for relative token URLs.

[vspiliopoulos]

@shockey Any plans for fixing this? I am facing the same issue as well

[anboo]

I am facing the same issue too

[arpitgarg1]

I am facing same issue. Any solution please.

[shockey]

@vspiliopoulos @anboo @arpitgarg1 - please note @webron's comment above. If you're using Swagger 2.0 and a non-absolute token/authorization URL, you should fix that!

This ticket is still open so we can fix the quality of the errors reported. If you are seeing an error, there still most likely is something wrong with your definition!