Security requirement is not an OAuth2 requirement and must not define OAuth2 scopes
Issue ID: semantic-securityrequirement-nonoauth2scopes
Description
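The security requirement in question lists OAuth2 scopes, but the security scheme it refers to is not an OAuth2 scheme. Scopes are meaningful only for OAuth2 security requirements; for any other scheme type, the array in the security requirement must be empty.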
For more details, see the OpenAPI Specification.
Example
The following is an example of how this issue could look in your API definition:
{
  "schemes": [
    "https"
  ],
  // ...
  "securityDefinitions": {
    "regularSecurity": {
      "type": "basic"
    }
  },
  // ...
  "security": [
    {
      "regularSecurity": ["readOnly"]
    }
  ]
  // ...
}
Remediation
Make sure that only OAuth2 security requirements define OAuth2 scopes. For any other security scheme, leave the array empty:
{
  "schemes": [
    "https"
  ],
  // ...
  "securityDefinitions": {
    "regularSecurity": {
      "type": "basic"
    }
  },
  // ...
  "security": [
    {
      "regularSecurity": []
    }
  ]
  // ...
}
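One way to check a definition for this issue before it reaches an audit, as an added example (not code from this page or from any audit tool). It goes beyond the example above by also checking per-operation security requirements. The function names, the oauthSecurity scheme, the /items path and the sample definition are assumptions constructed for illustration.

```python
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

# Constructed Swagger 2.0 sample, modelled on the example above.
SAMPLE = json.loads("""
{
  "swagger": "2.0",
  "securityDefinitions": {
    "regularSecurity": {"type": "basic"},
    "oauthSecurity": {"type": "oauth2", "flow": "implicit",
      "authorizationUrl": "https://auth.example.com/authorize",
      "scopes": {"readOnly": "read access"}}
  },
  "security": [{"regularSecurity": ["readOnly"]}],
  "paths": {
    "/items": {
      "get":  {"security": [{"oauthSecurity": ["readOnly"]}]},
      "post": {"security": [{"regularSecurity": ["readOnly"]}]},
      "put":  {"security": [{"regularSecurity": []}]}
    }
  }
}
""")

def _requirements(spec):
    """Yield (location, requirement) for global and per-operation security."""
    for i, req in enumerate(spec.get("security", [])):
        yield f"security[{i}]", req
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS and isinstance(op, dict):
                for i, req in enumerate(op.get("security", [])):
                    yield f"paths.{path}.{method}.security[{i}]", req

def find_non_oauth2_scopes(spec):
    """Return (location, scheme, type, scopes) for scopes on non-OAuth2 schemes."""
    schemes = spec.get("securityDefinitions", {})
    findings = []
    for location, req in _requirements(spec):
        for name, scopes in req.items():
            # kind is None for an undefined scheme, which is a separate issue
            kind = schemes.get(name, {}).get("type")
            if scopes and kind not in (None, "oauth2"):
                findings.append((location, name, kind, scopes))
    return findings

if __name__ == "__main__":
    for finding in find_non_oauth2_scopes(SAMPLE):
        print(*finding)
```

An empty result means no non-OAuth2 requirement carries scopes; a non-empty result can be used to fail a CI job.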