OAuth 1.0 authentication used
Issue ID: v3-global-securityrequirement-http-oauth1
Average severity: Medium
Description
The API uses OAuth 1.0 as the authentication method.
For more details, see the OpenAPI Specification.
Example
The following is an example of how this type of risk could look in your API definition. Here, the authentication method is specified as OAuth 1.0:
{
"servers": [
{
"url": "https://my.api.server.com/",
"description": "API server"
}
],
// ...
"components": {
"securitySchemes": {
"OAuth1": {
"type": "http",
"scheme": "oauth"
}
}
},
// ...
"security": [
{
"OAuth1": []
}
]
}Possible exploit scenario
OAuth 1.0 has been deprecated and replaced by OAuth 2.0. See RFC 6749.
Remediation
Use a more secure authentication method, like OAuth 2.0. It uses access tokens with limited lifetime and authorizations (the scopes) granted that the resource owner grants from an authorization server.
An API operation can be consumed only if the request includes an access token and the scopes of the token match the scopes that the API operation requires. Even if attackers successfully retrieved access tokens, they can only use the token on a subset of the API operation and for a limited time.
{
"servers": [
{
"url": "https://my.api.server.com/",
"description": "API server"
}
],
// ...
"components": {
"securitySchemes": {
"OAuth2": {
"type": "oauth2",
"flows": {
"authorizationCode": {
"scopes": {
"write": "modify objects in your account",
"read": "read objects in your account"
},
"authorizationUrl": "https://example.com/oauth/authorize",
"tokenUrl": "https://example.com/oauth/token"
}
}
}
}
},
// ...
"security": [
{
"OAuth2": [
"write",
"read"
]
}
]
}