Token URL of the OAuth2 security scheme is not a proper URL

Issue ID: v3-global-securityscheme-oauth2-tokenurl

Average severity: Medium


The URL you have entered in the tokenUrl field of the OAuth2 security scheme is not a proper URL. The OpenAPI Specification (OAS) requires that all URLs in the API contract must be proper URLs in a valid format.

For more details, see the OpenAPI Specification.

Possible exploit scenario

Depending on the underlying library used, your API consumer might be redirected to nefarious sites when parsing non-standard URLs.

In addition, TLS certificates use the URL's host name to validate that the presented certificate matches the host that was contacted. An invalid host name could undermine this validation. A badly encoded URL could also be used as an attack vector when the resource path is decoded.

Remediation

Make sure that all URLs in your API are proper URLs and have a valid format.
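As an added example (not part of this page or of any audit tool it describes), the following Python script walks the `components.securitySchemes` section of an OpenAPI 3.x document and flags OAuth2 flow URLs that are not proper absolute URLs. It covers the `tokenUrl` field this issue is about and, since the same rule applies to them, the other URL fields of the OAS 3.x flow objects (`authorizationUrl` and the optional `refreshUrl`). The sample document is constructed for the demonstration; requiring an `http` or `https` scheme is a design choice of this script rather than a requirement quoted from the specification.

```python
from urllib.parse import urlsplit

# URL-valued fields that each OAS 3.x OAuth2 flow object is required to carry.
# refreshUrl is optional for every flow and is validated only when present.
FLOW_URL_FIELDS = {
    "implicit": ("authorizationUrl",),
    "password": ("tokenUrl",),
    "clientCredentials": ("tokenUrl",),
    "authorizationCode": ("authorizationUrl", "tokenUrl"),
}


def url_problem(value):
    """Return None if value is a proper absolute http(s) URL, else a short reason."""
    if not isinstance(value, str):
        return "not a string"
    if value == "":
        return "empty"
    # urlsplit silently strips tabs, newlines and surrounding spaces; a URL that
    # needs that cleanup is exactly what this check should reject, so test first.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in value):
        return "contains whitespace or control characters"
    try:
        parts = urlsplit(value)
        parts.port  # accessed for its side effect: raises ValueError on a bad port
    except ValueError as exc:
        return f"unparseable: {exc}"
    if parts.scheme not in ("http", "https"):
        return f"scheme must be http or https, got {parts.scheme!r}"
    if not parts.hostname:
        return "missing host"
    return None


def check_oauth2_urls(spec):
    """Return (location, value, reason) findings for every OAuth2 flow URL in spec."""
    findings = []
    schemes = spec.get("components", {}).get("securitySchemes", {})
    for name, scheme in schemes.items():
        if scheme.get("type") != "oauth2":
            continue
        for flow_name, flow in scheme.get("flows", {}).items():
            required = FLOW_URL_FIELDS.get(flow_name, ())
            for field in required + ("refreshUrl",):
                location = f"components.securitySchemes.{name}.flows.{flow_name}.{field}"
                if field not in flow:
                    if field in required:
                        findings.append((location, None, "required URL field missing"))
                    continue
                reason = url_problem(flow[field])
                if reason is not None:
                    findings.append((location, flow[field], reason))
    return findings


# Constructed sample document (not a real API): one scheme with two defective
# tokenUrl values, one scheme whose URLs all pass.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {
            "oauthBad": {
                "type": "oauth2",
                "flows": {
                    "clientCredentials": {
                        "tokenUrl": "oauth.example.com/token",  # no scheme
                        "scopes": {},
                    },
                    "authorizationCode": {
                        "authorizationUrl": "https://oauth.example.com/authorize",
                        "tokenUrl": "https://oauth .example.com/token",  # embedded space
                        "scopes": {},
                    },
                },
            },
            "oauthGood": {
                "type": "oauth2",
                "flows": {
                    "implicit": {
                        "authorizationUrl": "https://oauth.example.com/authorize",
                        "refreshUrl": "https://oauth.example.com/refresh",
                        "scopes": {},
                    },
                    "password": {
                        "tokenUrl": "https://oauth.example.com:8443/token",
                        "scopes": {},
                    },
                },
            },
        }
    },
}

if __name__ == "__main__":
    for location, value, reason in check_oauth2_urls(SAMPLE_SPEC):
        print(f"{location}: {value!r} -> {reason}")
```

Run against the sample, the script reports the two `tokenUrl` values under `oauthBad` and nothing under `oauthGood`. Because `urlsplit` defers port parsing, the explicit access to `parts.port` is what turns a value such as `https://host:abc/token` into a finding; without it the URL would pass the scheme and host checks.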