diff --git a/src/oas.md b/src/oas.md index d5b3645174..9857df38ac 100644 --- a/src/oas.md +++ b/src/oas.md @@ -4577,6 +4577,7 @@ Defines a security scheme that can be used by the operations. Supported schemes are HTTP authentication, an API key (either as a header, a cookie parameter or as a query parameter), mutual TLS (use of a client certificate), OAuth2's common flows (implicit, password, client credentials and authorization code) as defined in [RFC6749](https://tools.ietf.org/html/rfc6749), OAuth2 device authorization flow as defined in [RFC8628](https://tools.ietf.org/html/rfc8628), and [[OpenID-Connect-Core]]. Please note that as of 2020, the implicit flow is about to be deprecated by [OAuth 2.0 Security Best Current Practice](https://tools.ietf.org/html/draft-ietf-oauth-security-topics). Recommended for most use cases is Authorization Code Grant flow with PKCE. +For requests between pre-integrated business systems, SAML 2.0 Bearer flow as defined in [RFC7522, section 2.1](https://tools.ietf.org/html/rfc7522#section-2.1) is an alternative that avoids the need for explicit consent by the user. #### Fixed Fields @@ -4651,6 +4652,7 @@ Allows configuration of the supported OAuth Flows. | password | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Resource Owner Password flow | | clientCredentials | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Client Credentials flow. Previously called `application` in OpenAPI 2.0. | | authorizationCode | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Authorization Code flow. Previously called `accessCode` in OpenAPI 2.0. | +| saml2Bearer | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth SAML 2.0 Bearer flow. | | deviceAuthorization | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Device Authorization flow. | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -4665,7 +4667,7 @@ Configuration details for a supported OAuth Flow | ---- | :----: | ---- | ---- | | authorizationUrl | `string` | `oauth2` (`"implicit"`, `"authorizationCode"`) | **REQUIRED**. The authorization URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | | deviceAuthorizationUrl | `string` | `oauth2` (`"deviceAuthorization"`) | **REQUIRED**. The device authorization URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | -| tokenUrl | `string` | `oauth2` (`"password"`, `"clientCredentials"`, `"authorizationCode"`, `"deviceAuthorization"`) | **REQUIRED**. The token URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | +| tokenUrl | `string` | `oauth2` (`"password"`, `"clientCredentials"`, `"authorizationCode"`, `"saml2Bearer"`, `"deviceAuthorization"`) | **REQUIRED**. The token URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | | refreshUrl | `string` | `oauth2` | The URL to be used for obtaining refresh tokens. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | | scopes | Map[`string`, `string`] | `oauth2` | **REQUIRED**. The available scopes for the OAuth2 security scheme. A map between the scope name and a short description for it. The map MAY be empty. | diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 702e73c11e..f6b37f2c0f 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -1037,6 +1037,8 @@ $defs: $ref: '#/$defs/oauth-flows/$defs/client-credentials' authorizationCode: $ref: '#/$defs/oauth-flows/$defs/authorization-code' + saml2Bearer: + $ref: '#/$defs/oauth-flows/$defs/saml2-bearer' deviceAuthorization: $ref: '#/$defs/oauth-flows/$defs/device-authorization' $ref: '#/$defs/specification-extensions' @@ -1115,6 +1117,23 @@ $defs: $ref: '#/$defs/specification-extensions' unevaluatedProperties: false + saml2-bearer: + type: object + properties: + tokenUrl: + type: string + format: uri-reference + refreshUrl: + type: string + format: uri-reference + scopes: + $ref: '#/$defs/map-of-strings' + required: + - tokenUrl + - scopes + $ref: '#/$defs/specification-extensions' + unevaluatedProperties: false + device-authorization: type: object properties: