OAS3 Rule: Ensure that securitySchemes match defined scopes

[Amachua]

User stories.

1. As an API Designer, when I define a security scope on an endpoint, then I want it to be defined in the securitySchemes.

2. As an API Designer, when I define the security scopes in the securitySchemes, then I want them to be defined at least on one endpoint.

Is your feature request related to a problem?

When making an update in one place, it happens that the designer do forget to make the update on the two places and that can be an issue for our end consumer.

Describe the solution you'd like

Consider the following OpenAPI specification:

openapi: 3.0.0

info:
  title: Dummy title
  description: Dummy description
  version: 1.0.0

paths:
  /resources:
    get:
      description: Dummy description
      responses:
        "200":
          description: All is good
      security:
        - dummy_auth:
            - urn:my.dummy.scope.read_only
            - urn:my.precious.dummy.scope.read_only

components:
  securitySchemes:
    dummy_auth:
      type: oauth2
      flows:
        implicit:
          authorizationUrl: https://auth.com
          scopes:
            urn:my.dummy.scope.read_only: Right to read.
            urn.my.precious.scope.read_only: Right to read.

With the following specification, I would like to have in output for the first User Story something like:

The scope urn:my.precious.dummy.scope.read_only is not defined in the security definition

And with the second User Story

The scope urn.my.precious.scope.read_only is not defined on any endpoint.

Is my description clear? If not, I'll be glad to provide more information on that topic. :)

[philsturgeon]

Yeah I get it! They've written a scope in which was never actually defined anywhere. Sounds like a handy rule to add!

[suihanki]

+1 to this! just spent some time trying to see if there was a sneaky way to do this with the schema or schemaPath option, but not without a custom function I believe.