API spec includes a 'password' flow in OAuth2 authentication
Description
This policy evaluates whether the 'password' flow is used in OAuth2 authentication, specifically for version 2.0 files. The 'password' flow, also known as the Resource Owner Password Credentials flow, is generally not secure. It involves handing the user's credentials (username and password) directly to the client, which then exchanges them for an access token. This exposes user credentials to a potentially malicious client and creates a significant security risk. Therefore, the 'password' flow should not be used in OAuth2 authentication unless the client is assumed to be highly trustworthy.
Code Example

```yaml
components:
  securitySchemes:
    OAuth2:
      type: oauth2
      flows:
        implicit:
          authorizationUrl: http://api.example.com/auth
          scopes:
            read: Grants read access
            write: Grants write access
        authorizationCode:
          authorizationUrl: http://api.example.com/auth
          tokenUrl: http://api.example.com/token
          scopes:
            admin: Grants access to admin operations
```

Remediation
OpenAPI
To fix this issue, modify the OAuth2 security scheme in your specification so that it does not declare the 'password' flow. The 'password' flow is less secure than the other OAuth2 flows, such as 'authorization_code' and 'implicit'.
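As an added example (not part of this policy page and not Checkov's own code), the check below walks an already-parsed spec (a dict, as `yaml.safe_load` would return) and reports every OAuth2 scheme that declares the password flow. It goes slightly beyond the page by covering both the Swagger 2.0 layout (`securityDefinitions` with a single `flow` value) and the OpenAPI 3.x layout shown above (`components.securitySchemes` with a `flows` map, where the password flow can sit next to an otherwise acceptable flow). The sample documents, scheme names and URLs are constructed.

```python
def find_password_flows(spec: dict) -> list[str]:
    """Return a dotted path for every OAuth2 scheme that enables the 'password'
    flow. Swagger 2.0 keeps one 'flow' value per scheme under securityDefinitions;
    OpenAPI 3.x keeps a 'flows' map (possibly several flows) under components."""
    findings = []
    if "swagger" in spec:  # Swagger / OpenAPI 2.0 layout
        for name, scheme in (spec.get("securityDefinitions") or {}).items():
            if isinstance(scheme, dict) and scheme.get("type") == "oauth2":
                if scheme.get("flow") == "password":
                    findings.append(f"securityDefinitions.{name}.flow")
    else:  # OpenAPI 3.x layout
        schemes = (spec.get("components") or {}).get("securitySchemes") or {}
        for name, scheme in schemes.items():
            if isinstance(scheme, dict) and scheme.get("type") == "oauth2":
                # A scheme may list several flows; any 'password' entry fails.
                if "password" in (scheme.get("flows") or {}):
                    findings.append(f"components.securitySchemes.{name}.flows.password")
    return findings


# Constructed sample documents (not taken from the policy page).
AUTH_CODE = {"authorizationUrl": "https://api.example.com/auth",
             "tokenUrl": "https://api.example.com/token",
             "scopes": {"admin": "Grants access to admin operations"}}
PASSWORD = {"tokenUrl": "https://api.example.com/token", "scopes": {"read": "Read"}}

FAILING_V3 = {"openapi": "3.0.0", "components": {"securitySchemes": {
    "OAuth2": {"type": "oauth2", "flows": {"password": PASSWORD, "authorizationCode": AUTH_CODE}}}}}
PASSING_V3 = {"openapi": "3.0.0", "components": {"securitySchemes": {
    "OAuth2": {"type": "oauth2", "flows": {"authorizationCode": AUTH_CODE}}}}}
FAILING_V2 = {"swagger": "2.0", "securityDefinitions": {
    "OAuth2": {"type": "oauth2", "flow": "password", **PASSWORD}}}

if __name__ == "__main__":
    for label, doc in [("v3 failing", FAILING_V3), ("v3 passing", PASSING_V3), ("v2 failing", FAILING_V2)]:
        print(label, find_password_flows(doc) or "no password flow")
```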
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1264 |
| Severity | HIGH |
| IaC Type | OpenAPI |
| Frameworks | OpenAPI |
| Checkov ID | CKV_OPENAPI_8 |