OAuth2 security definitions includes password flow in OpenAPI 2.0 file
Description
This policy looks for API definitions in which the 'password' flow is used for OAuth2 authentication, specifically in OpenAPI 2.0 files. The 'password' flow, also known as the resource owner password credentials grant, places the application at higher risk because the user must hand their password directly to the client application. If that password is not handled securely, it can lead to unauthorized access or data breaches. It is therefore recommended to use a more secure OAuth2 flow to protect sensitive information.
Code Example
```yaml
# Compliant example written in the OpenAPI 3.x 'components.securitySchemes' form.
# Only the client credentials and authorization code grants are declared; no
# 'password' flow is present. (The OpenAPI 2.0 equivalent uses a top-level
# 'securityDefinitions' object with 'flow: application' or 'flow: accessCode'.)
components:
  securitySchemes:
    OAuth2:
      type: oauth2
      flows:
        clientCredentials:
          tokenUrl: https://example.com/oauth2/default/v1/token
          scopes:
            'read:apps': read your applications
        # OpenAPI 3.x spells this flow key 'authorizationCode'; the original
        # snippet used 'authorization_code', which is not a valid key here.
        authorizationCode:
          authorizationUrl: https://example.com/oauth2/default/v1/authorize
          tokenUrl: https://example.com/oauth2/default/v1/token
          scopes:
            'read:apps': read your applications
```
Remediation
OpenAPI
To fix this issue, avoid the 'password' flow in OAuth2 security definitions when writing your OpenAPI objects. The password flow is less secure because the user's password credentials are handed directly to the client application. Instead, use a more secure flow such as the 'authorization_code' flow or the 'client_credentials' flow.
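The following checker, added here as an illustration and not Checkov's or Prisma Cloud's own implementation of this policy, walks an OpenAPI document and reports every OAuth2 scheme that declares the password grant. It covers the OpenAPI 2.0 shape this rule targets (`securityDefinitions` with `flow: password`) and also the OpenAPI 3.x shape (`components.securitySchemes.<name>.flows.password`), which goes beyond the 2.0 case described above. The three embedded documents are constructed for the example; the before/after pair shows the remediation as it would look in an OpenAPI 2.0 file, where the authorization code and client credentials grants are spelled `accessCode` and `application`.

```python
"""Scan an OpenAPI document for OAuth2 'password' (resource owner password
credentials) flows.  Added example; not the policy engine's own code.

Covers both document shapes:
  * OpenAPI 2.0: securityDefinitions.<name> with type: oauth2, flow: password
  * OpenAPI 3.x: components.securitySchemes.<name>.flows.password
"""
from typing import Any, Dict, List


def find_password_flows(spec: Dict[str, Any]) -> List[str]:
    """Return a JSON-pointer-style path for every OAuth2 scheme using the password grant."""
    findings: List[str] = []

    # OpenAPI 2.0 (Swagger): top-level securityDefinitions, a single 'flow' string.
    for name, scheme in (spec.get("securityDefinitions") or {}).items():
        if not isinstance(scheme, dict):
            continue
        if scheme.get("type") == "oauth2" and scheme.get("flow") == "password":
            findings.append(f"/securityDefinitions/{name}/flow")

    # OpenAPI 3.x: components.securitySchemes, several flows keyed by grant type.
    schemes = (spec.get("components") or {}).get("securitySchemes") or {}
    for name, scheme in schemes.items():
        if not isinstance(scheme, dict) or scheme.get("type") != "oauth2":
            continue
        if "password" in (scheme.get("flows") or {}):
            findings.append(f"/components/securitySchemes/{name}/flows/password")

    return findings


# Constructed OpenAPI 2.0 document (not from any real service): one scheme
# uses the password grant and must be reported.
NONCOMPLIANT_V2 = {
    "swagger": "2.0",
    "info": {"title": "demo", "version": "1.0"},
    "paths": {},
    "securityDefinitions": {
        "OAuth2Password": {
            "type": "oauth2",
            "flow": "password",
            "tokenUrl": "https://example.com/oauth2/default/v1/token",
            "scopes": {"read:apps": "read your applications"},
        },
        "ApiKey": {"type": "apiKey", "name": "X-API-Key", "in": "header"},
    },
}

# The same constructed document after remediation. OpenAPI 2.0 names the
# authorization code grant 'accessCode' and the client credentials grant
# 'application'.
COMPLIANT_V2 = {
    "swagger": "2.0",
    "info": {"title": "demo", "version": "1.0"},
    "paths": {},
    "securityDefinitions": {
        "OAuth2Code": {
            "type": "oauth2",
            "flow": "accessCode",
            "authorizationUrl": "https://example.com/oauth2/default/v1/authorize",
            "tokenUrl": "https://example.com/oauth2/default/v1/token",
            "scopes": {"read:apps": "read your applications"},
        },
        "OAuth2Service": {
            "type": "oauth2",
            "flow": "application",
            "tokenUrl": "https://example.com/oauth2/default/v1/token",
            "scopes": {"read:apps": "read your applications"},
        },
    },
}

# Constructed OpenAPI 3.0 document declaring a password flow next to an
# acceptable client credentials flow; only the password entry is reported.
NONCOMPLIANT_V3 = {
    "openapi": "3.0.3",
    "info": {"title": "demo", "version": "1.0"},
    "paths": {},
    "components": {
        "securitySchemes": {
            "OAuth2": {
                "type": "oauth2",
                "flows": {
                    "password": {"tokenUrl": "https://example.com/oauth2/default/v1/token", "scopes": {}},
                    "clientCredentials": {"tokenUrl": "https://example.com/oauth2/default/v1/token", "scopes": {}},
                },
            }
        }
    },
}


if __name__ == "__main__":
    for label, doc in [("v2 before", NONCOMPLIANT_V2), ("v2 after", COMPLIANT_V2), ("v3", NONCOMPLIANT_V3)]:
        hits = find_password_flows(doc)
        print(f"{label}: {'PASS' if not hits else 'FAIL ' + ', '.join(hits)}")
```

The returned paths point at the offending key rather than the whole scheme, so a finding can be mapped straight back to the line in the source file that needs to change. Only the flow that carries the password grant is flagged; other grants declared on the same scheme are left alone, which matches the remediation above of keeping the authorization code or client credentials flow and dropping the password one.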
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1266 |
| Severity | HIGH |
| IaC Type | OpenAPI |
| Frameworks | OpenAPI |
| Checkov ID | CKV_OPENAPI_10 |