OAuth2 password flow in security definitions for OpenAPI 2.0 file
Description
This policy checks OpenAPI 2.0 documents for OAuth2 security definitions (entries under `securityDefinitions` with `type: oauth2`) whose `flow` is set to `password`. The password flow (the OAuth2 Resource Owner Password Credentials grant) lets a client send the user's username and password straight to the token endpoint in exchange for an access token. The client application therefore handles the raw credentials, which defeats the point of delegating authentication to the authorization server: a compromised or malicious client captures the password, and stronger controls such as multi-factor authentication or single sign-on cannot be enforced by the authorization server. The OAuth 2.0 Security Best Current Practice (RFC 9700) states that this grant MUST NOT be used. The policy flags every such security definition so that the API is moved to a flow in which the client never sees the user's password.
Code Example
```yaml
# OpenAPI 2.0 syntax: one "flow" string per definition (not the 3.x "flows" map).
securityDefinitions:
  OauthSecurityScheme:
    type: oauth2
    flow: accessCode   # authorization code flow; replaces "password"
    # accessCode requires both endpoints; the authorize URL below is an assumed
    # path on the same server as the original tokenUrl.
    authorizationUrl: https://authorization-server.com/authorize
    tokenUrl: https://authorization-server.com/token
    scopes:
      read: Grants read access
      write: Grants write access
```
Remediation
OpenAPI
To fix this issue, change the `flow` value of the OAuth2 security definition. In an OpenAPI 2.0 file the valid alternatives are `accessCode` (the authorization code flow, which requires both `authorizationUrl` and `tokenUrl`) and `implicit` (which requires `authorizationUrl`); `application` is the client credentials flow for machine-to-machine calls with no end user. Prefer `accessCode`: the implicit flow returns the token in the browser URL fragment and is itself discouraged by current OAuth 2.0 security guidance, so use it only for legacy clients that cannot perform an authorization code exchange. Once the flow is changed, verify that the referenced endpoints exist on the authorization server and that the API's `security` requirements still reference the same scopes.
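The following is an added example, not Checkov's own implementation of the check, showing the detection logic the description above corresponds to: it walks `securityDefinitions` of an OpenAPI 2.0 document and reports every `oauth2` definition whose `flow` is `password`, while leaving OpenAPI 3.x documents (different structure, out of scope for a 2.0 check) untouched. The two 2.0 documents and the 3.x document are constructed samples; the `/authorize` endpoint in the remediated sample is assumed.

```python
"""Re-implementation of the password-flow check for OpenAPI 2.0 files.

Added example only; the real policy lives in Checkov, this just mirrors
the rule text so the failing and passing shapes can be seen side by side.
"""
import json

PASSWORD_FLOW = "password"


def find_password_flows(spec: dict) -> list:
    """Return names of oauth2 securityDefinitions that use the password flow.

    Only OpenAPI 2.0 documents are inspected: they carry a top-level
    ``swagger: "2.0"`` key and declare schemes under ``securityDefinitions``
    with a single ``flow`` string. OpenAPI 3.x documents keep schemes under
    ``components.securitySchemes`` with a ``flows`` map and are skipped here
    rather than misreported.
    """
    if str(spec.get("swagger", "")) != "2.0":
        return []
    definitions = spec.get("securityDefinitions") or {}
    if not isinstance(definitions, dict):
        return []
    findings = []
    for name, scheme in definitions.items():
        if not isinstance(scheme, dict):
            continue
        if scheme.get("type") != "oauth2":
            continue  # basic / apiKey schemes have no flow to check
        if scheme.get("flow") == PASSWORD_FLOW:
            findings.append(name)
    return findings


def evaluate(spec: dict) -> str:
    """Map the finding list onto a Checkov-style PASSED/FAILED verdict."""
    return "FAILED" if find_password_flows(spec) else "PASSED"


# Constructed sample: the failing shape the policy flags.
VULNERABLE_SPEC = json.loads("""
{
  "swagger": "2.0",
  "info": {"title": "Example API", "version": "1.0"},
  "paths": {},
  "securityDefinitions": {
    "ApiKey": {"type": "apiKey", "name": "X-Api-Key", "in": "header"},
    "OauthSecurityScheme": {
      "type": "oauth2",
      "flow": "password",
      "tokenUrl": "https://authorization-server.com/token",
      "scopes": {"read": "Grants read access", "write": "Grants write access"}
    }
  }
}
""")

# Constructed sample: the remediated shape. accessCode is the 2.0 name for the
# authorization code flow; the authorize endpoint is an assumed path.
FIXED_SPEC = json.loads("""
{
  "swagger": "2.0",
  "info": {"title": "Example API", "version": "1.0"},
  "paths": {},
  "securityDefinitions": {
    "OauthSecurityScheme": {
      "type": "oauth2",
      "flow": "accessCode",
      "authorizationUrl": "https://authorization-server.com/authorize",
      "tokenUrl": "https://authorization-server.com/token",
      "scopes": {"read": "Grants read access", "write": "Grants write access"}
    }
  }
}
""")

# Constructed sample: a 3.x document. Even with a password grant it is not a
# 2.0 file, so this particular check does not report it.
OAS3_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Example API", "version": "1.0"},
  "paths": {},
  "components": {"securitySchemes": {"Oauth": {"type": "oauth2",
    "flows": {"password": {"tokenUrl": "https://authorization-server.com/token",
    "scopes": {}}}}}}
}
""")


if __name__ == "__main__":
    for label, spec in (("vulnerable", VULNERABLE_SPEC),
                        ("fixed", FIXED_SPEC), ("openapi-3", OAS3_SPEC)):
        print(f"{label}: {evaluate(spec)} {find_password_flows(spec)}")
```

Running the script prints `FAILED ['OauthSecurityScheme']` for the first document and `PASSED []` for the other two. Against a real file the equivalent is `checkov -f openapi.yaml --check CKV_OPENAPI_11`, which reports the same definition name in its failed-checks output.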
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1267 |
| Severity | HIGH |
| IaC Type | OpenAPI |
| Frameworks | OpenAPI |
| Checkov ID | CKV_OPENAPI_11 |