Operation Objects Uses 'Implicit' Flow
Description
This policy checks for use of the 'implicit' flow in operation objects within OpenAPI 2.0 files. The 'implicit' flow is an OAuth2 authorization method that has since been deprecated because of inherent security weaknesses: it relies on redirection-based token delivery, which makes an application more susceptible to access and refresh token interception. Once such tokens are stolen, a malicious actor can impersonate the user and act without their consent. A more secure method such as the 'authorization code' flow is therefore recommended; it adds an additional layer of security and avoids direct exposure of tokens. The policy thus helps maintain good API security practice in OpenAPI specifications.
Code Example
```yaml
openapi: "3.0.0"
info:
  version: 1.0.0
  title: Swagger Petstore
servers:
  - url: http://petstore.swagger.io/v1
paths:
  /pets:
    get:
      summary: List all pets
      operationId: listPets
      responses:
        '200':
          description: A paged array of pets
      security:
        - petstore_auth:
            - 'read:pets'
components:
  securitySchemes:
    petstore_auth: # arbitrary name for the security scheme
      type: oauth2
      flows:
        authorizationCode: # OAuth flow
          authorizationUrl: https://example.com/api/oauth/dialog
          tokenUrl: https://example.com/api/oauth/token
          scopes:
            'read:pets': read your pets
            'write:pets': modify pets in your account
```
Remediation
OpenAPI
To fix the issue pointed out by this Checkov policy, update your API authorization from the deprecated 'implicit' flow to another supported authorization flow, such as the 'authorizationCode' flow shown in the example above.
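The check described above, written out as an added example (this is not Checkov's own implementation): it resolves which operations actually rely on an implicit-flow scheme, in both the OpenAPI 2.0 shape (`securityDefinitions.<name>.flow: implicit`) and the 3.x shape (`components.securitySchemes.<name>.flows.implicit`). The two sample documents are constructed for this example and use the page's `petstore_auth` scheme name.

```python
# Added example (not Checkov's code): find operations whose OAuth2 scheme uses
# the 'implicit' flow, for both OpenAPI 2.0 and 3.x document layouts.
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def implicit_schemes(doc: dict) -> set:
    """Names of oauth2 security schemes that define an implicit flow."""
    found = set()
    for name, s in (doc.get("securityDefinitions") or {}).items():   # 2.0 layout
        if s.get("type") == "oauth2" and s.get("flow") == "implicit":
            found.add(name)
    schemes = (doc.get("components") or {}).get("securitySchemes") or {}
    for name, s in schemes.items():                                  # 3.x layout
        if s.get("type") == "oauth2" and "implicit" in (s.get("flows") or {}):
            found.add(name)
    return found


def operations_using_implicit(doc: dict) -> list:
    """'METHOD /path' for each operation whose effective security requirement names
    an implicit-flow scheme. An operation-level 'security' list replaces the
    document-level one (an empty list makes the operation public)."""
    bad = implicit_schemes(doc)
    findings = []
    for path, item in (doc.get("paths") or {}).items():
        for method, op in (item or {}).items():
            if method not in HTTP_METHODS or not isinstance(op, dict):
                continue  # skip 'parameters', 'summary', $ref etc.
            requirements = op.get("security", doc.get("security") or [])
            if any(name in bad for req in requirements for name in req):
                findings.append(f"{method.upper()} {path}")
    return findings


# Constructed OpenAPI 2.0 document: the scheme still declares 'flow: implicit'.
SAMPLE_V2 = {
    "swagger": "2.0",
    "security": [{"petstore_auth": ["read:pets"]}],  # document-level default
    "paths": {"/pets": {"get": {}, "post": {"security": []}}},  # post is public
    "securityDefinitions": {"petstore_auth": {"type": "oauth2", "flow": "implicit",
        "authorizationUrl": "https://example.com/api/oauth/dialog",
        "scopes": {"read:pets": "read your pets"}}},
}

# Constructed OpenAPI 3.0 document, already remediated to authorizationCode.
SAMPLE_V3_FIXED = {
    "openapi": "3.0.0",
    "paths": {"/pets": {"get": {"security": [{"petstore_auth": ["read:pets"]}]}}},
    "components": {"securitySchemes": {"petstore_auth": {"type": "oauth2", "flows": {
        "authorizationCode": {"authorizationUrl": "https://example.com/api/oauth/dialog",
                              "tokenUrl": "https://example.com/api/oauth/token",
                              "scopes": {"read:pets": "read your pets"}}}}}},
}
```

Running `operations_using_implicit(SAMPLE_V2)` reports `GET /pets` only, because the document-level requirement applies to it while `POST /pets` opts out; the remediated 3.0 document yields no findings.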
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1270 |
| Severity | MEDIUM |
| IaC Type | OpenAPI |
| Frameworks | OpenAPI |
| Checkov ID | CKV_OPENAPI_14 |