
feat: add support for OAuth clientCredential and password flows in Respect core#2824

Open: harshit078 wants to merge 11 commits into Redocly:main from harshit078:Add-support-for-clientCredential

Conversation

harshit078 (Contributor) commented May 19, 2026

What/Why/How?

Reference

#2122

Testing

Screenshots (optional)

Check yourself

  • This PR follows the contributing guide
  • All new/updated code is covered by tests
  • Core code changed? - Tested with other Redocly products (internal contributions only)
  • New package installed? - Tested in different environments (browser/node)
  • Documentation update has been considered

Security

  • The security impact of the change has been considered
  • Code follows company security practices and guidelines

Note

High Risk
Changes authentication behavior: Respect performs live token requests using user-supplied secrets and updates required credential rules for OAuth2, which affects security-sensitive workflow execution.

Overview
Respect now supports OAuth2 clientCredentials and password flows on Arazzo x-security: when no accessToken is supplied, it POSTs to the scheme’s tokenUrl, caches tokens on TestContext.oauth2TokenCache, and sends Authorization: Bearer on workflow requests. Pre-supplied accessToken values skip the token call.

Linting and runtime validation no longer treat every OAuth2 scheme as requiring only accessToken. Required x-security.values depend on the declared flow (clientId/clientSecret, username/password, or accessToken for other flows). resolveXSecurityParameters is async end-to-end (including prepare-request).

A new exchange-oauth2-token helper handles grant types, optional scope, Basic vs body client auth (clientAuthMethod), secret masking, and errors. Tests cover exchange, caching, and lint rule cases. A changeset marks minor releases for @redocly/respect-core, @redocly/openapi-core, and @redocly/cli. The diff also adds an AsyncAPI 3 security-defined rule module under packages/core/src/rules/async3/.

Reviewed by Cursor Bugbot for commit 9de2521. Bugbot is set up for automated code reviews on this repo. Configure here.

changeset-bot (Bot) commented May 19, 2026

🦋 Changeset detected

Latest commit: 9de2521

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name                    Type
@redocly/respect-core   Minor
@redocly/openapi-core   Minor
@redocly/cli            Minor


@harshit078 harshit078 marked this pull request as ready for review May 26, 2026 09:51
@harshit078 harshit078 requested review from a team as code owners May 26, 2026 09:51
cursor (Bot) left a comment

Cursor Bugbot has reviewed your changes and found 5 potential issues.

clientId ?? '',
flow === 'password' ? (values.username ?? '') : '',
scope ?? '',
].join('|');

OAuth cache ignores secret

High Severity

The OAuth2 token cache key omits clientSecret, password, and clientAuthMethod. This can cause tokens fetched with different credentials or authentication methods to be incorrectly reused throughout the run, potentially sending invalid Authorization headers.


if (flows?.password) {
return ['username', 'password'];
}
return ['accessToken'];

Lint ignores password flow choice

Medium Severity

When an OAuth2 scheme defines both clientCredentials and password flows, getOAuth2RequiredValues incorrectly prioritizes clientCredentials. This causes false-positive lint errors by requiring clientId and clientSecret even when username and password are valid for the password flow at runtime.


): readonly string[] {
if (values && 'accessToken' in values) {
return ['accessToken'];
}

Empty accessToken skips lint checks

Medium Severity

The OAuth2 linter checks for the presence of an accessToken key in x-security.values but doesn't validate its truthiness. This allows empty or falsy accessToken values to pass lint, leading to runtime failures when a valid token is required for authentication or token exchange.


return { flow: 'clientCredentials', config: flows.clientCredentials };
}
if (flows.password && (values.username || values.password)) {
return { flow: 'password', config: flows.password };

Password grant mis-selected with clientId

High Severity

When an OAuth2 scheme declares both clientCredentials and password, pickOAuth2ExchangeableFlow chooses client credentials whenever clientId or clientSecret appears in values, even if username and password are also present. Respect then runs the wrong grant and ignores the user credentials.


}
},
};
};

Unused Async3 SecurityDefined rule

Low Severity

This commit adds SecurityDefined under packages/core/src/rules/async3/security-defined.ts, but it is not imported or registered in packages/core/src/rules/async3/index.ts, so the new rule never runs and adds dead maintenance surface unrelated to OAuth2 Respect work.

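The two flow-selection findings above (lint preferring clientCredentials whenever it is declared, and the runtime picking client credentials as soon as a clientId appears) and the empty-accessToken finding come down to one decision: given the flows a scheme declares and the x-security values the user supplied, which grant is runnable and which names are missing. The following is an added example of that decision, not the PR's or the Redocly linter's code; OAuth2Flows, pickOAuth2Flow and missingOAuth2Values are names assumed for the example. It requires a complete credential set rather than any single key, checks the password grant before client credentials (a password-grant call usually carries a clientId too), and treats a present-but-empty accessToken as missing.

```typescript
// Added example, not Respect's or the lint rule's code: choose the OAuth2
// grant to run and the values a lint rule should require. Names are assumed.

interface OAuth2Flows {
  clientCredentials?: { tokenUrl: string; scopes?: Record<string, string> };
  password?: { tokenUrl: string; scopes?: Record<string, string> };
  implicit?: { authorizationUrl: string; scopes?: Record<string, string> };
  authorizationCode?: { authorizationUrl: string; tokenUrl: string; scopes?: Record<string, string> };
}

// x-security.values as a plain record; a key may be present but empty.
type SecurityValues = Record<string, string | undefined>;

const isSet = (v: unknown): v is string => typeof v === 'string' && v.length > 0;

type FlowChoice =
  | { kind: 'accessToken' }
  | { kind: 'password' | 'clientCredentials'; tokenUrl: string };

// Runtime choice. A non-empty pre-supplied token wins. Otherwise a flow is only
// selected when its full credential set is present, and password is tried
// first so username+password alongside a clientId runs the password grant.
function pickOAuth2Flow(flows: OAuth2Flows, values: SecurityValues): FlowChoice | undefined {
  if (isSet(values.accessToken)) return { kind: 'accessToken' };
  if (flows.password && isSet(values.username) && isSet(values.password)) {
    return { kind: 'password', tokenUrl: flows.password.tokenUrl };
  }
  if (flows.clientCredentials && isSet(values.clientId) && isSet(values.clientSecret)) {
    return { kind: 'clientCredentials', tokenUrl: flows.clientCredentials.tokenUrl };
  }
  return undefined;
}

// Lint-side check: the value names still needed for this scheme to be usable.
// An empty array means some declared flow is fully supplied.
function missingOAuth2Values(flows: OAuth2Flows, values: SecurityValues): string[] {
  if ('accessToken' in values) {
    // Key present but empty must not pass: it would fail at request time.
    return isSet(values.accessToken) ? [] : ['accessToken'];
  }
  const candidates: string[][] = [];
  if (flows.password) candidates.push(['username', 'password']);
  if (flows.clientCredentials) candidates.push(['clientId', 'clientSecret']);
  // implicit / authorizationCode cannot be exchanged non-interactively:
  // the token has to be pre-supplied.
  if (candidates.length === 0) return ['accessToken'];
  const missingPer = candidates.map((names) => names.filter((n) => !isSet(values[n])));
  if (missingPer.some((m) => m.length === 0)) return [];
  // Report against the flow the user came closest to completing.
  missingPer.sort((a, b) => a.length - b.length);
  return missingPer[0];
}
```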
