Question from GSMA Coordinated Vulnerability Disclosure Programme - OAuth2.0 and use of brackets in specifications

Roger Brown <RBrown@...>



Please let me introduce myself. I am Roger Brown and I manage the Coordinated Vulnerability Disclosure programme within the GSMA. The programme offers an avenue for researchers to disclose Telco industry vulnerabilities. We then work with the industry to develop fixes and mitigations to protect the industry and its customers. We have recently received an OAuth2.0 vulnerability and we hoped someone at OpenAPI might be able to assist with a couple of questions regarding your specifications:


The OpenAPI specification contains the following statements:

1) "To make security optional, an empty security requirement ({}) can be included in the array.", and

2) "When a list of Security Requirement Objects is defined on the OpenAPI Object or Operation Object, only one of the Security Requirement Objects in the list needs to be satisfied to authorize the request."


We have a question about the meaning of the word optional here: In the language defining an API in a 3GPP specification, "optional use of OAuth" means that use of OAuth shall be controlled by a policy at deployment time; but if the policy at deployment time says it shall be used, then it becomes mandatory for all calls to the API.


So the question is how the corresponding .yaml file for the API specification within the standard would express this kind of optionality. Would it be correct to add the empty security requirement ({}) to the API specification, as one could interpret from quote 1)? Or would the presence of ({}) mean that at runtime even requests without any token would be authorized, as quote 2) above would seem to imply?


Many thanks for any assistance you can offer. If this has been sent to the wrong email account, please could you advise who would be best to contact.



Kind Regards,

Roger Brown




Roger Brown

Security Services Manager



