
feat: add support for OAuth clientCredential and password flows in Respect core#2824

Open
harshit078 wants to merge 23 commits into Redocly:main from harshit078:Add-support-for-clientCredential

Conversation

@harshit078 harshit078 commented May 19, 2026

Contributor

What/Why/How?

  • Added the OAuth2 token exchange for x-security schemes with the password and clientCredentials flows.
  • Respect now fetches the access token from tokenUrl and applies Authorization: Bearer to the request, which allows manually obtaining an accessToken.

Reference

#2122

Testing

Screenshots (optional)

Check yourself

  • This PR follows the contributing guide
  • All new/updated code is covered by tests
  • Core code changed? - Tested with other Redocly products (internal contributions only)
  • New package installed? - Tested in different environments (browser/node)
  • Documentation update has been considered

Security

  • The security impact of the change has been considered
  • Code follows company security practices and guidelines

Note

High Risk
Changes authentication behavior: credentials are sent to external tokenUrl endpoints and tokens are injected into requests; incomplete validation could leak calls with secrets before exchange fails.

Overview
Respect can automatically obtain OAuth2 access tokens for Arazzo x-security when schemes declare clientCredentials or password flows, then send Authorization: Bearer on workflow requests. A new exchangeOAuth2Token helper POSTs to tokenUrl (Basic auth or clientAuthMethod: body), caches tokens on TestContext with expiry refresh, and registers secrets for masking.

resolveXSecurityParameters is now async (including prepareRequest); it validates credentials, exchanges when appropriate, and still skips the token endpoint if a non-empty accessToken is already set. Runtime validation and the x-security-scheme-required-values lint rule no longer treat OAuth2 as always requiring accessToken—they require clientId/clientSecret or username/password per flow (or accessToken for implicit-only / manual use). Empty accessToken falls back to flow credentials.

Tests cover exchange, cache expiry, pre-fetched tokens, and lint cases. A changeset marks minor bumps for @redocly/respect-core, @redocly/openapi-core, and @redocly/cli.

Reviewed by Cursor Bugbot for commit 912da7e. Bugbot is set up for automated code reviews on this repo.
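The behaviour the summary above describes (validate credentials per flow, POST to tokenUrl with Basic or body client authentication, cache the token on the test context and refresh it near expiry, prefer a non-empty pre-set accessToken) as an added, self-contained example. This is not Respect's own `exchangeOAuth2Token` or `resolveXSecurityParameters`; the `Transport` type (a synchronous stand-in for the HTTP POST), the fake token endpoint, the `demo-client`/`alice` credentials and every other name here are assumptions made so the example runs offline.

```typescript
// Added example, not Respect's own code: OAuth2 token exchange for the clientCredentials and
// password flows with per-context caching and expiry refresh, as the PR summary describes.
// The synchronous `Transport` stand-in, the fake endpoint and all names are assumptions.

type OAuth2Flow = "clientCredentials" | "password";
// `clientAuthMethod` says where client credentials go; Basic auth when omitted.
interface OAuth2Scheme { flow: OAuth2Flow; tokenUrl: string; clientAuthMethod?: "basic" | "body"; scopes?: string[]; }
interface OAuth2Values { accessToken?: string; clientId?: string; clientSecret?: string; username?: string; password?: string; }
interface CachedToken { accessToken: string; expiresAt: number; }
type TokenCache = Map<string, CachedToken>; // one per test context
type Transport = (url: string, headers: Record<string, string>, body: string) => { status: number; json: any };

const EXPIRY_SKEW_MS = 30_000; // treat a token as stale this long before the server does

// Per-flow credential check, run before any request is built, so a misconfigured scheme
// never sends a half-formed request (or a lone secret) to tokenUrl.
function validateCredentials(flow: OAuth2Flow, values: OAuth2Values): void {
  const required: (keyof OAuth2Values)[] =
    flow === "clientCredentials" ? ["clientId", "clientSecret"] : ["username", "password"];
  const missing = required.filter((k) => !values[k]);
  if (missing.length) throw new Error(`oauth2 ${flow} flow: missing ${missing.join(", ")}`);
}

function buildTokenRequest(scheme: OAuth2Scheme, values: OAuth2Values) {
  const headers: Record<string, string> = { "content-type": "application/x-www-form-urlencoded" };
  const form = new URLSearchParams({ grant_type: scheme.flow === "clientCredentials" ? "client_credentials" : "password" });
  if (scheme.flow === "password") { form.set("username", values.username!); form.set("password", values.password!); }
  if (scheme.scopes?.length) form.set("scope", scheme.scopes.join(" "));
  if (values.clientId && values.clientSecret) {
    // Client authentication: Basic header by default, form fields when the scheme asks for it.
    if (scheme.clientAuthMethod === "body") { form.set("client_id", values.clientId); form.set("client_secret", values.clientSecret); }
    else headers.authorization = "Basic " + btoa(`${values.clientId}:${values.clientSecret}`);
  }
  return { headers, body: form.toString() };
}

function exchangeOAuth2Token(scheme: OAuth2Scheme, values: OAuth2Values, cache: TokenCache, transport: Transport, now: number): CachedToken {
  validateCredentials(scheme.flow, values);
  // The cache key names the principal and scope set, never the secret itself.
  const principal = scheme.flow === "clientCredentials" ? values.clientId : values.username;
  const key = [scheme.tokenUrl, scheme.flow, principal, ...(scheme.scopes ?? [])].join("|");
  const cached = cache.get(key);
  if (cached && cached.expiresAt - EXPIRY_SKEW_MS > now) return cached;
  const { headers, body } = buildTokenRequest(scheme, values);
  const res = transport(scheme.tokenUrl, headers, body);
  if (res.status !== 200 || typeof res.json?.access_token !== "string") {
    throw new Error(`oauth2: token endpoint ${scheme.tokenUrl} returned ${res.status}`);
  }
  const ttlMs = typeof res.json.expires_in === "number" ? res.json.expires_in * 1000 : 3_600_000; // 1h if unspecified
  const token = { accessToken: res.json.access_token, expiresAt: now + ttlMs };
  cache.set(key, token);
  return token;
}

// A non-empty accessToken is used as-is; an empty one falls back to the flow credentials.
function resolveAuthorizationHeader(scheme: OAuth2Scheme, values: OAuth2Values, cache: TokenCache, transport: Transport, now: number): string {
  const token = values.accessToken || exchangeOAuth2Token(scheme, values, cache, transport, now).accessToken;
  return `Bearer ${token}`;
}

// Constructed token endpoint: verifies client credentials however they arrived and hands out
// numbered tokens so cache hits and refreshes are visible. Not a real server.
function makeFakeTokenEndpoint(): Transport {
  let issued = 0;
  return (_url, headers, body) => {
    const form = new URLSearchParams(body);
    let clientId = form.get("client_id"), clientSecret = form.get("client_secret");
    if (headers.authorization?.startsWith("Basic ")) [clientId, clientSecret] = atob(headers.authorization.slice(6)).split(":");
    const grant = form.get("grant_type");
    if (grant !== "client_credentials" && grant !== "password") return { status: 400, json: { error: "unsupported_grant_type" } };
    if (grant === "client_credentials" && (clientId !== "demo-client" || clientSecret !== "demo-secret")) return { status: 401, json: { error: "invalid_client" } };
    if (grant === "password" && (form.get("username") !== "alice" || form.get("password") !== "wonderland")) return { status: 400, json: { error: "invalid_grant" } };
    issued += 1;
    return { status: 200, json: { access_token: `tok-${issued}`, token_type: "Bearer", expires_in: 60 } };
  };
}

// Walks the behaviours the PR lists (exchange, cache hit, expiry refresh, pre-fetched token,
// empty token falling back to credentials) and returns the Authorization headers produced.
function demo(): string[] {
  const cache: TokenCache = new Map(), endpoint = makeFakeTokenEndpoint();
  const scheme: OAuth2Scheme = { flow: "clientCredentials", tokenUrl: "https://auth.example.test/token", scopes: ["read"] };
  const creds: OAuth2Values = { clientId: "demo-client", clientSecret: "demo-secret" };
  const t0 = 1_700_000_000_000;
  return [
    resolveAuthorizationHeader(scheme, creds, cache, endpoint, t0),           // first call exchanges: tok-1
    resolveAuthorizationHeader(scheme, creds, cache, endpoint, t0 + 20_000),  // 60s ttl minus 30s skew: still fresh
    resolveAuthorizationHeader(scheme, creds, cache, endpoint, t0 + 45_000),  // past the skew line: refresh, tok-2
    resolveAuthorizationHeader(scheme, { ...creds, accessToken: "pre-fetched" }, cache, endpoint, t0 + 45_000),
    resolveAuthorizationHeader(scheme, { ...creds, accessToken: "" }, cache, endpoint, t0 + 50_000), // falls back to cached tok-2
  ];
}
```

Two design points address the "High Risk" note above: validation runs before a request is built, so a scheme missing half its credentials fails without anything reaching tokenUrl, and the cache key is built from tokenUrl, flow, principal and scopes rather than from the secret, so the token cache can be logged or masked without the secret itself being part of its keys.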

changeset-bot Bot commented May 19, 2026


🦋 Changeset detected

Latest commit: 912da7e

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages:
  • @redocly/respect-core: Minor
  • @redocly/openapi-core: Minor
  • @redocly/cli: Minor


@harshit078 harshit078 marked this pull request as ready for review May 26, 2026 09:51
@harshit078 harshit078 requested review from a team as code owners May 26, 2026 09:51
Comment thread packages/respect-core/src/utils/oauth2/exchange-oauth2-token.ts Outdated
Comment thread packages/respect-core/src/utils/oauth2/exchange-oauth2-token.ts
Comment thread packages/core/src/rules/async3/security-defined.ts
Comment thread packages/respect-core/src/utils/oauth2/exchange-oauth2-token.ts

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit a98fd8c.

Comment thread packages/respect-core/src/utils/oauth2/exchange-oauth2-token.ts
@harshit078

Contributor Author

Hey @DmitryAnansky, can you review the PR please? Thanks!

@github-actions

Contributor

Performance Benchmark (Lower is Faster)

CLI Version   Bundle             Lint               Check Config
cli-latest    1.01x ± 0.01       1.00x (Fastest)    1.01x ± 0.01
cli-next      1.00x (Fastest)    1.00x ± 0.01       1.00x (Fastest)
