feat(securityscheme): add oauth2 metadata url support

mdaneri · mdaneri · commit 335cee5dece8 · 2026-01-22T09:13:17.000-08:00
diff --git a/src/Microsoft.OpenApi/Models/Interfaces/IOpenApiSecurityScheme.cs b/src/Microsoft.OpenApi/Models/Interfaces/IOpenApiSecurityScheme.cs
@@ -46,6 +46,12 @@ public interface IOpenApiSecurityScheme : IOpenApiDescribedElement, IOpenApiRead
     /// </summary>
     public Uri? OpenIdConnectUrl { get; }
 
+    /// <summary>
+    /// URL to the OAuth2 Authorization Server Metadata document (RFC 8414).
+    /// Note: This field is supported in OpenAPI 3.2.0+ only.
+    /// </summary>
+    public Uri? OAuth2MetadataUrl { get; }
+
     /// <summary>
     /// Specifies that a security scheme is deprecated and SHOULD be transitioned out of usage.
     /// Note: This field is supported in OpenAPI 3.2.0+. For earlier versions, it will be serialized as x-oai-deprecated extension.
diff --git a/src/Microsoft.OpenApi/Models/OpenApiConstants.cs b/src/Microsoft.OpenApi/Models/OpenApiConstants.cs
@@ -695,6 +695,11 @@ public static class OpenApiConstants
         /// </summary>
         public const string Flows = "flows";
 
+        /// <summary>
+        /// Field: Oauth2MetadataUrl
+        /// </summary>
+        public const string OAuth2MetadataUrl = "oauth2MetadataUrl";
+
         /// <summary>
         /// Field: OpenIdConnectUrl
         /// </summary>
diff --git a/src/Microsoft.OpenApi/Models/OpenApiSecurityScheme.cs b/src/Microsoft.OpenApi/Models/OpenApiSecurityScheme.cs
@@ -35,6 +35,9 @@ public class OpenApiSecurityScheme : IOpenApiExtensible, IOpenApiSecurityScheme
         /// <inheritdoc/>
         public Uri? OpenIdConnectUrl { get; set; }
 
+        /// <inheritdoc/>
+        public Uri? OAuth2MetadataUrl { get; set; }
+
         /// <inheritdoc/>
         public bool Deprecated { get; set; }
 
@@ -60,6 +63,7 @@ internal OpenApiSecurityScheme(IOpenApiSecurityScheme securityScheme)
             BearerFormat = securityScheme.BearerFormat ?? BearerFormat;
             Flows = securityScheme.Flows != null ? new(securityScheme.Flows) : null;
             OpenIdConnectUrl = securityScheme.OpenIdConnectUrl != null ? new Uri(securityScheme.OpenIdConnectUrl.OriginalString, UriKind.RelativeOrAbsolute) : null;
+            OAuth2MetadataUrl = securityScheme.OAuth2MetadataUrl != null ? new Uri(securityScheme.OAuth2MetadataUrl.OriginalString, UriKind.RelativeOrAbsolute) : null;
             Deprecated = securityScheme.Deprecated;
             Extensions = securityScheme.Extensions != null ? new Dictionary<string, IOpenApiExtension>(securityScheme.Extensions) : null;
         }
@@ -118,7 +122,12 @@ private void SerializeInternal(IOpenApiWriter writer, OpenApiSpecVersion version
                     break;
                 case SecuritySchemeType.OAuth2:
                     // This property apply to oauth2 type only.
+                    // oauth2MetadataUrl
                     // flows
+                    if (version >= OpenApiSpecVersion.OpenApi3_2)
+                    {
+                        writer.WriteProperty(OpenApiConstants.OAuth2MetadataUrl, OAuth2MetadataUrl?.ToString());
+                    }
                     writer.WriteOptionalObject(OpenApiConstants.Flows, Flows, callback);
                     break;
                 case SecuritySchemeType.OpenIdConnect:
diff --git a/src/Microsoft.OpenApi/Models/References/OpenApiSecuritySchemeReference.cs b/src/Microsoft.OpenApi/Models/References/OpenApiSecuritySchemeReference.cs
@@ -54,6 +54,9 @@ public string? Description
         /// <inheritdoc/>
         public Uri? OpenIdConnectUrl { get => Target?.OpenIdConnectUrl; }
 
+        /// <inheritdoc/>
+        public Uri? OAuth2MetadataUrl { get => Target?.OAuth2MetadataUrl; }
+
         /// <inheritdoc/>
         public IDictionary<string, IOpenApiExtension>? Extensions { get => Target?.Extensions; }
 
diff --git a/src/Microsoft.OpenApi/Reader/V32/OpenApiSecuritySchemeDeserializer.cs b/src/Microsoft.OpenApi/Reader/V32/OpenApiSecuritySchemeDeserializer.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+﻿// Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT license. 
 
 using System;
@@ -68,6 +68,16 @@ internal static partial class OpenApiV32Deserializer
                         }
                     }
                 },
+                {
+                    "oauth2MetadataUrl", (o, n, _) =>
+                    {
+                        var metadataUrl = n.GetScalarValue();
+                        if (metadataUrl != null)
+                        {
+                            o.OAuth2MetadataUrl = new(metadataUrl, UriKind.RelativeOrAbsolute);
+                        }
+                    }
+                },
                 {
                     "flows", (o, n, t) =>
                     {
diff --git a/test/Microsoft.OpenApi.Readers.Tests/V32Tests/OpenApiSecuritySchemeTests.cs b/test/Microsoft.OpenApi.Readers.Tests/V32Tests/OpenApiSecuritySchemeTests.cs
@@ -86,6 +86,36 @@ public async Task ParseOAuth2SecuritySchemeShouldSucceed()
                 }, securityScheme);
         }
 
+        [Fact]
+        public async Task ParseOAuth2SecuritySchemeWithMetadataUrlShouldSucceed()
+        {
+            // Act
+            var securityScheme = await OpenApiModelFactory.LoadAsync<OpenApiSecurityScheme>(
+                Path.Combine(SampleFolderPath, "oauth2SecuritySchemeWithMetadataUrl.yaml"),
+                OpenApiSpecVersion.OpenApi3_2,
+                new(),
+                SettingsFixture.ReaderSettings);
+
+            // Assert
+            Assert.Equivalent(
+                new OpenApiSecurityScheme
+                {
+                    Type = SecuritySchemeType.OAuth2,
+                    OAuth2MetadataUrl = new Uri("https://idp.example.com/.well-known/oauth-authorization-server"),
+                    Flows = new OpenApiOAuthFlows
+                    {
+                        ClientCredentials = new OpenApiOAuthFlow
+                        {
+                            TokenUrl = new Uri("https://idp.example.com/oauth/token"),
+                            Scopes = new System.Collections.Generic.Dictionary<string, string>
+                            {
+                                ["scope:one"] = "Scope one"
+                            }
+                        }
+                    }
+                }, securityScheme);
+        }
+
         [Fact]
         public async Task ParseOpenIdConnectSecuritySchemeShouldSucceed()
         {
diff --git a/test/Microsoft.OpenApi.Readers.Tests/V32Tests/Samples/OpenApiSecurityScheme/oauth2SecuritySchemeWithMetadataUrl.yaml b/test/Microsoft.OpenApi.Readers.Tests/V32Tests/Samples/OpenApiSecurityScheme/oauth2SecuritySchemeWithMetadataUrl.yaml
@@ -0,0 +1,8 @@
+# https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.2.0.md#securitySchemeObject
+type: oauth2
+oauth2MetadataUrl: https://idp.example.com/.well-known/oauth-authorization-server
+flows:
+  clientCredentials:
+    tokenUrl: https://idp.example.com/oauth/token
+    scopes:
+      scope:one: Scope one
diff --git a/test/Microsoft.OpenApi.Tests/Models/OpenApiSecuritySchemeTests.cs b/test/Microsoft.OpenApi.Tests/Models/OpenApiSecuritySchemeTests.cs
@@ -93,6 +93,24 @@ public class OpenApiSecuritySchemeTests
             }
         };
 
+        private static OpenApiSecurityScheme OAuth2MetadataSecurityScheme => new()
+        {
+            Description = "description1",
+            Type = SecuritySchemeType.OAuth2,
+            OAuth2MetadataUrl = new("https://idp.example.com/.well-known/oauth-authorization-server"),
+            Flows = new()
+            {
+                ClientCredentials = new()
+                {
+                    TokenUrl = new("https://idp.example.com/oauth/token"),
+                    Scopes = new Dictionary<string, string>
+                    {
+                        ["scope:one"] = "Scope one"
+                    }
+                }
+            }
+        };
+
         private static OpenApiSecurityScheme OpenIdConnectSecurityScheme => new()
         {
             Description = "description1",
@@ -257,6 +275,61 @@ public async Task SerializeOAuthSingleFlowSecuritySchemeAsV3JsonWorks()
             Assert.Equal(expected, actual);
         }
 
+                [Fact]
+                public async Task SerializeOAuthSecuritySchemeWithMetadataUrlAsV32JsonWorks()
+                {
+                        // Arrange
+                        var expected =
+                                """
+                                {
+                                    "type": "oauth2",
+                                    "description": "description1",
+                                    "oauth2MetadataUrl": "https://idp.example.com/.well-known/oauth-authorization-server",
+                                    "flows": {
+                                        "clientCredentials": {
+                                            "tokenUrl": "https://idp.example.com/oauth/token",
+                                            "scopes": {
+                                                "scope:one": "Scope one"
+                                            }
+                                        }
+                                    }
+                                }
+                                """;
+
+                        // Act
+                        var actual = await OAuth2MetadataSecurityScheme.SerializeAsJsonAsync(OpenApiSpecVersion.OpenApi3_2);
+
+                        // Assert
+                        Assert.True(JsonNode.DeepEquals(JsonNode.Parse(expected), JsonNode.Parse(actual)));
+                }
+
+                [Fact]
+                public async Task SerializeOAuthSecuritySchemeWithMetadataUrlAsV31JsonOmitsMetadataUrl()
+                {
+                        // Arrange
+                        var expected =
+                                """
+                                {
+                                    "type": "oauth2",
+                                    "description": "description1",
+                                    "flows": {
+                                        "clientCredentials": {
+                                            "tokenUrl": "https://idp.example.com/oauth/token",
+                                            "scopes": {
+                                                "scope:one": "Scope one"
+                                            }
+                                        }
+                                    }
+                                }
+                                """;
+
+                        // Act
+                        var actual = await OAuth2MetadataSecurityScheme.SerializeAsJsonAsync(OpenApiSpecVersion.OpenApi3_1);
+
+                        // Assert
+                        Assert.True(JsonNode.DeepEquals(JsonNode.Parse(expected), JsonNode.Parse(actual)));
+                }
+
         [Fact]
         public async Task SerializeOAuthMultipleFlowSecuritySchemeAsV3JsonWorks()
         {

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-// Copyright (c) Microsoft Corporation. All rights reserved.`
	`1`	`+// Copyright (c) Microsoft Corporation. All rights reserved.`
`2`	`2`	`// Licensed under the MIT license.`
`3`	`3`
`4`	`4`	`using System;`
`@@ -68,6 +68,16 @@ internal static partial class OpenApiV32Deserializer`
`68`	`68`	`}`
`69`	`69`	`}`
`70`	`70`	`},`
	`71`	`+ {`
	`72`	`+ "oauth2MetadataUrl", (o, n, _) =>`
	`73`	`+ {`
	`74`	`+ var metadataUrl = n.GetScalarValue();`
	`75`	`+ if (metadataUrl != null)`
	`76`	`+ {`
	`77`	`+ o.OAuth2MetadataUrl = new(metadataUrl, UriKind.RelativeOrAbsolute);`
	`78`	`+ }`
	`79`	`+ }`
	`80`	`+ },`
`71`	`81`	`{`
`72`	`82`	`"flows", (o, n, t) =>`
`73`	`83`	`{`