Improve OAuth2 scopes handling in OpenAPI (#3775)

nolannbiron · web-flow · commit 2c3066e3ae12 · 2025-10-30T15:46:29.000+01:00
diff --git a/.changeset/sunny-cobras-feel.md b/.changeset/sunny-cobras-feel.md
@@ -0,0 +1,6 @@
+---
+'@gitbook/react-openapi': patch
+'gitbook': patch
+---
+
+Improve OAuth2 scopes handling in OpenAPI
diff --git a/packages/gitbook/src/components/DocumentView/OpenAPI/style.css b/packages/gitbook/src/components/DocumentView/OpenAPI/style.css
@@ -34,7 +34,7 @@
 
 .openapi-deprecated,
 .openapi-stability {
-    @apply py-0.5 px-1.5 min-w-[1.625rem] font-normal w-fit justify-center items-center ring-1 ring-inset ring-tint bg-tint rounded text-sm leading-[calc(max(1.20em,1.25rem))] before:content-none! after:!content-none;
+    @apply py-0.5 px-1.5 min-w-[1.625rem] font-normal w-fit justify-center items-center ring-1 ring-inset ring-tint bg-tint rounded straight-corners:rounded-none circular-corners:rounded-sm text-sm leading-[calc(max(1.20em,1.25rem))] before:content-none! after:!content-none;
 }
 
 .openapi-stability-alpha {
@@ -72,7 +72,7 @@
 }
 
 .openapi-markdown code {
-    @apply py-px px-1 min-w-[1.625rem] font-normal w-fit justify-center items-center ring-1 ring-inset ring-tint bg-tint rounded   text-sm leading-[calc(max(1.20em,1.25rem))] before:content-none! after:!content-none;
+    @apply py-px px-1 min-w-[1.625rem] font-normal w-fit justify-center items-center ring-1 ring-inset ring-tint bg-tint rounded straight-corners:rounded-none circular-corners:rounded-md text-sm leading-[calc(max(1.20em,1.25rem))] before:content-none! after:!content-none;
 }
 
 .openapi-markdown pre code {
@@ -95,7 +95,7 @@
 /* Method Tags */
 .openapi-method,
 .openapi-statuscode {
-    @apply rounded uppercase font-mono items-center shrink-0 font-semibold text-[0.813rem] px-1 py-0.5 mr-2 text-tint-12/8 leading-tight align-middle inline-flex ring-1 ring-inset ring-tint-12/1 dark:ring-tint-1/1 whitespace-nowrap;
+    @apply rounded straight-corners:rounded-none circular-corners:rounded-md uppercase font-mono items-center shrink-0 font-semibold text-[0.813rem] px-1 py-0.5 mr-2 text-tint-12/8 leading-tight align-middle inline-flex ring-1 ring-inset ring-tint-12/1 dark:ring-tint-1/1 whitespace-nowrap;
 }
 
 .openapi-method-get,
@@ -270,11 +270,11 @@
 }
 
 .openapi-schema-enum-value:first-child {
-    @apply rounded-l ml-0;
+    @apply rounded-l straight-corners:rounded-none circular-corners:rounded-l-md ml-0;
 }
 
 .openapi-schema-enum-value:last-child {
-    @apply rounded-r;
+    @apply rounded-r straight-corners:rounded-none circular-corners:rounded-r-md;
 }
 
 /* Schema Description */
@@ -308,7 +308,7 @@
 .openapi-schema-pattern code,
 .openapi-schema-enum-value code,
 .openapi-schema-default code {
-    @apply py-px px-1 min-w-[1.625rem] text-tint-strong font-normal w-fit justify-center items-center ring-1 ring-inset ring-tint-subtle bg-tint rounded text-xs leading-[calc(max(1.20em,1.25rem))] before:content-none! after:!content-none;
+    @apply py-px px-1 min-w-[1.625rem] text-tint-strong font-normal w-fit justify-center items-center ring-1 ring-inset ring-tint-subtle bg-tint rounded straight-corners:rounded-none circular-corners:rounded-md text-xs leading-[calc(max(1.20em,1.25rem))] before:content-none! after:!content-none;
 }
 
 /* Authentication */
@@ -325,6 +325,10 @@
     @apply prose *:!prose-sm *:text-tint;
 }
 
+.openapi-securities-oauth-content {
+    @apply flex flex-col gap-1 mt-1;
+}
+
 .openapi-securities-oauth-content.openapi-markdown code {
     @apply text-xs;
 }
@@ -334,7 +338,7 @@
 }
 
 .openapi-securities-url {
-    @apply ml-0.5 px-0.5 rounded hover:bg-tint transition-colors;
+    @apply ml-0.5 px-0.5 rounded straight-corners:rounded-none circular-corners:rounded-md hover:bg-tint dark:hover:bg-tint-hover transition-colors;
 }
 
 .openapi-securities-body {
@@ -478,7 +482,7 @@
 }
 
 .openapi-path-variable {
-    @apply p-px min-w-[1.625rem] text-tint-strong font-normal w-fit justify-center items-center ring-1 ring-inset ring-tint bg-tint rounded text-sm leading-none before:content-none! after:!content-none;
+    @apply p-px min-w-[1.625rem] text-tint-strong font-normal w-fit justify-center items-center ring-1 ring-inset ring-tint bg-tint rounded straight-corners:rounded-none circular-corners:rounded-md text-sm leading-none before:content-none! after:!content-none;
 }
 
 .openapi-path-server {
@@ -601,8 +605,8 @@ body:has(.openapi-select-popover) {
 }
 
 .openapi-select > button {
-    @apply flex items-center font-normal cursor-pointer *:truncate gap-1.5 p-1.5 border border-tint-subtle text-tint-strong rounded leading-none;
-    @apply hover:bg-tint-hover transition-all;
+    @apply flex items-center font-normal cursor-pointer *:truncate gap-1.5 p-1.5 border border-tint-subtle text-tint-strong rounded straight-corners:rounded-none circular-corners:rounded-md leading-none;
+    @apply hover:bg-tint dark:hover:bg-tint-hover transition-all;
 }
 
 .openapi-select:not(.openapi-select-unstyled) > button {
@@ -634,7 +638,7 @@ body:has(.openapi-select-popover) {
 }
 
 .openapi-select-popover {
-    @apply min-w-32 z-10 max-w-[max(20rem,var(--trigger-width))] overflow-x-hidden max-h-52 overflow-y-auto p-1.5 border border-tint-subtle bg-tint-base backdrop-blur-xl rounded-md circular-corners:rounded-xl straight-corners:rounded-none;
+    @apply min-w-32 z-10 max-w-[max(20rem,var(--trigger-width))] overflow-x-hidden max-h-52 overflow-y-auto p-1.5 border border-tint-subtle bg-tint-base backdrop-blur-xl rounded-md straight-corners:rounded-none circular-corners:rounded-xl;
     @apply shadow-md shadow-tint-12/1 dark:shadow-tint-1/1;
 }
 
@@ -647,7 +651,7 @@ body:has(.openapi-select-popover) {
 }
 
 .openapi-select-item {
-    @apply text-sm flex items-center cursor-pointer px-1.5 overflow-hidden py-1 text-tint ring-0 border-none rounded !outline-none;
+    @apply text-sm flex items-center cursor-pointer px-1.5 overflow-hidden py-1 text-tint ring-0 border-none rounded straight-corners:rounded-none circular-corners:rounded-md !outline-none;
     @apply hover:bg-tint-hover hover:theme-gradient:bg-tint-12/1 hover:text-tint-strong contrast-more:hover:ring-1 contrast-more:hover:ring-inset contrast-more:hover:ring-current;
 }
 
@@ -743,7 +747,7 @@ body:has(.openapi-select-popover) {
 }
 
 .openapi-tabs-tab {
-    @apply hover:bg-primary-hover whitespace-nowrap font-mono font-normal tabular-nums hover:text-primary cursor-pointer transition-all relative text-[0.813rem] text-tint px-1 border border-transparent rounded;
+    @apply hover:bg-primary-hover whitespace-nowrap font-mono font-normal tabular-nums hover:text-primary cursor-pointer transition-all relative text-[0.813rem] text-tint px-1 border border-transparent rounded straight-corners:rounded-none circular-corners:rounded-md;
 }
 
 .openapi-tabs-tab[aria-selected="true"] {
@@ -814,12 +818,12 @@ body:has(.openapi-select-popover) {
 }
 
 .openapi-schemas-disclosure > .openapi-disclosure-trigger {
-    @apply flex items-center font-mono transition-all font-normal text-tint-strong !text-sm hover:bg-tint-subtle relative flex-1 gap-2.5 p-5 truncate -outline-offset-1;
+    @apply flex items-center font-mono transition-all font-normal text-tint-strong !text-sm hover:bg-tint-subtle dark:hover:bg-tint-hover relative flex-1 gap-2.5 p-5 truncate -outline-offset-1;
 }
 
 .openapi-schemas-disclosure > .openapi-disclosure-trigger,
 .openapi-schemas-disclosure .openapi-disclosure-panel {
-    @apply straight-corners:!rounded-none;
+    @apply straight-corners:!rounded-none circular-corners:!rounded-md;
 }
 
 .openapi-disclosure-panel {
@@ -847,7 +851,7 @@ body:has(.openapi-select-popover) {
         .openapi-schema-alternatives .openapi-disclosure,
         .openapi-schemas-disclosure .openapi-schema.openapi-disclosure
     ) {
-    @apply rounded-xl;
+    @apply rounded-xl straight-corners:rounded-none;
 }
 
 .openapi-disclosure .openapi-schemas-disclosure .openapi-schema.openapi-disclosure {
@@ -997,8 +1001,8 @@ body:has(.openapi-select-popover) {
 }
 
 .openapi-path-copy-button {
-    @apply p-1 flex rounded-md;
-    @apply hover:bg-tint;
+    @apply p-1 flex rounded-md straight-corners:rounded-none;
+    @apply hover:bg-tint dark:hover:bg-tint-hover;
 }
 
 .openapi-path-copy-button-icon {
diff --git a/packages/react-openapi/src/OpenAPISecurities.tsx b/packages/react-openapi/src/OpenAPISecurities.tsx
@@ -138,7 +138,7 @@ function getLabelForType(security: OpenAPICustomSecurityScheme, context: OpenAPI
 
 function OpenAPISchemaOAuth2Flows(props: {
     context: OpenAPIClientContext;
-    security: OpenAPIV3.OAuth2SecurityScheme & { required?: boolean };
+    security: OpenAPICustomSecurityScheme & { flows?: OpenAPIV3.OAuth2SecurityScheme['flows'] };
 }) {
     const { context, security } = props;
 
@@ -167,15 +167,16 @@ function OpenAPISchemaOAuth2Item(props: {
     >];
     name: string;
     context: OpenAPIClientContext;
-    security: OpenAPIV3.OAuth2SecurityScheme & { required?: boolean };
+    security: OpenAPICustomSecurityScheme & { flows?: OpenAPIV3.OAuth2SecurityScheme['flows'] };
 }) {
     const { flow, context, security, name } = props;
 
     if (!flow) {
         return null;
     }
 
-    const scopes = flow.scopes ? Object.entries(flow.scopes) : [];
+    // If the security scheme has scopes, we don't need to display the scopes from the flow
+    const scopes = !security.scopes?.length && flow.scopes ? Object.entries(flow.scopes) : [];
 
     return (
         <div>
diff --git a/packages/react-openapi/src/resolveOpenAPIOperation.ts b/packages/react-openapi/src/resolveOpenAPIOperation.ts
@@ -158,15 +158,22 @@ function resolveSecurityScopes({
     securityScheme?: OpenAPIV3.ReferenceObject | OpenAPIV3.SecuritySchemeObject;
     operationScopes?: string[];
 }): OpenAPISecurityScope[] | null {
-    if (
-        !securityScheme ||
-        checkIsReference(securityScheme) ||
-        isOAuthSecurityScheme(securityScheme)
-    ) {
+    if (!operationScopes?.length || !securityScheme || checkIsReference(securityScheme)) {
         return null;
     }
 
-    return operationScopes?.map((scope) => [scope, undefined]) || [];
+    // If the security scheme is an OAuth or OpenID Connect security scheme, we first check if the operation scopes are defined in the security scheme
+    if (isOAuthSecurityScheme(securityScheme)) {
+        const flows = securityScheme.flows ? Object.entries(securityScheme.flows) : [];
+
+        return flows.flatMap(([_, flow]) => {
+            return Object.entries(flow.scopes ?? {}).filter(([scope]) =>
+                operationScopes.includes(scope)
+            );
+        });
+    }
+
+    return operationScopes.map((scope) => [scope, undefined]);
 }
 
 /**

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@`
`34`	`34`
`35`	`35`	`.openapi-deprecated,`
`36`	`36`	`.openapi-stability {`
`37`		`- @apply py-0.5 px-1.5 min-w-[1.625rem] font-normal w-fit justify-center items-center ring-1 ring-inset ring-tint bg-tint rounded text-sm leading-[calc(max(1.20em,1.25rem))] before:content-none! after:!content-none;`
	`37`	`+ @apply py-0.5 px-1.5 min-w-[1.625rem] font-normal w-fit justify-center items-center ring-1 ring-inset ring-tint bg-tint rounded straight-corners:rounded-none circular-corners:rounded-sm text-sm leading-[calc(max(1.20em,1.25rem))] before:content-none! after:!content-none;`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`.openapi-stability-alpha {`
`@@ -72,7 +72,7 @@`
`72`	`72`	`}`
`73`	`73`
`74`	`74`	`.openapi-markdown code {`
`75`		`- @apply py-px px-1 min-w-[1.625rem] font-normal w-fit justify-center items-center ring-1 ring-inset ring-tint bg-tint rounded text-sm leading-[calc(max(1.20em,1.25rem))] before:content-none! after:!content-none;`
	`75`	`+ @apply py-px px-1 min-w-[1.625rem] font-normal w-fit justify-center items-center ring-1 ring-inset ring-tint bg-tint rounded straight-corners:rounded-none circular-corners:rounded-md text-sm leading-[calc(max(1.20em,1.25rem))] before:content-none! after:!content-none;`
`76`	`76`	`}`
`77`	`77`
`78`	`78`	`.openapi-markdown pre code {`
`@@ -95,7 +95,7 @@`
`95`	`95`	`/* Method Tags */`
`96`	`96`	`.openapi-method,`
`97`	`97`	`.openapi-statuscode {`
`98`		`- @apply rounded uppercase font-mono items-center shrink-0 font-semibold text-[0.813rem] px-1 py-0.5 mr-2 text-tint-12/8 leading-tight align-middle inline-flex ring-1 ring-inset ring-tint-12/1 dark:ring-tint-1/1 whitespace-nowrap;`
	`98`	`+ @apply rounded straight-corners:rounded-none circular-corners:rounded-md uppercase font-mono items-center shrink-0 font-semibold text-[0.813rem] px-1 py-0.5 mr-2 text-tint-12/8 leading-tight align-middle inline-flex ring-1 ring-inset ring-tint-12/1 dark:ring-tint-1/1 whitespace-nowrap;`
`99`	`99`	`}`
`100`	`100`
`101`	`101`	`.openapi-method-get,`
`@@ -270,11 +270,11 @@`
`270`	`270`	`}`
`271`	`271`
`272`	`272`	`.openapi-schema-enum-value:first-child {`
`273`		`- @apply rounded-l ml-0;`
	`273`	`+ @apply rounded-l straight-corners:rounded-none circular-corners:rounded-l-md ml-0;`
`274`	`274`	`}`
`275`	`275`
`276`	`276`	`.openapi-schema-enum-value:last-child {`
`277`		`- @apply rounded-r;`
	`277`	`+ @apply rounded-r straight-corners:rounded-none circular-corners:rounded-r-md;`
`278`	`278`	`}`
`279`	`279`
`280`	`280`	`/* Schema Description */`
`@@ -308,7 +308,7 @@`
`308`	`308`	`.openapi-schema-pattern code,`
`309`	`309`	`.openapi-schema-enum-value code,`
`310`	`310`	`.openapi-schema-default code {`
`311`		`- @apply py-px px-1 min-w-[1.625rem] text-tint-strong font-normal w-fit justify-center items-center ring-1 ring-inset ring-tint-subtle bg-tint rounded text-xs leading-[calc(max(1.20em,1.25rem))] before:content-none! after:!content-none;`
	`311`	`+ @apply py-px px-1 min-w-[1.625rem] text-tint-strong font-normal w-fit justify-center items-center ring-1 ring-inset ring-tint-subtle bg-tint rounded straight-corners:rounded-none circular-corners:rounded-md text-xs leading-[calc(max(1.20em,1.25rem))] before:content-none! after:!content-none;`
`312`	`312`	`}`
`313`	`313`
`314`	`314`	`/* Authentication */`
`@@ -325,6 +325,10 @@`
`325`	`325`	`@apply prose :!prose-sm :text-tint;`
`326`	`326`	`}`
`327`	`327`
	`328`	`+.openapi-securities-oauth-content {`
	`329`	`+ @apply flex flex-col gap-1 mt-1;`
	`330`	`+}`
	`331`	`+`
`328`	`332`	`.openapi-securities-oauth-content.openapi-markdown code {`
`329`	`333`	`@apply text-xs;`
`330`	`334`	`}`
`@@ -334,7 +338,7 @@`
`334`	`338`	`}`
`335`	`339`
`336`	`340`	`.openapi-securities-url {`
`337`		`- @apply ml-0.5 px-0.5 rounded hover:bg-tint transition-colors;`
	`341`	`+ @apply ml-0.5 px-0.5 rounded straight-corners:rounded-none circular-corners:rounded-md hover:bg-tint dark:hover:bg-tint-hover transition-colors;`
`338`	`342`	`}`
`339`	`343`
`340`	`344`	`.openapi-securities-body {`
`@@ -478,7 +482,7 @@`
`478`	`482`	`}`
`479`	`483`
`480`	`484`	`.openapi-path-variable {`
`481`		`- @apply p-px min-w-[1.625rem] text-tint-strong font-normal w-fit justify-center items-center ring-1 ring-inset ring-tint bg-tint rounded text-sm leading-none before:content-none! after:!content-none;`
	`485`	`+ @apply p-px min-w-[1.625rem] text-tint-strong font-normal w-fit justify-center items-center ring-1 ring-inset ring-tint bg-tint rounded straight-corners:rounded-none circular-corners:rounded-md text-sm leading-none before:content-none! after:!content-none;`
`482`	`486`	`}`
`483`	`487`
`484`	`488`	`.openapi-path-server {`
`@@ -601,8 +605,8 @@ body:has(.openapi-select-popover) {`
`601`	`605`	`}`
`602`	`606`
`603`	`607`	`.openapi-select > button {`
`604`		`- @apply flex items-center font-normal cursor-pointer *:truncate gap-1.5 p-1.5 border border-tint-subtle text-tint-strong rounded leading-none;`
`605`		`- @apply hover:bg-tint-hover transition-all;`
	`608`	`+ @apply flex items-center font-normal cursor-pointer *:truncate gap-1.5 p-1.5 border border-tint-subtle text-tint-strong rounded straight-corners:rounded-none circular-corners:rounded-md leading-none;`
	`609`	`+ @apply hover:bg-tint dark:hover:bg-tint-hover transition-all;`
`606`	`610`	`}`
`607`	`611`
`608`	`612`	`.openapi-select:not(.openapi-select-unstyled) > button {`
`@@ -634,7 +638,7 @@ body:has(.openapi-select-popover) {`
`634`	`638`	`}`
`635`	`639`
`636`	`640`	`.openapi-select-popover {`
`637`		`- @apply min-w-32 z-10 max-w-[max(20rem,var(--trigger-width))] overflow-x-hidden max-h-52 overflow-y-auto p-1.5 border border-tint-subtle bg-tint-base backdrop-blur-xl rounded-md circular-corners:rounded-xl straight-corners:rounded-none;`
	`641`	`+ @apply min-w-32 z-10 max-w-[max(20rem,var(--trigger-width))] overflow-x-hidden max-h-52 overflow-y-auto p-1.5 border border-tint-subtle bg-tint-base backdrop-blur-xl rounded-md straight-corners:rounded-none circular-corners:rounded-xl;`
`638`	`642`	`@apply shadow-md shadow-tint-12/1 dark:shadow-tint-1/1;`
`639`	`643`	`}`
`640`	`644`
`@@ -647,7 +651,7 @@ body:has(.openapi-select-popover) {`
`647`	`651`	`}`
`648`	`652`
`649`	`653`	`.openapi-select-item {`
`650`		`- @apply text-sm flex items-center cursor-pointer px-1.5 overflow-hidden py-1 text-tint ring-0 border-none rounded !outline-none;`
	`654`	`+ @apply text-sm flex items-center cursor-pointer px-1.5 overflow-hidden py-1 text-tint ring-0 border-none rounded straight-corners:rounded-none circular-corners:rounded-md !outline-none;`
`651`	`655`	`@apply hover:bg-tint-hover hover:theme-gradient:bg-tint-12/1 hover:text-tint-strong contrast-more:hover:ring-1 contrast-more:hover:ring-inset contrast-more:hover:ring-current;`
`652`	`656`	`}`
`653`	`657`
`@@ -743,7 +747,7 @@ body:has(.openapi-select-popover) {`
`743`	`747`	`}`
`744`	`748`
`745`	`749`	`.openapi-tabs-tab {`
`746`		`- @apply hover:bg-primary-hover whitespace-nowrap font-mono font-normal tabular-nums hover:text-primary cursor-pointer transition-all relative text-[0.813rem] text-tint px-1 border border-transparent rounded;`
	`750`	`+ @apply hover:bg-primary-hover whitespace-nowrap font-mono font-normal tabular-nums hover:text-primary cursor-pointer transition-all relative text-[0.813rem] text-tint px-1 border border-transparent rounded straight-corners:rounded-none circular-corners:rounded-md;`
`747`	`751`	`}`
`748`	`752`
`749`	`753`	`.openapi-tabs-tab[aria-selected="true"] {`
`@@ -814,12 +818,12 @@ body:has(.openapi-select-popover) {`
`814`	`818`	`}`
`815`	`819`
`816`	`820`	`.openapi-schemas-disclosure > .openapi-disclosure-trigger {`
`817`		`- @apply flex items-center font-mono transition-all font-normal text-tint-strong !text-sm hover:bg-tint-subtle relative flex-1 gap-2.5 p-5 truncate -outline-offset-1;`
	`821`	`+ @apply flex items-center font-mono transition-all font-normal text-tint-strong !text-sm hover:bg-tint-subtle dark:hover:bg-tint-hover relative flex-1 gap-2.5 p-5 truncate -outline-offset-1;`
`818`	`822`	`}`
`819`	`823`
`820`	`824`	`.openapi-schemas-disclosure > .openapi-disclosure-trigger,`
`821`	`825`	`.openapi-schemas-disclosure .openapi-disclosure-panel {`
`822`		`- @apply straight-corners:!rounded-none;`
	`826`	`+ @apply straight-corners:!rounded-none circular-corners:!rounded-md;`
`823`	`827`	`}`
`824`	`828`
`825`	`829`	`.openapi-disclosure-panel {`
`@@ -847,7 +851,7 @@ body:has(.openapi-select-popover) {`
`847`	`851`	`.openapi-schema-alternatives .openapi-disclosure,`
`848`	`852`	`.openapi-schemas-disclosure .openapi-schema.openapi-disclosure`
`849`	`853`	`) {`
`850`		`- @apply rounded-xl;`
	`854`	`+ @apply rounded-xl straight-corners:rounded-none;`
`851`	`855`	`}`
`852`	`856`
`853`	`857`	`.openapi-disclosure .openapi-schemas-disclosure .openapi-schema.openapi-disclosure {`
`@@ -997,8 +1001,8 @@ body:has(.openapi-select-popover) {`
`997`	`1001`	`}`
`998`	`1002`
`999`	`1003`	`.openapi-path-copy-button {`
`1000`		`- @apply p-1 flex rounded-md;`
`1001`		`- @apply hover:bg-tint;`
	`1004`	`+ @apply p-1 flex rounded-md straight-corners:rounded-none;`
	`1005`	`+ @apply hover:bg-tint dark:hover:bg-tint-hover;`
`1002`	`1006`	`}`
`1003`	`1007`
`1004`	`1008`	`.openapi-path-copy-button-icon {`