feat: add support for OAuth clientCredential and password flows in Respect core

[harshit078]

What/Why/How?

• Added the OAuth2 token exchange for x-security schemes with the password and clientCredentials flows.
• Respect now fetches the access token from tokenUrl and apply Authorization: Bearer to the request, which allows to manually obtain a accessToken

Reference

#2122

Testing

Screenshots (optional)

Check yourself

• This PR follows the contributing guide
• All new/updated code is covered by tests
• Core code changed? - Tested with other Redocly products (internal contributions only)
• New package installed? - Tested in different environments (browser/node)
• Documentation update has been considered

Security

• The security impact of the change has been considered
• Code follows company security practices and guidelines

---

Note

High Risk
Adds outbound token requests and handling of client secrets/passwords in Respect; misconfiguration or logging could expose credentials, though secrets are added to secretsSet for masking.

Overview
Respect now performs OAuth2 token exchange for Arazzo x-security when clientCredentials or password flows are declared: it POSTs to tokenUrl, caches tokens on TestContext.oauth2TokenCache, and applies Authorization: Bearer on workflow requests. A pre-set accessToken still skips the exchange.

Linting and runtime validation no longer treat every OAuth2 scheme as requiring only accessToken. The x-security-scheme-required-values rule and validateXSecurityParameters require flow-specific credentials (clientId/clientSecret, username/password, or accessToken for non-exchangeable flows such as implicit). resolveXSecurityParameters is async end-to-end through prepare-request.

Also adds exchange-oauth2-token (Basic vs body client auth, scope handling, secret masking) with unit/integration tests, a new AsyncAPI 3 security-defined rule module, and minor e2e snapshot updates for config assertion subject types (ActionParameters, ActionParameter).

^{Reviewed by Cursor Bugbot for commit 637545a. Bugbot is set up for automated code reviews on this repo. Configure here.}

[changeset-bot]

🦋 Changeset detected

Latest commit: 637545a

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
@redocly/respect-core	Minor
@redocly/openapi-core	Minor
@redocly/cli	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[cursor]

Exchanged token not persisted

Medium Severity

After OAuth2 token exchange, the new accessToken is assigned only on the local values object built via Object.fromEntries, not on security.values on the step/workflow. Later runtime expressions or steps that read x-security.values.accessToken never see the exchanged token even though the current request gets the Bearer header.

 

^{Reviewed by Cursor Bugbot for commit cda6f48. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 9ef677b. Configure here.}

[cursor]

Dual-flow OAuth validation mismatch

Medium Severity

getRequiredValuesForOAuth2 always requires clientId and clientSecret when clientCredentials is declared, even if both flows exist and only username/password are provided. That disagrees with the lint rule, which accepts either credential set.

Additional Locations (1)

• packages/core/src/rules/respect/x-security-scheme-required-values.ts#L28-L35

 

^{Reviewed by Cursor Bugbot for commit 9ef677b. Configure here.}