tokenUrl doesn't permit for relative references in OAS 3.1

[saturna]

Describe the bug
In OAS 3.0 tokenUrl was of uri-reference type but in 3.1 it seemed to be switched back to uri
As per OAS 3.1 documentation tokenUrl should be of type URL and as per section Relative References in URLs:

Unless specified otherwise, all properties that are URLs MAY be relative references as defined by [RFC3986].
RFC-3986 section 4.2 link

I'm assuming that tokenUrl should in fact permit relative paths and default to a baseURL as defined by the Server Object

This would make sense because using tools such as editor-next.swagger.io, Authorize button should allow for baseUrl selection from the Servers drop-down. If tokenUrl cannot use relative paths, it will not work with this drop-down.

To Reproduce

• define a security schema as follows using openapi: 3.1.0 header:

  securitySchemes:
    Oauth2:
      type: oauth2
      description: Oauth 2.0 application authentication
      flows:
        clientCredentials:
          tokenUrl: /oauth2/token

• Attempt to use spectral to validate this schema with spectral:oas rule.
• Schema validation will fail with:

error  oas3-schema  "Oauth2" property must not have unevaluated properties.  components.securitySchemes.Oauth2
error  oas3-schema  "tokenUrl" property must match format "uri".             components.securitySchemes.Oauth2.flows.clientCredentials.tokenUrl

Expected behavior
Spectral validation should pass and allow for relative URLs

Environment (remove any that are not applicable):

• Library version: 6.11.1
• OS: MacOS Sonoma 14.4
• Browser: [N/A]

[daniel-white]

this definitely seems to be a bug. we would welcome a PR as rulesets are pretty straight forward to change. thanks!

[stoplight-bot]

🎉 This issue has been resolved in version 1.20.1 🎉

The release is available on @stoplight/spectral-rulesets-1.20.1

Your semantic-release bot 📦🚀