OAS 3 validation fails with confusing `name` error message

[ronfogel]

Description

I attached a simple OAS 3 file that should pass validation.
However, while debugging, I noticed that the validation fails due to missing required fields that are only relevant to the API Key security scheme.

The problem is that the spec I provided defines an OAuth2 security scheme, and everything appears to be valid.

To verify, I tested the spec in Swagger Editor (next) and confirmed it is valid according to the official OAS 3 specification.

This makes me suspect the issue may be related either to Ajv or to something specific in your package’s handling of security schemes.

Expected Behavior

The OAS 3 file should pass validation without errors.

Actual Behavior

Validation fails with incorrect errors about required fields for the wrong security scheme.

Environment

• oas-normalize: 15.0.1
• node: 22.17.0

Additional Context

• Confirmed the spec is valid in Swagger Editor.
• Validated against official OAS 3 spec.

[erunion]

I don't believe that API definition is actually valid as OAuth Flow Objects, which authorizationCode would fall under, are required to have a scopes map present:

https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.4.md#oauth-flow-object

I'm guessing that https://editor-next.swagger.io/ is interpreting the "The map MAY be empty." part of the spec as "the map may be optional".

The way we're doing validation right now is using the official JSON Schema definitions that the OAS ships, and there they've got scopes marked as required so we unfortunately don't have any leeway to make it optional like Swagger Editor.

https://github.com/OAI/OpenAPI-Specification/blob/f306a1a3e8a8bd4011ea5a06dd5641194347a1c5/_archive_/schemas/v3.0/schema.yaml#L952-L974

[ronfogel]

I don't believe that API definition is actually valid as OAuth Flow Objects, which authorizationCode would fall under, are required to have a scopes map present:

https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.4.md#oauth-flow-object

I'm guessing that https://editor-next.swagger.io/ is interpreting the "The map MAY be empty." part of the spec as "the map may be optional".

The way we're doing validation right now is using the official JSON Schema definitions that the OAS ships, and there they've got scopes marked as required so we unfortunately don't have any leeway to make it optional like Swagger Editor.

https://github.com/OAI/OpenAPI-Specification/blob/f306a1a3e8a8bd4011ea5a06dd5641194347a1c5/_archive_/schemas/v3.0/schema.yaml#L952-L974

I understand and it make sense.
so the issue is the error that I got which was not the right one

ValidationError: OpenAPI schema validation failed.

REQUIRED must have required property 'name'

  158 |     },
  159 |     "securitySchemes": {
> 160 |       "oauth2": {
      |                 ^ name is missing here!
  161 |         "type": "oauth2",
  162 |         "description": "OAuth 2.0 authorization code flow for API access.",

[erunion]

Ah I see, yeah that error happens because AJV doesn't understand the discriminator in this case. I've looked in the past in trying to resolve this but have come up short. Will leave this open as an improvement.