fix(writers): throw for mutualTLS in OAS 3.0

mdaneri · mdaneri · commit c45a0bc2feaf · 2026-01-21T07:22:07.000-08:00
diff --git a/src/Microsoft.OpenApi/Models/OpenApiSecurityScheme.cs b/src/Microsoft.OpenApi/Models/OpenApiSecurityScheme.cs
@@ -128,6 +128,11 @@ private void SerializeInternal(IOpenApiWriter writer, OpenApiSpecVersion version
                     break;
                 case SecuritySchemeType.MutualTLS:
                     // No additional properties for mutualTLS
+                    if (version < OpenApiSpecVersion.OpenApi3_1)
+                    {
+                        // mutualTLS is introduced in OpenAPI 3.1
+                        throw new OpenApiException($"mutualTLS security scheme is only supported in OpenAPI 3.1 and later versions. Current version: {version}");
+                    }
                     break;
             }
 
diff --git a/test/Microsoft.OpenApi.Tests/Models/OpenApiSecuritySchemeTests.cs b/test/Microsoft.OpenApi.Tests/Models/OpenApiSecuritySchemeTests.cs
@@ -101,6 +101,12 @@ public class OpenApiSecuritySchemeTests
             OpenIdConnectUrl = new("https://example.com/openIdConnect")
         };
 
+        private static OpenApiSecurityScheme MutualTlsSecurityScheme => new()
+        {
+            Description = "description1",
+            Type = SecuritySchemeType.MutualTLS
+        };
+
         private static OpenApiSecuritySchemeReference OpenApiSecuritySchemeReference => new("sampleSecurityScheme");
         private static OpenApiSecurityScheme ReferencedSecurityScheme => new()
         {
@@ -208,6 +214,19 @@ public async Task SerializeHttpBearerSecuritySchemeAsV3JsonWorks()
             Assert.Equal(expected, actual);
         }
 
+        [Fact]
+        public void SerializeMutualTlsSecuritySchemeAsV3Throws()
+        {
+            // Arrange
+            var outputStringWriter = new StringWriter(CultureInfo.InvariantCulture);
+            var writer = new OpenApiJsonWriter(outputStringWriter);
+
+            // Act & Assert
+            var exception = Assert.Throws<OpenApiException>(() => MutualTlsSecurityScheme.SerializeAsV3(writer));
+            Assert.Contains("mutualTLS security scheme is only supported in OpenAPI 3.1 and later versions", exception.Message);
+            Assert.Contains($"Current version: {OpenApiSpecVersion.OpenApi3_0}", exception.Message);
+        }
+
         [Fact]
         public async Task SerializeOAuthSingleFlowSecuritySchemeAsV3JsonWorks()
         {
