Hi Team,

We are using OASValidation (OpenAPI Specification Validation) policy to validate an incoming request(Manadatory headers) against an OpenAPI 3.0 Specification(JSON or YAML). We have done some analysis and seems like we hit a minor discrepancy in Apigee in this policy to implement.

It works only for the params (headers, etc) that are mentioned directly under parameters tag (not as a reference). The ones mentioned as reference do not get validated for cardinality required. In other words, missing AppID gives the expected error but missing TestID doesn't

However if we set: <ValidateMessageBody>true</ValidateMessageBody> in policy both get validated. However, the challenge with this setting is that it validates the incoming payload against the schema.

Is there a way to just validate incoming parameters (that are mentioned as references) except the payload.

openapi: 3.0.0
info:
  title: Title API
  description: >-
    Some desc

  contact: 
    name: "My Team"
    email: "email@sample.co.uk"
  version: 1.0.1servers:
  - url: 'https://example.com/customer/v1'
    description: some desc
paths:
  /diagnostics/collect:
    get:
      parameters:
        - name: appid
          in: header
          required: true
          schema:
            type: string
        - $ref: '#/components/parameters/TestID'
      responses:
        '200':
          description: OK
components:
  parameters:
    TestID:
      name: testid
      in: header
      required: true
      schema:
        type: string
      example: 8476a9db-f82c-4713-824c-c6046521a947

Please share your inputs on this policy issue.

Thanks

@kurtkanaskie @dchiesa1 @Sai Saran Vaidyanathan
@dknezic @ganadurai @Harish123 @Manisha_Chennu @shrenikkumar-s @Renuka_atnoor