OAuth2 Workflow - oauth2-redirect.html not found #47

Closed
Derich367 opened this issue Feb 11, 2021 · 23 comments · Fixed by #57 or #62
Labels
enhancement New feature or request resolved Request has been resolved v0.5.0

Comments

@Derich367
Contributor

While implementing an OAuth2 workflow for the API documentation, I'm getting the issue that the redirect page can't be found.
E.g. for a locally running function, http://localhost:7071/oauth2-redirect.html can't be found (404) after successful authentication.

My OpenApiOAuthSecurityFlows looks like this:

class TestOAuth2 : OpenApiOAuthSecurityFlows
{
    public TestOAuth2()
    {
        this.Implicit = new OpenApiOAuthFlow()
        {
            AuthorizationUrl = new Uri("https://xxxx.b2clogin.com/xxxx.onmicrosoft.com/oauth2/v2.0/authorize?p=workflow_id"),
            Scopes = { { "https://xxxx.onmicrosoft.com/xxxx-xxx/API.User", "API Access" } },
            TokenUrl = new Uri("https://xxxx.b2clogin.com/xxxx.onmicrosoft.com/oauth2/v2.0/token?p=workflow_id")
        };
    }
}

Am I missing some configuration for the redirect page?

@disambiguationuk

disambiguationuk commented Feb 12, 2021

Sure it's not http://localhost:7071/api/* ?

@Derich367
Contributor Author

> Sure it's not http://localhost:7071/api/* ?

Yes, the Swagger docs are hosted under default settings at http://localhost:7071/api/swagger/ui
But the authorization URL opened by Swagger contains http://localhost:7071/oauth2-redirect.html as the redirect URL.

@justinyoo
Contributor

@Derich367 Can I ask the steps to repro this issue on my end?

If you change this URL, http://localhost:7071/oauth2-redirect.html, to http://localhost:7071/api/oauth2-redirect.html (adding the /api segment), would it work?

If you use the default settings, the host.json has the /api as a prefix of all endpoints - meaning, your other endpoints including oauth2-redirect.html should be the same because it's in the same instance.

@justinyoo justinyoo self-assigned this Feb 13, 2021
@justinyoo justinyoo added the investigating Need time to investigating label Feb 13, 2021
@Derich367
Contributor Author

Derich367 commented Feb 15, 2021

@justinyoo Yes, I created a demo project to reproduce this:
azure-functions-openapi-oauth2-test (empty Function App with the OpenAPI extension and an OAuth2 workflow)
The redirect URL in the generated AuthorizationUrl is http://localhost:7071/oauth2-redirect.html.
But both http://localhost:7071/oauth2-redirect.html and http://localhost:7071/api/oauth2-redirect.html return 404.

@justinyoo
Contributor

justinyoo commented Feb 18, 2021

@Derich367 I saw your sample repo.

But I don't see any endpoint pointing to either /oauth2-redirect.html or /api/oauth2-redirect.html. Have you implemented the endpoint within your Function app? It's something you should implement at your end.

public static async Task<IActionResult> Run(
    [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "oauth2-redirect.html")] HttpRequest req,
    ILogger log)
{
    ...

    return new ContentResult() { Content = "something", ContentType = "text/html" };
}

Alternatively, you can use proxies.json to redirect to your designated endpoint for further processing.

@Derich367
Contributor Author

What is the file oauth2-redirect.html in this repo for, then? I thought the OAuth token retrieval and storage handling was part of this extension.

@justinyoo
Contributor

OH! Is that mine? 🙈🙈🙈 I should implement it then. I totally overlooked that part. Thanks for letting me know!

@justinyoo justinyoo added enhancement New feature or request v0.5.0 working and removed investigating Need time to investigating labels Feb 19, 2021
@svrooij

svrooij commented Feb 22, 2021

And just a quick workaround for anyone who is struggling with this: just add a proxies.json file with the following content:

{
  "$schema": "http://json.schemastore.org/proxies",
  "proxies": {
    "SwaggerUiRedirect": {
      "matchCondition": {
        "methods": [ "GET" ],
        "route": "/oauth2-redirect.html"
      },
      // I'm not sure if this url is allowed, but you get the point.
      "backendUri": "https://petstore.swagger.io/oauth2-redirect.html"
    }
  }
}

@justinyoo justinyoo added resolved Request has been resolved and removed working labels Feb 25, 2021
@svrooij

svrooij commented Feb 25, 2021

I'm not sure if that solves it. The redirect URL isn't configured at the moment, so it will revert to /oauth.....html instead of /api/oauth....html

In which case there is still the need for a proxy file.

@justinyoo
Contributor

Oh, it's implemented and will be included in the next release. I'll comment when it's released.

@justinyoo
Contributor

@svrooij This has been released to NuGet. Please have a look on your end.

@Derich367
Contributor Author

I can confirm, @svrooij, the redirectUrl included in the AuthorizationUrl is still http://localhost:7071/oauth2-redirect.html. So after successful authentication you still get a 404. But if I then change it to http://localhost:7071/api/oauth2-redirect.html, then it's no longer a 404.
But I can't change the redirectUrl inside of the OpenApiOAuthFlow configuration, right?

@svrooij

svrooij commented Feb 26, 2021

You can, however, create a proxy entry to redirect URLs to other local URLs (something similar to my comment above).

To change the redirect URL, I think you need to change the URL in the JavaScript file that Swagger uses.

Maybe that can be configurable?

@justinyoo
Contributor

@Derich367 If you want to use /oauth2-redirect.html, there are two ways:

  • Remove /api from host.json and add it to each endpoint's Route property of the HttpTrigger binding, where necessary, or
  • Use proxies.json to redirect the traffic from /oauth2-redirect.html to /api/oauth2-redirect.html.

It's because Azure Functions runtime behaves like this, which is beyond my control.

Just curious, @Derich367: can you change the behaviour from /oauth2-redirect.html to /api/oauth2-redirect.html on your end when registering the endpoint for OAuth?

@justinyoo justinyoo reopened this Feb 27, 2021
@svrooij

svrooij commented Feb 27, 2021

The redirect URI is mandatory in the authorize/token request according to the OAuth2 specs. The authentication server has a list of allowed redirect URIs per application and only checks if the request URI is in the list. The specs have no room for other configuration.

According to this page you can set up Swagger to load a configuration URI upon load, which will then load all the configuration from some URL (which could also be a function). That way you would enable all sorts of configuration stuff.

You can also add the settings as an object in the original UI HTML (that is how it works in the ASP.NET Core Swagger package).

Next to this, it would also be very nice if there was some way to control these settings from the configuration.
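
An added example, not part of the thread or of the extension's code: the redirect URI in the authorization request has to pass two independent checks, the authorization server's exact-match list of registered URIs and the Function host actually serving that path. The host, endpoint, client id, state and registered list below are constructed values.

```javascript
// Added example. Host, endpoint, client id, state and the registered list
// are constructed values, not taken from the issue or any real tenant.
const HOST = "http://localhost:7071";
const AUTHORIZE = "https://login.example.test/oauth2/v2.0/authorize?p=workflow_id";

// URL of the redirect page for a given route prefix ("" or "api").
function redirectUrl(host, routePrefix) {
  const prefix = routePrefix ? `/${routePrefix.replace(/^\/+|\/+$/g, "")}` : "";
  return `${host}${prefix}/oauth2-redirect.html`;
}

// Implicit-flow authorization request. Query parameters already on the
// endpoint (here the policy parameter "p") are preserved.
function buildAuthorizeUrl(endpoint, { clientId, redirectUri, scope, state }) {
  const url = new URL(endpoint);
  const params = { response_type: "token", client_id: clientId,
                   redirect_uri: redirectUri, scope, state };
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  return url.toString();
}

// Two independent gates: the authorization server compares redirect_uri
// with its registered list by exact string match, then the browser is sent
// to that URL, which the Function host must actually serve.
function diagnose(authorizeUrl, registered, servedPaths) {
  const requested = new URL(authorizeUrl).searchParams.get("redirect_uri");
  if (requested === null || !registered.includes(requested)) {
    return "rejected by authorization server";
  }
  return servedPaths.includes(new URL(requested).pathname)
    ? "ok"
    : "404 at function host";
}

function request(routePrefix) {
  return buildAuthorizeUrl(AUTHORIZE, {
    clientId: "constructed-client-id",
    redirectUri: redirectUrl(HOST, routePrefix),
    scope: "https://example.test/api/API.User",
    state: "constructed-state-value",
  });
}

const served = ["/api/swagger/ui", "/api/oauth2-redirect.html"];
console.log(diagnose(request(""), [redirectUrl(HOST, ""), redirectUrl(HOST, "api")], served));
console.log(diagnose(request("api"), [redirectUrl(HOST, "api")], served));
console.log(diagnose(request(""), [redirectUrl(HOST, "api")], served));
```

The first case is the state reported in this issue: the identity provider accepts the root-level URI, but the host only serves the page under `/api`.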

@justinyoo
Contributor

@svrooij Thanks for the info! For now, I'll fix the /api part, then extend the configuration.

@justinyoo
Contributor

@Derich367 @svrooij I haven't released the fix yet, but can you try on this branch beforehand? It seems to be OK on my end but want to make sure.

https://github.com/Azure/azure-functions-openapi-extension/tree/hotfix/oauth2-redirect

@svrooij

svrooij commented Mar 1, 2021

Do you also build hotfix branches? Or do we need to build it ourselves?

I checked the code and to my understanding that should fix the issue.

@justinyoo
Contributor

Currently the build is halted, but it should be built automatically. I haven't merged it back to the main repo yet, though.

@justinyoo justinyoo linked a pull request Mar 2, 2021 that will close this issue
@justinyoo
Contributor

@Derich367 @svrooij v0.5.1-preview has been released including this hotfix.

@Derich367
Contributor Author

@justinyoo Thanks a lot! I tested it and now OAuth is working as expected!

@svrooij

svrooij commented Mar 3, 2021

I also tested this, and your solution works!

I have one more improvement, the Swagger UI is available at /api/swagger/ui so I thought the redirect file would be available at api/swagger/oauth2-redirect.html (instead of /api/oauth2-redirect.html) that way you keep the api root clean of files that are used by swagger.

@justinyoo
Contributor

@svrooij Oh, thanks for the suggestion! It makes sense to me as well. I'll have a look at the next release.
