Authorization Header not being sent from Swagger UI 5.0.0-rc5 #1425
Comments
|
I'm also experiencing the same issue where the UI is not adding the authorization header. I'm using token authentication that is applied conditionally based on attrbiutes of my controller, but with very similar code in an IOperationFilter: operation.Parameters.Add(new OpenApiParameter
{
Name = "Authorization",
In = ParameterLocation.Header,
Description = "[Your Token]",
Required = true,
Schema = new OpenApiSchema { Type = "string" },
});
operation.Responses.Add("401", new OpenApiResponse { Description = "Unauthorized" });
operation.Responses.Add("403", new OpenApiResponse { Description = "Forbidden" });
operation.Security = new List<OpenApiSecurityRequirement>
{
new OpenApiSecurityRequirement()
{
{
new OpenApiSecurityScheme
{
Description = "Adds token to header",
Name = "Authorization",
Type = SecuritySchemeType.Http,
In = ParameterLocation.Header,
Scheme = "bearer",
Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "Bearer" }
},
new List<string>()
}
}
};The UI is generated correctly but the header is not added to the request. using 5.0.0-rc5 |
|
Really need a working example for bearer token. |
|
@gorkemyontem at this point I'm thinking that's not going to happen without a PR. |
|
The following example works for me (including automatic encoding of credentials). It's worth noting that this type of question is related to understanding the Swagger specification, and how to express certain API behaviors with it, as opposed to Swashbuckle itself. When this is the case, I would encourage people to look at the Swagger documents (e.g. authentication examples) instead as they contain many examples which can be easily ported over to Swashbuckle configuration. Anyway, here's a working example for basic Auth (derived from the Swagger docs): c.AddSecurityDefinition("basicAuth", new OpenApiSecurityScheme
{
Type = SecuritySchemeType.Http
Scheme = "basic"
});
c.AddSecurityRequirement(new OpenApiSecurityRequirement
{
{
new OpenApiSecurityScheme
{
Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "basicAuth" }
},
new string[]{}
}
}); |
|
@domaindrivendev That did not work. Click authorize
Fill out info and click the authorize button
Expand an operation
Click "Try it out"
Click "Execute"
401! And there is no "Authorize" header in the request payload.
But Swashbuckle needs to understand the Swagger body to make use of it in the UI does it not? How else does the UI know to create Auth headers, and encode parameters? |
|
Don't use parameters to accomplish this as it is no longer supported by Swagger UI. To get the Authorization header included in the curl request you must define it entirely using security schemes. For reference see this comment Want to share my configuration that works on 5.0.0-rc5: In Startup.cs, add a global Security Definition and operation filter: In the AuthenticationRequirementsOperationFilter add a Security Requirement to the operation by referencing the Security Definition that was added globally: Note:
The generated UI won't have Authorization fields in each endpoint. There should be open locks on the endpoints that had a security requirement added to them in the OperationFilter and an Authorize button should show up on the top right. Add the token to the header using the Authorize button and the endpoints will show with closed locks. Note: "Bearer" will be added automatically, so only provide the token when authorizing.
Requests should now include the Authorization header with the provided token. You can verify in the curl:
Hope it helps! |
|
@pnavk Thank's you led me to the solution which was that I had All I had to do was add the following to my options.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
{
Type = SecuritySchemeType.Http,
Scheme = "basic"
});The key here being |
This is working for me under 5.0.0-rc5: In Startup.cs in ConfigureServices: services.AddSwaggerGen(options =>
{
options.AddSecurityDefinition("bearer", new OpenApiSecurityScheme
{
Type = SecuritySchemeType.Http,
BearerFormat = "JWT",
In = ParameterLocation.Header,
Scheme = "bearer"
});
// add auth header for [Authorize] endpoints
options.OperationFilter<AddAuthHeaderOperationFilter>();NOTE: I filter on
in |
|
For those who are still having trouble with this, here is the code that worked for me after few hours of trial and error. |
|
The options below working with Bearer scheme for me: |
|
I am having the same issue for me but for me its addding the token but getting 401 unauthorised from the controller if i remove the dataannotation it works fine. My Bmi Controler |
|
I think the issue here (from the documentation ): NOTE: In addition to defining a scheme, you also need to indicate which operations that scheme is applicable to. You can apply schemes globally (i.e. to ALL operations) through the AddSecurityRequirement method. The example below indicates that the scheme called "oauth2" should be applied to all operations, and that the "readAccess" and "writeAccess" scopes are required. When applying schemes of type other than "oauth2", the array of scopes MUST be empty. I am using implicit flow for swagger and this solved the issue for me:
|
|
I met the same issue before and resolved it. Now the available Authorization header works fine. Please check my latest sample using SwashBuckle v5.5.1 and netcore 3.1
|
Solved my problem thanks. |
|
I had the same issue. The securityDefinitions in the swagger config, should match the security definition in the operation. In my case I had configured it as, Therefore my endpoint operation definition should include the security, bearerAuth: [] |
|
If someone migrating to .net core version 3.1, following are the changes require.
Below is the code how it should look. |
Thanks for the solution, it worked for me....!!! |
|
Unfortunately this doesn't appear to work, endpoints are not marked as requiring auth and no authorization header is included in nay request. Does this behavior not come out of the box....?
|
Tried both the following solutions:
#1022
#1171
I need basic auth, and I am willing to settle for making the user put the encoded final header in. Ideally, they would be prompted for a username and password and that could automatically be encoded.
The text was updated successfully, but these errors were encountered: