ClientCredentials Flow Doesn't Send client_id and client_secret as Form Data Fields and Throws Auth Error TypeError: Failed to fetch #2544
Comments
You've only defined the scheme - as per the Open API spec, you also need to add security requirements to actually apply the scheme either globally or for specific operation(s). See the related readme section, specifically the following note and snippets that follow:
Hi Richard,
Please could you tell me what I'm missing, if this can work?
According to the spec there are two possibilities: either send the client_id and client_secret within the request body, or send them as HTTP Basic. With Auth0 I found out that this can be configured per client. There is still one piece missing though: the audience is currently missing from the form data.
Hi @domaindrivendev, have you any solution for this issue? Any workaround, anything? Best regards,
@jenergm we have the same problem! For example, in our implementation Azure AD/B2C doesn't seem to support the basic authentication mode for the client_credentials grant. We've encountered this problem various times, and this would be very useful. @domaindrivendev, can you give us some directions so that we can evaluate doing a pull request for this? Or directly take a look at it? 😜
Ran into the same problem today... By removing the basic Authorization header I was able to get a valid token back. It's the way Swagger is posting the request that is causing the problem.
Same issue here as well! I have applied both the security definition and the requirement, and the client_id and client_secret are sent through the Authorization header but not in the form body. The Azure OAuth2 endpoint refuses to give the token with them in the header. The behavior I have is like here
I upgraded to the latest packages and the problem still occurs. Others have it as well: https://stackoverflow.com/questions/65231280/swashbuckle-swagger-ui-not-sending-client-secret-and-client-id-to-oauth-endpoint
I have exactly the same problem
I've encountered the same issue. I'm using ClientCredentials in the security definition and my security requirement is pretty basic. Is there a way in the requirement to explicitly say to include the client_id or client_secret in the body of the post? It's beginning to look like no one has an answer here. I've read the previously referenced link, and while I know others don't like spoon-feeding answers, this one is just not going well. I implore one of you to please provide a concrete solution for this. I've been able to use LINQPad to request the token using an HttpClient. This should be very possible from the Swagger authorization modal. I did recently notice that the client credentials are being passed along via basic auth in the header. To get it working, I'm certain it needs to be in the body.
---------------TEMPORARY WORKAROUND--------------
It's UGLY, but it works. Feel free to remove BOTH "console.log(req);". I hate it too, but I think you all deserve something that works as a solution. I tried to format this, but it's not working.
The same issue happens in Swashbuckle.AspNetCore 6.5.0. It is not sending the client_id and client_secret from the input fields in Swagger UI (client credentials flow, token endpoint). It can only send the grant_type and scope fields. So it looks like a more general issue inside the library.
Unfortunately that didn't work for me. Are there any updates on this topic yet?
Following on from what wiz-the-engineer did, I can verify that you can get it to work with the request interceptor. If you expand your JS function to do a little parsing of the basic auth header you can avoid hard-coding those values in your code as well. For example, here's my JS interceptor (in my C# code I pack this up into a resource and strip out the newlines when configuring the SwaggerUI options):
Any update on this issue? This page speaks of a property useBasicAuthenticationWithAccessCodeGrant; is this something that is affecting this?
Have you guys tested whether this works in DotSwashbuckle? But it sounds like a Swagger UI issue though...
@Havunen it is also an issue in DotSwashbuckle 3.0.8. My issue is similar to what others have screenshotted above: I get a 400 like the OP, others in this thread get a 401. The issue is that client_id and client_secret aren't being sent in the request body; they are being sent in a basic Authorization header. Microsoft Entra ID (Azure AD) needs them to be sent in the request body.
Pasting my swagger.json into editor.swagger.io shows the same behaviour. Downloading and running the latest version of Swagger UI (v5.15.0) and pointing it at my swagger.json results in the same. So this is probably a swagger-ui bug. Here's an old issue in that repo: swagger-api/swagger-ui#4533. I'm also getting a CORS error from Azure AD in the above screenshot; the response is:
So based on this CORS error, I wonder if we're barking up the wrong tree trying to get the client credentials flow working in Swagger UI, since Swagger UI is kind of a SPA. I vote that we close this issue, since it is a Swagger UI issue.
I believe this is the same issue as #1344. jwr3408's comment provides a possible solution to this problem. Here is my modified version, which allows you to keep the original token URL in the OpenAPI specification while proxying the requests through your application:

    ...
    services.AddSwaggerGen(c =>
    {
        ...
        c.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
        {
            Type = SecuritySchemeType.OAuth2,
            Flows = new OpenApiOAuthFlows
            {
                ClientCredentials = new OpenApiOAuthFlow
                {
                    // The real token endpoint stays in the generated OpenAPI document
                    TokenUrl = new Uri(authOptions.TokenUrl, UriKind.Absolute),
                    ...
                },
            }
        });
        ...
    });
    ...
    services.AddProxies();
    ...
    const string OAuthProxyUrl = "oauth-proxy";
    // Same-origin route that forwards the token request to the real endpoint,
    // so the browser never makes the cross-origin call that triggers the CORS error
    app.UseProxies(proxies =>
    {
        proxies.Map(OAuthProxyUrl, proxy => proxy.UseHttp(authOptions.Value.TokenUrl,
            builder => builder.WithShouldAddForwardedHeaders(false)));
    });
    ...
    app.UseSwaggerUI(c =>
    {
        ...
        // Redirect request to the OAuth proxy
        c.UseRequestInterceptor($"(req) => {{ if (req.url === '{authOptions.Value.TokenUrl}') {{ req.url = '/{OAuthProxyUrl}'; }} return req; }}");
    });
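Added example, not code from this thread, from Swashbuckle or from Swagger UI: a complete `requestInterceptor` that does what the comments above describe piecemeal. It parses the Basic Authorization header that Swagger UI sends for the client_credentials flow and moves client_id and client_secret into the form body (what Entra ID / Azure AD wants), can add extra body fields such as the Auth0 `audience` mentioned earlier, and can redirect the request to a same-origin proxy path as the C# snippet above does. Assumed, not taken from the thread: the placeholder `TOKEN_URL` and `/oauth-proxy` path, the helper names, the constructed sample request, and that Swagger UI builds the header as `btoa(clientId + ":" + clientSecret)` without form-encoding the two parts first.

```javascript
// Added example (not from the thread, Swashbuckle or Swagger UI).
// A Swagger UI requestInterceptor for the client_credentials flow: moves
// client_id/client_secret from the Basic Authorization header into the
// x-www-form-urlencoded body, optionally adds extra body fields (e.g. Auth0
// "audience") and optionally rewrites the URL to a same-origin proxy path.
// Assumptions: TOKEN_URL and "/oauth-proxy" are placeholders; req has the
// shape Swagger UI hands to requestInterceptor ({ url, method, headers, body });
// the header was built as btoa(clientId + ":" + clientSecret), parts not
// form-encoded first.

const TOKEN_URL = "https://login.example.invalid/oauth2/v2.0/token"; // placeholder

// Base64 helpers that work in the browser (atob/btoa) and in Node (Buffer).
function base64Decode(s) {
  return typeof atob === "function" ? atob(s) : Buffer.from(s, "base64").toString("latin1");
}
function base64Encode(s) {
  return typeof btoa === "function" ? btoa(s) : Buffer.from(s, "latin1").toString("base64");
}

// Parse "Basic <base64>" into { clientId, clientSecret }; null for anything else.
function parseBasicAuth(headerValue) {
  if (typeof headerValue !== "string") return null;
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/i.exec(headerValue.trim());
  if (!m) return null;
  let decoded;
  try { decoded = base64Decode(m[1]); } catch (e) { return null; }
  // A client_id cannot contain ':', so split on the first one; a secret that
  // itself contains ':' stays intact.
  const idx = decoded.indexOf(":");
  if (idx < 0) return null;
  return { clientId: decoded.slice(0, idx), clientSecret: decoded.slice(idx + 1) };
}

// Locate a header key case-insensitively; returns the key as spelled, or null.
function findHeaderKey(headers, name) {
  const wanted = name.toLowerCase();
  return Object.keys(headers || {}).find((k) => k.toLowerCase() === wanted) || null;
}

// Build the function to hand to Swagger UI as requestInterceptor.
function makeTokenRequestInterceptor(tokenUrl, options = {}) {
  const { extraBodyFields = {}, proxyPath = null } = options;
  return function requestInterceptor(req) {
    // Leave every request other than the token POST untouched.
    if (req.url !== tokenUrl || String(req.method).toUpperCase() !== "POST") return req;
    const authKey = findHeaderKey(req.headers, "authorization");
    const creds = authKey ? parseBasicAuth(req.headers[authKey]) : null;
    if (creds) {
      const form = new URLSearchParams(typeof req.body === "string" ? req.body : "");
      form.set("client_id", creds.clientId);
      form.set("client_secret", creds.clientSecret);
      for (const [k, v] of Object.entries(extraBodyFields)) form.set(k, v);
      req.body = form.toString();
      delete req.headers[authKey]; // never send the credentials twice
      const ctKey = findHeaderKey(req.headers, "content-type");
      req.headers[ctKey || "Content-Type"] = "application/x-www-form-urlencoded";
    }
    if (proxyPath) req.url = proxyPath; // app-side route that forwards to tokenUrl
    return req;
  };
}

// Constructed sample of what Swagger UI sends for this flow (not a real capture).
const sampleRequest = {
  url: TOKEN_URL,
  method: "post",
  headers: {
    "Content-Type": "application/x-www-form-urlencoded",
    Authorization: "Basic " + base64Encode("my-client-id:s3cr:et"),
  },
  body: "grant_type=client_credentials&scope=api%3A%2F%2Fexample%2F.default",
};

// Run the interceptor over a copy of the sample and return the rewritten request.
function demo() {
  const interceptor = makeTokenRequestInterceptor(TOKEN_URL, {
    extraBodyFields: { audience: "https://api.example.invalid/" },
    proxyPath: "/oauth-proxy",
  });
  return interceptor({ ...sampleRequest, headers: { ...sampleRequest.headers } });
}
```

With Swashbuckle the function returned by `makeTokenRequestInterceptor` is what you would pass, as a JavaScript expression string, to `c.UseRequestInterceptor(...)` (embedding the script as a resource and collapsing newlines, as one commenter above does). Leave `proxyPath` unset if the identity provider already answers the browser's CORS preflight; set it only when you have an app-side route that forwards to the token endpoint.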
Dear all,
I'm using version Swashbuckle.AspNetCore 6.4.0.
I've set in Startup.cs:
ConfigureServices:
Configure:
When I click the Authorize button, it doesn't submit the client_id and client_secret from the form as form data fields.