Questions regarding swagger-ui and oauth #83

Closed
dhofstetter opened this issue Nov 13, 2017 · 6 comments

dhofstetter commented Nov 13, 2017

I used a lot of your stuff for a current project, because your enhancements are just awesome!

But actually I'm unable to get everything working regarding the swagger-ui. The authorize button is going to be displayed as expected. And I get the list of defined scopes. But as soon as I want to get myself authorized for the swagger session there are two possibilities:

  • password flow: If I try to use password flow, then nothing happens, but the javascript console shows me that "realm" is not defined within swagger-ui.js

    ```javascript
    handleOauth2Login: function (auth) {
        var host = window.location;
        var pathname = location.pathname.substring(0, location.pathname.lastIndexOf('/'));
        var defaultRedirectUrl = host.protocol + '//' + host.host + pathname + '/o2c.html';
        var redirectUrl = window.oAuthRedirectUrl || defaultRedirectUrl;
        var url = null;
        var scopes = _.map(auth.get('scopes'), function (scope) {
            return scope.scope;
        });
        var state, dets, ep;
        window.OAuthSchemeKey = auth.get('title');

        window.enabledScopes = scopes;
        var flow = auth.get('flow');

        if(auth.get('type') === 'oauth2' && flow && (flow === 'implicit' || flow === 'accessCode')) {
            dets = auth.attributes;
            url = dets.authorizationUrl + '?response_type=' + (flow === 'implicit' ? 'token' : 'code');
            window.swaggerUi.tokenName = dets.tokenName || 'access_token';
            window.swaggerUi.tokenUrl = (flow === 'accessCode' ? dets.tokenUrl : null);
            state = window.OAuthSchemeKey;
        }
        else if(auth.get('type') === 'oauth2' && flow && (flow === 'application')) {
            dets = auth.attributes;
            window.swaggerUi.tokenName = dets.tokenName || 'access_token';
            this.clientCredentialsFlow(scopes, dets.tokenUrl, window.OAuthSchemeKey);
            return;
        }
        else if(auth.get('grantTypes')) {
            // 1.2 support
            var o = auth.get('grantTypes');
            for(var t in o) {
                if(o.hasOwnProperty(t) && t === 'implicit') {
                    dets = o[t];
                    ep = dets.loginEndpoint.url;
                    url = dets.loginEndpoint.url + '?response_type=token';
                    window.swaggerUi.tokenName = dets.tokenName;
                }
                else if (o.hasOwnProperty(t) && t === 'accessCode') {
                    dets = o[t];
                    ep = dets.tokenRequestEndpoint.url;
                    url = dets.tokenRequestEndpoint.url + '?response_type=code';
                    window.swaggerUi.tokenName = dets.tokenName;
                }
            }
        }

        redirect_uri = redirectUrl;

        url += '&redirect_uri=' + encodeURIComponent(redirectUrl);
        url += '&realm=' + encodeURIComponent(realm);
        url += '&client_id=' + encodeURIComponent(clientId);
        url += '&scope=' + encodeURIComponent(scopes.join(scopeSeparator));
        url += '&state=' + encodeURIComponent(state);
        for (var key in additionalQueryStringParams) {
            url += '&' + key + '=' + encodeURIComponent(additionalQueryStringParams[key]);
        }

        window.open(url);
    },
    ```

  • implicit flow: If I use this flow for the security definition, then a click on "authorize" redirects me to the route /auth/oauth2/authorize, which seems to be expected. But the GET parameters "client_id" and "realm" are undefined there, so I'm unable to render the authorize page correctly.

I also saw that you set the client_id and realm for swagger within your config, but I don't know where you are going to render them for usage within the swagger-ui.

Can you help me?

BR Daniel

frol (Owner) commented Nov 13, 2017

First of all, implicit flow is not implemented yet #4.

Second of all, given that realm is set with config.SWAGGER_UI_OAUTH_REALM in the template, I am not sure how that part can be missing.
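To make the "realm is set in the template" point concrete, here is an added example (my code, not swagger-ui's and not this project's). It assumes, as in swagger-ui 2.x, that initOAuth() is what fills the module-level clientId, realm, scopeSeparator and additionalQueryStringParams that handleOauth2Login reads, and that the Swagger UI page's template is where initOAuth() is called with values such as config.SWAGGER_UI_OAUTH_REALM. The object `oauth` stands in for those module variables; SAMPLE_SCHEME, INITIALISED, UNINITIALISED, buildAuthorizeUrlNaive, buildAuthorizeUrl, authorizeParams and demo are names I chose, and the hosts and client id are placeholders. It shows the failure mode in this issue: with the naive string concatenation, a missing initOAuth() call never errors in the browser, because encodeURIComponent(undefined) is the literal string "undefined", so the authorization server receives client_id=undefined and realm=undefined. The hardened builder refuses to redirect until the configuration is complete.

```javascript
// Added example, not code from swagger-ui or from flask-restplus-server-example.
// `oauth` models the values swagger-ui 2.x stores when initOAuth() runs; the
// Swagger UI template is assumed to call initOAuth({ clientId, realm, ... }).

// Constructed security definition, in the shape swagger-ui reads from swagger.json.
const SAMPLE_SCHEME = {
  type: 'oauth2',
  flow: 'implicit',
  authorizationUrl: 'https://api.example.test/auth/oauth2/authorize', // placeholder host
  scopes: [{ scope: 'read' }, { scope: 'write' }],
};

// Naive builder, the same shape as the original handleOauth2Login code.
// encodeURIComponent(undefined) returns the string "undefined", so a missing
// initOAuth() call does not fail here; it reaches the server as client_id=undefined.
function buildAuthorizeUrlNaive(scheme, oauth, state) {
  const scopes = scheme.scopes.map((s) => s.scope);
  let url = scheme.authorizationUrl + '?response_type=' + (scheme.flow === 'implicit' ? 'token' : 'code');
  url += '&redirect_uri=' + encodeURIComponent(oauth.redirectUrl);
  url += '&realm=' + encodeURIComponent(oauth.realm);
  url += '&client_id=' + encodeURIComponent(oauth.clientId);
  url += '&scope=' + encodeURIComponent(scopes.join(oauth.scopeSeparator || ' '));
  url += '&state=' + encodeURIComponent(state);
  return url;
}

// Hardened builder: do not redirect the browser at all unless the OAuth2 client
// configuration is complete and the state value is usable for CSRF protection.
// Parameters are encoded by URLSearchParams instead of by hand.
const REQUIRED_OAUTH_KEYS = ['clientId', 'realm', 'redirectUrl'];

function buildAuthorizeUrl(scheme, oauth, state) {
  if (scheme.type !== 'oauth2' || !['implicit', 'accessCode'].includes(scheme.flow)) {
    throw new Error('redirect-based flow expected, got ' + scheme.flow);
  }
  const missing = REQUIRED_OAUTH_KEYS.filter((k) => typeof oauth[k] !== 'string' || oauth[k] === '');
  if (missing.length > 0) {
    throw new Error('initOAuth() did not provide: ' + missing.join(', '));
  }
  if (typeof state !== 'string' || state.length < 16) {
    throw new Error('state must be an unguessable string (>= 16 chars)');
  }
  const url = new URL(scheme.authorizationUrl);
  url.searchParams.set('response_type', scheme.flow === 'implicit' ? 'token' : 'code');
  url.searchParams.set('redirect_uri', oauth.redirectUrl);
  url.searchParams.set('realm', oauth.realm);
  url.searchParams.set('client_id', oauth.clientId);
  url.searchParams.set('scope', scheme.scopes.map((s) => s.scope).join(oauth.scopeSeparator || ' '));
  url.searchParams.set('state', state);
  for (const [k, v] of Object.entries(oauth.additionalQueryStringParams || {})) {
    url.searchParams.set(k, String(v));
  }
  return url.toString();
}

// The authorization server's view of the request: the query string parsed back
// into an object. This is what the network inspector shows on the redirect.
function authorizeParams(urlString) {
  return Object.fromEntries(new URL(urlString).searchParams);
}

// Constructed configuration, as initOAuth() would have stored it.
const INITIALISED = {
  clientId: 'swagger-ui-client', // placeholder, not a real client id
  realm: 'example-realm',
  redirectUrl: 'https://api.example.test/api/v1/o2c.html',
  scopeSeparator: ' ',
  additionalQueryStringParams: {},
};

// Same scheme, but initOAuth() was never called: the situation in this issue.
const UNINITIALISED = {};

function demo() {
  const state = 'constructed-state-value-0123'; // use a random value in a real client
  const broken = authorizeParams(buildAuthorizeUrlNaive(SAMPLE_SCHEME, UNINITIALISED, state));
  const good = authorizeParams(buildAuthorizeUrl(SAMPLE_SCHEME, INITIALISED, state));
  let hardenedError = null;
  try {
    buildAuthorizeUrl(SAMPLE_SCHEME, UNINITIALISED, state);
  } catch (e) {
    hardenedError = e.message;
  }
  return { broken, good, hardenedError };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node: `broken` shows client_id and realm arriving as the string "undefined", which is exactly what the server-side authorize route in this issue would see, while the hardened builder throws "initOAuth() did not provide: clientId, realm, redirectUrl" before any redirect. If the page's HTML does call initOAuth() with the config values, the same check passes and the parameters arrive filled in, so comparing the rendered template against the redirect request in the inspector is the quickest way to see which case you are in.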

dhofstetter (Author) commented

Can you explain to me how these config values are populated into the swagger-ui and how I can debug the authorization process? Is the authorization process within the function I mentioned above?

BR

frol (Owner) commented Nov 14, 2017

@dhofstetter I am sorry, I have little time this month to answer questions in details. See the HTML on the Swagger UI page (/api/v1/), and watch the network requests it sends/receives in the inspector.

frol added the question label Dec 19, 2017

frol (Owner) commented Dec 19, 2017

@dhofstetter Have you figured this out or you still need some help?

dhofstetter (Author) commented

I was able to do some workaround. Not a nice solution but works somehow!

Do you plan to integrate swagger ui 3 someday?

BR Daniel

frol (Owner) commented Apr 26, 2018

> I was able to do some workaround. Not a nice solution but works somehow!

It would be helpful for others if you can share your workaround. There is also a chance that I will be able to help you to transform it to a proper solution.

> Do you plan to integrate swagger ui 3 someday?

From the user perspective, I don't see much value in Swagger-UI 3 now as it is still lacking the features I use in this example (OAuth2 Password Flow, JSON editor) noirbizarre/flask-restplus#267 (comment)

frol closed this as completed Apr 26, 2018