Security requirements not being serialized?

[baywet]

Hi everyone,
As I'm fairly new playing with this library I'm not whether I found a bug or if I'm missing something.
I'm currently building a brand new API, this api relies on aspnet core, ef core, odata core. Previously this API was not secured in any way and I had Open API definitions working fine.
I added an additional project/service to handle all identity/authentication/autorisation concerns. This is implemented using Identity Server v4. I also added the bearer validation in my API. All of that works fine.
Now I'm trying to add the authentication information to my open api definition (and reflect it in the swashbuckle UI) so developers using that API know that they need to get tokens and where before trying to call the endpoints.
The issue I'm facing the current code is that although I'm adding security requirements in the code, that doesn't get reflected in the serialized json or yaml.
Here is the code I implemented to generate my definitions. Thanks for the help!

 var authServiceBaseUrl = "https://myidentityserverinstance";
            var apiEndpoint = "https://theapiurl";
var oDataBuilder = new ODataConventionModelBuilder(provider); // provider is my IServiceProvider
            oDataBuilder.EntitySet<DataPoint>($"{nameof(DataPoint)}s");
            var model = oDataBuilder.GetEdmModel();
            oDataBuilder.ValidateModel(model);
            var document = model.ConvertToOpenApi();
// the addtion for auth starts here
            document.SecurityRequirements = new List<OpenApiSecurityRequirement>
            {
                new OpenApiSecurityRequirement
                {
                    {
                        new OpenApiSecurityScheme()
                        {
                            OpenIdConnectUrl = new Uri($"{authServiceBaseUrl}/.well-known/openid-configuration"),
                            BearerFormat = "JWT",
                            Scheme = "bearer",
                            In = ParameterLocation.Header,
                            Name = "Authorization",
                            Type = SecuritySchemeType.OpenIdConnect,
                            Flows = new OpenApiOAuthFlows
                            {
                                Implicit = new OpenApiOAuthFlow
                                {
                                    AuthorizationUrl = new Uri($"{authServiceBaseUrl}/connect/authorize"),
                                    TokenUrl = new Uri($"{authServiceBaseUrl}/connect/token"),
                                    Scopes = new Dictionary<string, string>
                                    {
                                        {"datapoints.read", "Read DataPoints" },
                                    }
                                }
                            }
                        },
                        new List<string>
                        {
                            "datapoints.read",
                        }
                    }
                }
            };
// the addition for auth ends here
            var outputYAML = document.SerializeAsYaml(OpenApiSpecVersion.OpenApi3_0);
            return Content(outputYAML, new MediaTypeHeaderValue("text/vnd.yaml"));

[PerthCharern]

@baywet

The security scheme object must be declared in OpenApiDocument.Components.SecuritySchemes. The SecurityScheme object you use as a dictionary key in OpenApiSecurityRequirement should then contain the Reference to the SecurityScheme you have declared in the Components.

We don't allow declaring the SecurityScheme directly in the SecurityRequirement since the spec says that the scheme here can't just be any random scheme - it must refer to one of the schemes already declared in the Components section.

See the serialization code here: https://github.com/Microsoft/OpenAPI.NET/blob/master/src/Microsoft.OpenApi/Models/OpenApiSecurityRequirement.cs

[baywet]

@PerthCharern thanks for the help!
With that additional information I was able to make progress, now my json definition contains this under components.

{
"securitySchemes": {
      "openIdConnect": {
        "type": "openIdConnect",
        "openIdConnectUrl": "https://localhost:44378/.well-known/openid-configuration"
      }
    }
}

and that under security

"security": [
    {
      "openIdConnect": [
        "datapoints.read",
        ]
    }

And this is what my code for the security part looks like now.

var secScheme = new OpenApiSecurityScheme()
            {
                OpenIdConnectUrl = new Uri($"{authServiceBaseUrl}/.well-known/openid-configuration"),
                BearerFormat = "JWT",
                Scheme = "bearer",
                In = ParameterLocation.Header,
                Name = "Authorization",
                Type = SecuritySchemeType.OpenIdConnect,
                Flows = new OpenApiOAuthFlows
                {
                    Implicit = new OpenApiOAuthFlow
                    {
                        AuthorizationUrl = new Uri($"{authServiceBaseUrl}/connect/authorize"),
                        TokenUrl = new Uri($"{authServiceBaseUrl}/connect/token"),
                        Scopes = new Dictionary<string, string>
                                    {
                                        {"datapoints.read", "Read DataPoints" },
                                    }
                    }
                }
            };
            document.Components.SecuritySchemes.Add("openIdConnect", secScheme);
            document.SecurityRequirements = new List<OpenApiSecurityRequirement>
            {
                new OpenApiSecurityRequirement
                {
                    {
                        new OpenApiSecurityScheme
                        {
                            Reference = new OpenApiReference()
                            {
                                Type = ReferenceType.SecurityScheme,
                                Id = "openIdConnect"
                            }
                        }
                        ,
                        new List<string>
                        {
                            "datapoints.read",
                        }
                    }
                }
            };

As you can see my securityScheme node is missing a lot of information I'm providing in the code, did I miss something here?
Question: my swagger UI still doesn't suggest the reader to authenticate automatically to try out the endpoints and get the access token for him/her (see screenshots bellow). I'm pretty sure I'm missing something somewhere but I don't know what exactly. Before going over to swashbuckle and asking my questions I want to make sure my definition contains all the information it should. Do I need to explicitly setup security requirements per operation/path? I thought those were just overrides for the top level requirements. Am I missing anything else?
Feedback: using the same OpenApiSecurityScheme class both in the SecuritySchemes and in the OpenApiSecurityRequirement for different intents (definition vs reference) is counter intuitive IMHO.

[PerthCharern]

@baywet Could you elaborate on this "my securityScheme node is missing a lot of information I'm providing in the code"? Can you show the serialized version of your object by any chance (i.e. call document.SerializeAsJson or something similar)?

In the security requirements node, you will see a map from the security scheme name (in this case "openIdConnect") to list of strings (["datapoints.read"]). You will NOT see the security scheme object detail there since this is what the spec dictates.

You should not need to provide explicit securityRequirements per operation/path based on the spec. They are used for overrides like you suggested.

If you can show me the serialized version of your doc (just the section that corresponds to your DOM object above is ok), I can help double check.

[PerthCharern]

One more thing:

Based on the spec, if you use openIdConnect as security scheme type, you should only add openIdConnectUrl.

https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.0.md#security-scheme-object

Could you remove other properties? Namely, remove name, in, scheme, bearerFormat, flows. They might be the reason why Swagger UI doesn't render this correctly.

[baywet]

@PerthCharern thanks for the follow up and the support!
For the security scheme missing information question/remark, it makes senses that the serialiazer was ignoring what I was providing to match the spec, I removed the additional information, it now shows like that in the code.

var secScheme = new OpenApiSecurityScheme()
            {
                OpenIdConnectUrl = new Uri($"{authServiceBaseUrl}/.well-known/openid-configuration"),
                Type = SecuritySchemeType.OpenIdConnect
            };

Both the securitySchemes and security nodes in my open API definition haven't changed so I guess it is pulling information from my well known configuration.
I'm not quite sure what you are asking for in terms of DOM elements of the UI. So here is the node of the expanded operation.

<div style="height: auto; border: none; margin: 0px; padding: 0px;"><!-- react-text: 108 --> <!-- /react-text --><span><div class="opblock opblock-get is-open" id="operations-DataPoints\.DataPoint-DataPoints\.DataPoint\.ListDataPoint"><div class="opblock-summary opblock-summary-get"><span class="opblock-summary-method">GET</span><span class="opblock-summary-path"><a class="nostyle"><span>/DataPoints</span></a></span><div class="opblock-summary-description">Get entities from DataPoints</div><button class="authorization__btn unlocked" aria-label="authorization button unlocked"><svg width="20" height="20"><use href="#unlocked" xlink:href="#unlocked"></use></svg></button><!-- react-empty: 120 --></div><div style="height: auto; border: none; margin: 0px; padding: 0px;"><!-- react-text: 1048 --> <!-- /react-text --><div class="opblock-body"><div class="opblock-section"><div class="opblock-section-header"><div class="tab-header"><div class="tab-item active"><h4 class="opblock-title"><span>Parameters</span></h4></div></div><div class="try-out"><button class="btn try-out__btn">Try it out </button></div></div><div class="parameters-container"><div class="table-container"><table class="parameters"><thead><tr><th class="col col_header parameters-col_name">Name</th><th class="col col_header parameters-col_description">Description</th></tr></thead><tbody><tr data-param-name="$top" data-param-in="query"><td class="col parameters-col_name"><div class="parameter__name"><!-- react-text: 1069 -->$top<!-- /react-text --></div><div class="parameter__type"><!-- react-text: 1071 -->integer<!-- /react-text --></div><div class="parameter__deprecated"></div><div class="parameter__in"><!-- react-text: 1074 -->(<!-- /react-text --><!-- react-text: 1075 -->query<!-- /react-text --><!-- react-text: 1076 -->)<!-- /react-text --></div></td><td class="col parameters-col_description"><div class="renderedMarkdown"><p>Show only the first n items</p></div></td></tr><tr data-param-name="$skip" data-param-in="query"><td class="col parameters-col_name"><div class="parameter__name"><!-- react-text: 1082 -->$skip<!-- /react-text --></div><div class="parameter__type"><!-- react-text: 1084 -->integer<!-- /react-text --></div><div class="parameter__deprecated"></div><div class="parameter__in"><!-- react-text: 1087 -->(<!-- /react-text --><!-- react-text: 1088 -->query<!-- /react-text --><!-- react-text: 1089 -->)<!-- /react-text --></div></td><td class="col parameters-col_description"><div class="renderedMarkdown"><p>Skip the first n items</p></div></td></tr><tr data-param-name="$search" data-param-in="query"><td class="col parameters-col_name"><div class="parameter__name"><!-- react-text: 1095 -->$search<!-- /react-text --></div><div class="parameter__type"><!-- react-text: 1097 -->string<!-- /react-text --></div><div class="parameter__deprecated"></div><div class="parameter__in"><!-- react-text: 1100 -->(<!-- /react-text --><!-- react-text: 1101 -->query<!-- /react-text --><!-- react-text: 1102 -->)<!-- /react-text --></div></td><td class="col parameters-col_description"><div class="renderedMarkdown"><p>Search items by search phrases</p></div></td></tr><tr data-param-name="$filter" data-param-in="query"><td class="col parameters-col_name"><div class="parameter__name"><!-- react-text: 1108 -->$filter<!-- /react-text --></div><div class="parameter__type"><!-- react-text: 1110 -->string<!-- /react-text --></div><div class="parameter__deprecated"></div><div class="parameter__in"><!-- react-text: 1113 -->(<!-- /react-text --><!-- react-text: 1114 -->query<!-- /react-text --><!-- react-text: 1115 -->)<!-- /react-text --></div></td><td class="col parameters-col_description"><div class="renderedMarkdown"><p>Filter items by property values</p></div></td></tr><tr data-param-name="$count" data-param-in="query"><td class="col parameters-col_name"><div class="parameter__name"><!-- react-text: 1121 -->$count<!-- /react-text --></div><div class="parameter__type"><!-- react-text: 1123 -->boolean<!-- /react-text --></div><div class="parameter__deprecated"></div><div class="parameter__in"><!-- react-text: 1126 -->(<!-- /react-text --><!-- react-text: 1127 -->query<!-- /react-text --><!-- react-text: 1128 -->)<!-- /react-text --></div></td><td class="col parameters-col_description"><div class="renderedMarkdown"><p>Include count of items</p></div></td></tr><tr data-param-name="$orderby" data-param-in="query"><td class="col parameters-col_name"><div class="parameter__name"><!-- react-text: 1134 -->$orderby<!-- /react-text --></div><div class="parameter__type"><!-- react-text: 1136 -->array<!-- /react-text --><!-- react-text: 1137 -->[string]<!-- /react-text --></div><div class="parameter__deprecated"></div><div class="parameter__in"><!-- react-text: 1140 -->(<!-- /react-text --><!-- react-text: 1141 -->query<!-- /react-text --><!-- react-text: 1142 -->)<!-- /react-text --></div></td><td class="col parameters-col_description"><div class="renderedMarkdown"><p>Order items by property values</p></div><div class="parameter__enum renderedMarkdown"><p><i>Available values</i> : Id, Id desc, Value, Value desc, ReadTimeUtc, ReadTimeUtc desc</p></div></td></tr><tr data-param-name="$select" data-param-in="query"><td class="col parameters-col_name"><div class="parameter__name"><!-- react-text: 1149 -->$select<!-- /react-text --></div><div class="parameter__type"><!-- react-text: 1151 -->array<!-- /react-text --><!-- react-text: 1152 -->[string]<!-- /react-text --></div><div class="parameter__deprecated"></div><div class="parameter__in"><!-- react-text: 1155 -->(<!-- /react-text --><!-- react-text: 1156 -->query<!-- /react-text --><!-- react-text: 1157 -->)<!-- /react-text --></div></td><td class="col parameters-col_description"><div class="renderedMarkdown"><p>Select properties to be returned</p></div><div class="parameter__enum renderedMarkdown"><p><i>Available values</i> : Id, Value, ReadTimeUtc, Sensor</p></div></td></tr><tr data-param-name="$expand" data-param-in="query"><td class="col parameters-col_name"><div class="parameter__name"><!-- react-text: 1164 -->$expand<!-- /react-text --></div><div class="parameter__type"><!-- react-text: 1166 -->array<!-- /react-text --><!-- react-text: 1167 -->[string]<!-- /react-text --></div><div class="parameter__deprecated"></div><div class="parameter__in"><!-- react-text: 1170 -->(<!-- /react-text --><!-- react-text: 1171 -->query<!-- /react-text --><!-- react-text: 1172 -->)<!-- /react-text --></div></td><td class="col parameters-col_description"><div class="renderedMarkdown"><p>Expand related entities</p></div><div class="parameter__enum renderedMarkdown"><p><i>Available values</i> : *, Sensor</p></div></td></tr></tbody></table></div></div><!-- react-text: 1176 --><!-- /react-text --></div><div class="execute-wrapper"></div><div class="responses-wrapper"><div class="opblock-section-header"><h4>Responses</h4></div><div class="responses-inner"><table class="responses-table"><thead><tr class="responses-header"><td class="col col_header response-col_status">Code</td><td class="col col_header response-col_description">Description</td><td class="col col_header response-col_links">Links</td></tr></thead><tbody><tr class="response " data-code="200"><td class="col response-col_status">200</td><td class="col response-col_description"><div class="response-col_description__inner"><div class="renderedMarkdown"><p>Retrieved entities</p></div></div><div class="response-content-type controls-accept-header"><div class="content-type-wrapper "><select class="content-type"><option value="application/json">application/json</option></select></div><small><!-- react-text: 1199 -->Controls <!-- /react-text --><code>Accept</code><!-- react-text: 1201 --> header.<!-- /react-text --></small></div><div><ul class="tab"><li class="tabitem active"><a class="tablinks" data-name="example">Example Value</a></li><li class="tabitem"><a class="tablinks" data-name="model">Model</a></li></ul><div><div><div class="highlight-code"><pre class="example microlight"><span style="">{</span><span style="color: #555; font-weight: bold;">
  </span><span style="color: #555;">"value"</span><span style="">:</span><span style="color: #555; font-weight: bold;"> </span><span style="">[</span><span style="color: #555; font-weight: bold;">
    </span><span style="">{</span><span style="color: #555; font-weight: bold;">
      </span><span style="color: #555;">"Id"</span><span style="">:</span><span style="color: #555; font-weight: bold;"> </span><span style="color: #555;">"Guid (identifier)"</span><span style="">,</span><span style="color: #555; font-weight: bold;">
      </span><span style="color: #555;">"Value"</span><span style="">:</span><span style="color: #555; font-weight: bold;"> </span><span style="color: #555;">"Double"</span><span style="">,</span><span style="color: #555; font-weight: bold;">
      </span><span style="color: #555;">"ReadTimeUtc"</span><span style="">:</span><span style="color: #555; font-weight: bold;"> </span><span style="color: #555;">"DateTimeOffset (timestamp)"</span><span style="">,</span><span style="color: #555; font-weight: bold;">
      </span><span style="color: #555;">"Sensor"</span><span style="">:</span><span style="color: #555; font-weight: bold;"> </span><span style="">{</span><span style="color: #555; font-weight: bold;">
        </span><span style="color: #555;">"@odata.type"</span><span style="">:</span><span style="color: #555; font-weight: bold;"> </span><span style="color: #555;">"DataApi.Models.Sensor"</span><span style="color: #555; font-weight: bold;">
      </span><span style="">}</span><span style="color: #555; font-weight: bold;">
    </span><span style="">}</span><span style="color: #555; font-weight: bold;">
  </span><span style="">]</span><span style="color: #555; font-weight: bold;">
</span><span style="">}</span></pre></div></div></div></div></td><td class="col response-col_links"><i>No links</i></td></tr><tr class="response " data-code="default"><td class="col response-col_status">default</td><td class="col response-col_description"><div class="response-col_description__inner"><div class="renderedMarkdown"><p>error</p></div></div><div class="response-content-type"><div class="content-type-wrapper "><select class="content-type"><option value="application/json">application/json</option></select></div></div><div><ul class="tab"><li class="tabitem active"><a class="tablinks" data-name="example">Example Value</a></li><li class="tabitem"><a class="tablinks" data-name="model">Model</a></li></ul><div><div><div class="highlight-code"><pre class="example microlight"><span style="">{</span><span style="color: #555; font-weight: bold;">
  </span><span style="color: #555;">"error"</span><span style="">:</span><span style="color: #555; font-weight: bold;"> </span><span style="">{</span><span style="color: #555; font-weight: bold;">
    </span><span style="color: #555;">"code"</span><span style="">:</span><span style="color: #555; font-weight: bold;"> </span><span style="color: #555;">"string"</span><span style="">,</span><span style="color: #555; font-weight: bold;">
    </span><span style="color: #555;">"message"</span><span style="">:</span><span style="color: #555; font-weight: bold;"> </span><span style="color: #555;">"string"</span><span style="">,</span><span style="color: #555; font-weight: bold;">
    </span><span style="color: #555;">"target"</span><span style="">:</span><span style="color: #555; font-weight: bold;"> </span><span style="color: #555;">"string"</span><span style="">,</span><span style="color: #555; font-weight: bold;">
    </span><span style="color: #555;">"details"</span><span style="">:</span><span style="color: #555; font-weight: bold;"> </span><span style="">[</span><span style="color: #555; font-weight: bold;">
      </span><span style="">{</span><span style="color: #555; font-weight: bold;">
        </span><span style="color: #555;">"code"</span><span style="">:</span><span style="color: #555; font-weight: bold;"> </span><span style="color: #555;">"string"</span><span style="">,</span><span style="color: #555; font-weight: bold;">
        </span><span style="color: #555;">"message"</span><span style="">:</span><span style="color: #555; font-weight: bold;"> </span><span style="color: #555;">"string"</span><span style="">,</span><span style="color: #555; font-weight: bold;">
        </span><span style="color: #555;">"target"</span><span style="">:</span><span style="color: #555; font-weight: bold;"> </span><span style="color: #555;">"string"</span><span style="color: #555; font-weight: bold;">
      </span><span style="">}</span><span style="color: #555; font-weight: bold;">
    </span><span style="">]</span><span style="">,</span><span style="color: #555; font-weight: bold;">
    </span><span style="color: #555;">"innererror"</span><span style="">:</span><span style="color: #555; font-weight: bold;"> </span><span style="">{</span><span style="">}</span><span style="color: #555; font-weight: bold;">
  </span><span style="">}</span><span style="color: #555; font-weight: bold;">
</span><span style="">}</span></pre></div></div></div></div></td><td class="col response-col_links"><i>No links</i></td></tr></tbody></table></div></div></div><!-- react-text: 1235 --> <!-- /react-text --></div></div></span><span><div class="opblock opblock-post" id="operations-DataPoints\.DataPoint-DataPoints\.DataPoint\.CreateDataPoint"><div class="opblock-summary opblock-summary-post"><span class="opblock-summary-method">POST</span><span class="opblock-summary-path"><a class="nostyle"><span>/DataPoints</span></a></span><div class="opblock-summary-description">Add new entity to DataPoints</div><button class="authorization__btn unlocked" aria-label="authorization button unlocked"><svg width="20" height="20"><use href="#unlocked" xlink:href="#unlocked"></use></svg></button><!-- react-empty: 133 --></div><noscript></noscript></div></span><span><div class="opblock opblock-get" id="operations-DataPoints\.DataPoint-DataPoints\.DataPoint\.GetDataPoint"><div class="opblock-summary opblock-summary-get"><span class="opblock-summary-method">GET</span><span class="opblock-summary-path"><a class="nostyle"><span>/DataPoints({Id})</span></a></span><div class="opblock-summary-description">Get entity from DataPoints by key</div><button class="authorization__btn unlocked" aria-label="authorization button unlocked"><svg width="20" height="20"><use href="#unlocked" xlink:href="#unlocked"></use></svg></button><!-- react-empty: 146 --></div><noscript></noscript></div></span><span><div class="opblock opblock-patch" id="operations-DataPoints\.DataPoint-DataPoints\.DataPoint\.UpdateDataPoint"><div class="opblock-summary opblock-summary-patch"><span class="opblock-summary-method">PATCH</span><span class="opblock-summary-path"><a class="nostyle"><span>/DataPoints({Id})</span></a></span><div class="opblock-summary-description">Update entity in DataPoints</div><button class="authorization__btn unlocked" aria-label="authorization button unlocked"><svg width="20" height="20"><use href="#unlocked" xlink:href="#unlocked"></use></svg></button><!-- react-empty: 159 --></div><noscript></noscript></div></span><span><div class="opblock opblock-delete" id="operations-DataPoints\.DataPoint-DataPoints\.DataPoint\.DeleteDataPoint"><div class="opblock-summary opblock-summary-delete"><span class="opblock-summary-method">DELETE</span><span class="opblock-summary-path"><a class="nostyle"><span>/DataPoints({Id})</span></a></span><div class="opblock-summary-description">Delete entity from DataPoints</div><button class="authorization__btn unlocked" aria-label="authorization button unlocked"><svg width="20" height="20"><use href="#unlocked" xlink:href="#unlocked"></use></svg></button><!-- react-empty: 172 --></div><noscript></noscript></div></span><!-- react-text: 174 --> <!-- /react-text --></div>

When I click on the authorize button the dialog is empty (besides the title), and the "try it out" experience doesn't list the authorization header as required even though trying it responds a 401 authenticate.
Let me know if you need anything else.
Thanks again for the continuous support!

[PerthCharern]

​I would like to see the OpenAPI Document that is generated (the one the UI is rendering).

Basically, the output of your line here:

var outputYAML = document.SerializeAsYaml(OpenApiSpecVersion.OpenApi3_0);

Could you provide that? If we can confirm that all the info is in the doc, then it's a Swagger UI problem. If the info is not in the doc, then it's our library's problem.

[baywet]

Let me know if you need anything else.
swagger.zip

[PerthCharern]

The security section and the components/securitySchemes section look compliant to the spec to me. There are some other issues with your document (some parameters have the same name), but it should not cause the behavior you described.

My best guess would be that Swagger UI has some issues with OpenIdConnect, or that whatever is hosted in your localhost openIdConnect URL is not in the correct format recognized by Swagger UI.

[darrelmiller]

@baywet Just a FYI regarding your sample,

var secScheme = new OpenApiSecurityScheme()
            {
                OpenIdConnectUrl = new Uri($"{authServiceBaseUrl}/.well-known/openid-configuration"),
                BearerFormat = "JWT",
                Scheme = "bearer",
                In = ParameterLocation.Header,
                Name = "Authorization",
                Type = SecuritySchemeType.OpenIdConnect,
                Flows = new OpenApiOAuthFlows
                {
                    Implicit = new OpenApiOAuthFlow
                    {
                        AuthorizationUrl = new Uri($"{authServiceBaseUrl}/connect/authorize"),
                        TokenUrl = new Uri($"{authServiceBaseUrl}/connect/token"),
                        Scopes = new Dictionary<string, string>
                                    {
                                        {"datapoints.read", "Read DataPoints" },
                                    }
                    }
                }
            };
            document.Components.SecuritySchemes.Add("openIdConnect", secScheme);
            document.SecurityRequirements = new List<OpenApiSecurityRequirement>
            {
                new OpenApiSecurityRequirement
                {
                    {
                        new OpenApiSecurityScheme
                        {
                            Reference = new OpenApiReference()
                            {
                                Type = ReferenceType.SecurityScheme,
                                Id = "openIdConnect"
                            }
                        }
                        ,
                        new List<string>
                        {
                            "datapoints.read",
                        }
                    }
                }
            };

The problem above is that you now have two instances of OpenApiSecurityScheme when really you only want one. Ideally what you should do is create the component with the reference to itself and marked as "resolved" and then use that object instance in your SecurityRequirement dictionary.

var secScheme = new OpenApiSecurityScheme()
            {
                OpenIdConnectUrl = new Uri($"{authServiceBaseUrl}/.well-known/openid-configuration"),
                BearerFormat = "JWT",
                Scheme = "bearer",
                In = ParameterLocation.Header,
                Name = "Authorization",
                Type = SecuritySchemeType.OpenIdConnect,
                Flows = new OpenApiOAuthFlows
                {
                    Implicit = new OpenApiOAuthFlow
                    {
                        AuthorizationUrl = new Uri($"{authServiceBaseUrl}/connect/authorize"),
                        TokenUrl = new Uri($"{authServiceBaseUrl}/connect/token"),
                        Scopes = new Dictionary<string, string>
                                    {
                                        {"datapoints.read", "Read DataPoints" },
                                    }
                    }
                }, 
                 Reference = new OpenApiReference()
                            {
                                Type = ReferenceType.SecurityScheme,
                                Id = "openIdConnect"
                            },
                 UnresolvedReference = false
               };
            document.Components.SecuritySchemes.Add("openIdConnect", secScheme);
            document.SecurityRequirements = new List<OpenApiSecurityRequirement>
            {
                new OpenApiSecurityRequirement
                {
                    {
                       secScheme 
                        ,
                        new List<string>
                        {
                            "datapoints.read",
                        }
                    }
                }
            };

I realize that is ugly as sin. I'd love to create some kind of helper method to make this ugliness go away. I'm also a bit surprised that your object model renders properly.

I'll ping Ron and ask if SwaggerUI is supposed to work with OpenIdConnect.

[darrelmiller]

I just received confirmation that SwaggerUI does not yet support OpenIdConnect. They haven't had much demand for it yet.

[PerthCharern]

@darrelmiller I think @baywet has already changed his security scheme object to only contain openIdConnect-related stuff as suggested by the spec, so the creation of the object will look a bit less complicated.

Thanks for confirming the Swagger UI issue.

[baywet]

Hey @darrelmiller thanks for joining the discussion and helping out! @PerthCharern thanks for the continuous support.
So I switched to OAuth2 instead and it works like a charm!
I'll add my code bellow for reference purposes if it can help others.
I have one remaining question: from a reference purposes my api documentation states it supports oauth2 token from an implicit flow (see security node bellow), should I also add the openidconnect to say "hey you can also auth using openidconnect"?

"securitySchemes": {
      "oauth": {
        "type": "oauth2",
        "flows": {
          "implicit": {
            "authorizationUrl": "https://localhost:44378/connect/authorize",
            "tokenUrl": "https://localhost:44378/connect/token",
            "scopes": {
              "sensors.read": "Read Sensors",
              "sensors.readwrite": "Read and Write Sensors",
              "datapoints.read": "Read DataPoints",
              "datapoints.readwrite": "Read and Write DataPoints",
              "sensortypes.read": "Read Sensor Types",
              "sensortypes.readwrite": "Read and Write Sensor Types",
              "devices.read": "Read Devices",
              "devices.readwrite": "Read and Write Devices",
              "sites.read": "Read Sites",
              "sites.readwrite": "Read and Write Sites",
              "tenant.basic": "Read basic Tenant Information"
            }
          }
        }
      }
    }

For reference, code in the documentation generation

var secScheme = new OpenApiSecurityScheme()
            {
                Type = SecuritySchemeType.OAuth2,
                BearerFormat = "JWT",
                Scheme = "bearer",
                In = ParameterLocation.Header,
                Name = "Authorization",
                Flows = new OpenApiOAuthFlows
                {
                    Implicit = new OpenApiOAuthFlow
                    {
                        AuthorizationUrl = new Uri($"{authServiceBaseUrl}/connect/authorize"),
                        TokenUrl = new Uri($"{authServiceBaseUrl}/connect/token"),
                        Scopes = new Dictionary<string, string>
                                    {
                                        {"sensors.read", "Read Sensors"},
                                        {"sensors.readwrite", "Read and Write Sensors"},
                                        {"datapoints.read", "Read DataPoints" },
                                        {"datapoints.readwrite", "Read and Write DataPoints"},
                                        {"sensortypes.read", "Read Sensor Types"},
                                        {"sensortypes.readwrite", "Read and Write Sensor Types"},
                                        {"devices.read", "Read Devices"},
                                        {"devices.readwrite", "Read and Write Devices"},
                                        {"sites.read", "Read Sites"},
                                        {"sites.readwrite", "Read and Write Sites"},
                                        {"tenant.basic", "Read basic Tenant Information"}
                                    }
                    }
                }
            };
            document.Components.SecuritySchemes.Add("oauth", secScheme);

Code for Identity server 4 to generate coresponding client

new Client { // client for the api documentation
                    ClientId = "swagger",
                    ClientName = "SenseAPI Documentation",
                    AllowedGrantTypes = GrantTypes.ImplicitAndClientCredentials,
                    AllowAccessTokensViaBrowser = true,
                    AllowedScopes = new List<string>
                    {
                        IdentityServerConstants.StandardScopes.OpenId,
                        IdentityServerConstants.StandardScopes.Profile,
                        IdentityServerConstants.StandardScopes.Email,
                        "role",
                        "sensors.read",
                        "sensors.readwrite",
                        "datapoints.read",
                        "datapoints.readwrite",
                        "sensortypes.read",
                        "sensortypes.readwrite",
                        "devices.read",
                        "devices.readwrite",
                        "sites.read",
                        "sites.readwrite",
                        "tenant.basic"
                    },
                    RedirectUris = new List<string> {
                        "https://localhost:44374/oauth2-redirect.html"
                    },
                    PostLogoutRedirectUris = new List<string> { "https://localhost:44374/signout" },
                    ClientSecrets = new List<Secret>
                    {
                        new Secret("somesecret")
                    }
                }

Code of the swaggerUI options to leverage that client

options.OAuthAppName("Swagger");
                    options.OAuthClientId("swagger");
                    options.OAuthClientSecret("somesecret");

[PerthCharern]

Thanks @baywet

For your Security Scheme object, I don't think you should have the extraneous properties:

var secScheme = new OpenApiSecurityScheme()
            {
                Type = SecuritySchemeType.OAuth2,
                Flows = new OpenApiOAuthFlows
                {
                    Implicit = new OpenApiOAuthFlow
                    {
                        AuthorizationUrl = new Uri($"{authServiceBaseUrl}/connect/authorize"),
                        TokenUrl = new Uri($"{authServiceBaseUrl}/connect/token"),
                        Scopes = new Dictionary<string, string>
                                    {
                                        {"sensors.read", "Read Sensors"},
                                        {"sensors.readwrite", "Read and Write Sensors"},
                                        {"datapoints.read", "Read DataPoints" },
                                        {"datapoints.readwrite", "Read and Write DataPoints"},
                                        {"sensortypes.read", "Read Sensor Types"},
                                        {"sensortypes.readwrite", "Read and Write Sensor Types"},
                                        {"devices.read", "Read Devices"},
                                        {"devices.readwrite", "Read and Write Devices"},
                                        {"sites.read", "Read Sites"},
                                        {"sites.readwrite", "Read and Write Sites"},
                                        {"tenant.basic", "Read basic Tenant Information"}
                                    }
                    }
                }
            };
            document.Components.SecuritySchemes.Add("oauth", secScheme);

And regarding adding something to signify that this works with openIdConnect, the spec doesn't really provide an explicit way to do that. Adding openIdConnectUrl when flows is still present seems to violate the spec (though this is somewhat ambiguous as well). The (theoretical) impact would be that tools may not understand how to interpret this correctly and causes an issue with your oAuth flows as well.

If you want this info to be somewhere in the doc, maybe you can extend it with an extension, i.e. add x-openIdConnectUrl as an extension property. Of course, the standard tools out there would still not be able to render it, but at least this doc will conform to the spec, and the tool should be able to render the oAuth flows correctly without any ambiguity.

[baywet]

Thanks! I updated that as well, still works perfect.
Ok for the OIDC thing, I think I'll leave my open API doc with OAuth documented and add the OIDC support in the general documentation (outside of open API) for the front end team.
Big thanks to you @PerthCharern and @darrelmiller for the support on that! I'll close the issue now.