OAuth "realm" option unclear

[ankon]

In index.html the initOAuth function from swagger-oauth.js requires a realm option. I couldn't find any documentation on this parameter, and it seems to be used only as a parameter for the initial authorization request. There seems to be no specification on the oauth side though for this parameter, the only mention I could find was that a provider might use a realm attribute in the WWW-Authenticate header.

With that: what was the intent of this parameter, and, could it maybe just be dead code that can be removed?

[ecosgrave]

The OAuth2 spec doesn't use realm but some authorization servers do recognize it as a way of identifying the resource being accessed; likely a relic of SAML based token issuance. Azure's ACS had the concept of realm for example.

The intent is to identify the resource the caller wants to access. To use OAuth2 with Azure Active Directory (AAD) I'd to switch the realm query parameter to resource as that is what AAD expects. Same concept, just a different name.

Neither the realm nor resource parameters are part of the OAuth spec. so not really a bug, but not useful either. I can confirm that changing realm to resource when constructing the token URL in swagger-oauth.js allows Swagger UI to work with the AAD OAuth flow (though not in IE).

[fehguy]

Please reopen if there's still an issue here, it seems like the request is for non oauth2 calls.

[gambrose]

If realm is not part of oauth2 spec and only recognized by some authorization servers why does swagger ui require it to be present?

Sorry to be reopening an old issue but having been struggling to work out the meaning of the realm in my scenario. I think that realm being required is what made me think it was more important than it is.

[RehanSaeed]

realm seems to be a required parameter when it should really be optional. I'm just passing a - for it's value as a workaround. I'm also having to manually provide a resource parameter and value.