
OAuth2 application flow losing token after authorization request has been sent with IdentityServer3 #2431

Closed
jborn opened this issue Sep 29, 2016 · 1 comment

Comments

@jborn

jborn commented Sep 29, 2016

I'm trying to get swagger to authorize my "Client Credentials Flow"/application flow using the Swagger UI. I have a C# RESTful WebApi Service that I can test without issue via SoapUI. I capture the token request and response in Fiddler and see the token in the response. I do the same thing from the Swagger UI and also see the token in the response that was captured by Fiddler.

The Swagger UI then refreshes and I see another request to /swagger/docs/v1 captured in Fiddler. Using Chrome's developer tools I can trace the request to the Ajax request; once there I step over the Ajax request but set a breakpoint on the onOAuthComplete function in the swagger-oauth-js file. The first thing it does is check for the token, which is not set. I'm also not seeing a response in the Chrome developer tools for the token request; I can see the response/token in Fiddler, not the Chrome developer tools. (Same behavior in IE 10)

Any idea why the Response/token is being lost?

  • swagger-ui version 2.2.4 via Swashbuckle version 5.4.0
  • a swagger file reproducing the issue, wish I knew.
@jborn
Author

jborn commented Sep 29, 2016

OK, just as I was about to move on to something else I noticed a little red circle with an x in it in the Chrome developer tools; clicking on that brought me to this error message:
XMLHttpRequest cannot load http://security.RogueOne.com/core/connect/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:62561' is therefore not allowed access.

A little research into this shows that since security.RogueOne.com does not match localhost:62561 the response cannot be parsed. The response showed a content-length of 915, so I couldn't figure out why the "Response" tab in the Chrome developer tools didn't show anything. Firefox had this message: "SyntaxError: JSON.Parse: unexpected end of data at line 1 column 1 of the JSON data". Still not very helpful.

So the server needs to send a header of "Access-Control-Allow-Origin:http://localhost:62561" but isn't. I'm using IdentityServer3 so I modified my client by adding this:

```csharp
new Client
{
    ClientName = "SwaggerUI",
    Enabled = true,
    ClientId = "swaggerUI",
    ClientSecrets = new List<Secret>
    {
        new Secret("BigSecretWooH00".Sha256())
    },
    Flow = Flows.ClientCredentials,
    AllowClientCredentialsOnly = true,
    AllowedScopes = new List<string> { "Read" },
    Claims = new List<Claim>
    {
        new Claim("client_type", "headless"),
        new Claim("client_owner", "Portal"),
        new Claim("app_detail", "allow")
    },
    PrefixClientClaims = false,
    // Inserted lines below
    AllowedCorsOrigins = new List<string>
    {
        "http://localhost:62561/",
        "http://waportaldev.RogueOne.com",
        "https://waportaldev.RogueOne.com"
    }
}
```

Subsequent tests have Swagger UI front end processing a token and everything is working!

@jborn jborn closed this as completed Sep 29, 2016
@jborn jborn changed the title OAuth2 application flow losing token after authorization request has been sent OAuth2 application flow losing token after authorization request has been sent with IdentityServer3 Sep 29, 2016
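Added example, not from the issue or from IdentityServer3's own code: a small Python model of the per-client allow-list check a token endpoint should perform before emitting `Access-Control-Allow-Origin`. The allow list is constructed from the `AllowedCorsOrigins` values in the post (including the trailing slash on the localhost entry); the function names are hypothetical. Origins are compared as normalized scheme://host[:port] so that a configured URL with a path or trailing slash still matches the browser's `Origin` header, while a different port, scheme or host does not.

```python
from urllib.parse import urlsplit

# Constructed allow list modelled on the AllowedCorsOrigins entries in the post.
ALLOWED_CORS_ORIGINS = [
    "http://localhost:62561/",
    "http://waportaldev.RogueOne.com",
    "https://waportaldev.RogueOne.com",
]

_DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Reduce a URL or Origin header value to lower-case scheme://host[:port].

    Returns None for anything that is not an absolute URL (e.g. the literal
    'null' origin, an empty string or a malformed port).
    """
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in _DEFAULT_PORTS or not parts.hostname:
        return None
    origin = f"{parts.scheme}://{parts.hostname}"  # hostname is already lower-cased
    if port is not None and port != _DEFAULT_PORTS[parts.scheme]:
        origin += f":{port}"
    return origin


def is_origin_allowed(origin, allowed=ALLOWED_CORS_ORIGINS):
    """Exact match against the configured list: no wildcards, no suffix matching,
    and a missing or 'null' Origin is never allowed."""
    wanted = normalize_origin(origin) if origin else None
    if wanted is None:
        return False
    return any(normalize_origin(entry) == wanted for entry in allowed)


def cors_headers_for_token_response(request_headers, allowed=ALLOWED_CORS_ORIGINS):
    """CORS headers the token endpoint adds for a cross-origin request.

    Only an allow-listed origin is echoed back; the raw Origin header is never
    reflected and '*' is never used. With no matching header the browser
    delivers the token to the network (visible in Fiddler) but withholds the
    body from the page's JavaScript, which is the symptom described above.
    """
    origin = request_headers.get("Origin")
    if not is_origin_allowed(origin, allowed):
        return {}
    return {"Access-Control-Allow-Origin": normalize_origin(origin), "Vary": "Origin"}
```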