
SwaggerUI OAuth2 clientCredentials authentication #4533

Closed
jochenjonc opened this issue May 9, 2018 · 12 comments

Comments

@jochenjonc

Q&A (please complete the following information)

  • OS: Windows
  • Browser: Chrome
  • Version: [e.g. 22]
  • Method of installation: [e.g. npm, dist assets]
  • Swagger-UI version: 3.13.2
  • Swagger/OpenAPI version: Swashbuckle.AspNetCore 2.4.0

Content & configuration

Example Swagger/OpenAPI definition:

```json
"securityDefinitions": {
  "oauth2": {
    "flow": "application",
    "tokenUrl": "https://*****/oauth/token",
    "scopes": {
      "read": "Read access"
    },
    "type": "oauth2"
  },
...
"security": [
  {
    "oauth2": [
      "read"
    ]
  },
```

Swagger-UI configuration options:
None

Describe the bug you're encountering

I configured Swagger to use the oauth2 clientCredentials flow and I get the following screen in Swagger UI for authentication.

[screenshot: Swagger UI authentication dialog]

But when I fill in the client_id and client_secret and I press Authorize I get an error.

When I look at the actual POST Swagger UI does I see the following issues.

  • In the header I see Content-Type: application/x-www-form-urlencoded instead of application/json
  • In the header I also have Authorization: Basic ****, but I wasn't expecting that; the client_id & client_secret should have been part of the body
  • In the body I only have grant_type: client_credentials & scope: read, and I'm missing the client_id & client_secret

I think it is a bug, but maybe I'm doing something wrong?

@shockey
Contributor

shockey commented May 10, 2018

Hmm, this does seem strange.

Do you have a live server I can test this against, @jochenjonc?

@jochenjonc
Author

@shockey I don't have a live server available

@jochenjonc
Author

What I'm actually trying to do is use Auth0 for authentication in Swagger.

```shell
curl --request POST \
  --url 'https://***.eu.auth0.com/oauth/token' \
  --header 'content-type: application/json' \
  --data '{"grant_type":"client_credentials","client_id": "YOUR_CLIENT_ID","client_secret": "YOUR_CLIENT_SECRET","audience": "https://psfl.eu.auth0.com/api/v2/"}'
```

As you can see they use a json body to send all parameters. Is there a way to do this with swagger-ui?

@dgwaldo

dgwaldo commented Jul 25, 2018

@jochenjonc Did you ever find a way around this?

Looking at the code, it looks like there isn't a simple way to do this without a modification to this class...
https://github.com/swagger-api/swagger-ui/blob/master/src/core/oauth2-authorize.js

I'm utilizing Swashbuckle with .Net Core and I can get my data onto the authConfigs object, but it does no good because oauth2-authorize.js doesn't pass that object as the json on the request...

```csharp
c.OAuthAdditionalQueryStringParams(new { audience = _appConfig.Auth0Settings.Audience });
```

@jochenjonc
Author

@dgwaldo I never got around this and I just use a Bearer Token I generate via the Auth0 website.

@shockey
Contributor

shockey commented Jul 31, 2018

Closing - sounds like this is resolved.

I don't know much about Auth0 in particular, but if anyone has observations on how we can support it better in Swagger UI, feel free to open a feature request 😄

@shockey shockey closed this as completed Jul 31, 2018
@dgwaldo

dgwaldo commented Aug 2, 2018

I did a bit of a hacky workaround: http://waldoscode.blogspot.com/2018/07/using-swashbuckle-or-swagger-ui-with.html

@shockey, I think all that would be needed is for the json object being posted to allow for an audience to be passed... If I get time I might try and work something up.

@MattHartz

Support for this would be really nice

@soliveira

I believe the issue is here:
https://github.com/swagger-api/swagger-ui/blob/054d450a45474cd8099622b73653349bea4ec7e9/src/core/plugins/auth/actions.js

It is missing the ClientId and ClientSecret in the form.

```javascript
// Excerpt from swagger-ui's src/core/plugins/auth/actions.js (linked above).
// scopeSeparator and buildFormData are defined/imported elsewhere in that file.
export const authorizeApplication = ( auth ) => ( { authActions } ) => {
  let { schema, scopes, name, clientId, clientSecret } = auth
  // client credentials are sent as an HTTP Basic header ...
  let headers = {
    Authorization: "Basic " + btoa(clientId + ":" + clientSecret)
  }
  // ... and the form body carries only grant_type and scope,
  // so client_id / client_secret never appear in the body
  let form = {
    grant_type: "client_credentials",
    scope: scopes.join(scopeSeparator)
  }

  return authActions.authorizeRequest({body: buildFormData(form), name, url: schema.get("tokenUrl"), auth, headers })
}
```

@shockey
Contributor

shockey commented Nov 12, 2018

@soliveira, per the OAuth spec, client_id and client_secret shouldn't be included in the access token request body:

Quoting myself, quoting the spec:

Clients in possession of a client password MAY use the HTTP Basic authentication scheme as defined in [RFC2617] to authenticate with the authorization server [...] The authorization server MUST support the HTTP Basic authentication scheme for authenticating clients that were issued a client password.

Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes).

Since Swagger UI is able to use HTTP basic to transmit the client credentials, we do that instead of including it in the request body.

See #4905 (comment) for more context.
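The two request shapes this thread compares, the Basic-header form that Swagger UI sends (the RFC 6749 section 2.3.1 behaviour shockey quotes above) and the JSON body with `client_id`, `client_secret` and `audience` that the Auth0 curl example posted earlier uses, side by side as an added example. This is not swagger-ui code and not from any participant; the tenant URL, client id, client secret and audience are constructed placeholders, and Node's `Buffer` stands in for the browser's `btoa`/`atob`. Nothing is sent over the network; the functions only build and inspect the requests so the difference the opening post observed can be checked offline.

```javascript
// Added example (not swagger-ui code): build, without sending, the two shapes
// of OAuth2 client_credentials token request compared in this thread.
// Shape A is what Swagger UI sends per RFC 6749 section 2.3.1: credentials in
// an HTTP Basic header, form-urlencoded body with grant_type and scope only.
// Shape B is what the Auth0 curl example in the thread uses: a JSON body
// carrying client_id, client_secret and the Auth0-specific "audience".
// All values below are constructed placeholders, not real credentials.

const SAMPLE = {
  tokenUrl: "https://tenant.example.auth0.com/oauth/token", // constructed
  clientId: "example-client-id",                            // constructed
  clientSecret: "example-client-secret",                    // constructed
  scopes: ["read"],
  audience: "https://tenant.example.auth0.com/api/v2/",     // constructed
};

// RFC 6749 section 2.3.1: client_id and client_secret are form-urlencoded,
// then used as the Basic username and password. encodeURIComponent is a close
// stand-in for that encoding here; swagger-ui itself (actions.js excerpt
// above) calls btoa(clientId + ":" + clientSecret) without encoding.
function basicAuthHeader(clientId, clientSecret) {
  const userinfo = `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`;
  return "Basic " + Buffer.from(userinfo, "utf8").toString("base64");
}

// Shape A: what Swagger UI's authorizeApplication produces.
function buildBasicFormRequest({ tokenUrl, clientId, clientSecret, scopes }) {
  const form = new URLSearchParams({
    grant_type: "client_credentials",
    scope: scopes.join(" "),
  });
  return {
    method: "POST",
    url: tokenUrl,
    headers: {
      "Content-Type": "application/x-www-form-urlencoded",
      Authorization: basicAuthHeader(clientId, clientSecret),
    },
    body: form.toString(),
  };
}

// Shape B: the JSON-body request Auth0's documentation shows. Credentials in
// the body is the form RFC 6749 marks NOT RECOMMENDED; it also carries the
// "audience" parameter that Swagger UI currently has no way to add.
function buildJsonBodyRequest({ tokenUrl, clientId, clientSecret, audience }) {
  return {
    method: "POST",
    url: tokenUrl,
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({
      grant_type: "client_credentials",
      client_id: clientId,
      client_secret: clientSecret,
      audience,
    }),
  };
}

// Authorization-server side: recover client_id/client_secret from a Basic
// header (the scheme the RFC says a server MUST support). Returns null when
// the header is absent, not Basic, or lacks the ":" separator.
function parseBasicAuth(headerValue) {
  if (typeof headerValue !== "string" || !headerValue.startsWith("Basic ")) return null;
  const decoded = Buffer.from(headerValue.slice("Basic ".length), "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  if (sep < 0) return null;
  return {
    clientId: decodeURIComponent(decoded.slice(0, sep)),
    clientSecret: decodeURIComponent(decoded.slice(sep + 1)),
  };
}

// Check the three observations from the opening post against a request:
// form content type, Basic header present, credentials absent from the body.
function describeRequest(req) {
  const isForm = req.headers["Content-Type"] === "application/x-www-form-urlencoded";
  const params = isForm
    ? Object.fromEntries(new URLSearchParams(req.body))
    : JSON.parse(req.body);
  return {
    formEncoded: isForm,
    basicHeader: typeof req.headers.Authorization === "string"
      && req.headers.Authorization.startsWith("Basic "),
    credentialsInBody: "client_id" in params && "client_secret" in params,
    bodyParams: Object.keys(params).sort(),
  };
}
```

Running `describeRequest(buildBasicFormRequest(SAMPLE))` reproduces exactly what the opening post saw (form-encoded, Basic header, body limited to `grant_type` and `scope`), while `describeRequest(buildJsonBodyRequest(SAMPLE))` shows the Auth0 shape; `parseBasicAuth` is the server-side counterpart that any RFC 6749 authorization server has to implement, which is why the Basic form is the one Swagger UI defaults to.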

@friendly-tech

I am still having this issue; it's an issue with not being able to pass the audience parameter in the request body, which causes the error from auth0:
"Non-global clients are not allowed access to APIv1"

Passing in the querystring doesn't appear to work.

Would be nice to have similar functionality as OAuthAdditionalQueryStringParams, something like OAuthAdditionalRequestParams

@shockey
Contributor

shockey commented Jan 15, 2019

@crazyman1979, this is a resolved support ticket - please open a new issue if you're having problems!

@swagger-api swagger-api locked as resolved and limited conversation to collaborators Jan 15, 2019