Authorization Header not getting displayed in CURL #5715

Open
shivaprasad573 opened this issue Nov 15, 2019 · 13 comments

@shivaprasad573

I am trying to use the Authorization header in the swagger latest version.
You can try the above YAML configuration in Swagger Editor.

You can observe that the Authorization header which I added in the header section is not included in the CURL command.

openapi.txt

Help me to add an Authorization header into my API.

@shivaprasad573 shivaprasad573 changed the title Authorization Header issue Authorization Header not getting displayed in CURL issue Nov 15, 2019
@shivaprasad573 shivaprasad573 changed the title Authorization Header not getting displayed in CURL issue Authorization Header not getting displayed in CURL Nov 15, 2019
@webron
Contributor

webron commented Nov 16, 2019

The specification does not allow explicitly adding Authorization header. For more information, please read https://swagger.io/docs/specification/describing-parameters/#header-parameters.

@hkosova
Contributor

hkosova commented Nov 18, 2019

The Authorization header needs to be defined as a security scheme. In your example it should look like this:

components:
  securitySchemes:
    auth:
      type: apiKey
      in: header
      name: Authorization

security:
  - auth: []
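The rule stated in the two replies above can be checked mechanically before a spec is published. The following is an added example, not part of the thread or of swagger-ui: it walks an OpenAPI 3 document (already parsed into an object) and reports header parameters that OAS3 ignores, plus an Authorization security scheme that is missing or defined but never applied. `lintAuthHeader`, the rule names and both sample specs are assumptions made for illustration, and it covers `Accept` and `Content-Type` as well, which OpenAPI 3 ignores in the same way.

```javascript
// Added example; lintAuthHeader and its rule names are illustrative, not a swagger API.
const IGNORED = new Set(['authorization', 'accept', 'content-type']);
const METHODS = ['get', 'put', 'post', 'delete', 'options', 'head', 'patch', 'trace'];

// True when a security scheme makes the client send an Authorization header.
const sendsAuthorization = (s) => (s.type === 'apiKey'
  ? s.in === 'header' && String(s.name).toLowerCase() === 'authorization'
  : ['http', 'oauth2', 'openIdConnect'].includes(s.type));

function lintAuthHeader(spec) {
  const findings = [];
  const comps = spec.components || {};
  const applied = new Set(); // scheme names referenced by any security requirement
  let authParam = false;
  // Resolve local "#/components/parameters/<name>" references only.
  const deref = (p) => (p.$ref ? (comps.parameters || {})[p.$ref.split('/').pop()] || {} : p);
  const checkParams = (params, where) => (params || []).map(deref).forEach((p) => {
    const name = String(p.name).toLowerCase();
    if (p.in !== 'header' || !IGNORED.has(name)) return;
    authParam = authParam || name === 'authorization';
    findings.push({ rule: 'ignored-header-param', where, name: p.name });
  });
  const collect = (reqs) => (reqs || []).forEach((r) => Object.keys(r).forEach((k) => applied.add(k)));
  collect(spec.security);
  for (const [path, item] of Object.entries(spec.paths || {})) {
    checkParams(item.parameters, path);
    for (const m of METHODS.filter((x) => item[x])) {
      checkParams(item[m].parameters, `${m.toUpperCase()} ${path}`);
      collect(item[m].security);
    }
  }
  const schemes = Object.entries(comps.securitySchemes || {})
    .filter(([, s]) => sendsAuthorization(s)).map(([n]) => n);
  if (schemes.length === 0 && authParam) {
    findings.push({ rule: 'no-authorization-scheme', where: 'components.securitySchemes' });
  } else if (schemes.length > 0 && !schemes.some((n) => applied.has(n))) {
    findings.push({ rule: 'scheme-not-applied', where: 'security' });
  }
  return findings;
}

// Constructed samples: the pattern from the issue, then the fix given in the thread.
const broken = { paths: { '/items': { get: { parameters: [{ in: 'header', name: 'Authorization' }] } } } };
const fixed = {
  components: { securitySchemes: { auth: { type: 'apiKey', in: 'header', name: 'Authorization' } } },
  security: [{ auth: [] }],
  paths: { '/items': { get: {} } },
};
console.log(lintAuthHeader(broken), lintAuthHeader(fixed));
```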

@shivaprasad573
Author

Thanks for your reply @hkosova, but the above approach didn't work for me. Find the screenshot for more details, and let me know what I am missing in it.

Screenshot (27)

@hkosova
Contributor

hkosova commented Nov 18, 2019

@shivaprasad573 you need to remove the Authorization header from parameters. Then in the UI panel, click the green "Authorize" button at the top (this button is added by the security scheme) and enter the value for the Authorization header. Then test the request again.

@shivaprasad573
Author

shivaprasad573 commented Nov 18, 2019

Thanks, @hkosova, it worked :), but in my use case I should remove that Authorize button at the top (I should not use it), so I want to pass/send the Authorization header and its value from YAML code only.
Can you help me with this?

@hkosova
Contributor

hkosova commented Nov 18, 2019

Could you please clarify what you mean by "pass ... value from YAML code only"?

@shivaprasad573
Author

shivaprasad573 commented Nov 18, 2019

Sure @hkosova, in my use case, my application will generate one key, and I have to send that key as the Authorization header.

@shivaprasad573
Author

shivaprasad573 commented Nov 19, 2019

@hkosova / @webron / @shockey please can you provide some solution to this issue?

@ffroliva

ffroliva commented May 6, 2020

A sample code that works.

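import java.util.Collections;

import io.swagger.v3.oas.models.Components;
import io.swagger.v3.oas.models.OpenAPI;
import io.swagger.v3.oas.models.info.Info;
import io.swagger.v3.oas.models.security.SecurityRequirement;
import io.swagger.v3.oas.models.security.SecurityScheme;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class OpenApiConfig {

    private static final String API_KEY = "apiKey";

    @Bean
    public OpenAPI customOpenAPI() {
        return new OpenAPI()
                .components(new Components()
                        .addSecuritySchemes(API_KEY, apiKeySecuritySchema())) // define the apiKey SecurityScheme
                .info(new Info().title("Title API").description(
                        "RESTful services documentation with OpenAPI 3."))
                // then apply it; if you don't apply it, it will not be added to the header in cURL
                .security(Collections.singletonList(new SecurityRequirement().addList(API_KEY)));
    }

    public SecurityScheme apiKeySecuritySchema() {
        return new SecurityScheme()
                .name(Constants.AUTHORISATION_TOKEN) // authorisation-token (Constants is the poster's own class)
                .description("Description about the TOKEN")
                .in(SecurityScheme.In.HEADER)
                .type(SecurityScheme.Type.APIKEY);
    }
}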

@Sathyananth

Thought, it may help someone who are facing same problem.
For adding the Authorization header to cURL, add the @SecurityScheme annotation with type, name, scheme... to the class, and add the @SecurityRequirement annotation with the same name to the method or to the class itself. You need to create the authorization before "Try it out", using the "Authorize" button in the Swagger HTML page.

@SecurityScheme(type = SecuritySchemeType.HTTP, scheme = "basic", name = "Authorization")
public class ClassName {

    @GET
    @SecurityRequirement(name = AUTHORIZATION)
    public Response methodName() {
        ....
    }
}

@amitrajitbose

Thanks @Sathyananth . It worked 👍🏼

@jjmin321

Thanks a lot @Sathyananth

@rick-ame

rick-ame commented Nov 17, 2023

I saw this issue is still open, I ran into the same problem recently because of tech debt, routes use several auth strategies and global auth is so inconvenient. I added a plugin to the swagger-ui and solved this problem. (tested on swagger 3.x, 4.x)

export default function() {
    let authorization;

    return {
        statePlugins: {
            spec: {
                wrapActions: {
                    executeRequest: (ori) => (req) => {
                        const { parameters } = req;
                        const auth = parameters['header.Authorization'] || parameters['header.authorization'];

                        authorization = auth;

                        return ori(req);
                    },
                    setMutatedRequest: (ori) => (path, method, req) => {
                        if (authorization) {
                            /**
                             * Because of `let parsedMutatedRequest = Object.assign({}, mutatedRequest)` in source,
                             * Change parsedMutatedRequest nested value affects mutatedRequest because of shallow copy.
                             * Another way is to use `requestInterceptor`
                             */
                            req.headers.Authorization = authorization;
                            authorization = undefined;
                        }
                        return ori(path, method, req);
                    }
                }
            }
        }
    };
}
SwaggerUI({
    ...
    plugins: [
        ...
        the_plugin
    ],
    ...
});

You should be aware of what you are doing when using this method, because this is against the standard. By the way, this hides the global auth.

The Authorization header is filtered here https://github.com/swagger-api/swagger-js/blob/master/src/execute/oas3/parameter-builders.js#L68 and the plugin just adds it back.
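The `requestInterceptor` route mentioned in the plugin's comment above, sketched as an added example that is not part of the thread or of swagger-ui. It attaches an application-generated key only to requests going to the API's own origin, so the credential is not sent along when Swagger UI fetches a spec or calls a server on another host. `makeAuthInterceptor`, `getToken`, `apiOrigin` and the `example.test` host are hypothetical names chosen for illustration.

```javascript
// Added example; makeAuthInterceptor, getToken and apiOrigin are hypothetical names.
function makeAuthInterceptor(getToken, apiOrigin) {
  const allowed = new URL(apiOrigin).origin;
  return function requestInterceptor(req) {
    let origin;
    try {
      origin = new URL(req.url).origin;
    } catch (e) {
      return req; // relative or unparsable URL: fail closed, send no credential
    }
    // Never attach the credential to other hosts (e.g. a remotely hosted spec).
    if (origin !== allowed) return req;
    req.headers = req.headers || {};
    // Keep a value that is already present, such as one entered via "Authorize".
    const existing = Object.keys(req.headers)
      .find((h) => h.toLowerCase() === 'authorization');
    if (!existing) {
      const token = getToken();
      if (token) req.headers.Authorization = token;
    }
    return req; // Swagger UI expects the (possibly modified) request back
  };
}

// Constructed usage, with a placeholder key source:
// SwaggerUI({ ..., requestInterceptor: makeAuthInterceptor(() => key, 'https://api.example.test') })
```

Fetching the key at request time through `getToken` keeps it out of the spec file and the page source.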
