Authorization header not sent using "try it out", with SecuritySchemes Basic

[taciosd]

Q&A (please complete the following information)

• OS: Ubuntu 18.10
• Browser: Firefox 60.5.1
• swagger-ui-3.24.0
• Swagger/OpenAPI version: OpenAPI 3.0.1
  Using Swagger-ui through org.webjars.swagger-ui:3.24.0 fork that is used by gradle-swagger-generator-plugin:2.15.1

Content & configuration

openapi: 3.0.1
info:
  title: xxx
  description: yyy
  contact:
    email: a@b.com.br
  version: "1.0"
externalDocs:
  description: Something
  url: https://someurl.com.br
servers:
- url: http://dsv:7422/
  description: DSV
  variables: {}
- url: http://qld:7422/
  description: QLD
  variables: {}
- url: http://hmg:7422/
  description: HMG
  variables: {}
tags:
- name: Bloco
paths:
  /blocks/query:
    get:
      tags:
      - Bloco
      summary: Something
      description: SomeDescription
      operationId: getBlocks
      parameters:
      - name: anpBlockType
        in: query
        description: queryparamDescription
        schema:
          type: string
      responses:
        "200":
          description: Sucess!
      security:
      - myLdapAuth: []
components:
  securitySchemes:
    myLdapAuth:
      type: http
      scheme: basic

Screenshots

How can we help?

The swagger page shows this curl command for the operation "query":
curl -X GET "http://dsv:7422/blocks/query?anpBlockType=prod" -H "accept: application/json" -H "Authorization: Basic "

Bu when it sends the request it sends with no Authorization header:

Host: dsv:7422
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization
Origin: http://dsv:7422
Connection: keep-alive

I'm generating the openapi.yaml with java annotations.

Do you know what is wrong?

[webron]

Have you provided your basic auth credentials in the UI? (Using the Authorize button or the lock icon next to the operation)

[hkosova]

Those HTTP headers seem to be from a preflight OPTIONS request (part of CORS checking process) and not from the actual GET request. What is the response to that OPTIONS request?

[taciosd]

Have you provided your basic auth credentials in the UI? (Using the Authorize button or the lock icon next to the operation)

Hi @webron . Yes, I provided the auth credentials through the Authorize button before trying to execute the request.

[webron]

@taciosd take a look at @hkosova's comment. When I try your API definition, I don't encounter the same issue...

[taciosd]

@webron @hkosova Thank you for the fast feedback. You are right, my server isn't dealing with CORS requests in the proper way. I made some tests here and that is the issue.
I will close this issue. Thank you again!