You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
By default, the project uses the implicit flow to authorize in Swagger UI as it's the only method that works with CSRF enabled and Keycloak. To test other authorization methods, check out the Experimental Authorization configurations for Swagger UI section in project's README.md.
How can we help?
The only Swagger UI config that works is for the implicit flow. However, as we can read in the Open API specification: "Please note that as of 2020, the implicit flow is about to be deprecated by OAuth 2.0 Security Best Current Practice. Recommended for most use case is Authorization Code Grant flow with PKCE." (see Security Scheme Object).
At the moment, the Swagger configs in the example project for the OpenID Connect Discovery scheme, the Authorization Code and Password flows won't work with Spring Boot csrf protection enabled for Springdoc. To see Available authorizations I have to disable Springdoc CSRF support which breaks POST endpoints. Otherwise, the Available authorizations list is empty as shown on the following screenshot (for the OpenId Connect Discovery security scheme):
It seems that Swagger adds the X-XSRF-TOKEN to the request when asking for the openid-configuration which is not accepted by Keycloak:
Access to fetch at 'http://127.0.0.1:8024/auth/realms/Spring-Boot-Example/.well-known/openid-configuration' from origin 'http://localhost:8080' has been blocked by CORS policy: Request header field x-xsrf-token is not allowed by Access-Control-Allow-Headers in preflight response.
I want to keep the CSRF protection enabled in my Spring Boot API (and Springdoc) as I'm planning to serve frontend with Angular. Furthermore, in the The OAuth 2.0 Authorization Framework specification we can read: "The client MUST implement CSRF protection" (see https://datatracker.ietf.org/doc/html/rfc6749#section-10.12).
My main question is: Is there a way to replace the implicit flow in Swagger UI but keep CSRF protection in my API?
Related issues
The problem was already raised in other places but no solution or in-depth discussion was provided:
Q&A (please complete the following information)
org.springdoc:springdoc-openapi-ui
)Content & configuration
Swagger/OpenAPI definition:
Example project
To demonstrate my problem, I created an example Spring Boot project with a dockerized Keycloak server: Demo Spring Boot app showing Swagger UI secured with Keycloak.
The project has csrf protection enabled as configured in the SecurityConfig.java class. To make the POST request work, the project configures Springodoc to enable CSRF support.
By default, the project uses the implicit flow to authorize in Swagger UI as it's the only method that works with CSRF enabled and Keycloak. To test other authorization methods, check out the Experimental Authorization configurations for Swagger UI section in project's README.md.
How can we help?
The only Swagger UI config that works is for the
implicit
flow. However, as we can read in the Open API specification: "Please note that as of 2020, the implicit flow is about to be deprecated by OAuth 2.0 Security Best Current Practice. Recommended for most use case is Authorization Code Grant flow with PKCE." (see Security Scheme Object).At the moment, the Swagger configs in the example project for the
OpenID Connect Discovery
scheme, theAuthorization Code
andPassword
flows won't work with Spring Boot csrf protection enabled for Springdoc. To seeAvailable authorizations
I have to disable Springdoc CSRF support which breaks POST endpoints. Otherwise, theAvailable authorizations
list is empty as shown on the following screenshot (for the OpenId Connect Discovery security scheme):It seems that Swagger adds the
X-XSRF-TOKEN
to the request when asking for theopenid-configuration
which is not accepted by Keycloak:I want to keep the CSRF protection enabled in my Spring Boot API (and Springdoc) as I'm planning to serve frontend with Angular. Furthermore, in the The OAuth 2.0 Authorization Framework specification we can read: "The client MUST implement CSRF protection" (see https://datatracker.ietf.org/doc/html/rfc6749#section-10.12).
My main question is: Is there a way to replace the
implicit
flow in Swagger UI but keep CSRF protection in my API?Related issues
The problem was already raised in other places but no solution or in-depth discussion was provided:
Swagger UI: X-XSRF-TOKEN is sent to OAuth2 token url · Issue #1036 · springdoc/springdoc-openapi · GitHub
Authentication for OIDC on openapi-ui · Issue #1007 · springdoc/springdoc-openapi · GitHub and openid connect - Available authorization modal on swagger-ui is not populated for OIDC security scheme - Stack Overflow
I hope that we can explore the issue here.
The text was updated successfully, but these errors were encountered: