RequestValidationError thrown in OAuth2PasswordRequestForm can't be parsed by Swagger UI

[btonasse]

First Check

• I added a very descriptive title here.
• I used the GitHub search to find a similar question and didn't find it.
• I searched the FastAPI documentation, with the integrated search.
• I already searched in Google "How to X in FastAPI" and didn't find any information.
• I already read and followed all the tutorial in the docs and didn't find an answer.
• I already checked if it is not related to FastAPI but to Pydantic.
• I already checked if it is not related to FastAPI but to Swagger UI.
• I already checked if it is not related to FastAPI but to ReDoc.

Commit to Help

• I commit to help with one of those options 👆

Example Code

from fastapi import FasAPI, Depends, HTTPException, status
from fastapi.security import OAuth2PasswordBearer

app = FastAPI()

correct_user = "placeholder"
correct_pwd = "placeholder"

@app.post("/token")
async def login(form_data: Annotated[OAuth2PasswordRequestForm, Depends()]):
    if not form_data.username != correct_user or not form_data.password != correct_pwd:
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Incorrect username or password", headers={"WWW-Authenticate": "Bearer"})
    return {"message": "whatever"}

Description

When using OAuth2PasswordRequestForm as a dependency, sending empty username or password will raise a RequestValidationError, which by default returns a complex object instead of a string.

The problem is that Swagger UI cannot consume this, resulting in the following:

One could argue this is a Swagger UI issue, but should an empty username or password really raise a RequestValidationError? This is an auth issue and should be handled in the auth layer of the app. So it's not really a validation issue.

Besides, nothing in the example above is custom behavior. Fastapi works like this out of the box, and it feels weird that the default, out-of-the-box behavior of the fastapi+swagger integration doesn't work quite well.

What do you think?

Operating System

Linux, Windows

Operating System Details

No response

FastAPI Version

0.112.2

Pydantic Version

2.8.2

Python Version

3.12.5

Additional Context

Here's the SO question for more details: https://stackoverflow.com/questions/78960147/objects-in-error-response-cant-be-parsed-by-swagger-ui

[YuriiMotov]

One could argue this is a Swagger UI issue, but should an empty username or password really raise a RequestValidationError? This is an auth issue and should be handled in the auth layer of the app. So it's not really a validation issue.

I disagree here. Authorization issue is when you are trying to access protected endpoint without providing appropriate token. Then you should (and will) have 401 or 403 response.
But not providing login or password to login endpoint should cause request validation error.

I think everything works correctly here. The only thing that might be improved here is that Swagger could show clearer error message instead of Error: Unprocessable Entity (i'm talking about basic code example from FastAPI's docs)

[btonasse]

Fair enough. I guess I should raise this for the swagger team