Open
Description
- OS: All
- Browser: Firefox
- Method of installation: dist package
- Swagger-UI version: 3.37.1
- Swagger/OpenAPI version: OpenAPI 3.0
Query is regarding using OIDC in Swagger UI. Swagger UI is hosted on a Liberty server. The server has oidcClient configured, and a REST API gives all the information regarding client credentials, redirect URL, etc. With the current implementation it seems that it takes the discovery URL and the user is supposed to enter the credentials. But these might not be known to all the users. What I need is that Swagger UI takes the credentials from the server and then redirects directly to the login page of the OIDC provider. Can anyone please help with this?
Activity
trickert76 commented on Sep 2, 2021
Is this secure? Should there be a "service" that exposes the client secret of an OIDC client? It is called a secret, and the Swagger UI is JavaScript and runs inside the user's scope, where the client secret should not be known to the user. Also, the ability to load a secret from a server: this would be a publicly reachable URL, so everybody could read the content.
In other words - the Swagger UI is a separate "public" client in the OIDC realm which doesn't need a secret.
Mathias02 commented on Mar 24, 2025
[BANSAL-PALLAVI]: It's been a while for this Pull Request. If I understand correctly, are the user credentials exposed with the current implementation?
trickert76 commented on Apr 1, 2025
It's bad practice to store client credentials in the HTML/JS page and expose them to any user that can reach that page. For dev environments it may be OK, but not in general. I would expect something like a public client config (which doesn't require a secret) that uses allowed redirects on the OIDC service side. There are many examples out there, like https://www.keycloak.org/securing-apps/javascript-adapter. Line 42 with clientSecret is marked as optional, but I would just remove it and then it's OK.
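As an added illustration of the public-client setup trickert76 describes (this is example code, not from the Swagger UI project, the Liberty server, or any commenter here): the snippet below builds the object a page would pass to Swagger UI's `initOAuth` for a public client with PKCE and no `clientSecret`, and runs a small lint over that object plus the OpenAPI `securitySchemes` to flag the patterns discussed in the thread. The client id, the IdP URLs, and the `securitySchemes` document are constructed placeholders; `clientId`, `scopes` and `usePkceWithAuthorizationCodeGrant` are real `initOAuth` options, and the IdP must still list the Swagger UI page's URL as an allowed redirect URI.

```javascript
// Constructed sample of OpenAPI 3.0 securitySchemes as a Swagger UI page might
// load them. The openIdConnectUrl and authorizationUrl are placeholders.
const securitySchemes = {
  oidc: {
    type: "openIdConnect",
    openIdConnectUrl: "https://idp.example.test/.well-known/openid-configuration",
  },
  legacyOauth: {
    type: "oauth2",
    flows: {
      implicit: {
        authorizationUrl: "https://idp.example.test/auth",
        scopes: { openid: "OpenID Connect scope" },
      },
    },
  },
};

// Build the object for SwaggerUIBundle(...).initOAuth(...) for a *public* client.
// There is deliberately no clientSecret key: in the browser the secret would be
// readable by every user, so PKCE plus a registered redirect URI replaces it.
function publicClientOAuthConfig(clientId, scopes) {
  return {
    clientId,
    scopes: scopes.join(" "),
    usePkceWithAuthorizationCodeGrant: true,
  };
}

// Lint an initOAuth config together with the OpenAPI securitySchemes and return
// the findings a reviewer would raise. An empty array means nothing was flagged.
function lintBrowserOidcSetup(oauthConfig, schemes) {
  const findings = [];
  if (typeof oauthConfig.clientSecret === "string" && oauthConfig.clientSecret.length > 0) {
    findings.push("clientSecret present: it ships to every user's browser; use a public client instead");
  }
  if (oauthConfig.usePkceWithAuthorizationCodeGrant !== true) {
    findings.push("PKCE disabled: enable usePkceWithAuthorizationCodeGrant for the authorization code flow");
  }
  for (const [name, scheme] of Object.entries(schemes)) {
    const flows = (scheme.type === "oauth2" && scheme.flows) || {};
    if (flows.implicit) {
      findings.push(`scheme "${name}" uses the implicit flow; prefer authorizationCode with PKCE`);
    }
    if (flows.clientCredentials) {
      findings.push(`scheme "${name}" offers clientCredentials to the browser; that flow needs a secret`);
    }
  }
  return findings;
}

// Usage: compare a config that embeds a secret with the public-client config.
const withSecret = { clientId: "swagger-ui", clientSecret: "placeholder-secret" };
console.log(lintBrowserOidcSetup(withSecret, securitySchemes));
console.log(lintBrowserOidcSetup(publicClientOAuthConfig("swagger-ui", ["openid"]), { oidc: securitySchemes.oidc }));
```

The lint only inspects what the page would ship to the browser; it does not check the IdP's redirect-URI allow list, which is configured on the OIDC service side as the comment notes.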