Add "Client credentials location" combo box to "clientCredentials" OAuth flow authorization dialog instead of making the aforementioned control exclusive to password flow
#9711 · Open · alexander-sil opened this issue Mar 18, 2024 · 0 comments · May be fixed by #9730
Is your feature request related to a problem?
Yes.
My use case requires implementing a Web API utilising OAuth authentication using client credentials grant flow with the credential data (client_id, client_secret, scope and grant_type) passed via request body.
Currently, the Swagger UI OAuth authorization dialog sends auth request to the TokenEndpoint with the client_id and client_secret contained in encoded form inside an Authorization header with Basic prefix, while scope and grant_type are transmitted via application/x-www-form-urlencoded JSON POST request body, as should be the case with the former.
It is infeasible to implement credential transmission via headers due to the fact that my client, access to which is unavailable for partners, does not strictly adhere to RFC standard described in #6125.
It is necessary for my endpoint to provide a JWT Bearer token by receiving OAuth credentials via application/x-www-form-urlencoded JSON POST request body, and there are no workarounds for the current version of the swagger-ui package.
Describe the solution you'd like
To put it explicitly, I would like to introduce a combo box to determine whether client credentials should be sent in a JSON request body, rather than sending the ID and secret in the headers or by other RFC-compliant means, into the authorization dialog for clientCredentials authentication flow, similar to a dropdown found in the password flow's authorization window.
This way I would make sure the Swagger UI authorization middleware successfully retrieves the token by sending credentials in the request JSON body content, along with scope and grant_type, in turn seamlessly authenticating the API's AuthorizeAttribute-locked endpoints.
Describe alternatives you've considered
I have not considered alternatives that severely impact the development workflow by integrating less seamless methods of authorization. This goes against principles of best practice in enterprise information technologies.
Swashbuckle.AspNetCore v6.5.0, 6.5.0 as per NuGet.
Duplicate of #9127 and #6125 to make sure the feature is implemented. Issue similar to #4533.
Content & configuration
Swagger/OpenAPI definition:
Swagger-UI configuration options:
```csharp
app.UseSwagger(c =>
{
    c.RouteTemplate = "openapi/{documentName}/openapi.json";
}).UseSwaggerUI(c =>
{
    // set route prefix to openapi, e.g. http://localhost:8080/openapi/index.html
    c.RoutePrefix = "openapi";
    // TODO: Either use the SwaggerGen generated OpenAPI contract (generated from C# classes)
    c.SwaggerEndpoint("/openapi/1.0-oas3/openapi.json", "API для интеграции сервиса Яндекс.Еда");
    // TODO: Or alternatively use the original OpenAPI contract that's included in the static files
    // c.SwaggerEndpoint("/openapi-original.json", "API для интеграции сервиса Яндекс.Еда Original");
});
```
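The two credential locations this request contrasts, as an added example in JavaScript (not swagger-ui's or Swashbuckle's own code): buildTokenRequest builds the client_credentials token request either with client_id and client_secret in a Basic Authorization header, as the dialog sends today, or in the form body, as the requested combo box would allow; extractClientCredentials is a hypothetical token-endpoint helper that accepts either location but rejects a request that uses both. The function names are assumptions.

```javascript
// Added example (not swagger-ui or Swashbuckle code): build the token request the
// clientCredentials flow would send for each credential location, plus a hypothetical
// token-endpoint helper that accepts either location (RFC 6749 section 2.3.1).

// RFC 6749 2.3.1: form-urlencode id and secret before base64 so a ':' or '%' in
// either value cannot be confused with the separator.
function basicCredential(clientId, clientSecret) {
  const enc = (s) => encodeURIComponent(s).replace(/%20/g, "+");
  return "Basic " + Buffer.from(`${enc(clientId)}:${enc(clientSecret)}`).toString("base64");
}

// location: "header" (what the dialog sends today) or "body" (the requested option).
function buildTokenRequest({ clientId, clientSecret, scope, location }) {
  const body = new URLSearchParams({ grant_type: "client_credentials" });
  if (scope) body.set("scope", scope);
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  if (location === "header") {
    headers.Authorization = basicCredential(clientId, clientSecret);
  } else if (location === "body") {
    body.set("client_id", clientId);
    body.set("client_secret", clientSecret);
  } else {
    throw new Error(`unknown client credentials location: ${location}`);
  }
  return { method: "POST", headers, body: body.toString() };
}

// Token-endpoint side: accept either location, but refuse a request that uses both
// (RFC 6749 section 2.3: a client MUST NOT use more than one authentication method).
// Returns null when no usable credential is found; the caller then rejects the request.
function extractClientCredentials({ headers, body }) {
  const params = new URLSearchParams(body);
  const inBody = params.has("client_id") || params.has("client_secret");
  const auth = headers.Authorization || headers.authorization;
  if (auth && inBody) return null;
  if (auth) {
    const m = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(auth);
    if (!m) return null;
    const decoded = Buffer.from(m[1], "base64").toString("utf8");
    const sep = decoded.indexOf(":");
    if (sep < 0) return null;
    const dec = (s) => decodeURIComponent(s.replace(/\+/g, " "));
    return { clientId: dec(decoded.slice(0, sep)), clientSecret: dec(decoded.slice(sep + 1)) };
  }
  if (params.has("client_id") && params.has("client_secret")) {
    return { clientId: params.get("client_id"), clientSecret: params.get("client_secret") };
  }
  return null;
}
```

With the body location, scope and grant_type travel in the same urlencoded body as the credentials, which is the shape the request above asks Swagger UI to produce.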