I am trying to get authorization code flow with PKCE to work.
When clicking authorize I get the following error:
Am I doing something wrong, or is the flow not supported (yet)?
Client Credential flow and implicit flow both work fine.
It looks like this is now supported in Swagger UI as of 8 October:
https://github.com/swagger-api/swagger-ui/pull/5361#issuecomment-539259962
I wanted to do a pull request on this. But I'm unsure about upgrading the bundled swagger-ui files. I've done an analysis of what needs to be done.
UsePkceWithAuthorizationCodeGrant
/// <summary>Proof Key for Code Exchange. Only applies to `accessCode` flow. Supported in SwaggerUI 3.</summary>
public bool UsePkceWithAuthorizationCodeGrant { get; set; }
usePkceWithAuthorizationCodeGrant: {UsePkceWithAuthorizationCodeGrant}
NOTE: SwaggerUi3Settings.TransformHtml code will do the actual job of inserting the property into index.html.
Can you create a PR? I'll update swagger ui 3
Sure, I have actually figured out how to update the swagger-ui library. I will do some testing and make a PR.
Good day,
First of all I'd like to thank you all for working on such a great project.
I was wondering if there is any idea when this might be included in a future release?
I was hoping to use it for a project I'm working on right now and this feature was merged after the most recent NuGet package release. Thanks!
I'll publish a new version next week
That would be perfect. Thanks!
I took the latest version of NSwag.AspNet.Owin, v13.1.5, to work with PKCE code flow using the SwaggerUi3 extension. However, I ended up with a "code_challenge is missing" error.
It looks like the latest version of NSwag.AspNet.Owin, v13.1.5, still does not support PKCE; it's only available in NSwag.AspNetCore as of now.
Please let me know when it will be available in NSwag.AspNet.Owin package.
I upgraded the NuGet package and it works like a charm. A couple of properties need to be set.
OAuth2ClientSettings.UsePkceWithAuthorizationCodeGrant = true and
services.AddOpenApiDocument(options =>
{
    options.DocumentProcessors.Add(new SecurityDefinitionAppender("Bearer", Enumerable.Empty<string>(),
        new OpenApiSecurityScheme
        {
            Type = OpenApiSecuritySchemeType.OAuth2,
            Flow = OpenApiOAuth2Flow.AccessCode
        }));
});
Hi espenrl, my application is an AspNet OWIN based application (not AspNetCore). My app references the NSwag.AspNet.Owin v13.1.5 package.
I setup swagger using NSwag IAppBuilder.UseSwaggerUi3 extension like below:
app.UseSwaggerUi3(
    webApiAssembly,
    settings =>
    {
        settings.GeneratorSettings.DefaultPropertyNameHandling = PropertyNameHandling.CamelCase;
        settings.GeneratorSettings.Title = appName;
        settings.GeneratorSettings.IsAspNetCore = false;
        settings.OAuth2Client = new OAuth2ClientSettings
        {
            ClientId = clientId,
            AppName = appName,
            AdditionalQueryStringParameters =
            {
                {"audience", audience}
            },
            UsePkceWithAuthorizationCodeGrant = true
        };
        settings.GeneratorSettings.OperationProcessors.Add(
            new OperationSecurityScopeProcessor("bearer"));
        settings.GeneratorSettings.DocumentProcessors.Add(new SecurityDefinitionAppender("bearer",
            new OpenApiSecurityScheme()
            {
                Type = OpenApiSecuritySchemeType.OAuth2,
                Flow = OpenApiOAuth2Flow.AccessCode,
                Scopes = new Dictionary<string, string> {{audience, audience}},
                AuthorizationUrl = authorizationUrl,
                TokenUrl = tokenUrl
            }));
    });
The code modification is specific for ASP.NET Core. The same code will have to be replicated for ASP.NET. See https://github.com/RicoSuter/NSwag/pull/2480
I do not have a setup for ASP.NET on my computers. I have abandoned those hefty SDKs.
If you find usePkceWithAuthorizationCodeGrant: true in /swagger/index.html source then third party SwaggerUI is in control and it should work.
I've updated the Swagger UI version in NSwag.AspNet.Owin but the other changes are not made. I personally don't use ASP.NET anymore and do not support it. Please create a PR with the same changes as the ASP.NET Core one.
Hi Espenrl/RicoSuter, thank you for your quick reply. I have very limited knowledge of this to do a PR. I will create a PR when I figure out how to do this. Thank you for all the hard work and for bringing this very useful package to us.
I have managed to create PR for NSwag.AspNet.Owin PKCE support
See https://github.com/RicoSuter/NSwag/pull/2546
Hey I've just found this thread and done all that is quoted below but swagger still isn't performing a PKCE flow, only code.
I upgraded the NuGet package and it works like a charm. A couple of properties need to be set.
OAuth2ClientSettings.UsePkceWithAuthorizationCodeGrant = true and
services.AddOpenApiDocument(options =>
{
    options.DocumentProcessors.Add(new SecurityDefinitionAppender("Bearer", Enumerable.Empty<string>(),
        new OpenApiSecurityScheme
        {
            Type = OpenApiSecuritySchemeType.OAuth2,
            Flow = OpenApiOAuth2Flow.AccessCode
        }));
});
Is there anything that's missing from this code that enables the flow?
For reference I'm using NSwag.AspNetCore version 13.2.2
Only supported for SwaggerUi v3 UseSwaggerUi3().
Thanks for the fast response. I'm currently using UseSwaggerUi3() and the Swagger page source contains usePkceWithAuthorizationCodeGrant: true but this still isn't performing a PKCE flow.
Well, OAuth can be quite challenging to setup correctly. Both at the client and the server. Check your server logs to see what is going on.
Thank you for the help espenrl. It turns out it was an issue on okta. The ClientId wasn't set up correctly for a PKCE flow.
Can we close this then?
Both ASP.NET and ASP.NET Core implementations are in so I guess so.
I have problems with the ASP.NET Core version. The code_challenge parameter doesn't get appended.
I've tracked it down and it seems to be a problem with flow="accessCode" vs. "authorizationCode", see https://github.com/swagger-api/swagger-ui/blob/139592e353f47ef4f9c567a36624da386c661f17/src/core/oauth2-authorize.js#L69
... so shouldn't NSwag emit "authorizationCode" instead of "accessCode"?
Note that I've verified that "usePkceWithAuthorizationCodeGrant: true" is emitted in index.html.
.... shit. The problem was that I used services.AddSwaggerDocument(...) instead of services.AddOpenApiDocument(...). Then NSwag indeed emits "authorizationCode" for OpenApiOAuth2Flow.AccessCode => WTF?
WTF?
AddOpenApiDocument => OpenAPI 3.0
AddSwaggerDocument => Swagger/OpenAPI 2.0
And I think 2.0 does not support PKCE
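Added example (not part of the thread, and not NSwag or Swagger UI code): a Node.js check for the two symptoms discussed above, a missing code_challenge on the authorize request and a generated document that declares `accessCode` rather than `authorizationCode`. The function names, sample URL, client id and sample document are constructed for illustration; the S256 transform follows RFC 7636.

```javascript
const crypto = require("crypto");

// RFC 7636 S256 transform: BASE64URL(SHA256(code_verifier)), without padding.
function s256Challenge(verifier) {
  return crypto.createHash("sha256").update(verifier, "ascii").digest("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// OAuth2 flow names declared in a Swagger 2.0 or OpenAPI 3.0 document.
function oauthFlows(spec) {
  const flows = [];
  for (const s of Object.values(spec.securityDefinitions || {}))   // Swagger 2.0
    if (s.type === "oauth2") flows.push(s.flow);
  const schemes = (spec.components || {}).securitySchemes || {};   // OpenAPI 3.0
  for (const s of Object.values(schemes))
    if (s.type === "oauth2") flows.push(...Object.keys(s.flows || {}));
  return flows;
}

// Check an authorize URL (copied from the browser's network tab) against the
// generated document; pass the code_verifier too if it is known.
function checkAuthorizeRequest(authorizeUrl, spec, verifier) {
  const q = new URL(authorizeUrl).searchParams;
  const findings = [];
  if (q.get("response_type") !== "code") findings.push("response_type is not 'code'");
  const challenge = q.get("code_challenge");
  if (!challenge) {
    findings.push("code_challenge is missing");
    if (!oauthFlows(spec).includes("authorizationCode"))
      findings.push("document declares no 'authorizationCode' flow");
    return findings;
  }
  if (q.get("code_challenge_method") !== "S256")
    findings.push("code_challenge_method is not S256");
  if (!/^[A-Za-z0-9_-]{43}$/.test(challenge))
    findings.push("code_challenge is not an unpadded base64url SHA-256 value");
  if (verifier && s256Challenge(verifier) !== challenge)
    findings.push("code_challenge does not match code_verifier");
  return findings;
}

// Constructed sample input: a Swagger 2.0 document and a request without PKCE.
const SAMPLE_SPEC = { securityDefinitions: { bearer: { type: "oauth2", flow: "accessCode" } } };
const SAMPLE_URL = "https://idp.example/authorize?response_type=code&client_id=demo";
console.log(checkAuthorizeRequest(SAMPLE_URL, SAMPLE_SPEC));
```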