When authorizing an application using OAuth2 and the authorization code flow, the authorization server must redirect the user back to the application via a redirect_uri. The redirect URI is defined as optional in the RFC 6749 spec but is actually fundamental to specific flows. Attempting to authorize an application using the authorization code flow without a redirect URI will simply not work with most (possibly all?) authorization servers (e.g. Keycloak). Hence, for the authorization code flow, it is basically a requirement that a redirect URI also be supplied. My proposal is that redirect URI be added as an optional parameter to the oauth2 security definition so as to satisfy the ability to authorize applications as a first-class concept.
This request was born out of the following discussion relating to swagger-editor / swagger-ui https://github.com/swagger-api/swagger-editor/issues/1410#issuecomment-316825266
As I understand it, the redirect URL is specific to a client application that has registered to have access to the API. This is a property of the client application that the Authorization server must store for each client application. I do not believe this is a value that is related to the description of the API.
Thanks @darrelmiller. I can see how the client specified parameters don't belong in a specification for the API. Happy to close out accordingly.
@michaeljfazio So how do we pass the Redirect URL to achieve the Authorization Code Flow within Swagger?
Yes, how is the Redirect URL used? When I set up an OAuth2 security description with my Authorize and Token URLs, etc., and attempt to Authorize the API calls, I get a response indicating the following:
error=redirect_uri_mismatch&error_description=redirect_uri%20must%20match%20configuration
@jdbealor When you attempt to Authorize your API using what client tooling? This repo is just for the OpenAPI specification. It is up to the client tooling to actually implement the OAuth flow.
Salesforce
Sorry, but I'm new to this...
From the following definition I get to the Swagger UI "Authorize" dialog and enter my client id and secret and then the API Key. When I click Authorize for the first part I get the redirect URI error.

    securityDefinitions:
      test_auth:
        type: oauth2
        flow: accessCode
        authorizationUrl: https://test.salesforce.com/services/oauth2/authorize
        tokenUrl: https://test.salesforce.com/services/oauth2/token
        scopes:
          write:test: "write test"
          read:test: "read test"
      api_key:
        type: apiKey
        name: api_key
        in: header
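The following is an added example, not code from the OpenAPI project, Swagger UI or Salesforce. It models, in-process with no network, the authorization code flow the opening post describes and the redirect_uri_mismatch failure reported above: a toy authorization server that enforces an exact match of redirect_uri against the client's registration (the policy RFC 6749 recommends; that the real server in the thread behaves this way is an assumption) and binds the issued code to that redirect_uri and to a PKCE challenge, plus the client-side steps that tooling such as Swagger UI has to perform once it knows the redirect URI. Client id, redirect URIs and scope names are constructed for the example.

```python
"""Toy OAuth2 authorization-code flow: why redirect_uri is not optional in practice.

Added example, not project code. Assumes an exact-match redirect_uri policy
on the server (RFC 6749 s3.1.2.2 / s4.1.2.1) and PKCE S256 (RFC 7636).
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def _s256(verifier: str) -> str:
    """PKCE S256 code_challenge for a code_verifier."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Minimal in-memory authorization server (constructed for this example)."""

    def __init__(self) -> None:
        self.clients: dict[str, set[str]] = {}  # client_id -> registered redirect URIs
        self.codes: dict[str, dict] = {}         # code -> data it is bound to

    def register_client(self, client_id: str, redirect_uris: list[str]) -> None:
        self.clients[client_id] = set(redirect_uris)

    def authorize(self, query: str) -> str:
        """Handle the /authorize query string; return the Location the user agent
        is sent to, or an error document if redirect_uri is not registered."""
        q = {k: v[0] for k, v in parse_qs(query).items()}
        registered = self.clients.get(q.get("client_id", ""), set())
        redirect_uri = q.get("redirect_uri")
        # Exact string comparison: no prefix, wildcard or host-only matching,
        # so an attacker-controlled path or host can never receive the code.
        if redirect_uri not in registered:
            # Must not redirect to an unregistered URI; report the error in place.
            return ("error=redirect_uri_mismatch&"
                    "error_description=redirect_uri%20must%20match%20configuration")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": redirect_uri,
                            "code_challenge": q.get("code_challenge")}
        params = {"code": code}
        if "state" in q:
            params["state"] = q["state"]  # echoed back unchanged
        return f"{redirect_uri}?{urlencode(params)}"

    def token(self, form: dict) -> dict:
        """Handle /token for grant_type=authorization_code."""
        binding = self.codes.pop(form.get("code", ""), None)  # codes are single use
        if binding is None or form.get("grant_type") != "authorization_code":
            return {"error": "invalid_grant"}
        # redirect_uri at the token endpoint must equal the one used at /authorize.
        if form.get("redirect_uri") != binding["redirect_uri"]:
            return {"error": "invalid_grant", "error_description": "redirect_uri mismatch"}
        if _s256(form.get("code_verifier", "")) != binding["code_challenge"]:
            return {"error": "invalid_grant", "error_description": "bad code_verifier"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


class Client:
    """The client side: what tooling must do once it knows its redirect_uri."""

    def __init__(self, client_id: str, redirect_uri: str) -> None:
        self.client_id, self.redirect_uri = client_id, redirect_uri
        self.state = secrets.token_urlsafe(16)     # binds the callback to this request
        self.verifier = secrets.token_urlsafe(48)  # PKCE secret, never sent to /authorize

    def authorization_query(self, scope: str) -> str:
        return urlencode({"response_type": "code", "client_id": self.client_id,
                          "redirect_uri": self.redirect_uri, "scope": scope,
                          "state": self.state, "code_challenge": _s256(self.verifier),
                          "code_challenge_method": "S256"})

    def callback_code(self, location: str) -> str:
        """Accept the redirect only if it targets our URI and carries our state."""
        parsed = urlparse(location)
        q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
        base = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
        if base != self.redirect_uri or q.get("state") != self.state:
            raise ValueError("callback rejected: redirect target or state mismatch")
        if "error" in q:
            raise ValueError(q["error"])
        return q["code"]

    def token_request(self, code: str) -> dict:
        return {"grant_type": "authorization_code", "code": code,
                "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                "code_verifier": self.verifier}


def run_flow(server: AuthorizationServer, redirect_uri: str) -> dict:
    """Drive one complete flow; return the token response or the error document."""
    client = Client("swagger-ui", redirect_uri)
    location = server.authorize(client.authorization_query("read:test"))
    if location.startswith("error="):
        return {k: v[0] for k, v in parse_qs(location).items()}
    return server.token(client.token_request(client.callback_code(location)))


if __name__ == "__main__":
    srv = AuthorizationServer()
    srv.register_client("swagger-ui", ["https://localhost:3000/oauth2-redirect.html"])
    print(run_flow(srv, "https://localhost:3000/oauth2-redirect.html"))  # token
    print(run_flow(srv, "https://localhost:3000/other"))                 # mismatch error
```

The point the thread circles around is visible in `authorize`: the server cannot complete the flow without a redirect_uri it can compare against the client's registration, so a tool that generates a client from the spec must be told that URI somewhere, even though it is a property of the client rather than of the API.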
@jdbealor I have the same problem!
I understand the argument that redirect_uri is an application-side item, but since the Swagger UI editor creates an instant application client based on the api spec file, it needs redirect_uri to make the Oauth2 security definition work. So for practical reasons, client_id and redirect_uri should be added alongside authorizationUrl.
Agreeing with James above, running into this problem right now with SwaggerHub and Azure B2C implicit auth flow; impossible to authenticate to test the API within SwaggerHub without redirectUrl.
Although it might be up to the tooling to implement the full flow, the ability to specify the redirectUrl should be part of the specs so that the tooling can work with it.