I'm trying to set up an auth system where a user sends a POST to a non-secure endpoint and receives their token (in this case a JSON web token). That token is then used for any further API calls. I can request the token just fine, but when I attempt to use it as an API_key, I find that the header is never sent.
I based my approach on this thread: https://github.com/swagger-api/swagger-ui/issues/818
The relevant code is as follows:
app.js

```js
expressApp.use(middleware.swaggerSecurity({
  jsonWebToken: function (req, def, scopes, callback) {
    // security disabled for now
    jwt('secretPassword', req, callback);
  }
}));
```

swagger.json (POST route)

```json
"post": {
  "tags": [
    "account"
  ],
  "security": [
    {
      "jsonWebToken": []
    }
  ],
  "operationId": "createAccount",
  "summary": "Create a new account record",
  "description": "Creates a new account",
  "parameters": [
    {
      "schema": {
        "$ref": "#/definitions/account"
      },
      "name": "account",
      "in": "body",
      "required": true
    }
  ],
  "responses": {
    "201": {
      "description": "Account created successfully",
      "schema": {
        "$ref": "#/definitions/account"
      }
    }
  }
}
```

swagger security defs:

```json
"securityDefinitions": {
  "jsonWebToken": {
    "type": "apiKey",
    "in": "header",
    "name": "Authorization"
  }
}
```

index.html from swaggerUI

```js
function addApiKeyAuthorization() {
  var key = encodeURIComponent($('#input_apiKey')[0].value);
  if (key && key.trim() != "") {
    var apiKeyAuth = new SwaggerClient.ApiKeyAuthorization("Authorization", "Bearer " + key, "header");
    window.swaggerUi.api.clientAuthorizations.add("bearer", apiKeyAuth);
    log("Set bearer token: " + key);
  }
}
$('#input_apiKey').change(addApiKeyAuthorization);
```
Upon changing the API_key in swagger UI, the console prints that a key was added. But watching my debugger, I can see that no Authorization header is present in the request when it hits the server.
If I completely remove the security section from the route, then the header successfully shows up. I am somewhat stumped because I was hoping to use swagger defs for ACL with a web token, but it looks like only the oAuth2 flow is supported for scopes/audiences.
Route decorated with security node:

Route not decorated with security node:

Can you try changing `window.swaggerUi.api.clientAuthorizations.add( "bearer", apiKeyAuth );` with `window.swaggerUi.api.clientAuthorizations.add( "jsonWebToken", apiKeyAuth );`?
You got it man, works fine now. Care to enlighten me with a quick explanation? I thought I understood what was going on, but I guess not since I totally overlooked that.
Of course. The name you assign to the ApiKeyAuthorization in the JavaScript code needs to match the name you gave the security scheme under the swaggerDefinitions. If they're not the same, swagger-ui (or in this case swagger-js) will not be able to make the match between the two and know to send it when it is required.
Ok, that makes perfect sense. I don't know how I overlooked that. Thanks for the help!
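As an added illustration of the explanation above (my own model, not swagger-js source), this simulates how a client that honours the spec's `security` requirements looks up registered authorizations by scheme name. The `securityDefinitions` and the operation are taken from the question; the lookup rule and the apply-everything behaviour when no `security` is declared are assumptions about the client's behaviour.

```javascript
// Added example (not swagger-js source): a model of how a spec-driven client
// picks registered authorizations by the key used in securityDefinitions.
const securityDefinitions = {
  jsonWebToken: { type: "apiKey", in: "header", name: "Authorization" },
};

// The POST operation from the question: it requires the "jsonWebToken" scheme.
const createAccountOperation = {
  operationId: "createAccount",
  security: [{ jsonWebToken: [] }],
};

class ApiKeyAuthorization {
  constructor(name, value, location) {
    this.name = name;         // header or query parameter name
    this.value = value;       // e.g. "Bearer <token>"
    this.location = location; // "header" or "query"
  }
  apply(request) {
    const target = this.location === "header" ? request.headers : request.query;
    target[this.name] = this.value;
  }
}

// Build the outgoing request for an operation, given the authorizations the
// user registered under scheme names (as with clientAuthorizations.add).
function buildRequest(operation, registered) {
  const request = { headers: {}, query: {} };
  if (!operation.security) {
    // No requirement declared: every registered authorization is applied,
    // which is why the header appeared once "security" was removed.
    Object.values(registered).forEach((auth) => auth.apply(request));
    return request;
  }
  for (const requirement of operation.security) {
    for (const schemeName of Object.keys(requirement)) {
      if (!securityDefinitions[schemeName]) {
        throw new Error(`operation references unknown scheme "${schemeName}"`);
      }
      const auth = registered[schemeName]; // lookup is by scheme name, not header name
      if (auth) auth.apply(request);
    }
  }
  return request;
}
```

Registering the authorization under `"bearer"` leaves `registered["jsonWebToken"]` undefined, so nothing is attached; registering it under `"jsonWebToken"` produces the `Authorization: Bearer <token>` header.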
How can I use Authorization with swagger-php? I tried @SWG\Authorization but it does not work.
Also, how can I declare this definition with swagger-php instead of JSON?

```json
"securityDefinitions": {
  "jsonWebToken": {
    "type": "apiKey",
    "in": "header",
    "name": "Authorization"
  }
}
```
The way that I found was:

```php
@SWG\Parameter(
    in="header",
    name="Authorization",
    description="",
    required=true,
    type="string",
),
```

Then, I send `bearer JWT-TOKEN` in the input "Authorization" like: `bearer eyJ0eXAiO...`
Worked for me.
Can somebody help? How do I achieve this from an Android client? From an Android client I want to set the authorization headers.

```yaml
securityDefinitions:
  UserSecurity:
    type: apiKey
    in: header
    name: Authorization
security:
```

Then I generated the code for Android. In the Android code, can I use the following APIs, or do I need to use some other APIs?

```js
new SwaggerClient.ApiKeyAuthorization("Authorization", "Bearer " + key, "header");
window.swaggerUi.api.clientAuthorizations.add("bearer", apiKeyAuth);
```

Please correct me if I am going wrong anywhere in the above process.