Swagger-ui: Authentication with Web APIs protected by Azure Active Directory

Created on 19 Feb 2016 · 9 comments · Source: swagger-api/swagger-ui

AAD seems to use id_token as response type instead of token during the implicit OAuth2 flow. Is it something that can be set in swagger-ui? Looking at swagger-ui/dist/lib/swagger-oauth.js I would say no.

Request I need to send:

https://login.microsoftonline.com/microsoft.onmicrosoft.com/oauth2/authorize?response_type=id_token&redirect_uri=https%3A%2F%2Flocalhost%3A44313%2Fswagger%2Fui%2Fo2c-html&client_id=2766fe40-29ca-44c3-83ea-6a1aebba1950&nonce=6f10bbf5-28de-40cb-8206-5591cd37bec1

Sample response:

https://localhost:44313/swagger/ui/o2c-html#id_token=eyJ0eXAiOiJ...

AAD doc (OpenID Connect 1.0): https://msdn.microsoft.com/en-us/library/azure/dn645541.aspx

For reference, I am using swagger-ui as packaged in Swashbuckle.Core 5.3.1.

All 9 comments

I need this support too.

It would be useful to have the tokenName back in the swagger spec, such that I could just set it to "id_token".

Did you figure out how to solve or workaround this issue? Using token seems to allow you to login but you don't get any of the users roles back from Azure AD.

I managed to get this working using the following code. However, this is less than ideal and we should really have a built-in method of overriding the token name.

// Swagger UI does not support custom response_type parameters. Azure Active Directory requires an 'id_token' value to
// be passed instead of 'token' (See https://github.com/swagger-api/swagger-ui/issues/1974).
window.swaggerUiAuth = window.swaggerUiAuth || {};
window.swaggerUiAuth.tokenName = 'id_token';

if (!window.isOpenReplaced) {
    window.open = function (open) {
        return function (url) {
            url = url.replace('response_type=token', 'response_type=id_token');
            console.log(url);
            return open.call(window, url);
        };
    }(window.open);
    window.isOpenReplaced = true;
}

@webron Why was this closed? AFAIK swagger UI still does not work with OpenID Connect ...

OIDC support was introduced in OAS3. This ticket was closed before OAS3 was released.

@RehanSaeed thanks for your answer, it helped me find a way to solve this problem.
The thing you forgot to mention is how to integrate that script into your Swagger UI page.
So for all of you encountering the same issue, just use:
app.UseSwaggerUI(c => { c.InjectJavascript("yourScript.js"); });
and insert Rehan's code in this script file.

This is not fun. Why are options like swaggerUiAuth.tokenName not exposed for us in the AspNetCore project? I'm having an issue where I can't set things like swaggerUiAuth.Scopes either.

@VictorioBerra, Swashbuckle isn't maintained by us, you'd have to take that up with them 🙂

@sreichi @RehanSaeed I followed your instructions. I added the JS file. I now see that the authorization response_type is set correctly to "id_token". However, even though the authorization succeeds, swagger-ui is not making use of the returned id_token. Instead it's using "Bearer undefined" for the authorization header. I think it's because swagger-ui expects to see "access_token" attached by the authorization provider. After using the JS file, there is "id_token" instead. How did you handle that? How to instruct swagger-ui to read that "id_token"?
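The two problems raised in this thread, rewriting `response_type` so the provider returns an `id_token`, and then actually reading that `id_token` out of the redirect fragment instead of ending up with "Bearer undefined", both come down to how the fragment of the `o2c-html` redirect is parsed. The following is an added example written for this page; it is not code from the issue's commenters or from the swagger-ui or Swashbuckle projects. The function names (`parseFragment`, `extractToken`, `decodeJwtPayload`, `nonceMatches`, `buildAuthorizationHeader`) are assumptions, the redirect URL, nonce and unsigned JWT are constructed sample values, and it runs under Node.js. It selects the token by a configurable name (the `tokenName` idea from the workaround above), returns `null` rather than the string "undefined" when that parameter is absent, and checks the `nonce` claim of an `id_token` against the nonce sent in the authorize request so that a token from a different login cannot be replayed into the UI. Decoding the payload is not signature verification; the API receiving the Bearer header must still validate signature, issuer, audience and expiry.

```javascript
// Added example (not from the issue thread or the swagger-ui project): read the token an
// implicit-flow authorization server puts in the redirect URL fragment, by a configurable
// name ('access_token' by default, 'id_token' for the Azure AD case in this thread), and
// check an id_token's nonce against the one that was sent. All sample values are constructed.

// Decode a base64url string (the JWT alphabet) to a UTF-8 string.
function base64UrlDecode(str) {
  const padded = str.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (str.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Encode a UTF-8 string as base64url (used only to build the constructed sample token).
function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Parse the fragment of a redirect URL ("#id_token=...&state=...") into a plain object.
function parseFragment(redirectUrl) {
  const hashIndex = redirectUrl.indexOf('#');
  if (hashIndex === -1) return {};
  const params = {};
  for (const pair of redirectUrl.slice(hashIndex + 1).split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1));
    params[key] = value;
  }
  return params;
}

// Pick the token out of the fragment under the configured name. Returns null (never the
// string "undefined") when it is absent, which is what yields "Bearer undefined" otherwise.
function extractToken(redirectUrl, tokenName = 'access_token') {
  const params = parseFragment(redirectUrl);
  return Object.prototype.hasOwnProperty.call(params, tokenName) ? params[tokenName] : null;
}

// Decode the payload (second segment) of a JWT. This does NOT verify the signature.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT: expected three dot-separated segments');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Compare the nonce claim with the nonce sent in the authorize request, without
// short-circuiting on the first differing character.
function nonceMatches(payload, expectedNonce) {
  const actual = typeof payload.nonce === 'string' ? payload.nonce : '';
  if (actual.length !== expectedNonce.length) return false;
  let diff = 0;
  for (let i = 0; i < actual.length; i++) diff |= actual.charCodeAt(i) ^ expectedNonce.charCodeAt(i);
  return diff === 0;
}

// Build the Authorization header value the UI would attach, or null if no usable token came back.
function buildAuthorizationHeader(redirectUrl, tokenName, expectedNonce) {
  const token = extractToken(redirectUrl, tokenName);
  if (token === null) return null;
  if (tokenName === 'id_token' && !nonceMatches(decodeJwtPayload(token), expectedNonce)) return null;
  return 'Bearer ' + token;
}

// Constructed sample: an unsigned (alg "none") id_token whose nonce matches the one sent.
const SAMPLE_NONCE = '6f10bbf5-28de-40cb-8206-5591cd37bec1'; // constructed
const SAMPLE_ID_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({ aud: 'example-client-id', nonce: SAMPLE_NONCE })),
  '',
].join('.');
const SAMPLE_REDIRECT =
  'https://localhost:44313/swagger/ui/o2c-html#id_token=' + SAMPLE_ID_TOKEN + '&state=xyz';

console.log(buildAuthorizationHeader(SAMPLE_REDIRECT, 'id_token', SAMPLE_NONCE));     // Bearer <token>
console.log(buildAuthorizationHeader(SAMPLE_REDIRECT, 'access_token', SAMPLE_NONCE)); // null
console.log(buildAuthorizationHeader(SAMPLE_REDIRECT, 'id_token', 'some-other-nonce')); // null
```

With `tokenName` left at its default of `access_token` the second call returns `null` for this redirect, which is the situation the last comment describes; switching the name to `id_token` makes the first call produce the header, and a nonce mismatch (third call) rejects the token rather than silently attaching it.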
