Swagger-ui: How to specify Oauth2 headers that Swagger should use

Created on 21 Mar 2016 · 17Comments · Source: swagger-api/swagger-ui

Hi, apologies in advance if this has been a known issue and I am re-reporting this. I spent a good part of today trying to find a solution to my current problem and was unable to. I searched swagger-ui issue reports as well but couldn't really find what I was looking for, so decide to ask here. Again, if this is not the correct forum, please kindly redirect me to the correct one.

I am using Swagger v2.0
I am developing an app that uses token based oauth, using devise_token_oauth gem. I specified my swagger security definition as below

"securityDefinitions": {
  "devise_auth": {
  "type": "oauth2",
    "authorizationUrl": "/api/doc/auth",
    "flow": "implicit",
    "tokenName": "access-token",
    "scopes": {
        "god": "God can do everything",
        "lecturer": "Lecturer can create courses"
    }
  }
}

And I also defined swagger path to use the security definition as below

"paths":{
    "/api/schools":
    {
        "post":{"description":"Creates a school. Only users with God permission can operate.",
                "tags":["school"],
                "security":[{"api_key":[]},
                    {"devise_auth":["god"]}],
                    "parameters":[...]
                }
    }
}

I defined api/doc/auth endpoint so that it returns all header information in query param. For example, it returns the below url

 http://localhost:3000/swagger-ui/dist/o2c.html?access-token=1FzOVl6NmBqEtycXnRIeUg&token-type=Bearer&client=EpUPSWWVbWPO2OkQG4Imng&expiry=1459736879&[email protected]

It has access-token, token-type, client, expiry, uid, all of which the Swagger needs to send to my API server to authenticate.

When I go to Swagger doc, I correctly see a toggle that asks me if I want to enable Oauth.
screen shot 2016-03-20 at 7 40 21 pm

When I click it, the toggle correctly turn to "On".
screen shot 2016-03-20 at 7 40 38 pm

However, when I send a request, I do not see auth header values ...
missing_auth

What am I doing wrong?
How can I tell Swagger doc that it needs to use auth params it got back from the AuthorizationUrl endpoint? Or is this type of question more appropriate for swagger-ui repo? I will keep this question until told otherwise.

Thanks in advance!

Source

TurtleShip

👍8

Most helpful comment

Hi,
Not 100% sure if my issue is the same, but I'm having a very similar issue with Basic authentication. I'm using the latest master version.

The Authorize button shows the Basic authentication form correctly. However, the Authorization header is never sent through with the "Try it out" operation. It's not visible in the curl command either.

Please let me know if you need any further details.

gabriel-detassigny on 4 Apr 2016

👍2

All 17 comments

I have the same issue 👍🏼

migfabio on 1 Apr 2016

Seems like this is not the correct forum to discuss this since no one is responding to this...

If anyone is reading this, can anyone please tell me how to make this more visible?

TurtleShip on 1 Apr 2016

You'd be surprised, we read everything. We just don't always have the capacity to answer everyone in a timely manner.

First question - do you see the problem only with the curl command or with the actual call from the Try it out operation (those are not the same)?

webron on 1 Apr 2016

ah-ha, okay.

I see the problem in both. I think the issue is that I am failing to register to Swagger what auth headers it should be using when Swagger sends authenticated requests.

Neither curl command or 'Try it out' operation sends any auth headers that I attempted to register with Swagger.

TurtleShip on 2 Apr 2016

@TurtleShip are you using the latest master version? Do you see the Authorize button at the top of the page?

webron on 4 Apr 2016

Hi,
Not 100% sure if my issue is the same, but I'm having a very similar issue with Basic authentication. I'm using the latest master version.

Please let me know if you need any further details.

gabriel-detassigny on 4 Apr 2016

👍2

@gabriel-detassigny Can you share your spec?

webron on 4 Apr 2016

That's the path :

"/account": {
            "get": {
                "tags": [
                    "account"
                ],
                "summary": "Get the current user account information",
                "responses": {
                    "200": {
                        "description": "User info"
                    }
                },
                "security": [
                    {
                        "login": []
                    }
                ]
            }
        },

That's the security definition :

"securityDefinitions": {
        "login": {
            "type": "basic"
        }
    }

Thanks for your help!

gabriel-detassigny on 4 Apr 2016

@gabriel-detassigny - it would really help if you can share a simple spec that reproduces it so I can easily test it locally and try to reproduce it.

webron on 4 Apr 2016

👍1

Here's the full json spec file (I had to change the domain name and some description / naming, because it's work related.)

{
    "swagger": "2.0",
    "info": {
        "title": "API",
        "description": "Internal API",
        "version": "1.0"
    },
    "host": "localhost",
    "basePath": "/",
    "schemes": [
        "http"
    ],
    "produces": [
        "application/json; versions=1"
    ],
    "paths": {
        "/account": {
            "get": {
                "tags": [
                    "account"
                ],
                "summary": "Get the current user account information",
                "responses": {
                    "200": {
                        "description": "User info"
                    }
                },
                "security": [
                    {
                        "login": []
                    }
                ]
            }
        }
    },
    "definitions": {},
    "securityDefinitions": {
        "login": {
            "type": "basic",
            "description": "Basic authentication"
        }
    }
}

By the way, I tried using API key authentication and that worked fine : it was sent through as a header like I needed. It seems to be only a problem with Basic authentication (and OAuth2 according to the others in this issue). Not sure if that info can help you.

Thanks again!

gabriel-detassigny on 5 Apr 2016

@gabriel-detassigny thanks for sharing that - tested it and it indeed doesn't work. Can you open a separate ticket on this (with the attached spec)? I'm not sure it's the same issue as the original issue here and waiting for further details on that.

webron on 5 Apr 2016

I have the same problem. Any solution?

aabadia on 14 Sep 2016

👍1

bestdeveloperever on 6 Jan 2017

I think you need to remove "api_key":[]" from you api security specification

AshwiniSurve on 23 Jan 2017

This should no longer be an issue with the new UI. However, if you test it and still experience a problem, please file a new ticket.

webron on 10 Jun 2017

Hallo I am a Beginner with Swagger and i want to define a REST API with Token Header. I do now how to define that and how Swagger recognize the URL for the ressource , could you please help me to define that and thank you very much

Belhadjhala on 8 Aug 2017

I can also repdouce this issue. At least it could no an issue but then there is no any documentation for this purpose. Did someone achieve OAuth2 scenarion with swagger UI ? I get redircted with proper token and everying, yet I click on "try it" request do not send any token....