Swagger-ui: OAuth2 password flow sends token request incorrectly

Created on 12 Apr 2017 · 6 Comments · Source: swagger-api/swagger-ui

It seems that, at least when using the Resource Owner Password Credentials flow for authentication, the token request is sent incorrectly. Currently the code on master sends it like this (/src/core/plugins/auth/actions.js):

let req = {
  url: schema.get("tokenUrl"),
  method: "post",
  headers: {
    "content-type": "application/x-www-form-urlencoded"
  },
  query: {
    grant_type: "password",
    username,
    password,
    scopes: encodeURIComponent(auth.scopes.join(scopeSeparator))
  }
}

This means that all parameters are sent as query parameters not as part of body as spec defines (https://tools.ietf.org/html/rfc6749#section-4.3.2).

It could use body: new FormData(...) instead of query: {...}.

Labels: P1, lock-bot, 3.x
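Added example, not swagger-ui's own code: a password-grant token request built the way RFC 6749 section 4.3.2 describes (parameters form-encoded in the POST body, nothing in the query string), plus a small check that flags the failure mode this issue reports, credentials landing in the URL where proxies, server access logs and browser history would record them. `schema` is assumed here to be a plain object with a `tokenUrl` field.

```javascript
// Build an RFC 6749 §4.3.2 password-grant token request. All parameters go
// into the application/x-www-form-urlencoded body, never into the query.
// `schema` is assumed to be a plain object { tokenUrl } for this example.
function buildTokenRequest(schema, username, password, scopes, scopeSeparator = " ") {
  const form = new URLSearchParams();
  form.set("grant_type", "password");
  form.set("username", username);
  form.set("password", password);
  if (scopes && scopes.length > 0) {
    // RFC 6749 names this parameter "scope". URLSearchParams percent-encodes
    // exactly once, so an extra encodeURIComponent would double-encode it.
    form.set("scope", scopes.join(scopeSeparator));
  }
  return {
    url: schema.tokenUrl,
    method: "post",
    headers: { "content-type": "application/x-www-form-urlencoded" },
    body: form.toString(),
  };
}

// Return the names of sensitive parameters that ended up in the request URL
// or in a `query` map. A correct token request returns an empty array.
function credentialsInUrl(req) {
  const sensitive = ["username", "password", "client_secret"];
  const url = new URL(req.url, "http://localhost");
  const leaked = [];
  for (const name of sensitive) {
    if (url.searchParams.has(name) || (req.query && name in req.query)) {
      leaked.push(name);
    }
  }
  return leaked;
}

// Constructed sample input: a correct request and one shaped like the bug.
const schema = { tokenUrl: "https://auth.example/oauth/token" };
const good = buildTokenRequest(schema, "alice", "p@ss w&rd", ["read", "write"]);
const bad = {
  url: schema.tokenUrl,
  method: "post",
  query: { grant_type: "password", username: "alice", password: "p@ss w&rd" },
};
```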


All 6 comments

I think there should be a configuration for that, not sure if it's implemented yet.

I'm experiencing the same issue using the OAuth application flow. Requests are sent as GET requests and should be sent as POST to allow for encoding data in the POST body.

I am also facing this problem. There is a configuration for sending client credentials: whether to send them as a Basic header or in the body. But there is no configuration available for sending payload data.
Nevertheless, according to the spec, the payload should be sent as a URL-encoded POST payload. So I think this needs to be fixed.

@lakmali @kevinsookocheff-wf @jniemin could you please test the latest master? If you are still experiencing the issue, please re-open.

Yep, the master is working correctly when using type: request body. My server doesn't support basic or as query params, so I can't test those. Thanks @bodnia

@jniemin thanks for your cooperation
