Swagger-ui: Totally insecure??

Created on 21 Jul 2017 · 8 Comments · Source: swagger-api/swagger-ui

I see this example in the docs:

const ui = SwaggerUIBundle({...})

// Method can be called in any place after calling constructor SwaggerUIBundle
ui.initOAuth({
    clientId: "your-client-id",
    clientSecret: "your-client-secret-if-required",
    realm: "your-realm",
    appName: "your-app-name",
    scopeSeparator: " ",
    additionalQueryStringParams: {test: "hello"}
})

clientSecret: "your-client-secret-if-required",

Client secret? In the JS? That is sent to the user's browser?

Can someone please explain to me how this could ever be secure?
As far as I understand it, the client secret is meant for server-to-server communication, where the client secret is safe from prying eyes on the server. But if you are doing auth from the browser (as Swagger is doing) you should, AFAIK, never have a client secret in there.

I think we should remove this line from the docs. The client secret should never be used in combination with web-based apps. It's for server-to-server communication.

Labels: security, lock-bot, discussion
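An added check, written for this thread and not part of swagger-ui or of the issue, that catches the clientSecret problem described above before a config is shipped to browsers: it audits the initOAuth() options object from the post, and produces a hardened copy with the secret removed (the environment names and the credential-looking key pattern are this example's own assumptions):

```javascript
// Added example (not swagger-ui code): audit an initOAuth() config before it reaches a page.
// Assumption: deployments are labelled with one of these environment names.
const PUBLIC_ENVIRONMENTS = new Set(["production", "staging", "public"]);
// Assumption: query-string keys matching this pattern carry credentials.
const CREDENTIAL_KEY = /secret|password|token/i;

function auditInitOAuthConfig(config, environment) {
  const findings = [];
  if (typeof config.clientSecret === "string" && config.clientSecret.length > 0) {
    // Anything passed to initOAuth() ends up in JavaScript every visitor can read.
    const severity = PUBLIC_ENVIRONMENTS.has(environment) ? "high" : "info";
    findings.push({
      severity,
      key: "clientSecret",
      message: severity === "high"
        ? "clientSecret is embedded in page JavaScript and readable by every visitor"
        : "clientSecret present; acceptable only in a private, developer-only deployment",
    });
  }
  // Secrets also leak through extra query-string parameters sent by the browser.
  for (const k of Object.keys(config.additionalQueryStringParams || {})) {
    if (CREDENTIAL_KEY.test(k)) {
      findings.push({
        severity: "high",
        key: `additionalQueryStringParams.${k}`,
        message: `${k} looks like a credential in a browser-side query parameter`,
      });
    }
  }
  return findings;
}

function hardenInitOAuthConfig(config) {
  // Drop clientSecret and any credential-looking query parameter; keep the rest unchanged.
  const { clientSecret: _dropped, ...rest } = config;
  const params = {};
  for (const [k, v] of Object.entries(rest.additionalQueryStringParams || {})) {
    if (!CREDENTIAL_KEY.test(k)) params[k] = v;
  }
  return { ...rest, additionalQueryStringParams: params };
}

// Constructed sample: the exact option shape quoted in the issue.
const weakConfig = {
  clientId: "your-client-id",
  clientSecret: "your-client-secret-if-required",
  realm: "your-realm",
  appName: "your-app-name",
  scopeSeparator: " ",
  additionalQueryStringParams: { test: "hello" },
};
const hardenedConfig = hardenInitOAuthConfig(weakConfig);
// In page code you would then call ui.initOAuth(hardenedConfig), ui being the SwaggerUIBundle instance.
```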

All 8 comments

The authorization code grant should never be used on the JS side. I assume this feature is for development environments only, for testing the OAuth server.
I think the proper way is to use the implicit flow for the UI.

It's a bit more than that. Swagger-UI is intended to render OpenAPI documents, and give a simple sandbox to test the APIs.

Since all OAuth2 flows can be described, Swagger-UI allows rendering and executing that as well. Does that mean it's recommended? No. Does that mean you shouldn't use it wisely? No. We give the option, it's up to the users to use it as they see fit.

@webron I think showing people how to shoot themselves in the foot isn't wise.
The client_secret should simply never be in an HTML page. Period. So why do we show it in an example?

So if a user wants to test their own API, internally, using swagger-ui, emulating a 'server' side, because that's the kind of API they expose - we should not allow them to do it?

If you're just talking about removing it from the example - maybe. It still needs to be documented.

I think it's a good idea to mention in the documentation that specifying the secret in a public/production UI is not recommended.

@arturdzm Yes agreed!
@webron I guess that's a valid use case. But I fear people will put it 'in production' because they don't see any harm. So yes, I think a big fat warning is warranted here.

@Download Sorry for taking so long, but thanks for the advice. I've added a warning to it in the documentation, keep the feedback coming.

Locking due to inactivity.
This is done to avoid resurrecting old issues and bumping long threads with new, possibly unrelated content.
If you think you're experiencing something similar to what you've found here: please open a new issue, follow the template, and reference this issue in your report.
Thanks!
