Swagger-ui: Auth Error, Error: Bad Request

Created on 27 Sep 2018 · 15 comments · Source: swagger-api/swagger-ui

Q&A (please complete the following information)

  • OS: macOs
  • Browser: chrome
  • Version: 69
  • Method of installation: npm
  • Swagger-UI version: ? swagger-ui-express 3.0.1 comes with a static directory with swagger ui.
  • Swagger/OpenAPI version: 2

Content & configuration

Example Swagger/OpenAPI definition:

securityDefinitions:
  oauth:
    type: oauth2
    tokenUrl: /oauth/token
    flow: application
security:
  - oauth: []

Swagger-UI configuration options:

// Configure Swagger Docs (load the YAML definition and mount Swagger UI at /docs)
const fs = require('fs'), yaml = require('js-yaml');
const swaggerUi = require('swagger-ui-express');
const app = require('express')();
let swaggerDocument = yaml.safeLoad(fs.readFileSync('./api/swagger/swagger.yaml', 'utf8'));
app.use('/docs', swaggerUi.serve, swaggerUi.setup(swaggerDocument));

Describe the bug you're encountering

I am no longer able to authenticate through live docs. Debugging the POST request to /oauth/token via chrome devtools shows that the client_id and client_secret are not being sent. grant_type is sent, and has the correct value "client_credentials".

To reproduce...

Steps to reproduce the behavior:

  1. Go to /docs (my configured router for swagger ui via express)
  2. Click on 'Authenticate'
  3. Enter 'client_id'
  4. Enter 'client_secret'
  5. Click modal 'Authenticate' button, which submits the form
  6. See error

Expected behavior

Should authenticate

Screenshots

(screenshot, 2018-09-21)

(screenshot, 2018-09-27)

Additional context or thoughts

I know that the yaml config for OAuth2 is being consumed because it's giving me the OAuth2 authentication form. The breakdown is in sending the entered credentials.


All 15 comments

Hi @bozzltron!

I am no longer able to authenticate through live docs

Any idea what changed?

  • Did you upgrade swagger-ui-express?
  • Did your server implementation change? Stay the same?

I have the same error with json format.

My underlying API has not changed. It looks like I was running on a forked version of swagger-ui-express when I updated swagger ui to 3.4.2 to get things working. Since then we tried to move back to swagger-ui-express proper and that's when we encountered this new issue.

Here is my original commit off of the fork.
https://github.com/bozzltron/swagger-ui-express/commit/d57269ff73fdfef2e4c70595ab49b9351ec08939

What version of swagger-ui is swagger-ui-express running now?

(screenshot, 2018-10-11)

If I update to swagger-ui-express 4.0.1, which looks like it includes swagger-ui 3.19.1, I have a similar error, with a similar root cause. Ultimately, the client_id and client_secret values are not sent alongside the grant_type.

I have run swagger-ui 3.19.3, which is the latest.

Bug confirmed - prioritizing this.

@bozzltron, upon further investigation, my impression is that we're doing this correctly.

OAuth2 says (emphasis mine):

Clients in possession of a client password MAY use the HTTP Basic authentication scheme as defined in [RFC2617] to authenticate with the authorization server [...] The authorization server MUST support the HTTP Basic authentication scheme for authenticating clients that were issued a client password.

Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes).

https://tools.ietf.org/html/rfc6749#section-2.3.1

Since Swagger UI _is_ able to use HTTP basic to transmit the client credentials, we do that instead of including it in the request body.

Let me know if you think I've misinterpreted the spec - happy to take another look.

cc: #3227, @frol

I believe @shockey is right in his interpretation of the spec, so it seems that Swagger UI does the right thing (i.e. uses HTTP Basic authentication headers to provide client_id and client_secret) for this authentication flow.

Thanks for the clarification here. For future readers: the Basic authorization header is constructed by base64-encoding a string that contains client_id and client_secret delimited by ":".
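To make the two transports discussed above concrete, here is an added example (not Swagger UI's or swagger-ui-express's own code; all function names are hypothetical): the client side builds the client_credentials token request the way the spec quoted above describes, with the credentials in a Basic header and only grant_type in the body, and the server side accepts either the header or the body form while rejecting requests that use both.

```javascript
// Added example, not code from Swagger UI. Node.js, built-ins only.
// Client side: RFC 6749 section 2.3.1 has the client form-urlencode the id and
// secret, join them with ":" and base64-encode the result for HTTP Basic.
function buildClientCredentialsRequest(tokenUrl, clientId, clientSecret) {
  const userPass = `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`;
  return {
    method: 'POST',
    url: tokenUrl,
    headers: {
      Authorization: 'Basic ' + Buffer.from(userPass, 'utf8').toString('base64'),
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    // Only the grant type travels in the body; the credentials do not.
    body: 'grant_type=client_credentials',
  };
}

// Server side: pull client credentials out of an incoming token request
// (an Express-style object with lower-cased `headers` and a parsed `body`).
// Returns { clientId, clientSecret, method } or null when the credentials are
// missing, malformed, or supplied by more than one method (RFC 6749 section 2.3
// forbids using two client authentication methods in a single request).
function parseClientCredentials(req) {
  const header = (req.headers && req.headers.authorization) || '';
  const body = req.body || {};
  const hasBasic = /^Basic\s+/i.test(header);
  const hasBody = body.client_id !== undefined || body.client_secret !== undefined;
  if (hasBasic === hasBody) return null; // neither present, or both: reject
  if (hasBasic) {
    const decoded = Buffer.from(header.replace(/^Basic\s+/i, ''), 'base64').toString('utf8');
    const sep = decoded.indexOf(':');
    if (sep < 0) return null; // split on the first ":" only; the secret may contain one
    try {
      return {
        clientId: decodeURIComponent(decoded.slice(0, sep)),
        clientSecret: decodeURIComponent(decoded.slice(sep + 1)),
        method: 'basic',
      };
    } catch (e) {
      return null; // malformed percent-encoding
    }
  }
  // Body form: the NOT RECOMMENDED fallback for clients that cannot send Basic auth.
  if (typeof body.client_id !== 'string' || typeof body.client_secret !== 'string') return null;
  return { clientId: body.client_id, clientSecret: body.client_secret, method: 'body' };
}
```

The id/secret returned by parseClientCredentials still have to be checked against the registered client with a constant-time comparison; that step is outside this example.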

Hey @shockey , sorry to comment on a closed thread but would it be possible to allow the HTTP Basic authentication method _or_ the body method? I'm stuck in the middle now where my authentication provider only allows the body method, so integrating that and swagger-ui seems impossible.

I appreciate swagger-ui follows the spec correctly, but supporting both ways would be helpful for people stuck in my position.

@pacey, can you email me about this? I have a branch here, I'd like for you to take a look and tell me if it addresses your use case. [email protected].

I want to use oauth 2 in node js code for our APIs.
Has anybody used it? Please share.

How can I get client key and client secret if the "application" oauth2 flow is getting used for swagger?

@ksac1 please open a new issue if you need help!
