I have generated Swagger UI documentation from my Spring Boot API. The API is secured using the OAuth2 client credentials grant from Auth0.
The problem is that in the Swagger configuration, I am unable to set the "audience" request body parameter during authorisation.
Thus, Swagger UI is not authenticating the API.
I am following this documentation:
https://www.baeldung.com/swagger-2-documentation-for-spring-rest-api
pom.xml:

    <dependency>
        <groupId>io.springfox</groupId>
        <artifactId>springfox-swagger-ui</artifactId>
        <version>2.9.2</version>
    </dependency>
    <dependency>
        <groupId>io.springfox</groupId>
        <artifactId>springfox-swagger2</artifactId>
        <version>2.9.2</version>
    </dependency>

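SwaggerConfig.java:

    import java.util.Arrays;
    import java.util.Collections;

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;

    import springfox.documentation.builders.OAuthBuilder;
    import springfox.documentation.builders.PathSelectors;
    import springfox.documentation.builders.RequestHandlerSelectors;
    import springfox.documentation.service.ApiInfo;
    import springfox.documentation.service.ClientCredentialsGrant;
    import springfox.documentation.service.Contact;
    import springfox.documentation.service.GrantType;
    import springfox.documentation.service.SecurityScheme;
    import springfox.documentation.spi.DocumentationType;
    import springfox.documentation.spi.service.contexts.SecurityContext;
    import springfox.documentation.spring.web.plugins.Docket;
    import springfox.documentation.swagger.web.SecurityConfiguration;
    import springfox.documentation.swagger.web.SecurityConfigurationBuilder;
    import springfox.documentation.swagger2.annotations.EnableSwagger2;

    @Configuration
    @EnableSwagger2
    public class SwaggerConfig {

        String token_endpoint = "xxxx";

        @Bean
        public Docket api() {
            return new Docket(DocumentationType.SWAGGER_2)
                    .select()
                    .apis(RequestHandlerSelectors.basePackage("xxxx.controller"))
                    .paths(PathSelectors.any())
                    .build()
                    .apiInfo(apiInfo())
                    .useDefaultResponseMessages(false)
                    .securitySchemes(Arrays.asList(securityScheme()))
                    .securityContexts(Arrays.asList(securityContext()));
        }

        private ApiInfo apiInfo() {
            return new ApiInfo(
                    "xxxx API",
                    "Some description of API.",
                    "xxxx",
                    "Terms of service",
                    new Contact("xx", "xxxx", "xxxx"),
                    "License of API", "xxxx", Collections.emptyList());
        }

        // Only invoked by Spring MVC if this class implements WebMvcConfigurer.
        public void addResourceHandlers(ResourceHandlerRegistry registry) {
            registry.addResourceHandler("swagger-ui.html")
                    .addResourceLocations("classpath:/META-INF/resources/");
            registry.addResourceHandler("/webjars/**")
                    .addResourceLocations("classpath:/META-INF/resources/webjars/");
        }

        // Values pre-filled in the swagger-ui "Authorize" dialog.
        @Bean
        public SecurityConfiguration security() {
            return SecurityConfigurationBuilder.builder()
                    .appName("xxxx")
                    .clientId("")
                    .clientSecret("")
                    .build();
        }

        // The client credentials grant is configured with the token URL only;
        // no "audience" body parameter is set here.
        private SecurityScheme securityScheme() {
            GrantType grantType = new ClientCredentialsGrant(token_endpoint);
            SecurityScheme oauth = new OAuthBuilder().name("spring_oauth")
                    .grantTypes(Arrays.asList(grantType))
                    .build();
            return oauth;
        }

        private SecurityContext securityContext() {
            return SecurityContext.builder()
                    .forPaths(PathSelectors.any())
                    .build();
        }
    }
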
The response is 403 Forbidden, and this is because I am not able to provide "audience" in the request body during authorization:

    "error_description": "Non-global clients are not allowed access to APIv1"

Running into the same type of issue here. Auth0 has specific requirements when using the client_credentials grant type. I was able to add some of the missing data using the OAuthAdditionalQueryStringParams() options method, but as @ShradhaFielddata mentioned, Auth0 requires the audience property to be in the body.
The error I'm getting when trying to authenticate is: "Non-global clients are not allowed access to APIv1". When I check the log in Auth0, the "audience" property is null.
It would be handy if there was a similar OAuthAdditionalBodyParams() we could use to customize for situations like this.

@Kizmar Did you find any workaround?
It would be nice if there were an additional property like: OAuthAdditionalBodyParams

Hi,
In order to make authenticated calls via swagger-ui, I still have to get the token from Postman, and then use it in swagger's "authorize button".
And yeah, you are right; an additional property will fix the problem.

@Kizmar Did you find any workaround?
It would be nice if there were an additional property like: OAuthAdditionalBodyParams
I did also add a feature issue/request here regarding this subject. So far no workaround.

@Kizmar Any updates or have you found a workaround for this issue?

@cpandya231 Keep an eye on #5399
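
The difference this thread turns on, sending `audience` in the query string versus in the form body of the client credentials token request, shown as an added example that is not part of the original issue or of springfox. The local stub endpoint, client id, secret and audience URL are constructed stand-ins; the stub only models the behaviour reported above (body parameters are read, query-string parameters are not) and returns the error text quoted in the thread.

```python
import json, threading, urllib.error, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ERROR = "Non-global clients are not allowed access to APIv1"  # text quoted in the thread
DIRECT = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # bypass any proxy

class StubTokenEndpoint(BaseHTTPRequestHandler):
    """Constructed stand-in for a token endpoint that reads grant parameters from the body only."""
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if form.get("audience"):  # the query string is deliberately never consulted
            status, payload = 200, {"access_token": "constructed-token", "token_type": "Bearer"}
        else:
            status, payload = 403, {"error_description": ERROR}
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    def log_message(self, *args):  # silence per-request logging
        pass

def request_token(token_url, client_id, client_secret, audience, in_body):
    """POST a client_credentials request with audience in the body or in the query string."""
    form = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    if in_body:
        form["audience"] = audience
    else:
        token_url += "?" + urllib.parse.urlencode({"audience": audience})
    req = urllib.request.Request(token_url, data=urllib.parse.urlencode(form).encode(), method="POST")
    try:
        with DIRECT.open(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # 4xx responses still carry a JSON body
        return err.code, json.load(err)

def demo():
    """Run both variants against the stub and return (query_result, body_result)."""
    server = HTTPServer(("127.0.0.1", 0), StubTokenEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/oauth/token"
    args = ("demo-client", "demo-secret", "https://api.example.test/")  # constructed values
    query = request_token(url, *args, in_body=False)
    body = request_token(url, *args, in_body=True)
    server.shutdown()
    return query, body

if __name__ == "__main__":
    print(demo())
```

Pointed at a real token endpoint with real credentials, `request_token(..., in_body=True)` is the out-of-band token fetch described above, whose result is then pasted into swagger-ui's Authorize dialog.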