Swagger-ui: Request header not sent (custom "Authorization" header) for Try It requests

Created on 4 Oct 2019 · 5Comments · Source: swagger-api/swagger-ui

Q&A (please complete the following information)

OS: Windows 10
Browser: Firefox (also Chrome)
Version: 69.0.2
Method of installation: npm (via Swashbuckle)
Swagger-UI version: 3.23.8
Swagger/OpenAPI version: OpenAPI 3.0.1

Content & configuration

Example Swagger/OpenAPI definition:
Full JSON @ https://gist.github.com/kierenj/a2f30015ddfb756f86c2b5e93c3401a8
Single example endpoint @ https://gist.github.com/kierenj/73e001386efe7d39a5d87fc1dbfa109a

Swagger-UI configuration options:

SwaggerUI({
  // I'm using Swashbuckle (the .NET wrapper), so I don't have equivalent JSON, sorry.
  // however, I only use the default options with it:
  /*
            swaggerUiOptions.RoutePrefix = "swagger";
            swaggerUiOptions.SwaggerEndpoint("/api/swagger.json", "API");
  */
})

Describe the bug you're encountering

For a long time, I've been able to specify a value for this header with this method. However now, I enter a value, click Execute, and the header is not sent. The example curl request shown does not include the header, either. It's not shown in the Network tab either.

To reproduce...

Open Swagger UI with the JSON definition I shared
Open /system/info
Click Try it out
Enter a value (e.g. Bearer X) in the header box
Click Execute

Expected behavior

Authorization header is included in request.

Additional context or thoughts

I realise there are other ways of doing authorization with Swagger UI. They don't quite meet my needs and so I'd hope to be able to continue using this method. Since this has been persistently working for a very long time (several years) I presume this is a bug.

support

Source

kierenj

Most helpful comment

Your API definition is missing the securitySchemes and security keywords that are used to define authentication.

The Authorization header parameter defined in /auth/credentials and /system/info won't be used because OpenAPI Specification says that tools should ignore explicit header parameters named Authorization. The Authorization header should be defined as a security scheme instead.

You need to change your Swashbuckle configuration so that it includes proper securitySchemes and security definitions in the generated JSON file. Please check Swashbuckle documentation or open a ticket with them for support.

hkosova on 4 Oct 2019

👍3

All 5 comments

Your API definition is missing the securitySchemes and security keywords that are used to define authentication.

hkosova on 4 Oct 2019

👍3

If I rename the header, would you expect it to work? I dont want to use the built in security scheme functionality, is that not an option? Thanks for your time

kierenj on 4 Oct 2019

Is there a specific reason you don't want to use standard features of the OpenAPI Specification?

hkosova on 4 Oct 2019

Yes - in the past (pre-OpenAPI), none of the security options suited my specific needs. However, I want to use OpenAPI as correctly as possible, so I'll try again. I can see over @ the Swashbuckle repo a couple of others are encountering the same thing. I certainly understand the driver behind this - I'll check into the security-schemes options: I'm guessing (hoping) it's now much more configurable than it used to be.

kierenj on 9 Oct 2019

@kierenj I'm closing the ticket for now, because as it is, this is not something we're going to support (when the spec specifically disallows it). If you encounter further issues, feel free to add a comment or open a new ticket.