Swashbuckle.aspnetcore: Is clientCredentials flow supported?

Created on 1 Mar 2018 · 13Comments · Source: domaindrivendev/Swashbuckle.AspNetCore

I'm trying to get clientCredentials flow working using one of the sample websites in this repo.

I've tried to modify Swashbuckle.AspNetCore/test/WebSites/OAuth2Integration/Startup.cs to use the clientCredentials flow type.

Given that OAuthClientId and OAuthClientSecret have been set in the Configure method, I hoped that I could alter the ConfigureServices to use the clientCredentials flow type and that would allow the Swagger UI to _automagically_ retrieve the authentication token.

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    // ...
    app.Map("/resource-server", resourceServer =>
    {
        // ... 
        resourceServer.UseSwaggerUI(c =>
        {
            c.SwaggerEndpoint("/resource-server/swagger/v1/swagger.json", "My API V1");

            // Additional OAuth settings (See https://github.com/swagger-api/swagger-ui/blob/v3.10.0/docs/usage/oauth2.md)
            c.OAuthClientId("test-id");
            c.OAuthClientSecret("test-secret");
            c.OAuthRealm("test-realm");
            c.OAuthAppName("test-app");
            c.OAuthScopeSeparator(" ");
            c.OAuthAdditionalQueryStringParams(new { foo = "bar" });
            c.OAuthUseBasicAuthenticationWithAccessCodeGrant();
        });
    });
}

I've tried changing part of the ConfigureServices method to this:

c.AddSecurityDefinition("Bearer", new ApiKeyScheme
{
    Description = "JWT Authorization header using the Bearer scheme. Example: \"Authorization: Bearer {token}\"",
    Name = "Authorization",
    In = "header",
    Type = "apiKey"
});

However, this just gives me a prompt for the bearer token, like so:

Looking at the Open API Specification - Security Scheme Object Example it has the following JWT Bearer Sample:

{
  "type": "http",
  "scheme": "bearer",
  "bearerFormat": "JWT",
}

I couldn't see any similar options in Swashbuckle to configure the security definition.

It would be great if you could confirm whether what I am asking for is supported and if it is, provide an example.

Source

markpritchett

Most helpful comment

Use the following to enable the oauth2 client credentials (aka application) flow:

c.AddSecurityDefinition("oauth2", new OAuth2Scheme
{
    Type = "oauth2",
    Flow = "application",
    TokenUrl = "/auth-server/connect/token",
    Scopes = new Dictionary<string, string>
    {
        { "readAccess", "Access read operations" },
        { "writeAccess", "Access write operations" }
    }
});

c.AddSecurityRequirement(new Dictionary<string, IEnumerable<string>>
{
    { "oauth2", new[] { "readAccess", "writeAccess" } }
});

domaindrivendev on 2 Mar 2018

👍6

All 13 comments

The same issue. It worked in 1.2.0

VladislavAntonyuk on 2 Mar 2018

Use the following to enable the oauth2 client credentials (aka application) flow:

c.AddSecurityDefinition("oauth2", new OAuth2Scheme
{
    Type = "oauth2",
    Flow = "application",
    TokenUrl = "/auth-server/connect/token",
    Scopes = new Dictionary<string, string>
    {
        { "readAccess", "Access read operations" },
        { "writeAccess", "Access write operations" }
    }
});

c.AddSecurityRequirement(new Dictionary<string, IEnumerable<string>>
{
    { "oauth2", new[] { "readAccess", "writeAccess" } }
});

domaindrivendev on 2 Mar 2018

👍6

@domaindrivendev This don't work for me, after put client id and key on popup. It says below :
auth errorTypeError: NetworkError when attempting to fetch resource.
And did not do anything else. on network tab of firefox dev tools says OPTIONS request with response 200 but nothing else. How can we fix this?

arlan85 on 10 Oct 2018

👍5

@domaindrivendev Same here

deinok on 25 Feb 2019

same here. Any documentation for client_credentials flow?

coder8keyboard on 9 Aug 2019

👍3

Same here...

alexmartinezm on 26 Sep 2019

Guys his example works. Turns out it is Flow = "application" though I second the ask for documentation. Someone can always make a PR.

VictorioBerra on 26 Sep 2019

@VictorioBerra Anyone have an updated example of this using OpenApiSecurityScheme?

cmreynol on 12 May 2020

👍4

@cmreynol

@VictorioBerra Anyone have an updated example of this using OpenApiSecurityScheme?

I'm experimenting with this at the moment, will let you know how it goes:

options.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
{
    Type = SecuritySchemeType.OAuth2,
    Flows = new OpenApiOAuthFlows
    {
         ClientCredentials = new OpenApiOAuthFlow
         {
              TokenUrl = new Uri("/auth/token", UriKind.Relative)
         }
    }
});

ghost1face on 19 Jun 2020

@ghost1face any updates?

SimonKoegler on 14 Sep 2020

@ghost1face any updates?

That actually worked pretty well 👍

ghost1face on 14 Sep 2020

Use the following to enable the oauth2 client credentials (aka application) flow:

c.AddSecurityDefinition("oauth2", new OAuth2Scheme
{
    Type = "oauth2",
    Flow = "application",
    TokenUrl = "/auth-server/connect/token",
    Scopes = new Dictionary<string, string>
    {
        { "readAccess", "Access read operations" },
        { "writeAccess", "Access write operations" }
    }
});

c.AddSecurityRequirement(new Dictionary<string, IEnumerable<string>>
{
    { "oauth2", new[] { "readAccess", "writeAccess" } }
});

Is this for ASP.NET Core or the full .net framework?

I'm getting that