Swashbuckle.aspnetcore: Possible bug 5.0.0-beta: Authorization header not set (basic auth)

Created on 28 Jan 2019 · 9 Comments · Source: domaindrivendev/Swashbuckle.AspNetCore

The authorization header is not set (via swagger-ui) when using Basic Authentication.

I was working on a sample to get this up and running. I added security def & req as such:

setupAction.AddSecurityDefinition("basicAuth", new OpenApiSecurityScheme()
{
    Type = SecuritySchemeType.Http,
    Scheme = "Basic", 
    Description = "Input your username and password to access this API"
});

setupAction.AddSecurityRequirement(new OpenApiSecurityRequirement
{
    {
        new OpenApiSecurityScheme
        {
            Reference = new OpenApiReference {
                Type = ReferenceType.SecurityScheme,
                Id = "basicAuth" }
        }, new List<string>() }
}); 

which results in the following spec (correct as far as I can see):

"securitySchemes": {
  "basicAuth": {
    "type": "http",
    "description": "Input your username and password to access this API",
    "scheme": "Basic"
  }
}},
"security": [
  {
    "basicAuth": []
  }
]

This results in an "authentication" part in the UI which allows me to input UN/PW, and I see a nice lock next to all operations. So far, so good. However, when I try sending a request via the UI it seems the Authorization header isn't set / passed through. I looked for issues related to this and found #603. I checked that issue, but the problem persists. Maybe a regression issue related to this issue (https://github.com/swagger-api/swagger-ui/issues/5039) at swagger-ui?

KR,
Kevin.

All 9 comments

I am pretty new to this but on setupAction.AddSecurityDefinition I do believe that In = ParameterLocation.Header, is required.

setupAction.AddSecurityDefinition("basicAuth", new OpenApiSecurityScheme()
{
    Type = SecuritySchemeType.Http,
    Scheme = "Basic", 
    Description = "Input your username and password to access this API",
    In = ParameterLocation.Header,
});

setupAction.AddSecurityRequirement(new OpenApiSecurityRequirement
{
    {
        new OpenApiSecurityScheme
        {
            Reference = new OpenApiReference {
                Type = ReferenceType.SecurityScheme,
                Id = "basicAuth" }
        }, new List<string>() }
});

That sounds like it should work, but I just gave it a try and it doesn't solve the issue :(

I tried with your sample code, and also tried by explicitly setting the header to use next to the In property:

setupAction.AddSecurityDefinition("basicAuth", new OpenApiSecurityScheme()
{
    Type = SecuritySchemeType.Http,
    Scheme = "Basic", 
    Description = "Input your username and password to access this API",
    Name = "Authorization",
    In = ParameterLocation.Header
});

You need to change Scheme to lowercase "basic"; it seems case sensitive.

See example in specification, and fields description above it.

@kelvinsix: that did it! Thanks :) Closing this one.

I just tried the following example with lowercase "basic" on 5.0.0-rc5 with no luck

setupAction.AddSecurityDefinition("basicAuth", new OpenApiSecurityScheme()
{
    Type = SecuritySchemeType.Http,
    Scheme = "basic", 
    Description = "Input your username and password to access this API",
    In = ParameterLocation.Header,
});

setupAction.AddSecurityRequirement(new OpenApiSecurityRequirement
{
    {
        new OpenApiSecurityScheme
        {
            Reference = new OpenApiReference {
                Type = ReferenceType.SecurityScheme,
                Id = "basicAuth" }
        }, new List<string>() }
});

When I make requests using the UI, auth header is NOT added, the CURL example shows no header information either.

@VictorioBerra did you ever resolve your issue? I am having the same problem.

@jmounts234 Yes. See the linked issue on this thread. Here's a direct link to my comment 👉 https://github.com/domaindrivendev/Swashbuckle.AspNetCore/issues/1425#issuecomment-572088137

As @VictorioBerra stated in his comment, the key is to name the scheme "oauth2".

options.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
{
    Type = SecuritySchemeType.Http,
    Scheme = "basic"
});

In my case I had to remove options.OperationFilter(). It overrides other auth schemes.
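
An added example, not part of the thread or of Swashbuckle's code: a small Python check over the generated OpenAPI document that flags the two conditions discussed above, an `http` scheme whose `scheme` value is not lowercase and a security requirement whose name matches no declared scheme. The function name `lint_security` and the sample document are constructed for illustration.

```python
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def lint_security(spec):
    """Return a list of findings about security schemes in an OpenAPI 3 document."""
    findings = []
    schemes = spec.get("components", {}).get("securitySchemes", {})

    # Check 1: http schemes should use the lowercase scheme value ("basic"),
    # the form that resolved the original report in this thread.
    for name, scheme in schemes.items():
        value = scheme.get("scheme", "")
        if scheme.get("type") == "http" and value != value.lower():
            findings.append(f"scheme '{name}': scheme value '{value}' is not lowercase")

    # Check 2: every security requirement, global or per operation, must name
    # a scheme declared under components.securitySchemes.
    requirements = [("global", r) for r in spec.get("security", [])]
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS:
                where = f"{method.upper()} {path}"
                requirements += [(where, r) for r in op.get("security", [])]
    for where, requirement in requirements:
        for name in requirement:
            if name not in schemes:
                findings.append(f"{where}: requirement '{name}' has no matching scheme")
    return findings

# Constructed sample (an assumption, not taken from the thread): the definition is
# named "basicAuth" with "Basic", while one operation requires a scheme named "oauth2".
SAMPLE = json.loads("""
{
  "openapi": "3.0.1",
  "components": {"securitySchemes": {
    "basicAuth": {"type": "http", "scheme": "Basic"}}},
  "security": [{"basicAuth": []}],
  "paths": {"/values": {"get": {"security": [{"oauth2": []}], "responses": {}}}}
}
""")

if __name__ == "__main__":
    for finding in lint_security(SAMPLE):
        print(finding)
```

Run it against the `swagger.json` your application serves by loading that file with `json.load` and passing the result to `lint_security`.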
