OAuth2 Resource Owner Password Credentials

[ghost]

Hey! I'm trying to use swagger with api, secured by IdentityServer4 with resource owner password credentials flow. When I try to login - I've got an 400 HTTP error. I look inside HTTP request and see, that swagger did not send clinet_id with acess token request, but it was configured in application middlewares pipeline, inside swaggerUI configureation options. Where am I wrong?

[xperiandri]

Do you use RC3?

[ghost]

@xperiandri Yes

[xperiandri]

Indeed, client_id is missing

[xperiandri]

When I pass client_id in configuration it is not used but if I switch Setup client authentication to Request body and enter client_id it is passed along with client_secret which is empty and I get an error about that.

[xperiandri]

@domaindrivendev, is client_id being taken from configuration in implicit flow? Contrary to what happens with password flow implementation in Swagger UI.

[domaindrivendev]

I think it would be better to submit this question to the swagger-ui folks. Swashbuckle just embeds that tool but doesn't actually do any of the development. It looks like there's already some related discussion in a recent PR to that repo that might shed some light on the subject ...

swagger-api/swagger-ui#2397

[xperiandri]

I just did't try implicit flow, so ask if it works the described way

[xperiandri]

Now it works well with password flow

[ghost]

I can't check this, but I trust you)
So, I close the issue.

[theCuriousOne]

@xperiandri How did you manage to get it to work for password flow?

[xperiandri]

options.AddSecurityDefinition("OpenId Connect", new OAuth2Scheme {
    Type = "oauth2",
    Flow = "password",
    TokenUrl = tokenUrl.AbsoluteUri,
    Scopes = new Dictionary<string, string>
    {
        { Auth.Scopes.Scope1, "Scope 1" }
    }
});

.UseSwaggerUI(
    options => {
        var provider = app.ApplicationServices.GetService<IApiVersionDescriptionProvider>();
        foreach (var apiVersionDescription in provider
            .ApiVersionDescriptions
            .OrderByDescending(x => x.ApiVersion)) {
            options.SwaggerEndpoint(
                $"/swagger/{apiVersionDescription.GroupName}/swagger.json",
                $"Version {apiVersionDescription.ApiVersion}");
        }
        options.ConfigureOAuth2("swagger", null, null, "Swagger UI");
    });

Then either log in using Authorize button at the top

or add options.OperationFilter<SecurityRequirementsOperationFilter>(); that adds Scope1 to every secured API definition

[theCuriousOne]

@xperiandri Thank you for your help. For future reference for someone else:

`var provider = app.ApplicationServices.GetService<IApiVersionDescriptionProvider>();`

Is only needed for versioning (declare the api version). What I did wrong is that I didn't follow the OAuth2 Specs, i.e. I haven return a valid json with { "access_token": "34h3nf8nnf9a...", "grant_type": "Bearer"} -> this is important!