"password" and "application" flows are broken

[Naid405]

When reporting an issue, please provide the following details:

• swagger-ui version - 3.0.11
• a swagger file reproducing the issue:

securityDefinitions: {
        OAuth2: {
            type: "oauth2",
            scopes: {
                "api": "API access"
            },
            flow: "application",
            tokenUrl: "/api/v3/oauth/token"
        }
    },
security: [{"OAuth2": []}]

According to spec at https://tools.ietf.org/html/rfc6749:
For "password" flow "username" and "password" should be passed in the body using the "application/x-www-form-urlencoded" and "client_id" and "client_password" should be passed via basic auth.
For "application" flow "client_id" and "client_password" should just be passed via basic auth.

Currently none of the options available for "password" flow provide the ability to authorize the way specification suggests since they don't actually send client credentials the way specification suggests.

Also maybe specification way should be the default one.

[Naid405]

Any progress on this?

[bodnia]

@Naid405 I will provide you with more info asap

[bodnia]

@Naid405 'application' flow is fixed, 'password' flow type 'body-parameter' changed. Fixes are in master

[Naid405]

Thank you, @bodnia.
Shouldn't 'body-parameter' be the default auth type? Since this is the 'type' specification suggests.

[bodnia]

I think I can make it a default one. I'll notify you here once it's merged

[bodnia]

@Naid405 merged to master

[Naid405]

Thanks again!

[Naid405]

Hi, @bodnia. There's another bug with this now - if you just open the "Authorize" window, type username and password and hit the button it doesn't send the client credentials. Only after I select other type and select "Request Body" back it start sending client credentials.

[webron]

@Naid405 can you please file a separate issue for that?

[Naid405]

@webron done: #3191

[frol]

Here is my thorough summary of the state of OAuth2 Password Flow implementation in Swagger-UI: #3227.