OAuth2 Password Flow modes do not match RFC #3227
Comments
|
Feel free to CC me to any OAuth2 related issues in Swagger UI in future. I might not help you with code, but I will at least try to help you with what RFC suggests to do. |
|
This problem is based on the naming of list. It should be "clientAuthenticationType". I'm very very disappointed because my implementation in #2397 is completely spoiled. |
|
One additional note here- the Owner Credentials flow doesn't exclude public clients, in which case a client_id may be sent, but not have a corresponding client_secret. In that case, the method of attaching the client_id falls back to the last paragraph in section 3.2.1: |
|
Hi, any update on this? I have played a bit with springfox and now I see it is not possible to pass a jwt to swagger-ui. Is a release scheduled at some point? |
|
@kopax JWT's aren't part of the OAuth2 specification (RFC6749), except in the sense that the structure of the tokens is left to the implementation. Are you commenting on the correct issue? |
|
I have a *springboot backend secured with spring-security and spring-security-oauth2 and springfox installed. I am using the code grant flow specified in RFC6749. I have a reactjs app as a client and I want to install swagger-ui on it. I successfully managed to display the swagger-ui. The documentation says :
The OAuth2 configuration explained in the documentation does not trigger any request to authenticate. @krotscheck I am not sure if I am commenting the correct issue TBH, my issue I am in is more "Where is the swagger-ui OAuth documentation"... This is how my react page look like : import React from 'react';
import { SwaggerUIBundle, SwaggerUIStandalonePreset } from "swagger-ui-dist"
import 'swagger-ui-dist/swagger-ui.css';
import { oAuthClient } from "../../../config/index";
export default class SwaggerUIPage extends React.PureComponent {
state = {
ui: null,
}
componentDidMount() {
this.initializeUi();
}
initializeUi() {
const { redirectUri } = oAuthClient;
const ui = SwaggerUIBundle({
url: `http://localhost:8080/v2/api-docs`,
dom_id: '#swagger-ui',
oauth2RedirectUrl: 'http://localhost:8080/redirect/cb',
presets: [
SwaggerUIBundle.presets.apis,
SwaggerUIStandalonePreset
],
plugins: [
SwaggerUIBundle.plugins.DownloadUrl,
SwaggerUIBundle.plugins.AuthActions, // <-- Iam trying to add plugins in order to enable OAuth2 authentication
SwaggerUIBundle.plugins.AuthIndex,
SwaggerUIBundle.plugins.AuthReducers,
SwaggerUIBundle.plugins.AuthSelectors,
SwaggerUIBundle.plugins.AuthSpecWrapActions,
],
});
this.setState({ ui }, this.initializeOAuth);
}
initializeOAuth() {
const { clientId, clientSecret, accessTokenUri, redirectUri } = oAuthClient;
console.log(oAuthClient);
console.log(SwaggerUIBundle.plugins);
// Method can be called in any place after calling constructor SwaggerUIBundle
const oauth = this.state.ui.initOAuth({
clientId,
clientSecret,
realm: 'api',
tokenUrl: 'http://localhost:8080/oauth/token',
oauth2RedirectUrl: 'http://localhost:8080/redirect/cb',
appName: 'reactapp',
scopeSeparator: ' ',
additionalQueryStringParams: { test: 'please help me login' },
useBasicAuthenticationWithAccessCodeGrant: true,
...oAuthClient,
});
// console.log(window.opener.swaggerUIRedirectOauth2);
// oauth2.callback({auth: oauth2.auth, token: json, isValid: true}) // <-- I have found that in the distributed oauth2 page html in the dist package, I have tried to called `oauth2.callback` myself but I can't get `window.opener.swaggerUIRedirectOauth2`
}
render = () => <div id="swagger-ui"/>
}
|
|
@kopax Ah, yes. In that case, you're definitely not commenting on the right issue. Github issues are more for bug reports and software design work, rather than integration help. For that, I would recommend the documentation and support resources- IRC, the website, etc. Good luck! |
|
@krotscheck I really do understand and I've already been on IRC and the website before. The documentation didn't helped me. I have opened #3953. If you can give two minutes of your time to read the two questions, I'll appreciate. Good luck to you too! |
This pull request updates the "Password" flow to match the RFC, in accordance to swagger-api#3227, with the following changes: - Two methods have been explicitly removed (though names have been repurposed): Using login/pass in Basic Auth and including client_id and client_secret in the query string. - The "Basic" auth method now uses the client_id and client_secret in the Authorization header, via Basic auth, in accordance with RFC section 2.3.1: https://tools.ietf.org/html/rfc6749#section-2.3.1 - The "Request Body" auth method now adds the client_id and the client_secret to the form body, in accordance to section 3.2.1: https://tools.ietf.org/html/rfc6749#section-3.2.1 - The form no longer hides the client_id or client_secret. This is a breaking change, as the UI now responds differently to the values set in the configuration file.
|
Guys what the status of this? The This will very helpful for developers who use Spring Boot Security OAuth2.
Please fix this. |
|
I updated UI from 2.2.10 to 3.12.2 and the Password flow stopped working. It authorizes normally, I can see from inspector, but the subsequent API requests does not send the "Authorization: Bearer ..." at all. Is this related to this issue? It seemed to work fine with 2.x series. |
|
Any news on this issue?? It's really odd not not to be able to use the login as expected. |
+ # TODO: Because SWAGGER-UI password-flow doesn't follow the oauth2 RFC it needs location='form' for it to work. + # Rewrite is being discussed in swagger-api/swagger-ui#3227 + # https://www.oauth.com/oauth2-servers/access-tokens/password-grant/
Currently (Swagger UI master branch), only one out of three implemented OAuth2 Password Flow modes match RFC 6749 section 2.3.1, which explicitly states:
There are 3 modes implemented in Swagger UI for OAuth2 Password flow:
usernamewithpasswordin request-body andclient_idwithclient_secretin "Authorization" header (Basic) - this is the CORRECT and RECOMMENDED way of doing this according to RFC.usernamewithpasswordin "Authorization" header (Basic) with noclient_id/client_secret- this has NOTHING TO DO with OAuth2 as far as I can tell, this is just someone's simplified authentication method. If there is no other place to implement this, well let it be there, but this might be a bit confusing.usernamewithpasswordin request-body andclient_idwithclient_secretin URI query encoded parameters - this is EXPLICITLY DISCOURAGED in the RFC since URLs are usually logged on the web servers and this would expose the plaintext secrets to anyone reading the logs.The names in Swagger UI are completely misleading, by the way.
Here is my proposal:
client_idandclient_secretvia request-body./cc @bodnia @Naid405 @benoj @webron
The text was updated successfully, but these errors were encountered: