
Auth Error, Error: Bad Request #4905

Closed
bozzltron opened this issue Sep 27, 2018 · 15 comments

Comments

@bozzltron

Q&A (please complete the following information)

  • OS: macOs
  • Browser: chrome
  • Version: 69
  • Method of installation: npm
  • Swagger-UI version: ? swagger-ui-express 3.0.1 comes with a static directory with swagger ui.
  • Swagger/OpenAPI version: 2

Content & configuration

Example Swagger/OpenAPI definition:

securityDefinitions:
  oauth:
    type: oauth2
    tokenUrl: /oauth/token
    flow: application
security:
  - oauth: []

Swagger-UI configuration options:

// Configure Swagger Docs (Express app serving Swagger UI via swagger-ui-express)
const fs = require('fs');
const yaml = require('js-yaml');
const swaggerUi = require('swagger-ui-express');
let swaggerDocument = yaml.safeLoad(fs.readFileSync('./api/swagger/swagger.yaml', 'utf8'));
app.use('/docs', swaggerUi.serve, swaggerUi.setup(swaggerDocument));

Describe the bug you're encountering

I am no longer able to authenticate through live docs. Debugging the POST request to /oauth/token via Chrome devtools shows that the client_id and client_secret are not being sent. grant_type is sent and has the correct value "client_credentials".

To reproduce...

Steps to reproduce the behavior:

  1. Go to /docs (my configured router for swagger ui via express)
  2. Click on 'Authenticate'
  3. Enter 'client_id'
  4. Enter 'client_secret'
  5. Click modal 'Authenticate' button, which submits the form
  6. See error

Expected behavior

Should authenticate

Screenshots

[Screenshot attached: 2018-09-21]

[Screenshot attached: 2018-09-27]

Additional context or thoughts

I know that the YAML config for OAuth2 is being consumed because it's giving me the OAuth2 authentication form. The breakdown is in sending the entered credentials.

@shockey
Contributor

shockey commented Oct 11, 2018

Hi @bozzltron!

> I am no longer able to authenticate through live docs

Any idea what changed?

  • Did you upgrade swagger-ui-express?
  • Did your server implementation change? Stay the same?

@netheodw

I have the same error with the JSON format.

@bozzltron
Author

bozzltron commented Oct 11, 2018

My underlying API has not changed. It looks like I was running on a forked version of swagger-express-ui when I updated swagger ui to 3.4.2 to get things working. Since then we tried to move back to swagger-express-ui proper and that's when we encountered this new issue.

Here is my original commit off of the fork.
bozzltron/swagger-ui-express@d57269f

What version of swagger-ui is swagger-ui-express running now?

@bozzltron
Author

bozzltron commented Oct 11, 2018

[Screenshot attached: 2018-10-11]

If I updated to swagger-express-ui 4.0.1, which looks like it included swagger-ui 3.19.1, I have a similar error, with a similar root cause. Ultimately, the client_id and client_secret values are not sent alongside the grant_type.

@netheodw

netheodw commented Oct 11, 2018

I have run swagger-ui 3.19.3, which is the latest.

@shockey
Contributor

shockey commented Oct 16, 2018

Bug confirmed - prioritizing this.

@shockey
Contributor

shockey commented Oct 18, 2018

@bozzltron, upon further investigation, my impression is that we're doing this correctly.

OAuth2 says (emphasis mine):

Clients in possession of a client password MAY use the HTTP Basic authentication scheme as defined in [RFC2617] to authenticate with the authorization server [...] The authorization server MUST support the HTTP Basic authentication scheme for authenticating clients that were issued a client password.

Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes).

https://tools.ietf.org/html/rfc6749#section-2.3.1

Since Swagger UI is able to use HTTP basic to transmit the client credentials, we do that instead of including it in the request body.

Let me know if you think I've misinterpreted the spec - happy to take another look.

@shockey
Contributor

shockey commented Oct 18, 2018

cc: #3227, @frol

@frol

frol commented Oct 19, 2018

I believe @shockey is right in his interpretation of the spec, so it seems that Swagger UI does the right thing (i.e. uses HTTP Basic authentication headers to provide client_id and client_secret) for this authentication flow.

@bozzltron
Author

Thanks for the clarification here. For future readers: the Basic authorization header is constructed by base64-encoding a string that contains client_id and client_secret delimited by ":".

@pacey

pacey commented Dec 5, 2018

Hey @shockey, sorry to comment on a closed thread, but would it be possible to allow either the HTTP Basic authentication method or the body method? I'm stuck in the middle now where my authentication provider only allows the body method, so integrating that and swagger-ui seems impossible.

I appreciate that swagger-ui follows the spec correctly, but supporting both ways would be helpful for people stuck in my position.
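The header construction bozzltron describes above and the Basic-vs-body choice pacey asks about, as an added Node.js example that is not Swagger UI's code or any commenter's; the function names and the sample credentials are my own.

```javascript
// Added example, not Swagger UI's code: the two client-authentication methods
// RFC 6749 section 2.3.1 allows on a client_credentials token request, plus a
// server-side extractor that accepts either one.

// RFC 6749 appendix B: client_id and client_secret are form-urlencoded before
// being joined with ':' and base64-encoded, so a ':' or '%' in a secret survives.
function basicAuthHeader(clientId, clientSecret) {
  const pair = `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`;
  return 'Basic ' + Buffer.from(pair, 'utf8').toString('base64');
}

// What Swagger UI sends: credentials in the Authorization header, only grant_type in the body.
function tokenRequestBasic(clientId, clientSecret) {
  return {
    headers: { Authorization: basicAuthHeader(clientId, clientSecret),
               'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ grant_type: 'client_credentials' }).toString(),
  };
}

// The body method: NOT RECOMMENDED by the RFC, but what some providers require.
function tokenRequestBody(clientId, clientSecret) {
  return {
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ grant_type: 'client_credentials',
                                client_id: clientId, client_secret: clientSecret }).toString(),
  };
}

// Server side: recover the credentials from whichever method the client used. Returns null
// on a malformed header or when both methods appear at once (RFC 6749 section 2.3: MUST NOT).
function extractClientCredentials(req) {
  const auth = req.headers.Authorization || req.headers.authorization || '';
  const params = new URLSearchParams(req.body || '');
  const inBody = params.has('client_id') || params.has('client_secret');
  if (auth.startsWith('Basic ')) {
    if (inBody) return null;
    try {
      const decoded = Buffer.from(auth.slice(6), 'base64').toString('utf8');
      const sep = decoded.indexOf(':');
      if (sep < 0) return null;
      return { clientId: decodeURIComponent(decoded.slice(0, sep)),
               clientSecret: decodeURIComponent(decoded.slice(sep + 1)) };
    } catch (e) { return null; }  // bad percent-encoding in the decoded pair
  }
  if (params.has('client_id') && params.has('client_secret')) {
    return { clientId: params.get('client_id'), clientSecret: params.get('client_secret') };
  }
  return null;
}
```

A token endpoint that only reads the body can be made to accept Swagger UI by running the incoming request through extractClientCredentials first.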

@shockey
Contributor

shockey commented Dec 5, 2018

@pacey, can you email me about this? I have a branch here, I'd like for you to take a look and tell me if it addresses your use case. kyle.shockey@smartbear.com.


@lock lock bot locked and limited conversation to collaborators Feb 28, 2020