Swashbuckle.AspNetCore: Available Authorizations modal is empty with v5 OpenIdConnect configuration

Running .Net Core 2.2 and Swashbuckle.AspNetCore 5.0.0-rc2.

Trying to setup OIDC configuration, but the Available Authorizations modal is blank, so cannot proceed with authentication.

Configuration as follows:

services.AddSwaggerGen(c => {
...
c.AddSecurityDefinition("token", new OpenApiSecurityScheme {
    Type = SecuritySchemeType.OpenIdConnect,
    OpenIdConnectUrl = new Uri($"https://login.microsoftonline.com/{tenant}/v2.0/.well-known-openid-configuration")
});
c.AddSecurityRequirement(new OpenApiSecurityRequirement {
    {
        new OpenApiSecurityScheme {
            Reference = new OpenApiReference {Type = ReferenceType.SecurityScheme, Id = "token"
        }, new string[] { }
    }
});
...
});

services.UseSwaggerUI(c => {
...
c.OAuthClientId(_clientId);
...
});

About this issue

  • Original URL
  • State: closed
  • Created 5 years ago
  • Reactions: 22
  • Comments: 27 (3 by maintainers)

Most upvoted comments

I met the same issue before and resolved it.

Now the available Authorization header works fine.

Please check my latest sample using SwashBuckle v5.5.1 and netcore 3.1 https://github.com/capcom923/MySwashBuckleSwaggerWithJwtToken

send-authorization-header

+16
capcom923 on Jul 2, 2020

Is there an example I can follow on how to configure Swashbuckle to use OIDC?

+12
Alex-Torres on Feb 9, 2021

OpenID Connect Discovery is now supported in Swagger UI v. 3.38.0.

+8
hkosova on Dec 10, 2020

Any update on this?

+7
marcinjahn on Jun 5, 2020

@cjamesrohan I’ve managed to populate the Available Authorization pop up with the required action items. My Startup.cs file looks as follows:

ConfigureServices method

...
 services.AddSwaggerGen(c =>
            {
                c.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
                {
                    Name = "oauth2",
                    Type = SecuritySchemeType.OAuth2,
                    Scheme = IdentityServerAuthenticationDefaults.AuthenticationScheme,
                    Flows = new OpenApiOAuthFlows()
                    {
                        Implicit = new OpenApiOAuthFlow()
                        {
                            Scopes = new Dictionary<string, string>
                     {
                         { _scope, _scope }
                     },
                            AuthorizationUrl = new System.Uri($"{_oAuthAuthority}/connect/authorize"),
                            TokenUrl = new System.Uri($"{_oAuthAuthority }/connect/token")
                        }
                    }
                });

                c.OperationFilter<AssignOAuth2SecurityRequirements>();
                c.OperationFilter<SwaggerControllerFilter>();
                c.SwaggerDoc("v1", new OpenApiInfo { Title = $"API (v1)", Version = "v1" });
            });
...

where AssignOAuth2SecurityRequirements Operation filter class is:

public class AssignOAuth2SecurityRequirements : IOperationFilter
    {
        public void Apply(OpenApiOperation operation, OperationFilterContext context)
        {
            // Determine if the operation has the [Authorize] attribute
            var actionAttributes = context.ApiDescription.ActionDescriptor as ControllerActionDescriptor;
            var authorizeAttributes = context.ApiDescription.CustomAttributes()
            .Union(actionAttributes.MethodInfo.CustomAttributes)
            .OfType<AuthorizeAttribute>();

            if (!authorizeAttributes.Any())
                return;

            if (!operation.Responses.ContainsKey("401"))
            {
                // Indicate that their could be a 401 response
                operation.Responses.Add("401", new OpenApiResponse { Description = "Unauthorized" });
            }

            // Initialize the operation.security property if it hasn't already been
            operation.Security ??= new List<OpenApiSecurityRequirement>();

            var oAuthRequirements = new OpenApiSecurityRequirement
            {
                {
                    new OpenApiSecurityScheme
                    {
                        Reference = new OpenApiReference
                        {
                            Type = ReferenceType.SecurityScheme,
                            Id = "oauth2"
                        }
                    },
                    new[] { "api1" }
                }
            };

            operation.Security.Add(oAuthRequirements);
        }
    }

Note:

  1. Reference object inside OpenApiSecurityRequirement of the [Authorize]d operation should have reference to the Name of the same SecurityScheme you define inside services.AddSwaggerGen.AddSecurityDefinition (i.e. your global SecurityDefinition)(as shown above)
  2. I’m implementing OAuth2 implicit flow.

I hope this helps.

+6
dev-victory on Oct 1, 2019

I had a similar issue where “Available authorizations” was appearing empty when using openIdConnect. After some frustrating debugging, I discovered it was a CORS issue. My auth server is on a different domain so when swagger-ui attempts to fetch the /.well-known/openid-configuration it is blocked by the CORS policy. Try loading swagger-ui with the developer console open and check for errors. Firefox seems better at reporting CORS issues than Chrome.

+5
cdowney on Jun 9, 2021

From the Swagger docs

OIDC is currently not supported in Swagger Editor and Swagger UI. Please follow this issue for updates

And here’s the related issue in the swagger-ui repo: https://github.com/swagger-api/swagger-ui/issues/3517

+5
domaindrivendev on Sep 3, 2020

It looks like OpenIDConnect is not supported in the Swagger UI that Swashbuckle takes a dependency on: https://github.com/swagger-api/swagger-ui/issues/3517

And it does not look like it’s on the roadmap either: https://github.com/swagger-api/swagger-ui/issues/5473

+5
wterpstra on Dec 14, 2019

@capcom923 We are hoping to get it to work with SecuritySchemeType.OpenIdConnect which your sample doesn’t resolve at all.

+4
IngoVals on Sep 2, 2020

We have the same issue.

We are running .net core 3.0.0 with Swashbuckle.AspNetCore 5.0.0-rc4 The issue only seems to affect the type SecuritySchemeType.OpenIdConnect.

+4
HitDaCa on Nov 20, 2019

Is there an example I can follow on how to configure Swashbuckle to use OIDC?

@Alex-Torres This isn’t a working sample, but maybe somebody could point out if there is an issue with the following securityScheme, and then from there use that as a working example? It seems like the problem is with SwaggerUI , rather than Swashbuckle

securitySchemes:
    oidc:
        type: openIdConnect
        # IdentityServer4
        openIdConnectUrl: https://localhost:5000/.well-known/openid-configuration

The openApi.json file is being generated by the Swashbuckle.AspNetCore package, but the SwaggerUI project is running using the 3.43.0 docker image, in an attempt to isolate the SwaggerUI project with the latest OpenId connect support

docker run -it -p 80:8080 -e API_URL="http://localhost:5003/swagger/v1/swagger.json" swaggerapi/swagger-ui:v3.43.0

Edit I tried adding the security section as below, but the modal is still empty

security:
  - oidc:
      - pets_read
      - pets_write
      - admin
+3
FinHorsley on Feb 18, 2021

From the Swagger docs

OIDC is currently not supported in Swagger Editor and Swagger UI. Please follow this issue for updates

And here’s the related issue in the swagger-ui repo: swagger-api/swagger-ui#3517

I also have an open ticket somewhere for swagger-ui. Thanks for your response @domaindrivendev! Whenever this gets implemented by them, is there a plan to finish implementation in Swashbuckle? Just curious.

+1
cjamesrohan on Sep 3, 2020
Read more comments on GitHub
← Swashbuckle.AspNetCore: Authorization Header not being sent from Swagger UI 5.0.0-rc5
Swashbuckle.AspNetCore: CLI is not working with project referencing Autofac →