swagger-ui: Auth Error, Error: Bad Request

Q&A (please complete the following information)

  • OS: macOS
  • Browser: chrome
  • Version: 69
  • Method of installation: npm
  • Swagger-UI version: ? swagger-ui-express 3.0.1 comes with a static directory with swagger ui.
  • Swagger/OpenAPI version: 2

Content & configuration

Example Swagger/OpenAPI definition:

securityDefinitions:
  oauth:
    type: oauth2
    tokenUrl: /oauth/token
    flow: application
security:
  - oauth: []

Swagger-UI configuration options:

// Configure Swagger Docs
let swaggerDocument = yaml.safeLoad(fs.readFileSync('./api/swagger/swagger.yaml', 'utf8'));
app.use('/docs', swaggerUi.serve, swaggerUi.setup(swaggerDocument));

Describe the bug you’re encountering

I am no longer able to authenticate through live docs. Debugging the POST request to /oauth/token via Chrome devtools shows that the client_id and client_secret are not being sent. grant_type is, and it has the correct value “client_credentials”.

To reproduce…

Steps to reproduce the behavior:

  1. Go to /docs (my configured router for swagger ui via express)
  2. Click on ‘Authenticate’
  3. Enter ‘client_id’
  4. Enter ‘client_secret’
  5. Click modal ‘Authenticate’ button, which submits the form
  6. See error

Expected behavior

Should authenticate

Screenshots

screen shot 2018-09-21 at 11 50 36 am

screen shot 2018-09-27 at 10 01 49 am

Additional context or thoughts

I know that the yaml config for OAuth2 is being consumed because it's giving me the OAuth2 authentication form. The breakdown is in sending the entered credentials.

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 15 (6 by maintainers)

Most upvoted comments

@pacey, can you email me about this? I have a branch here, I’d like for you to take a look and tell me if it addresses your use case. kyle.shockey@smartbear.com.

Thanks for the clarification here. For future readers, the basic authorization header is constructed by base64 encoding a string that contains client_id and client_secret delimited by “:”.

@bozzltron, upon further investigation, my impression is that we’re doing this correctly.

OAuth2 says (emphasis mine):

Clients in possession of a client password MAY use the HTTP Basic authentication scheme as defined in [RFC2617] to authenticate with the authorization server […] The authorization server MUST support the HTTP Basic authentication scheme for authenticating clients that were issued a client password.

Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes).

https://tools.ietf.org/html/rfc6749#section-2.3.1

Since Swagger UI is able to use HTTP basic to transmit the client credentials, we do that instead of including it in the request body.

Let me know if you think I’ve misinterpreted the spec - happy to take another look.
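The two comments above describe where the client credentials go: Swagger UI puts them in an HTTP Basic Authorization header (RFC 6749 section 2.3.1) instead of the request body. The Node snippet below is an added example, not Swagger UI's or the reporter's code, showing how that header is built and how a token endpoint recovers the credentials from either place; the function names and the sample client id/secret in the test are made up.

```javascript
// Added example (not Swagger UI code): client-side header construction and
// token-endpoint parsing for the client_credentials grant, per RFC 6749 2.3.1.

// Build "Basic base64(client_id:client_secret)". RFC 6749 requires both values
// to be form-urlencoded before they are joined with ":".
function basicClientAuthHeader(clientId, clientSecret) {
  const pair = `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`;
  return 'Basic ' + Buffer.from(pair, 'utf8').toString('base64');
}

// The form body Swagger UI sends for flow: application (client_credentials).
// Note that client_id/client_secret are deliberately absent from the body.
function clientCredentialsBody(scopes = []) {
  const params = new URLSearchParams({ grant_type: 'client_credentials' });
  if (scopes.length) params.set('scope', scopes.join(' '));
  return params.toString();
}

// Token-endpoint side: prefer the Authorization header, then fall back to the
// body fields (the form the spec marks NOT RECOMMENDED). Returns null when
// neither is present so the caller can answer 401 invalid_client.
function extractClientCredentials(headers, body) {
  const auth = headers['authorization'] || '';
  const match = /^Basic\s+([A-Za-z0-9+\/=]+)$/i.exec(auth);
  if (match) {
    const decoded = Buffer.from(match[1], 'base64').toString('utf8');
    const sep = decoded.indexOf(':');
    if (sep === -1) return null; // malformed header: no "id:secret" pair
    return {
      clientId: decodeURIComponent(decoded.slice(0, sep)),
      clientSecret: decodeURIComponent(decoded.slice(sep + 1)),
      via: 'header',
    };
  }
  const form = new URLSearchParams(body);
  if (form.has('client_id') && form.has('client_secret')) {
    return { clientId: form.get('client_id'), clientSecret: form.get('client_secret'), via: 'body' };
  }
  return null;
}
```

A server that only reads client_id/client_secret from the body will reject Swagger UI's request even though the credentials were sent; checking the header first fixes that without weakening anything.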