swagger-ui: Swagger-ui oauth2 accesscode flow not working correctly

Hi All,

I started using swagger-ui to use with oauth2 access code flow with interactive facility( Try it out feature) I downloaded latest master version and copied ‘dist’ folder and run ‘live-server’ by mounting to dist folder.It loads my test.yaml file and “Authorize” also will be appeared(But it is showing unlock icon though). Refer unlock-icon.png

Anyway once i click Authorize button, it shows the popup and i can enter client id and secret too. Refer authorize-popup.png

Then once i click Authorize button with correct client id and secret it will open a new window and i can see the generated code with the redirect url. But problem is, it won’t close that window and it remain in the same page. That new window url something like this http://localhost:3200/oauth2-redirect.html?code=fs-QFeYgj-bpXLjs8Fbak2pm2DwZZs0hc4QU0gKV&state=RnJpIEp1biAwMiAyMDE3IDExOjU4OjQ2IEdNVCsxMDAwIChBRVNUKQ%3D%3D

Can you just explain is this something on my code or defect? i spend more than 3 days to fix this issue with several tricks, but didn’t success.

My security definitions on the yaml file looks like follow

securityDefinitions:
  OauthSecurity:
    type: oauth2
    flow: accessCode
    authorizationUrl: https://xxxxxx.xxxxx.xxxx/as/authorization.oauth2
    tokenUrl: https://yyyyy.yyyyy.yyyyy/as/token.oauth2
    grantType: authorization_code
    scopes:
      admin: Admin things

security:
 - OauthSecurity:
    - admin

Thank you very much for your help. Really looking forward for a quick reply 😃 authorize-popup unlock-icon

About this issue

Original URL
State: closed
Created 7 years ago
Comments: 87 (16 by maintainers)

Commits related to this issue

fixes #3172 — committed to bodnia/swagger-ui by bodnia 7 years ago
Merge pull request #3204 from bodnia/fix-3172 fixes #3172 — committed to swagger-api/swagger-ui by bodnia 7 years ago
#3172 added Access-Control-Allow-Origin for auth requests — committed to bodnia/swagger-ui by bodnia 7 years ago
Merge pull request #3206 from bodnia/fixes-3172 #3172 added Access-Control-Allow-Origin for auth requests — committed to swagger-api/swagger-ui by bodnia 7 years ago

Most upvoted comments

@phenbach security must be an array.

"security": [
		{
			"qud_auth": [
				"qud_user",
				"bb_user"
			]
		}
	]

bodnia on Jun 9, 2017

I ran into this problem last night and finally solved this issue but ran into another one. As far as fixing the above try using the oauth2-redirect.html in the dev-helpers folder. You will notice the oauth2.callback on line 39 has a couple of parameters that are needed.

oauth2.callback({auth: oauth2.auth, redirectUrl: redirectUrl});

Unfortunately for me when I attempt to try out the endpoint, my token is not included at all with the curl request. Can you report back if you experience the same issue?

phenbach on Jun 2, 2017

It looks like CORS (cross-origin resource sharing) isn’t configured on the server you are accessing. There should be some “Access-Control-…” headers on the response. I think you should consider reading a bit about how CORS works.

abustya on Jun 13, 2017

This isn’t your POST request, it’s a preflight request, that checks if cross-origin requests are allowed to the endpoint. You can see that the request method is OPTIONS. The “Access-Control-Request-Method: POST” is a header, that shows, that the browser would like to do a POST and asks if it’s possioble.

This is why the “content” isn’t sent yet.

The problem is with the server you are trying to communicate with, some access policy is configured badly and it “catches” OPTIONS requests as well. Or it doesn’t have CORS enabled at all…

abustya on Jun 8, 2017

@bodnia Are you sure the “Access-Control-Allow-Origin” is being used correctly here? As I understand, this is a strictly a response header (a server puts this in the response for an OPTIONS request), but now it is included in POST requests. As this isn’t an expected header in requests, the OAuth server we are using rejects it.

“browser doesn’t allow to fetch anything to another domain. I need to put ‘access-control-allow-origin’ back to the code” CORS requests should be enabled in the server at the “another domain”, not in the client code…

abustya on Jun 8, 2017

@chanurahemal the fix is in the latest master

bodnia on Jun 8, 2017

@chanurahemal browser doesn’t allow to fetch anything to another domain. I need to put ‘access-control-allow-origin’ back to the code.

bodnia on Jun 8, 2017

Thank you @bodnia. I will test very soon and let you know for sure.

chanurahemal on Jun 8, 2017

(Replacing the oauth2-redirect.html with the one in the dev-helpers fixes the first issue.)

abustya on Jun 6, 2017

I’m having similar issues with the accessCode flow, and am interested in some fix.

In my case: The oauth2-redirect page also does’t close, and in the chrome console I can see the following error:

If I return to the main swagger-ui page, I also see a “failed to fetch” error. As I see, the problem here is with CORS. In the console I get this error:

“Request header field access-control-allow-origin is not allowed by Access-Control-Allow-Headers in preflight response.”

And in the preflight request for the POST that would return the access token I see the following:

And it’s true, the “access-control-allow-origin” is not in the allowed headers, but I don’t understand why it would even be requested…

abustya on Jun 6, 2017

@chanurahemal If I find a solution I will post back, please do the same if you find one.

phenbach on Jun 2, 2017