Open plk opened 5 years ago
@plk that's correct, Swagger UI doesn't currently support `scheme: negotiate`. This is the first time support for it has been requested 😄
For now, the best option is what you mentioned - go through your auth flow in your user agent. I'm going to tag this as a feature request so we can track direct support for it in Swagger UI.
I'm surprised as so many companies use this internally now and so many use Windows auth for APIs. I know of dozens of such use cases coming up currently. I can test this if there are any beta releases.
I don't understand @plk's requirement. We are a large enterprise and we do use either SPNEGO or certificate-based authentication. Both are supported with OAS 3.1.0 only. There is nothing Swagger UI can do here, but one thing: don't display authenticate because in both cases the browser will do it for you automatically, you don't have any control over. The padlock should be locked and considered as autologon.
Well, Swagger UI uses curl to send the request for the "Try it Out" functionality so I'm not sure the browser is relevant here? When I looked at the requests coming in, there was no attempt to do SPNEGO from the curl requests generated by Swagger UI and so I would assume that when in OAS 3.1, we specify `security: Windows []` or whatever, then Swagger UI needs to pass the relevant arguments to the curl requests to use SPNEGO?
??? Swagger does not use curl, it uses the browser to perform the request. Providing the curl request is just a convenience. All you need for a complete curl request is `--negotiate -u :`
Sorry, I was confused about this. The problem, when I looked at the requests sent by Swagger UI, was that the Negotiate headers were not being sent/responded to for some reason. I couldn't get an NTLM authenticated API to work at all and assumed that this was a missing feature as it wasn't sending/responding in the right way but you are saying that this should work?
I will recheck on Monday and will let you know
Just tried Swagger UI on a non-existing, but constraint endpoint. The response is:
```text
date: Mon, 21 Oct 2019 08:53:40 GMT
server: Apache/2.4.41 (FreeBSD) OpenSSL/1.1.1a-freebsd mod_auth_gssapi/1.6.1
x-frame-options: SAMEORIGIN
cache-control: private
expires: Thu, 01 Jan 1970 00:00:00 GMT
www-authenticate: Negotiate oYHzMIHwoAMKAQChCwYJKoZIgvcSAQICom0Ea2BpBgkqhkiG9xIBAgICAG9aMFigAwIBBaEDAgEPokwwSqADAgESokMEQdsOajUCT/Ox9brkqvCb5FKTv6VUmQt1MTtud2cKgvdaBb8hPw1oq2a3jLU6SkG9g6m/+5kdMkq78cjBwhxf+jPqo20Ea2BpBgkqhkiG9xIBAgICAG9aMFigAwIBBaEDAgEPokwwSqADAgESokMEQdsOajUCT/Ox9brkqvCb5FKTv6VUmQt1MTtud2cKgvdaBb8hPw1oq2a3jLU6SkG9g6m/+5kdMkq78cjBwhxf+jPq
content-type: text/html;charset=utf-8
content-language: de
content-length: 1058
correlation-id: Xa1yESYEQYW3ZEzbgwxkYwAAAMY
keep-alive: timeout=300, max=94
connection: Keep-Alive
```
As you can see the server properly returns a ticket to complete the security context.
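The pasted header can be decoded offline to see what the server actually returned. The following is an added example for this thread, not code from the swagger-ui project; its only input is the `www-authenticate` value above, copied verbatim, and it needs no Kerberos library or KDC. It walks the DER of the SPNEGO `NegTokenResp` (RFC 4178) and of the Kerberos `InitialContextToken` inside it (RFC 2743 / RFC 4121) and reports the negotiation state, the selected mechanism and the kind of Kerberos message carried.

```python
# Added example for this thread, not swagger-ui code: a dependency-free DER walk of a SPNEGO
# NegTokenResp (RFC 4178) and the Kerberos InitialContextToken inside it (RFC 2743 / RFC 4121).
import base64
import re

# The header value pasted in the comment above, copied verbatim (input only).
SAMPLE_HEADER = (
    "Negotiate "
    "oYHzMIHwoAMKAQChCwYJKoZIgvcSAQICom0Ea2BpBgkqhkiG9xIBAgICAG9a"
    "MFigAwIBBaEDAgEPokwwSqADAgESokMEQdsOajUCT/Ox9brkqvCb5FKTv6VU"
    "mQt1MTtud2cKgvdaBb8hPw1oq2a3jLU6SkG9g6m/+5kdMkq78cjBwhxf+jPq"
    "o20Ea2BpBgkqhkiG9xIBAgICAG9aMFigAwIBBaEDAgEPokwwSqADAgESokME"
    "QdsOajUCT/Ox9brkqvCb5FKTv6VUmQt1MTtud2cKgvdaBb8hPw1oq2a3jLU6"
    "SkG9g6m/+5kdMkq78cjBwhxf+jPq"
)

MECH_NAMES = {"1.2.840.113554.1.2.2": "Kerberos V5",
              "1.2.840.48018.1.2.2": "MS-KRB5"}   # Microsoft's Kerberos OID, offered by Windows clients
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
KRB_TOK_IDS = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "KRB-ERROR"}  # RFC 4121 s4.1
ETYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def der_tlv(buf, pos=0):
    """Return (tag, value, end) for the DER element at buf[pos]; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Dotted-string form of a DER OBJECT IDENTIFIER value."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def extract_token(header_value):
    """Base64 blob after 'Negotiate', or None for the bare challenge a 401 carries."""
    m = re.fullmatch(r"\s*Negotiate(?:\s+([A-Za-z0-9+/]+=*))?\s*", header_value, re.IGNORECASE)
    if not m:
        raise ValueError("not a Negotiate header")
    return None if m.group(1) is None else base64.b64decode(m.group(1) + "=" * (-len(m.group(1)) % 4))

def describe_krb_token(tok):
    """Identify the Kerberos message wrapped in a GSS InitialContextToken (tag 0x60)."""
    tag, body, _ = der_tlv(tok)
    if tag != 0x60:
        return {"kind": f"raw token, first byte 0x{tag:02x}"}
    _, oid, pos = der_tlv(body)
    info = {"mech": MECH_NAMES.get(decode_oid(oid), decode_oid(oid)),
            "kind": KRB_TOK_IDS.get(body[pos:pos + 2], "unknown TOK_ID")}
    if info["kind"] == "AP-REP":
        # AP-REP ::= [APPLICATION 15] SEQUENCE { pvno [0], msg-type [1], enc-part [2] EncryptedData }
        _, fields, _ = der_tlv(der_tlv(body, pos + 2)[1])
        p = 0
        while p < len(fields):
            ftag, fval, p = der_tlv(fields, p)
            if ftag == 0xA2:                      # enc-part; etype [0] is its first element
                etype = int.from_bytes(der_tlv(der_tlv(der_tlv(fval)[1])[1])[1], "big")
                info["etype"] = ETYPES.get(etype, f"etype {etype}")
    return info

def parse_negotiate_response(header_value):
    """Parse a server-side Negotiate header value into a dict describing the NegTokenResp."""
    token = extract_token(header_value)
    if token is None:
        return {"kind": "challenge"}              # plain "WWW-Authenticate: Negotiate" on a 401
    tag, body, _ = der_tlv(token)
    if tag == 0x60:
        raise ValueError("NegTokenInit (client -> server), not a server response")
    if tag != 0xA1:
        raise ValueError(f"unexpected outer tag 0x{tag:02x}")
    _, seq, _ = der_tlv(body)
    result = {"kind": "NegTokenResp", "negState": None, "supportedMech": None,
              "responseToken": None, "mechListMIC": None}
    pos = 0
    while pos < len(seq):
        ftag, fval, pos = der_tlv(seq, pos)
        _, inner, _ = der_tlv(fval)               # each field is [n] EXPLICIT around a primitive
        if ftag == 0xA0:
            result["negState"] = NEG_STATES.get(inner[0], f"unknown({inner[0]})")
        elif ftag == 0xA1:
            result["supportedMech"] = decode_oid(inner)
        elif ftag == 0xA2:
            result["responseToken"] = inner
        elif ftag == 0xA3:
            result["mechListMIC"] = inner
    if result["responseToken"] is not None:
        result["inner"] = describe_krb_token(result["responseToken"])
    return result

if __name__ == "__main__":
    r = parse_negotiate_response(SAMPLE_HEADER)
    print(r["kind"], r["negState"], MECH_NAMES.get(r["supportedMech"]), r.get("inner"),
          "mechListMIC == responseToken:", r["mechListMIC"] == r["responseToken"])
```

Run stand-alone it reports a `NegTokenResp` with `negState` accept-completed, the Microsoft Kerberos OID (1.2.840.48018.1.2.2) as `supportedMech`, and inside the `responseToken` an AP-REP under the standard Kerberos OID with etype 18 (AES-256). An AP-REP is the server's half of mutual authentication rather than a ticket, which is what completing the security context looks like on the wire. The script only identifies the structure; verifying the AP-REP needs the session key the browser holds. In this particular token the `mechListMIC` field is a byte-for-byte copy of the `responseToken`, which the script reports rather than interprets.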
You are correct, I cannot remember exactly what I saw originally with this but I think this should be closed. Apologies for the confusion.
This should not be closed, but the above case (autologon) should be implemented in Swagger UI.
That would be helpful, yes. I can’t get SPNEGO to work with the UI in Edge or Firefox but it does work with IE, which I suspect was the source of the original confusion. I suspect this is due to corporate browser setup however.
Firefox and Chrome work perfectly. Edge shall work too. It is simply a setup issue with your client.
> Just tried Swagger UI on a non-existing, but constraint endpoint. The response is:
>
> ```text
> date: Mon, 21 Oct 2019 08:53:40 GMT
> server: Apache/2.4.41 (FreeBSD) OpenSSL/1.1.1a-freebsd mod_auth_gssapi/1.6.1
> x-frame-options: SAMEORIGIN
> cache-control: private
> expires: Thu, 01 Jan 1970 00:00:00 GMT
> www-authenticate: Negotiate oYHzMIHwoAMKAQChCwYJKoZIgvcSAQICom0Ea2BpBgkqhkiG9xIBAgICAG9aMFigAwIBBaEDAgEPokwwSqADAgESokMEQdsOajUCT/Ox9brkqvCb5FKTv6VUmQt1MTtud2cKgvdaBb8hPw1oq2a3jLU6SkG9g6m/+5kdMkq78cjBwhxf+jPqo20Ea2BpBgkqhkiG9xIBAgICAG9aMFigAwIBBaEDAgEPokwwSqADAgESokMEQdsOajUCT/Ox9brkqvCb5FKTv6VUmQt1MTtud2cKgvdaBb8hPw1oq2a3jLU6SkG9g6m/+5kdMkq78cjBwhxf+jPq
> content-type: text/html;charset=utf-8
> content-language: de
> content-length: 1058
> correlation-id: Xa1yESYEQYW3ZEzbgwxkYwAAAMY
> keep-alive: timeout=300, max=94
> connection: Keep-Alive
> ```
>
> As you can see the server properly returns a ticket to complete the security context.

Can you please give an example of how you got it working?
You mean in my YAML file?
> the above case (autologon) should be implemented in Swagger UI.
Yes, please show the output of the `swagger.json` so that we would have a reference on the swagger configurations.
Use case example: https://github.com/domaindrivendev/Swashbuckle.WebApi/issues/340
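Since the thread asks for the `swagger.json` side, here is an added example, not the reporter's file and not swagger-ui code, of an OpenAPI 3.1 document that declares a Negotiate scheme the way the thread describes, together with a small lint for the wiring mistakes such a file can carry: a `scheme` name that is not a registered HTTP authentication scheme, a security requirement that names an undefined scheme, or scopes on an `http` scheme. The scheme name `Windows`, the `/orders` path and the API title are constructed.

```python
# Added example for this thread (not the reporter's swagger.json, not swagger-ui code): an
# OpenAPI 3.1 document with a Negotiate security scheme, plus a lint for the wiring errors
# that silently break it. Scheme name "Windows", the /orders path and the title are constructed.
import json

# IANA HTTP Authentication Scheme Registry names that OAS 3.x `http` schemes must use
# (lower-cased; not exhaustive).
IANA_HTTP_AUTH_SCHEMES = {"basic", "bearer", "digest", "hoba", "mutual", "negotiate",
                          "oauth", "scram-sha-1", "scram-sha-256", "vapid"}

OPENAPI_DOC = {
    "openapi": "3.1.0",
    "info": {"title": "Intranet API", "version": "1.0.0"},
    "components": {"securitySchemes": {"Windows": {
        "type": "http",
        "scheme": "negotiate",
        "description": "Kerberos/NTLM via SPNEGO. The browser completes the exchange on its "
                       "own; Swagger UI adds no header, so there is nothing to enter here.",
    }}},
    "security": [{"Windows": []}],           # applies to every operation
    "paths": {"/orders": {"get": {"summary": "List orders",
                                  "responses": {"200": {"description": "OK"}}}}},
}

def lint_security(doc):
    """Return a list of problems with the security wiring; an empty list means it is consistent."""
    problems = []
    schemes = doc.get("components", {}).get("securitySchemes", {})
    for name, s in schemes.items():
        if s.get("type") == "http" and str(s.get("scheme", "")).lower() not in IANA_HTTP_AUTH_SCHEMES:
            problems.append(f"{name}: scheme {s.get('scheme')!r} is not a registered HTTP auth scheme")
    requirements = list(doc.get("security", []))
    for item in doc.get("paths", {}).values():
        for op in item.values():
            if isinstance(op, dict):             # skip path-level parameters/servers lists
                requirements.extend(op.get("security", []))
    for req in requirements:
        for name, scopes in req.items():
            if name not in schemes:
                problems.append(f"security requirement names undefined scheme {name!r}")
            elif schemes[name].get("type") in ("http", "apiKey") and scopes:
                problems.append(f"{name}: scopes only apply to oauth2/openIdConnect schemes")
    return problems

def render_swagger_json(doc):
    """The document as Swagger UI would load it; raises if the lint finds anything."""
    problems = lint_security(doc)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(doc, indent=2)

if __name__ == "__main__":
    print(render_swagger_json(OPENAPI_DOC))
```

With this document loaded, Swagger UI shows the padlock for the `Windows` scheme but sends nothing itself; whether the request authenticates depends entirely on the browser being allowed to negotiate with the API's origin, which is the setup point raised earlier in the thread.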
I see that OAS3 allows for "negotiate" authentication but Swagger-UI seems not to implement this? This is a very common thing in corporate APIs, naturally. Swagger-UI does not do the usual Windows Negotiate header exchange with the "Try It Out" functionality even though identical requests work fine with NTLM/Kerberos negotiated authentication directly in the browser. If there is any way to get this to work, I would be interested.