Open mihalios opened 4 years ago
I think I've found the same problem as @mihalios, using Win 10/Firefox 84.0.2. This is the screenshot of the error message:
The Api repo is here
Edit: This is the identity server log:
2021-01-23 11:42:46.069 +07:00 [ERR] Request validation failed
2021-01-23 11:43:18.227 +07:00 [ERR] Invalid authorization code{"code":"Ze3nOl7CzFrgiXo363R88k_uecCR8fOdgz8ZMGQf2cs"}, details: {"ClientId":"JokizillaApiSwagger","ClientName":"Jokizilla Api Swagger","GrantType":"authorization_code","Scopes":null,"AuthorizationCode":"Ze3nOl7CzFrgiXo363R88k_uecCR8fOdgz8ZMGQf2cs","RefreshToken":null,"UserName":null,"AuthenticationContextReferenceClasses":null,"Tenant":null,"IdP":null,"Raw":{"grant_type":"authorization_code","code":"Ze3nOl7CzFrgiXo363R88k_uecCR8fOdgz8ZMGQf2cs","client_id":"JokizillaApiSwagger","redirect_uri":"https://xxx.xxx/swagger/oauth2-redirect.html","code_verifier":"N6llLvrq841it4kwlTYh-Ui4DMv17J8cT5wQmGdyJGE"},"$type":"TokenRequestValidationLog"}
Regards,
Martinus
Does anyone have a fix or workaround? - Besides manually clearing cookies via hard refresh or similar.
@MikaelElkiaer you don't need to clear cookies or do a hard refresh. The issue I raised concerns login/logout/re-login from the same OAuth pop-up. If you login, then logout, then close the pop-up and click again on 'Authorize' it'll work.
This is more of a UX bug than anything else.
To answer your question, I'm not aware of a fix/workaround.
@miha-lios The workaround is actually to close and open the pop-up. It seems that the authorization code is not cookie cached, but saved within the pop-up.
Thanks for clarifying that. :)
I met this issue in my development with swagger-ui v5.12.0.
I found the reason behind is that the code of the 1st time authorization is stored and not covered by the code of the 2nd time authn.
I tried
authorized.setIn([authorizedName, "code"], "")
in customized logout, failed.
Here is the server side log, it shows a new code generated and sent back to frontend, but the old code used in new authn:
OK, I found this issue could be resolved by emptying the payload.auth.code in authorizeOauth2 as following:
window.onload = function() {
window.ui = SwaggerUIBundle({
url: urlParam,
dom_id: '#swagger-ui',
deepLinking: true,
presets: [
SwaggerUIBundle.presets.apis,
SwaggerUIStandalonePreset
],
plugins: [
SwaggerUIBundle.plugins.DownloadUrl,
function() {
return {
statePlugins: {
auth: {
wrapActions: {
authorizeOauth2: (oriAction, system) => (payload) => {
payload.auth.code = ""
return oriAction(payload)
}
}
}
}
}
}
],
layout: "StandaloneLayout",
});
};
Q&A (please complete the following information)
Describe the bug you're encountering (includes steps to re-produce)
Expected behavior
User should be able to authorize/logout/authorize/etc in the same pop-up.
Screenshots
Unfortunately I cannot upload the screenshot at the moment. The error appears in the OAuth pop-up, in a red banner above the 'Authorize' and 'Close' buttons.
Additional context or thoughts
I've yet to verify my hypothesis but I suspect that Swagger UI is not clearing the auth code upon logout. So when the user tries to re-authorize, in the same pop-up, Swagger re-uses the auth code, which is only good strictly for one request (the first one).