swagger-api / swagger-ui

Swagger UI is a collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API.
https://swagger.io
Apache License 2.0

Automatic token refresh for REST API with OpenID Connect authentication? #7257

Open retrofreak83 opened 3 years ago

retrofreak83 commented 3 years ago

Q&A (please complete the following information)

Content & configuration

I am developing an application having a REST API that is secured by Spring Security, using Keycloak to provide OpenID Connect functionalities. The OpenAPI specification is generated using Springdoc. AFAIK, the correct way of getting SwaggerUI to authenticate against OpenID Connect is to use OpenID Connect Discovery.

Swagger/OpenAPI definition:

openapi: 3.0.1
info:
  title: NEW API
  description: This document specifies the API of NEW
  version: v0.1-SNAPSHOT
servers:
  - url: 'http://localhost:8080'
    description: Generated server url
security:
  - oidc: []
paths:
  /p/list:
    get:
      tags:
        - plugin-controller
      operationId: getAllOperations
      responses:
        '200':
          description: OK
          content:
            '*/*':
              schema:
                type: array
                items:
                  type: string
        '400':
          description: Bad Request
          content:
            '*/*':
              schema:
                $ref: '#/components/schemas/JSONResponse'
        '401':
          description: Unauthorized
          content:
            '*/*':
              schema:
                $ref: '#/components/schemas/JSONResponse'
        '403':
          description: Forbidden
          content:
            '*/*':
              schema:
                $ref: '#/components/schemas/JSONResponse'
        '500':
          description: Internal Server Error
          content:
            '*/*':
              schema:
                $ref: '#/components/schemas/JSONResponse'

components:
  schemas:
    JSONResponse:
      type: object
      properties:
        errorData:
          type: string
          description: the raw error data
        token:
          type: string
  securitySchemes:
    oidc:
      type: openIdConnect
      openIdConnectUrl: 'http://localhost:8888/auth/realms/new/.well-known/openid-configuration'

How can we help?

Authorization works well in principle, but the application needs to do a token refresh automatically and regularly. Currently, I can send valid requests to the API until the validity of the token acquired during login has expired. In the SwaggerUI documentation, I did not find how to configure such a thing as token refresh. Is SwaggerUI able to perform an automatic token refresh, or is there eventually a possibility that the user can trigger it manually?

Eli-Black-Work commented 3 years ago

We're looking for this as well.

major-mayer commented 3 years ago

Same problem here using Swagger UI with FastAPI. I can specify a refresh_url in the oauth2_schema, but this doesn't work as expected:

from fastapi.security import OAuth2AuthorizationCodeBearer

# ConfigHandler is the commenter's own configuration helper; only the three URLs are read from it.
oauth2_scheme = OAuth2AuthorizationCodeBearer(
    authorizationUrl=ConfigHandler.get_config()["oauth2"]["authorization_server"]["authorization_url"],  # The endpoint to get the authorization code
    tokenUrl=ConfigHandler.get_config()["oauth2"]["authorization_server"]["token_url"],                  # The endpoint to get the actual access token
    refreshUrl=ConfigHandler.get_config()["oauth2"]["authorization_server"]["token_url"]                 # Same endpoint, used for the refresh_token grant
)

Eli-Black-Work commented 3 years ago

We tried specifying refreshUrl, too, but weren't able to get it to work.

labedzkim commented 3 years ago

Having this would help much in testing our APIs.

tim-lai commented 3 years ago

afaik, Swagger UI does not currently have token refresh. Happy to accept contributions, especially in this subject of authorization/authentication. 😉

tim-lai commented 3 years ago

Thinking about this more, one might be able to use requestInterceptors to define custom handling of an auth request.
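
As an added example (not swagger-ui project code and not from any commenter in this thread), here is what the requestInterceptor suggestion above looks like when it carries out the refresh the original question asks for: before each request, read the `exp` claim of the current access token, and if it is about to expire, exchange the refresh token at the token endpoint using the standard refresh_token grant and rewrite the Authorization header. Assumptions: the security scheme is the `oidc` scheme from the spec above, the token endpoint URL has been taken from the OIDC discovery document (the Keycloak path in the comment is assumed), and the Swagger UI instance is `window.ui`. The helpers are plain functions so they also run under Node.

```javascript
// Added example (not swagger-ui's own code): a Swagger UI requestInterceptor
// that refreshes an OAuth2/OIDC access token shortly before it expires, using
// the refresh_token grant of RFC 6749 section 6. Assumed: scheme name "oidc",
// token endpoint from OIDC discovery, Swagger UI instance at window.ui.

// Decode a base64url JWT segment (Node Buffer or browser atob).
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(segment.length / 4) * 4, '=');
  if (typeof Buffer !== 'undefined') return Buffer.from(b64, 'base64').toString('utf8');
  return atob(b64);
}

// Read the `exp` claim (seconds since epoch) of a JWT, or null if the token is
// not a JWT. This only schedules the refresh; it does not verify the signature,
// which remains the resource server's job.
function decodeJwtExp(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(base64UrlDecode(parts[1]));
    return Number.isFinite(payload.exp) ? payload.exp : null;
  } catch (e) {
    return null;
  }
}

// True when the token expires within skewSeconds of nowSeconds. Opaque
// (non-JWT) tokens return false: their lifetime cannot be read client-side.
function isExpiringSoon(token, nowSeconds, skewSeconds = 30) {
  const exp = decodeJwtExp(token);
  return exp !== null && exp - skewSeconds <= nowSeconds;
}

// Form-encoded body of a refresh_token grant. client_secret is only sent for a
// confidential client; a browser-hosted Swagger UI should be a public client.
function buildRefreshBody({ clientId, refreshToken, clientSecret }) {
  const params = new URLSearchParams({
    grant_type: 'refresh_token',
    refresh_token: refreshToken,
    client_id: clientId,
  });
  if (clientSecret) params.set('client_secret', clientSecret);
  return params.toString();
}

// Build the interceptor. getAuth()/setAuth(auth) read and persist
// { accessToken, refreshToken, clientId, clientSecret? }; fetchImpl and now()
// are injectable so the logic can be exercised without a network or a clock.
function makeRefreshingInterceptor({ tokenUrl, getAuth, setAuth,
                                     fetchImpl = globalThis.fetch,
                                     now = () => Math.floor(Date.now() / 1000) }) {
  return async function requestInterceptor(req) {
    const auth = getAuth();
    if (!auth || !auth.refreshToken || !isExpiringSoon(auth.accessToken, now())) {
      return req; // nothing to do: send the request as Swagger UI built it
    }
    const res = await fetchImpl(tokenUrl, {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: buildRefreshBody(auth),
    });
    if (!res.ok) return req; // refresh rejected (revoked/expired): the API's 401 surfaces it
    const tok = await res.json();
    const updated = {
      ...auth,
      accessToken: tok.access_token,
      // Keycloak rotates refresh tokens; keep the old one only if none is returned
      refreshToken: tok.refresh_token || auth.refreshToken,
    };
    setAuth(updated);
    req.headers = { ...(req.headers || {}), Authorization: 'Bearer ' + updated.accessToken };
    return req;
  };
}

// Browser wiring (assumed shape of the auth state, based on the authSelectors /
// authActions calls that appear elsewhere in this thread):
//   const SCHEME = 'oidc', CLIENT_ID = 'swagger-ui'; // assumed client id
//   const interceptor = makeRefreshingInterceptor({
//     tokenUrl: 'http://localhost:8888/auth/realms/new/protocol/openid-connect/token', // assumed
//     getAuth: () => { const t = window.ui.authSelectors.authorized().getIn([SCHEME, 'token']);
//                      return t ? { accessToken: t.get('access_token'),
//                                   refreshToken: t.get('refresh_token'), clientId: CLIENT_ID } : null; },
//     setAuth: (a) => window.ui.authActions.authorizeOauth2({
//                      auth: { name: SCHEME, clientId: CLIENT_ID },
//                      token: { access_token: a.accessToken, refresh_token: a.refreshToken } }),
//   });
//   window.ui = SwaggerUIBundle({ url: '/v3/api-docs', requestInterceptor: interceptor });
```

Passing the interceptor in the `SwaggerUIBundle({...})` options avoids the timing problem of patching `window.ui` from an injected script, since the hook is registered before any request is made. The refresh token never leaves the browser except to the token endpoint, and a failed refresh is left to surface as the API's own 401 rather than being retried in a loop.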

alexted commented 2 years ago

Any progress on this problem? I also need this functionality.

rakum23 commented 2 years ago

Any progress on this? It will be a great help for developers.

xianrui69 commented 1 year ago

function authorize() {
    // Only run once the Authorize button has rendered and the token cookie exists.
    // `web` and `swg_ui` are the commenter's own globals (cookie helper, SwaggerUI instance).
    if ($('.btn.authorize').length < 1) return;
    if (!web.getCookie('accessToken')) return;
    let a = {
        CoreAPI: {
            name: 'CoreAPI',
            schema: swg_ui.authSelectors.definitionsToAuthorize().get(0).get('CoreAPI'),
            value: 'Bearer ' + web.getCookie('accessToken')
        }
    };
    swg_ui.authActions.authorize(a);
}

rozzilla commented 1 year ago

Any progress on this? It will be a great help for developers.

+1

amanuel-girma commented 1 year ago

I am also looking for this feature in swagger, is there any progress?

ogurevich commented 1 year ago

+1

AswiniKumarV commented 10 months ago

Is there any update on this feature? Do you know anything, @tim-lai?

hjrb commented 9 months ago

I'm suffering with you

sajankp commented 8 months ago

Wish the FastAPI docs could do this.

tarun3301 commented 3 months ago

Any progress on this?

tom300z commented 2 months ago

For anyone looking for a quick workaround, I've written this JS which automatically patches OAuth token refreshing into SwaggerUI at runtime: https://gist.github.com/tom300z/ee48163e5c58e8572a251a593f2026e7

hjrb commented 2 months ago

For anyone looking for a quick workaround, I've written this JS which automatically patches OAuth token refreshing into SwaggerUI at runtime: https://gist.github.com/tom300z/ee48163e5c58e8572a251a593f2026e7

If you are getting 'Cannot patch OAuth token refresh hook. Missing patch target function "window.ui.authActions.authorizeOauth2"': this is how I include the custom-swagger.js in an ASP.NET Core 8 app, in the Program.cs of the web application server:

    app.UseSwaggerUI(c => {
        // ...
        c.InjectJavascript("/custom-swagger.js");
        // ...
    });

Still getting the error.

SthPhoenix commented 1 month ago

For anyone looking for a quick workaround, I've written this JS which automatically patches OAuth token refreshing into SwaggerUI at runtime: https://gist.github.com/tom300z/ee48163e5c58e8572a251a593f2026e7

Any hints on how to actually inject this JS into Swagger? Using, e.g., FastAPI?