swagger-api / swagger-ui

Swagger UI is a collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API.
https://swagger.io
Apache License 2.0

Swagger-ui does not send the response_type parameter for openid connect authentication #7894

Open alhoo opened 2 years ago

alhoo commented 2 years ago

Q&A (please complete the following information)

Content & configuration

OpenID Connect does not work with OpenAPI 3 and Swagger.

Example Swagger/OpenAPI definition:

openapi: 3.0.1
info:
  description: "This is a sample."
  version: "1.0.0"
  title: "Swagger Petstore"
paths:
  /pet:
    get:
      tags:
      - "pet"
      summary: "Add a new pet to the store"
      description: ""
      operationId: "addPet"
      responses:
        "405":
          description: "Invalid input"
      security:
      - petstore_auth:
        - "email"
components:
  securitySchemes:
    petstore_auth:
      type: openIdConnect
      openIdConnectUrl: https://accounts.google.com/.well-known/openid-configuration

Describe the bug you're encountering

When I click authorize and select the last option in the authorization options, I get an error.

Authorization Error
Error 400: invalid_request
Required parameter is missing: response_type

To reproduce...

Steps to reproduce the behavior:

  1. Go to https://editor.swagger.io/
  2. Paste the above config
  3. Click authorize
  4. Select the last authorization option with all scopes
  5. See the error message

Expected behavior

A minimal OpenAPI 3 config with OpenID Connect authentication should allow login.

Additional context or thoughts

Is there a way to set the response_type somehow? Maybe this is only a documentation issue.

alhoo commented 2 years ago

OK, after studying this a bit, I think the issue is that Swagger is showing OpenID authentication methods that are not supported. Google supports the following grant types:

"grant_types_supported": [
  "authorization_code",
  "refresh_token",
  "urn:ietf:params:oauth:grant-type:device_code",
  "urn:ietf:params:oauth:grant-type:jwt-bearer"
]

And we only support the first one. Also, using jwt-bearer requires setting a nonce.

https://developers.google.com/identity/protocols/oauth2/openid-connect

alhoo commented 2 years ago

Maybe Swagger should show that some authorization methods are not available, are disabled or need more configuration?