swagger-api / swagger-ui

Swagger UI is a collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API.
https://swagger.io
Apache License 2.0

Basic Authorization Header is not correctly encoded in requests to OIDC servers #8073

Open Suchiman opened 2 years ago

Suchiman commented 2 years ago

Content & configuration

    "securitySchemes": {
      "oidc": {
        "type": "openIdConnect",
        "openIdConnectUrl": "https://example.com/.well-known/openid-configuration"
      }
    }

Describe the bug you're encountering

When using a ClientId or ClientSecret that contains non-ASCII characters, a compliant OIDC server will reject the Authorization header from swagger-ui, because the clientid / clientsecret are not application/x-www-form-urlencoded and the server tries to interpret the Unicode characters as ASCII. https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1

To reproduce...

  1. Open swagger
  2. Authenticate via client_credentials using a ClientSecret that contains §, for example.
  3. OIDC server will respond with "invalid client credentials"

Expected behavior

If the OpenAPI specification states an openIdConnectUrl that specifies client_secret_basic, then the basic credentials should be application/x-www-form-urlencoded prior to base64 encoding. For OAuth2 servers, the most compatible option is probably the current behavior.
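The encoding difference this report describes, as an added example that is not swagger-ui's own code: a naive Basic header that base64-encodes the raw UTF-8 id:secret, beside the RFC 6749 §2.3.1 client_secret_basic form that form-urlencodes each part first, plus a server-side parse that rejects non-ASCII bytes the way the report says the OIDC server does. Function names are assumed, and Node's Buffer is used for base64.

```javascript
// Added example, not swagger-ui code. RFC 6749 §2.3.1: for client_secret_basic the
// token endpoint expects client_id and client_secret to be application/x-www-form-urlencoded
// *before* they are joined with ":" and base64-encoded into the Basic header.

// application/x-www-form-urlencoded encoding of one form value: encodeURIComponent,
// then the characters the form-encoding rules treat differently (space -> "+", and
// the few characters encodeURIComponent leaves bare that form encoding escapes).
function formUrlEncode(value) {
  return encodeURIComponent(value)
    .replace(/%20/g, '+')
    .replace(/[!'()~]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// What the bug report describes: raw UTF-8 "id:secret" base64'd with no form encoding.
// A secret containing "§" therefore puts the bytes C2 A7 into the decoded credentials.
function naiveBasicHeader(clientId, clientSecret) {
  return 'Basic ' + Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
}

// Compliant client_secret_basic: form-encode each part, then base64 the ASCII result.
// As a side effect a ":" inside the client_id becomes "%3A", so the split stays unambiguous.
function rfc6749BasicHeader(clientId, clientSecret) {
  const credentials = `${formUrlEncode(clientId)}:${formUrlEncode(clientSecret)}`;
  return 'Basic ' + Buffer.from(credentials, 'utf8').toString('base64');
}

// Server side: decode the header as a strict token endpoint would. Any non-ASCII byte
// in the decoded credentials is the "invalid client credentials" rejection from the report;
// otherwise each half is form-decoded back to the original value.
function parseBasicHeader(header) {
  const decoded = Buffer.from(header.slice('Basic '.length), 'base64').toString('latin1');
  if (/[^\x20-\x7e]/.test(decoded)) return null; // non-ASCII -> reject
  const idx = decoded.indexOf(':');
  if (idx < 0) return null;
  const formDecode = (s) => decodeURIComponent(s.replace(/\+/g, '%20'));
  return {
    clientId: formDecode(decoded.slice(0, idx)),
    clientSecret: formDecode(decoded.slice(idx + 1)),
  };
}
```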

hkosova commented 1 year ago

Related (or duplicate): #5123