swagger-api / swagger-ui

Swagger UI is a collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API.
https://swagger.io
Apache License 2.0

Support OAuth 2.0 Client credentials flow with credentials in a body #9127

Open lazystone opened 1 year ago

lazystone commented 1 year ago

Duplicate of #6125 but with more details.

According to https://datatracker.ietf.org/doc/html/rfc6749#section-2.3

> If the client type is confidential, the client and authorization server establish a client authentication method suitable for the security requirements of the authorization server.

That is actually implemented in OpenID for confidential clients: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

So, OpenID considers client authentication method as a MUST and does not allow alternatives, RFC does not say anything on that matter, so my bet is that OpenID follows a standard here.

Problem is that many Clients are generated with client_secret_post authentication method and DO NOT support client_secret_basic (my guess just because parameters in body are easier for developers), and the same client credentials can't be used in Swagger UI then.

Workaround here would be to generate separate clients, but that defies the whole purpose of Swagger UI when it's being used for investigations or troubleshooting.

It would be super nice if Swagger UI could support credentials in a body, since it's actually a part of specification and in reality used by widely used tools like OpenID.

P.S.: Unlike #6220 I suggest to make it a UI fix only - there is no need to make any changes in OpenApi specification itself, since it's not possible to know what kind of client will be used.

Instead it could be a simple checkbox in the UI specifying how to pass credentials (header or body).
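The two client authentication methods this issue contrasts, as an added example in JavaScript that is not code from Swagger UI or from anyone in this thread: the same client credentials grant is built once with `client_secret_basic` (Authorization header) and once with `client_secret_post` (form body). The token URL, client id and secret are constructed placeholders, and `buildTokenRequest`, `basicAuthHeader` and `requestToken` are hypothetical helper names.

```javascript
// Added example, not Swagger UI's own code. Builds an OAuth 2.0 client
// credentials token request (RFC 6749 section 4.4) using one of the two
// client authentication methods discussed above.
const TOKEN_URL = 'https://login.example.test/oauth2/v2.0/token'; // constructed placeholder

function basicAuthHeader(clientId, clientSecret) {
  // RFC 6749 section 2.3.1: the id and secret are form-urlencoded before
  // Base64-encoding, so a ':' or '%' inside a secret cannot break parsing.
  const pair = `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`;
  return 'Basic ' + Buffer.from(pair, 'utf8').toString('base64');
}

function buildTokenRequest({ clientId, clientSecret, scope, method }) {
  const params = new URLSearchParams({ grant_type: 'client_credentials' });
  if (scope) params.set('scope', scope);
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };

  // RFC 6749 section 2.3: a client MUST NOT use more than one authentication
  // method in a request, so the secret is placed in exactly one location.
  if (method === 'client_secret_basic') {
    headers.Authorization = basicAuthHeader(clientId, clientSecret);
  } else if (method === 'client_secret_post') {
    // What Azure AD / B2C style providers in this thread expect.
    params.set('client_id', clientId);
    params.set('client_secret', clientSecret);
  } else {
    throw new Error(`unsupported client authentication method: ${method}`);
  }
  return { url: TOKEN_URL, method: 'POST', headers, body: params.toString() };
}

// Sends the built request; fetchImpl is injectable so the transport can be
// stubbed (the real global fetch is used when none is supplied).
async function requestToken(opts, fetchImpl = fetch) {
  const req = buildTokenRequest(opts);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) throw new Error(`token endpoint returned HTTP ${res.status}`);
  return res.json(); // { access_token, token_type, expires_in, ... }
}
```

A UI checkbox as proposed above would simply select the `method` value passed to `buildTokenRequest`; the token request is otherwise identical.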

ahmadakhmiev commented 1 year ago

We use Azure AD to generate tokens and passing the client_id/client_secret in Authorization header doesn't work with Azure AD.

peteraritchie commented 10 months ago

Related to #6125?

bedadiggelmann commented 9 months ago

I am facing the same issue with Azure B2C as token provider. Client id and client secret need to be passed in the body. See: Azure B2C - Obtain an access token

lazystone commented 9 months ago

> Related to #6125?

It's in the description.

akozmic commented 9 months ago

Also ran into issue with Azure B2C token. Right now we cannot use Swagger for Client-Credentials because Microsoft only accepts the ClientId/Secret in POST body instead of Authorization header.

I understand the RFC docs state

> The authorization server MUST support the HTTP Basic authentication scheme for authenticating clients that were issued a client password.

The problem is that it makes it impossible to work with any 3rd-parties that don't maintain that strict adherence to the RFC, and often we as developers don't have a choice in the matter. In this case, the provider isn't some small one-man shop, it's Microsoft.

It's perfectly logical that a tool would strictly adhere to the RFC by default but these types of options are essential to work in the exception cases or we're left with no recourse.

JJRdec commented 8 months ago

Any movement on this?