swagger-api / swagger-ui

Swagger UI is a collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API.
https://swagger.io
Apache License 2.0

After authenticating with OIDC the Authentication header has value "Bearer undefined" #9392

Open Anakin100100 opened 11 months ago

Anakin100100 commented 11 months ago

Q&A (please complete the following information)

Content & configuration

{
    "openapi": "3.1.0",
    "info": {
        "title": "",
        "summary": "",
        "version": ""
    },
    "components": {
        "securitySchemes": {
            "OpenId": {
                "type": "openIdConnect",
                "openIdConnectUrl": "openid configuration discovery endpoint"
            }
        }
    },
    "security": [
        {
            "OpenId": [
                "openid"
            ]
        }
    ]
}

The security scheme and global security definition are added manually to the openapi.json file prepared by Fastapi.

Swagger-UI configuration options:

    const ui = SwaggerUIBundle({
        url: '/openapi.json',
        "dom_id": "#swagger-ui",
        "layout": "BaseLayout",
        "deepLinking": true,
        "showExtensions": true,
        "showCommonExtensions": true,
        oauth2RedirectUrl: window.location.origin + '/docs/oauth2-redirect',
        presets: [
            SwaggerUIBundle.presets.apis,
            SwaggerUIBundle.SwaggerUIStandalonePreset
        ],
    })

The response from open id url/token looks as follows:

{
    "id_token": "correct token",
    "token_type": "Bearer",
    "not_before": 1700229612,
    "id_token_expires_in": 3600,
    "profile_info": "encoded profile info",
    "scope": "openid"
}

Sensitive information has been removed

Describe the bug you're encountering

When the openid flow is finished and the id_token is obtained from the openid domain/token the Authentication header sent to our API has value "Bearer undefined". To the best of my knowledge swagger ui should obtain the access token from oauth 2 using the id token.

To reproduce...

Create and configure an application using openid connect for use in your local environment. Manually add the security definitions as above to the openapi file and log in.

Expected behavior

Access token is obtained and sent to the Fastapi app.

Screenshots

[screenshot ss1] [screenshot ss2]

Additional context or thoughts

The noticeable difference from our frontend that uses msal for auth is not obtaining the access token after having obtained the id_token. When the request is made the access token is undefined but the auth flow is finished and the user is marked as authenticated. Similar issues were reported in the past when users would expect the security definitions to be applied by default without a global security scheme but this is not the case here.

piotrwalczak1 commented 11 months ago

@Anakin100100 after investigation this works as expected. The problem is that "id_token" is used instead of "access_token" as defined in the RFC document. The documentation should be changed to POINT THAT OUT: when using id_token, you should change the token name in the config.
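As an added illustration (not swagger-ui's or the project's own code), the JavaScript below mirrors the selection step the comment describes: the bearer value is looked up in the token response by name, `access_token` by default, so an OIDC response that only carries `id_token` yields `Bearer undefined`. The `x-tokenName` key is the security-scheme vendor extension swagger-ui documents for choosing another field; the function names, the sample spec and the discovery URL are constructed for this example.

```javascript
// Added example: how an OpenAPI UI picks the bearer token out of an OAuth2/OIDC
// token response, and a check that flags schemes whose token name is absent.
// Function names and sample data are constructed for illustration.
const DEFAULT_TOKEN_NAME = "access_token";

// Returns { tokenName, missing, header } for one security scheme and one token response.
function buildAuthorizationHeader(scheme, tokenResponse) {
  // x-tokenName is swagger-ui's vendor extension; without it access_token is used
  const tokenName = scheme["x-tokenName"] || DEFAULT_TOKEN_NAME;
  const tokenValue = tokenResponse[tokenName];
  let tokenType = tokenResponse.token_type;
  if (!tokenType || tokenType.toLowerCase() === "bearer") tokenType = "Bearer";
  return {
    tokenName,
    missing: tokenValue === undefined,
    header: `${tokenType} ${tokenValue}`, // becomes "Bearer undefined" when missing
  };
}

// Walks components.securitySchemes and reports every oauth2/openIdConnect scheme
// whose configured token name does not appear in the IdP's actual token response.
function findMisconfiguredSchemes(openapiDoc, tokenResponse) {
  const schemes = (openapiDoc.components && openapiDoc.components.securitySchemes) || {};
  const problems = [];
  for (const [name, scheme] of Object.entries(schemes)) {
    if (scheme.type !== "oauth2" && scheme.type !== "openIdConnect") continue;
    const result = buildAuthorizationHeader(scheme, tokenResponse);
    if (result.missing) {
      problems.push(`${name}: token response has no "${result.tokenName}"; ` +
                    `fields present: ${Object.keys(tokenResponse).join(", ")}`);
    }
  }
  return problems;
}

// Constructed sample: the token response shape from the issue (values redacted as reported)
const sampleTokenResponse = {
  id_token: "correct token",
  token_type: "Bearer",
  not_before: 1700229612,
  id_token_expires_in: 3600,
  scope: "openid",
};

// The scheme as posted (discovery URL is a placeholder), and the same scheme with x-tokenName set
const schemeAsPosted = { type: "openIdConnect", openIdConnectUrl: "https://idp.example/.well-known/openid-configuration" };
const schemeFixed = { ...schemeAsPosted, "x-tokenName": "id_token" };

console.log(buildAuthorizationHeader(schemeAsPosted, sampleTokenResponse).header); // Bearer undefined
console.log(buildAuthorizationHeader(schemeFixed, sampleTokenResponse).header);    // Bearer correct token
```

Running `findMisconfiguredSchemes` against the served openapi.json and a real (redacted) token response during setup catches this mismatch before users see an unauthenticated request.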