OAuth ClientCredentials doesn't pass client_id and client_secret in request body.
Q&A (please complete the following information)
- OS: Windows
- Browser: Firefox
- Version: 124.0.2
- Method of installation: dist folder
- Swagger-UI version: v5.15.0
- Swagger/OpenAPI version: 3.0.1
Content & configuration
Example Swagger/OpenAPI definition:
```json
{
  "openapi": "3.0.1",
  "info": {
    "title": "Test Api",
    "description": "testy testy",
    "version": "v1"
  },
  "paths": {
    "/api/rating-unit": {
      "post": {
        "tags": [
          "Property"
        ],
        "summary": "Create a rating unit changed notification",
        "requestBody": {
          "description": "",
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/CloudEvent"
              }
            }
          }
        },
        "responses": {
          "201": {
            "description": "Created"
          }
        }
      }
    }
  },
  "components": {
    "schemas": {
      "CloudEvent": {
        "required": [
          "data",
          "id",
          "source",
          "specversion",
          "subject",
          "time",
          "type"
        ],
        "type": "object",
        "properties": {
          "data": {
            "$ref": "#/components/schemas/Data"
          },
          "id": {
            "type": "string",
            "format": "uuid",
            "example": "5565db35-01a9-4596-b611-9b26d2210c6e"
          },
          "specversion": {
            "minLength": 1,
            "type": "string",
            "example": "1"
          },
          "source": {
            "minLength": 1,
            "type": "string",
            "example": "/1/S1D200/ZA_RE_PROPERTY"
          },
          "subject": {
            "minLength": 1,
            "type": "string",
            "example": "NoticeOfChange"
          },
          "time": {
            "type": "string",
            "format": "date-time"
          },
          "type": {
            "minLength": 1,
            "type": "string",
            "example": "sap.s4.refx.ratingunit.Changed.v1"
          }
        },
        "additionalProperties": false
      },
      "Data": {
        "required": [
          "ratingUnits"
        ],
        "type": "object",
        "properties": {
          "ratingUnits": {
            "type": "array",
            "items": {
              "$ref": "#/components/schemas/RatingUnit"
            }
          }
        },
        "additionalProperties": false
      },
      "RatingUnit": {
        "required": [
          "ratingUnitNumber"
        ],
        "type": "object",
        "properties": {
          "ratingUnitNumber": {
            "minLength": 1,
            "type": "string",
            "example": "5010000141"
          }
        },
        "additionalProperties": false
      }
    },
    "securitySchemes": {
      "oauth2": {
        "type": "oauth2",
        "flows": {
          "clientCredentials": {
            "tokenUrl": "https://login.microsoftonline.com/99cf3097-888d-4695-bf1f-f3856b777551/oauth2/v2.0/token",
            "scopes": {
              "0eb0f66f-85af-47ca-872c-29b161bf36b7/.default": "Reads the Weather forecast"
            }
          }
        }
      }
    }
  },
  "security": [
    {
      "oauth2": []
    }
  ]
}
```
Describe the bug you're encountering
I am trying to get an Authorization token in Swagger-UI from Microsoft's Entra ID (formerly known as Azure AD) using client credentials flow. However, I get a 400 because Swagger-UI is not passing the client_id and client_secret in the request body, which Entra ID requires.
An older issue had the same problem, but with Auth0: https://github.com/swagger-api/swagger-ui/issues/4533
To reproduce...
Steps to reproduce the behavior:
- Go to https://editor.swagger.io/
- Paste my swagger.json above
- Press the Authorize button
- Enter client_id abc and client_secret def
- Press the Authorize button
- In Browser dev tools, click on the request to login.microsoftonline.com which has thrown a 400 (we're gonna ignore the CORS error for now, that's another issue)
- Click on Request - notice that only grant_type and scope have been sent in the request - client_id and client_secret are missing. (They are instead sent in an Authorization header). N.B. I have also reproduced this by running latest v5.15.0 of Swagger-UI on my localhost.
Expected behavior
Please add a configuration value to allow us to send the client_id and client_secret in the request body instead of in the Authorization header (current behaviour).
Related issue: https://github.com/domaindrivendev/Swashbuckle.AspNetCore/issues/2544
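For reference, the two shapes of the token request are both defined by RFC 6749 section 2.3.1: the client may authenticate with an HTTP Basic `Authorization` header built from `client_id:client_secret` (what the report shows Swagger-UI sending), or by putting `client_id` and `client_secret` in the form-encoded body (what the report says Entra ID expects). The block below is an added example, not Swagger-UI or Swashbuckle code, showing a `requestInterceptor` that rewrites the first shape into the second. It assumes Swagger-UI routes its token request through the configured `requestInterceptor` as an object with `url`, `headers` and a form-encoded string `body`, and that the Basic credential is the raw `client_id:client_secret` without URL-encoding; `TOKEN_URL` and the sample request are constructed from the definition above. Note that whichever shape is used, the client secret still lives in the browser and is visible to anyone who can open the UI, so only a throwaway, dev-only secret belongs here.

```javascript
// Added example (not swagger-ui project code). Moves HTTP Basic client
// credentials on the OAuth token request into the request body
// (client_secret_basic -> client_secret_post).
// Assumption: swagger-ui passes its token request through requestInterceptor
// as { url, method, headers, body } with a form-encoded string body.

// Token endpoint from the OpenAPI definition in the report.
const TOKEN_URL =
  "https://login.microsoftonline.com/99cf3097-888d-4695-bf1f-f3856b777551/oauth2/v2.0/token";

// Return the actual header key matching `name` case-insensitively, or undefined.
function findHeaderKey(headers, name) {
  return Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
}

// requestInterceptor: only touches the token request, only when it carries a
// Basic credential; every other request is returned unchanged.
function basicToPost(req) {
  if (req.url !== TOKEN_URL) return req;
  const headers = req.headers || {};
  const authKey = findHeaderKey(headers, "authorization");
  if (!authKey) return req;
  const match = /^Basic\s+([A-Za-z0-9+/]+=*)$/.exec(headers[authKey]);
  if (!match) return req;

  // Assumption: swagger-ui base64-encodes the raw "client_id:client_secret"
  // pair, so we split on the first colon and do not URL-decode the parts.
  const decoded = atob(match[1]);
  const sep = decoded.indexOf(":");
  if (sep < 0) return req;
  const clientId = decoded.slice(0, sep);
  const clientSecret = decoded.slice(sep + 1);

  // Keep grant_type/scope that swagger-ui already put in the body and add the
  // client credentials as form fields; drop the Authorization header so the
  // server does not see both authentication methods at once.
  const form = new URLSearchParams(typeof req.body === "string" ? req.body : "");
  form.set("client_id", clientId);
  form.set("client_secret", clientSecret);
  const newHeaders = { ...headers };
  delete newHeaders[authKey];
  return { ...req, headers: newHeaders, body: form.toString() };
}

// Constructed sample matching what the report describes swagger-ui sending
// after entering client_id "abc" and client_secret "def".
const sampleRequest = {
  url: TOKEN_URL,
  method: "POST",
  headers: {
    "Content-Type": "application/x-www-form-urlencoded",
    Authorization: "Basic " + btoa("abc:def"),
  },
  body:
    "grant_type=client_credentials&scope=" +
    encodeURIComponent("0eb0f66f-85af-47ca-872c-29b161bf36b7/.default"),
};

// Wiring (assumed swagger-ui config option):
//   SwaggerUIBundle({ url: "/swagger/v1/swagger.json", requestInterceptor: basicToPost })
```

The interceptor is deliberately scoped to the exact token URL so it never rewrites ordinary API calls, and it leaves the request alone if the header is absent or not Basic, which is what you want if a future Swagger-UI version starts sending the credentials in the body itself.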