My spec is as below.
/path:
/user:
get:
parameters:
- name: Authorization
in: header
required: true
schema:
type: string
Problem is that it is giving me the below warning. I get the same warning if I add Content-Type or Accept header.
Header parameters named Authorization are ignored. Use securitySchemes and security to define the Authorization
I tried the below but I don't see Authorization header added in the request. I am using https://editor.swagger.io to create the spec.
/path:
/user:
get:
parameters:
- name: Authorization
in: header
required: true
schema:
type: string
security:
- my_auth: []
components:
securitySchemes:
my_auth:
type: http
scheme: bearer
bearerFormat: JWT
Any help is appreciated. Thanks !!
In the request parameters, there are operation's specific parameters.
The general purpose HTTP headers aren't defined here because:
Content-Type is defined by the request body content. If there are multiple content types, the consumer has to choose and set Content-Type accordingly.
Accept is similar; it only relates to the response message.
For security, we do not describe the Authorization header but instead define the security scheme (see docs for more).
You may use the description property to explain how to use these headers with your API. However, if your API follows standards, it should not be necessary.
Once you have added the security schema to your API definition, you can use the Authorization function of Swagger Editor. So, you will add your token and trigger "Try it out." Swagger will populate the Authorization header; see the attached screenshot.
Related
I'm new to OpenApi and Swagger Ui,I tried Using this but this gives me a response as unable to login and the request Url is correct so I don't understand what i'm doing wrong and i tried using postman with the same url and in the header i'm passing Authorization:{"token":"TOKEN","refreshToken":"REFRESHTOKEN"} it works there:
parameters:
- in: header
name: Authorization
content:
application/json:
schema:
type: object
properties:
token:
type: token
example: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjYwNTFiNGE0MmJhZGI0MTlkZTA5MDRhZiIsImVtYWlsIjoic2hpdmFteWFkYXYucy5rLnlAZ21haWwuY29tIiwiZXhwaXJ5RGF0ZSI6IjIwMjEtMDktMjhUMDA6MDA6MDAuMDAwWiIsInByb3RvY29sIjpmYWxzZSwicGxhblR5cGUiOiJwYWlkIiwidHlwZSI6MSwiY3VycmVudFZlcnNpb24iOiIwLjIuOSIsImJldGFWZXJzaW9uIjoiMC4yLjkiLCJpYXQiOjE2MjU0ODE2MjQsImV4cCI6MTYyNTQ4MzQyNH0.p1KmZkxbieH6lWr6JURbHgHBpkJngJYzlrHOMEWAbXk"
refreshToken:
type: token
example: "5PrWmJyxheJ4hUY2bEHsZBtXRcJhY7v7I4jb9PmwxL9zaMgF8FalWatnl5YOT316y9IiQFzUsBDWyFay6tTR3vP6USaz0DqZ9l0obLGMCP8nmGhMvDQwTaZXGMXqisDy"
required: true
Header parameters named Accept, Content-Type and Authorization are not allowed. check this doc
I'm using springfox-swagger 3.0.0 to generate the Swagger UI (so I don't have much control over the Swagger UI code), and for my oauth2 authorization I've defined an application flow.
security: {
key: "OAuth2";
value: {
type: TYPE_OAUTH2;
flow: FLOW_APPLICATION;
token_url: "/oauth2/token";
scopes: {
scope: {
key: "api"
value: "Grants access to api"
}
}
}
}
Now my problem is that the client ids my system uses, contains colon ":" characters, which are also use to separate client id from client secret in the authorization header. This messed up the logic at the token endpoint.
authorization: Basic YXBpOjk1NmZkYmEzLWE1ZmEtNDk0MS1iZDAzLWY3NGY0ZmNhYjM1ZjpzWFNXVlBpcklSN1dsUkRvOG9lNFM2VTR3OEI0VFg4VUUwNm9QR2FyWmVn
If I URL encode my client id value before passing it to the client_id field in the swagger console, everything works ok.
authorization: Basic YXBpJTNBOTU2ZmRiYTMtYTVmYS00OTQxLWJkMDMtZjc0ZjRmY2FiMzVmOnNYU1dWUGlySVI3V2xSRG84b2U0UzZVNHc4QjRUWDhVRTA2b1BHYXJaZWc=
Any idea how can I instruct swagger to URL encode the client id field value before packaging it in the header?
Thanks
You'll have to fork Swagger UI and implement the necessary change in your fork. Then, since you're using Springfox, you'll need to point it to your custom Swagger UI fork instead of the bundled version.
The code that constructs the Authorization header for OAuth requests lives here:
https://github.com/swagger-api/swagger-ui/blob/master/src/core/plugins/auth/actions.js
Tweak either the authorizePassword or authorizeApplication function (depending on your grant type) to percent-encode the clientId:
Authorization: "Basic " + btoa(encodeURIComponent(clientId) + ":" + clientSecret)
I am facing fellow two problems related to Swagger open API
I am not able to pass custom header through swagger open API while calling my API, please suggest how can we pass custom header, through swagger open API.
When I added POI dependency on my project's pom.xml, it stopped working through swagger open API, however, it is working with the postman, please suggest what could be the issue.
From Describing Parameters:
An API call may require that custom headers be sent with an HTTP request. OpenAPI lets you define custom request headers as in: header parameters. For example, suppose, a call to GET /ping requires the X-Request-ID header:
GET /ping HTTP/1.1
Host: example.com
X-Request-ID: 77e1c83b-7bb0-437b-bc50-a7a58e5660ac
Using OpenAPI 3.0, you would define this operation as follows:
paths:
/ping:
get:
summary: Checks if the server is alive
parameters:
- in: header
name: X-Request-ID
schema:
type: string
format: uuid
required: true
My API consumes requests only with Header - Content-type:application/json object.
To do the same I use:
#OA\RequestBody(
description= "Provide company search parameter",
required= true,
#OA\JsonContent(
type="object",
#OA\Property(property="company_name", type="string")
)
)
But for some requests I don't need the RequestBody, only hit the resource and get data. How do I do it without RequestBody?
P.S. This request requires a GET method (POST can be used, if that helps) but GET doesn't accept a RequestBody.
This case cannot be described by OAS 3.0, and the restriction on GET requestBodies is to avoid attempting to describe API behaviour which the HTTP spec says is undefined. The restriction on specifying Content-Type as a 'manually' defined header is also to ensure there is no ambiguity as to which mechanism is supposed to set this header.
https://github.com/OAI/OpenAPI-Specification/issues/1628
When a client is sending the Content-Type header, it is used to describe the body of the request (not the response)
To influence the the response type a client can send an Accept header.
For example: Accept: application/json
I am using swagger-ui to create and test my apis calls but in case where I have a GET call with Authorization header it fails and returns ERROR. When I try to debug I found out that it sends this GET call as OPTIONS if Authorization header is present, else as a GET call.
The strange part is with Authorization header the POST call works fine.
/urlCode:
get:
description: Initiate something
parameters:
- name: Authorization
in: header
description: Authorization token
required: true
type: string
- name: var
in: query
description: variable
required: true
type: string
format: string
This is a CORS issue. To see what's allowed, web applications must first send an OPTIONS request prior to submitting the actual request (which is why you see OPTIONS and not GET). In order for it to work properly, you must enable CORS on the API itself. Further details can be found in swagger-ui's repository.