I'm new to OpenApi and Swagger Ui,I tried Using this but this gives me a response as unable to login and the request Url is correct so I don't understand what i'm doing wrong and i tried using postman with the same url and in the header i'm passing Authorization:{"token":"TOKEN","refreshToken":"REFRESHTOKEN"} it works there:
parameters:
- in: header
name: Authorization
content:
application/json:
schema:
type: object
properties:
token:
type: token
example: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjYwNTFiNGE0MmJhZGI0MTlkZTA5MDRhZiIsImVtYWlsIjoic2hpdmFteWFkYXYucy5rLnlAZ21haWwuY29tIiwiZXhwaXJ5RGF0ZSI6IjIwMjEtMDktMjhUMDA6MDA6MDAuMDAwWiIsInByb3RvY29sIjpmYWxzZSwicGxhblR5cGUiOiJwYWlkIiwidHlwZSI6MSwiY3VycmVudFZlcnNpb24iOiIwLjIuOSIsImJldGFWZXJzaW9uIjoiMC4yLjkiLCJpYXQiOjE2MjU0ODE2MjQsImV4cCI6MTYyNTQ4MzQyNH0.p1KmZkxbieH6lWr6JURbHgHBpkJngJYzlrHOMEWAbXk"
refreshToken:
type: token
example: "5PrWmJyxheJ4hUY2bEHsZBtXRcJhY7v7I4jb9PmwxL9zaMgF8FalWatnl5YOT316y9IiQFzUsBDWyFay6tTR3vP6USaz0DqZ9l0obLGMCP8nmGhMvDQwTaZXGMXqisDy"
required: true
Header parameters named Accept, Content-Type and Authorization are not allowed. check this doc
Related
My spec is as below.
/path:
/user:
get:
parameters:
- name: Authorization
in: header
required: true
schema:
type: string
Problem is that it is giving me the below warning. I get the same warning if I add Content-Type or Accept header.
Header parameters named Authorization are ignored. Use securitySchemes and security to define the Authorization
I tried the below but I don't see Authorization header added in the request. I am using https://editor.swagger.io to create the spec.
/path:
/user:
get:
parameters:
- name: Authorization
in: header
required: true
schema:
type: string
security:
- my_auth: []
components:
securitySchemes:
my_auth:
type: http
scheme: bearer
bearerFormat: JWT
Any help is appreciated. Thanks !!
In the request parameters, there are operation's specific parameters.
The general purpose HTTP headers aren't defined here because:
Content-Type is defined by the request body content. If there are multiple content types, the consumer has to choose and set Content-Type accordingly.
Accept is similar; it only relates to the response message.
For security, we do not describe the Authorization header but instead define the security scheme (see docs for more).
You may use the description property to explain how to use these headers with your API. However, if your API follows standards, it should not be necessary.
Once you have added the security schema to your API definition, you can use the Authorization function of Swagger Editor. So, you will add your token and trigger "Try it out." Swagger will populate the Authorization header; see the attached screenshot.
This question already has an answer here:
Sending cookie session id with Swagger 3.0
(1 answer)
Closed 1 year ago.
I built an API that uses CSRF-Cookies for authentification. Now I want to document this API using OpenAPI/Swagger.
All routes are protected by a middleware that verifies the CSRF-Token, except for /sanctum/csrf-cookie , which is used to initially retrieve the Token.
Therefore, I need the Swagger-UI to include the cookie on each request. I followed the documentation, but it does not work.
Here's an excerpt from my Swagger-Definition:
security:
- cookieAuth: []
paths:
/sanctum/csrf-cookie:
get:
operationId: "getApiToken"
responses:
'204':
description: "successful token retrieval"
headers:
Set-Cookie:
schema:
type: string
/login:
post:
operationId: "loginUser"
requestBody:
content:
application/json:
schema:
type: "object"
properties:
username:
type: string
password:
type: string
components:
securitySchemes:
cookieAuth:
type: apiKey
in: cookie
name: XSRF-TOKEN
As seen in the screenshot of my browsers network monitor, the headers of login request do not contain the XSRF-Token.
In Contrast, this is the exact same request sent by my frontend:
It should be shown in the authorize (lock) icon on the top right corner of the rendered swagger document.
In contrast you can add it to each request by adding the
security:
- api_key: []
block to each route definition. In that case the lock icon on the left side of the request panel in swagger ui should show the information. If you need to see them as headers make sure to add it to the route using a parameters block.
I'm trying to set two different responses of 302 in out API since our API redirects to a different Endpoint depending on the request sent. I'm current using Open API ver 3.0.1. How do I do that?
I basically just want two different Location Headers for the 302
redirect describing how why the particular Location header is returned. Or have two same 302 response codes
I was following this older thread. But it doesn't correctly reference the two different Location headers in the actual API Endpoint, and instead just shows a blank Location header.
My Code snippet is:
responses:
'200':
description: 'Sample 200 Response'
'302':
description: 'Sample 302 Responses. See <302ExpiredRefreshTokenstring> & <302ExpiredUserRefreshTokenstring> schemas for reference'
headers:
Location:
schema:
oneOf:
- $ref: '#/components/schemas/302ExpiredRefreshToken'
- $ref: '#/components/schemas/302ExpiredUserRefreshToken'
And the schema is:
components:
schemas:
302ExpiredRefreshToken:
type: string
example: 'www.<UIEndpoint>/ref-login?SessionId=d3fe5c6959ae0ce502d6027a7693c3ebe4543f51a878d60004e1331723fc0187&redirect_uri=https://www.lazada.com.ph&state=sample_state_54321&refresh_token=sCY2O0kev5Ic516A1INnQwRc8D1hbuOJ&BillerCode=00494&UserId=JBC_28'
description: Redirect URI if Refresh Token (FinTech) has already expired.
302ExpiredUserRefreshToken:
type: string
example: 'www.<UIEndpoint>/cpw-login?SessionId=d3fe5c6959ae0ce502d6027a7693c3ebe4543f51a878d60004e1331723fc0187&redirect_uri=https://www.lazada.com.ph&state=sample_state_54321&refresh_token=sCY2O0kev5Ic516A1INnQwRc8D1hbuOJ&BillerCode=00494&UserId=JBC_28'
description: Redirect URI if User Refresh Token (DigiFi) has already expired. This could be triggered even if the Refresh Token (FinTech) has not expired yet.
Adding multiple examples doesn't work either as it doesn't show the multiple examples, instead it's just a blank
headers:
Location:
schema:
type: string
examples:
'test1':
value: 'value1'
'test2':
value: 'value2'
description: 'Description of Location Header'
But the Multiple examples for a header work when placed on the request paramters as I added examples in the request like this.
parameters:
name: Location
in: header
examples:
test1:
value: 'value2'
summary: 'summary 1'
test2:
value: 'value 1'
summary: 'summary 2'
There's no need for multiple schemas for the Location header because the data type is the same in both cases - type: string. Instead, add multiple examples of the header value:
responses:
...
'302':
description: Some token has expired... Clients should follow the `Location` header to refresh the token.
headers:
Location:
description: URI where the client can refresh the expired token.
schema:
type: string
format: uri # Optional - use if the Location header is an absolute URI, starting with http(s)://
examples:
302ExpiredRefreshToken:
description: Redirect URI if Refresh Token (FinTech) has already expired
value: 'www.<UIEndpoint>/ref-login?SessionId=d3fe5c6959ae0ce502d6027a7693c3ebe4543f51a878d60004e1331723fc0187&redirect_uri=https://www.lazada.com.ph&state=sample_state_54321&refresh_token=sCY2O0kev5Ic516A1INnQwRc8D1hbuOJ&BillerCode=00494&UserId=JBC_28'
302ExpiredUserRefreshToken:
description: >-
Redirect URI if User Refresh Token (DigiFi) has already expired.
This could be triggered even if the Refresh Token (FinTech) has not expired yet.
value: 'www.<UIEndpoint>/cpw-login?SessionId=d3fe5c6959ae0ce502d6027a7693c3ebe4543f51a878d60004e1331723fc0187&redirect_uri=https://www.lazada.com.ph&state=sample_state_54321&refresh_token=sCY2O0kev5Ic516A1INnQwRc8D1hbuOJ&BillerCode=00494&UserId=JBC_28'
But since you use Swagger UI, please note that it currently does not display examples in response headers. Follow this issue for updates: https://github.com/swagger-api/swagger-ui/issues/5432
I'm trying to generate client code with swagger-codegen from a Micronaut server. The problem arises with authenticated POST and PUT routes (it works fine for GET an DELETE).
When I have a method like this in a controller:
#Override
#Post("/")
public Single<? extends HttpResponse> updateStatus(Authentication authentication, GameReference gameReference) {
// ...
}
The resulting swagger for that method looks like this:
post:
tags:
- /presence
description: Updates status
operationId: updateStatus
parameters: []
requestBody:
content:
application/json:
schema:
type: object
properties:
authentication:
$ref: '#/components/schemas/Authentication'
gameReference:
$ref: '#/components/schemas/GameReference'
required: true
responses:
default:
description: HTTP 204 for successful updates.
content:
application/json: {}
So the Authentication Principal has been built into the request body and in generated client code the parameters to that method would be an object with both Authentication and GameReference.
What I have tried to work around this problem:
Add #Parameter(hidden = true) before Authentication parameter. Did not change anything.
Playing around with swagger annotations for authentication, like #SecuritySchema and #SecurityDefention. Authentication Principle still gets generated into the swagger yaml.
Is this a bug in Micronauts Swagger implementation or is there a way to work-around this? Note that this works well for GET and DELETE. There the Authentication Principle is ignored.
It was accepted as a bug by the Micronaut team:
https://github.com/micronaut-projects/micronaut-core/issues/1155
I am using swagger-ui to create and test my apis calls but in case where I have a GET call with Authorization header it fails and returns ERROR. When I try to debug I found out that it sends this GET call as OPTIONS if Authorization header is present, else as a GET call.
The strange part is with Authorization header the POST call works fine.
/urlCode:
get:
description: Initiate something
parameters:
- name: Authorization
in: header
description: Authorization token
required: true
type: string
- name: var
in: query
description: variable
required: true
type: string
format: string
This is a CORS issue. To see what's allowed, web applications must first send an OPTIONS request prior to submitting the actual request (which is why you see OPTIONS and not GET). In order for it to work properly, you must enable CORS on the API itself. Further details can be found in swagger-ui's repository.