Does Swashbuckle have any documentation on how to pass the bearer token to the API? I am not able to pass the bearer token after upgrading to the latest Swashbuckle ver 2.1.
I've blogged about this before.
services.AddSwaggerGen(options =>
{
    // Declare the "Authorization" header as an API-key style security scheme
    options.AddSecurityDefinition("oauth2", new ApiKeyScheme
    {
        Description = "Standard Authorization header using the Bearer scheme. Example: \"bearer {token}\"",
        In = "header",
        Name = "Authorization",
        Type = "apiKey"
    });
    // Attach the security requirement to the operations that need it
    options.OperationFilter<SecurityRequirementsOperationFilter>();
});
You'll need a copy of SecurityRequirementsOperationFilter, which you can find by googling, or install from my Swashbuckle.AspNetCore.Filters package.
Related
I'm using centrifugo in conjunction with React + Laravel using the centrifugo/centrifugo docker image. It connects to centrifugo itself, but a problem appears: on the client side I use an oauth2 bearer token instead of the usual JWT and pass it as described in the centrifugo documentation:
const centrifuge = new Centrifuge('ws://localhost:8001/connection/websocket', {
    debug: true,
    token: cookies.get(COOKIES.TOKEN) // here the bearer oauth2 token
});
The connection itself takes place, but afterwards centrifugo returns a disconnect saying that the token is incorrect:
{code: 3500, reason: 'invalid token'}
My question is how exactly to teach centrifugo to use a bearer oauth2 token.
I'm using springfox-swagger 3.0.0 to generate the Swagger UI (so I don't have much control over the Swagger UI code), and for my oauth2 authorization I've defined an application flow.
security: {
    key: "OAuth2";
    value: {
        type: TYPE_OAUTH2;
        flow: FLOW_APPLICATION;
        token_url: "/oauth2/token";
        scopes: {
            scope: {
                key: "api"
                value: "Grants access to api"
            }
        }
    }
}
Now my problem is that the client ids my system uses contain colon ":" characters, which are also used to separate the client id from the client secret in the authorization header. This messes up the logic at the token endpoint.
authorization: Basic YXBpOjk1NmZkYmEzLWE1ZmEtNDk0MS1iZDAzLWY3NGY0ZmNhYjM1ZjpzWFNXVlBpcklSN1dsUkRvOG9lNFM2VTR3OEI0VFg4VUUwNm9QR2FyWmVn
If I URL encode my client id value before passing it to the client_id field in the swagger console, everything works ok.
authorization: Basic YXBpJTNBOTU2ZmRiYTMtYTVmYS00OTQxLWJkMDMtZjc0ZjRmY2FiMzVmOnNYU1dWUGlySVI3V2xSRG84b2U0UzZVNHc4QjRUWDhVRTA2b1BHYXJaZWc=
Any idea how I can instruct swagger to URL encode the client id field value before packaging it in the header?
Thanks
You'll have to fork Swagger UI and implement the necessary change in your fork. Then, since you're using Springfox, you'll need to point it to your custom Swagger UI fork instead of the bundled version.
The code that constructs the Authorization header for OAuth requests lives here:
https://github.com/swagger-api/swagger-ui/blob/master/src/core/plugins/auth/actions.js
Tweak either the authorizePassword or authorizeApplication function (depending on your grant type) to percent-encode the clientId:
Authorization: "Basic " + btoa(encodeURIComponent(clientId) + ":" + clientSecret)
I have recently made the transition from Swashbuckle to Swagger-Net. One problem I'm having after making the change is that now I'm unable to call my APIs which require a token sent in the Authorization header. Below is how I had the code in SwaggerConfig.cs before in Swashbuckle, and now in Swagger-Net.
Swashbuckle
//section for .EnableSwagger
c.ApiKey("apiKey")
.Description("API Key Authentication")
.Name("Authorization")
.In("header");
//section for .EnableSwaggerUI
c.EnableApiKeySupport("Authorization", "header");
Swagger-Net
//section for .EnableSwagger
c.ApiKey("Authorization", "header", "API Key Authentication");
For Swagger-Net I can't find any equivalent of the .EnableApiKeySupport in the .EnableSwaggerUI portion. After opening the /Swagger UI and using Authorize to pass my token, it is not sending that token to the API. I can tell it's not being sent as it is not in the sample CURL given.
Yes, on Swagger-Net the ApiKey is all you need:
c.ApiKey("apiKey", "header", "API Key Authentication", typeof(KeyAuthAttribute));
Here is a working example:
http://turoapi.azurewebsites.net/swagger/ui/index#/Echo/Echo_Post
The "protected" actions will show a lock icon on the right, and when you execute them you can see that the curl has the right stuff.
And the code behind is here:
https://github.com/heldersepu/TuroApi/blob/master/TuroApi/App_Start/SwaggerConfig.cs#L67
I'm developing a REST API, MyApi.
In there, I'm using Feign (and swagger codegen) to generate a client for another API, let's call it Ext-API.
The user will have called Ext-API previously and among other things will have retrieved a JWT Token.
He'll then call my API using Basic Auth and in the body it'll give me the JWT token.
I'm to use this JWT token as the auth header to connect to Ext-API from my API and do some more stuff on behalf of the user.
However, all the OAuth & Feign examples rely on OAuth also being used to connect to the API through the generated client.
I can't find how I could, on every request, update the OAuth token.
There is nothing exposed by Feign to do this.
Atm I'm using a regular RestTemplate.
You can use @RequestHeader in the Feign client, see below
import java.util.List;
import org.springframework.cloud.openfeign.FeignClient;
import org.springframework.http.HttpEntity;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
@FeignClient(name = "<name>", configuration = <configclass>)
public interface Client {
    public final String AUTH_TOKEN = "Authorization";
    @RequestMapping(method = RequestMethod.GET, value = "users", produces = "application/json")
    public HttpEntity<List<User>> getUsers(@RequestHeader(AUTH_TOKEN) String oruToken,
                                           @RequestParam("<param>") Integer value);
}
and from your program you can pass the token to the Feign client
I am using OAuth 2.0 for authorization according to this documentation (https://developers.vendhq.com/documentation/oauth.html#oauth) and am getting this error:
"error": "invalid_request", "error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the \"grant_type\" parameter."
Request
Method : POST
Content-Type: application/x-www-form-urlencoded
URL : https://{domain_prefix}.vendhq.com/api/1.0/token
Parameters :
code = {code}
client_id = {app_id}
client_secret = {app_secret}
grant_type = authorization_code
redirect_uri = {redirect_uri}
As per the RFC6749, section 4.1.3, the encoded body of a POST request should look like code={code}&client_id={app_id}&client_secret={app_secret}&grant_type=authorization_code&redirect_uri={redirect_uri}.
Example:
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&client_id=CLIENT_ID_1234&client_secret=CLIENT_SECRET
Do not forget to encode the redirect Uri: http://foo.bar/ => http%3A%2F%2Ffoo.bar%2F
Concerning the authentication error, it may be because the authorization server does not support the client secret in the POST body (or your client is not allowed to use it).
Then try to add the Authorization header with the basic authentication scheme.
The value of this header is Basic {ENCODED_AUTHENTICATION} with {ENCODED_AUTHENTICATION} = base64(client_id + ':' + client_secret)
With this header, the client_id and client_secret in the post request have to be removed. Your request parameters become code={code}&grant_type=authorization_code&redirect_uri={redirect_uri}.
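As an added example (not code from this answer or from the Swagger UI answer above), the following Node script builds the token request described here, with the client credentials either in the form body or in a Basic header, and applies the percent-encoding of the client id that the Swagger UI fork answer suggests, so a client id containing a colon survives the split at the token endpoint. All function names and sample values are constructed.

```javascript
// Added example (not from either answer): builds an RFC 6749 section 4.1.3 token
// request with a form-encoded body and client credentials either in the body or
// in a Basic header whose client_id/client_secret are percent-encoded before
// base64 (section 2.3.1), so a colon inside the client id survives the split.
// All names and sample values are constructed for illustration.

function formEncode(params) {
  // application/x-www-form-urlencoded: percent-encode each key and value
  return Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
}

function basicAuthHeader(clientId, clientSecret) {
  // Encode each half first, then join with ':' and base64 the whole string
  const raw = `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`;
  return 'Basic ' + Buffer.from(raw, 'utf8').toString('base64');
}

function buildTokenRequest({ tokenUrl, code, redirectUri, clientId, clientSecret, clientAuth }) {
  const body = { grant_type: 'authorization_code', code, redirect_uri: redirectUri };
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  if (clientAuth === 'basic') {
    headers.Authorization = basicAuthHeader(clientId, clientSecret);
  } else {
    body.client_id = clientId;
    body.client_secret = clientSecret;
  }
  return { method: 'POST', url: tokenUrl, headers, body: formEncode(body) };
}

// Token-endpoint side: base64-decode, split at the FIRST colon only, then
// percent-decode each half (this is why the client must encode before joining).
function parseBasicAuth(headerValue) {
  const decoded = Buffer.from(headerValue.slice('Basic '.length), 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 0) throw new Error('malformed Basic credentials');
  const clientId = decodeURIComponent(decoded.slice(0, sep));
  const clientSecret = decodeURIComponent(decoded.slice(sep + 1));
  return { clientId, clientSecret };
}

const req = buildTokenRequest({
  tokenUrl: 'https://{domain_prefix}.vendhq.com/api/1.0/token',
  code: 'SplxlOBeZQQYbYS6WxSbIA',
  redirectUri: 'https://client.example.com/cb',
  clientId: 'api:constructed-client-id', // colon inside the id, as in the question
  clientSecret: 'constructed-secret',
  clientAuth: 'basic',
});
console.log(req.headers.Authorization, req.body);
```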
You will need to check the URL to which you are attempting to send your POST to. The service that you are attempting to contact does not exist or is currently unavailable.