Fozi

Reputation: 5145

Getting Swagger UI oauth2 to work with oidc-provider

I am trying to get Swagger UI to successfully authorize to an oidc-provider instance.

I have set up a minimal (as possible) instance on glitch here: https://glitch.com/~copper-vise

What it does is:

The problem is that I don't seem to be able to get the two to work together. It seems like it could be a Swagger UI bug, but considering my lack of experience with oidc it might simply be a configuration issue.

To try, click the "Authorize" button on the swagger interface, use foo and bar for the client_id and client_secret, check at least the openid scope and click "Authorize". At this point you should get a login prompt. Enter anything you like and log in. At this point the swagger UI should have a token, but I never got it that far.

What I'm getting instead is an invalid_client error; it seems like the oidc-provider expects an authorization request header that the Swagger UI is not providing. The "implicit" flow does not seem to work at all either. As far as I can tell, these are the two flows that the oidc-provider supports (with this configuration?).

I'm stuck, not sure where to go from here. It seems like the right combination of the openapi securitySchemes configuration in the swagger.yaml file and the oidc-provider and client options should get this running.

Upvotes: 0

Views: 1184

Answers (1)

user9775882

It seems swagger is sending client_secret_post client authentication; the default on the IdP is client_secret_basic. If you change the client configuration on the IdP to match the scheme the client is actually using, it'll work.

Upvotes: 0
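The mismatch described in the answer, as an added example that is not part of the original posts and is not oidc-provider's own code: a simplified model of the token endpoint that rejects a request whose client authentication method differs from the registered `token_endpoint_auth_method` (the standard OIDC client metadata field). The helper names and sample requests are assumptions made for illustration.

```javascript
// Simplified model of token-endpoint client authentication (not oidc-provider's code).
// detectAuthMethod, credentials, safeEqual and checkClientAuth are hypothetical helpers.

// Work out which client authentication method a token request actually used.
function detectAuthMethod(req) {
  if ((req.headers.authorization || '').startsWith('Basic ')) return 'client_secret_basic';
  if (new URLSearchParams(req.body).has('client_secret')) return 'client_secret_post';
  return 'none';
}

// Pull client_id/client_secret out of the Authorization header or the form body.
function credentials(req, method) {
  if (method === 'client_secret_basic') {
    const raw = Buffer.from(req.headers.authorization.slice(6), 'base64').toString();
    const i = raw.indexOf(':');
    // RFC 6749 section 2.3.1: both parts are form-urlencoded before base64 encoding.
    const dec = (s) => decodeURIComponent(s.replace(/\+/g, ' '));
    return { id: dec(raw.slice(0, i)), secret: dec(raw.slice(i + 1)) };
  }
  const body = new URLSearchParams(req.body);
  return { id: body.get('client_id'), secret: body.get('client_secret') };
}

// Compares every byte instead of stopping at the first difference.
function safeEqual(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ y[i % (y.length || 1)];
  return diff === 0;
}

// Reject with invalid_client when the method used differs from the registered one.
function checkClientAuth(req, client) {
  const used = detectAuthMethod(req);
  const expected = client.token_endpoint_auth_method || 'client_secret_basic';
  if (used !== expected) return { ok: false, error: 'invalid_client', used, expected };
  const { id, secret } = credentials(req, used);
  const ok = id === client.client_id && safeEqual(secret, client.client_secret);
  return ok ? { ok: true, used } : { ok: false, error: 'invalid_client', used, expected };
}

// Constructed sample requests (not captured traffic); foo/bar are the question's credentials.
const postStyle = { headers: {}, body: 'grant_type=authorization_code&code=SAMPLE&client_id=foo&client_secret=bar' };
const basicStyle = { headers: { authorization: 'Basic ' + Buffer.from('foo:bar').toString('base64') }, body: 'grant_type=authorization_code&code=SAMPLE' };
const defaultClient = { client_id: 'foo', client_secret: 'bar' }; // IdP default: client_secret_basic
const fixedClient = { ...defaultClient, token_endpoint_auth_method: 'client_secret_post' };

console.log(checkClientAuth(postStyle, defaultClient)); // method mismatch: invalid_client
console.log(checkClientAuth(postStyle, fixedClient));   // matches the registered method
```

Logging the `used` and `expected` fields on the IdP side makes this class of `invalid_client` failure quick to tell apart from a wrong secret.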
