Reputation: 7680
I'm trying to use Swashbuckle.AspNetCore 4.1 w/ OAuth application flow. Based on Google searches, my setup looks like this:
    options.AddSecurityDefinition("oauth2", new OAuth2Scheme
    {
        Type = "oauth2",
        Flow = "application",
        TokenUrl = "/token",
    });
This gives me the Authorize dialog with textboxes for client_id and client_secret, but when I look at the request in Fiddler, I see:

    {"client_id":["The client_id field is required."],"client_secret":["The client_secret field is required."]}
With "password" flow, it shows both username/password and client_id, client_secret text boxes and passes in the populated pair, but it always passes in password grant which isn't right for client_id/secret.
Upvotes: 0
Views: 89
Reputation: 1364
If you check Fiddler you will see that the client_id and client_secret are in the request header under Authorization. This will be the string Basic followed by your username and password as a Base64-encoded string.
Something like

    Authorization: Basic MTIzOmFiYw==
Your Token method needs to do something like
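    // requires: using System; using System.Text;
    string authHeader = Request.Headers["Authorization"];
    if (authHeader != null && authHeader.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
    {
        // Strip the scheme name, then decode the Base64 "client_id:client_secret" pair
        string encodedUsernamePassword = authHeader.Substring("Basic ".Length).Trim();
        Encoding encoding = Encoding.GetEncoding("iso-8859-1");
        // Convert.FromBase64String throws FormatException on malformed input; reject the request in that case
        string usernamePassword = encoding.GetString(Convert.FromBase64String(encodedUsernamePassword));
        // Split on the first ':' only; the secret itself may contain colons
        int separatorIndex = usernamePassword.IndexOf(':');
        if (separatorIndex > 0)
        {
            var clientId = usernamePassword.Substring(0, separatorIndex);
            var clientSecret = usernamePassword.Substring(separatorIndex + 1);
        }
    }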
Upvotes: 0
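The header handling from the answer above, extended into a helper that also accepts the client_id/client_secret form fields the question's endpoint was validating. This is an added example, not code from either post; it assumes ASP.NET Core on .NET Core 2.1 or later, and ClientCredentialReader, TryRead and SecretMatches are hypothetical names.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Http;

// Added example; class and method names are hypothetical.
public static class ClientCredentialReader
{
    // True when exactly one credential source yields a non-empty id and a secret.
    public static bool TryRead(HttpRequest request, out string clientId, out string clientSecret)
    {
        clientId = clientSecret = null;
        string header = request.Headers["Authorization"];
        bool hasHeader = header != null
            && header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase);
        bool hasForm = request.HasFormContentType && request.Form.ContainsKey("client_id");

        // RFC 6749 section 2.3: one client authentication method per request.
        // Reject the request when both sources are present or both are missing.
        if (hasHeader == hasForm) return false;

        if (hasForm)
        {
            clientId = request.Form["client_id"];
            clientSecret = request.Form["client_secret"];
        }
        else
        {
            byte[] raw;
            try { raw = Convert.FromBase64String(header.Substring("Basic ".Length).Trim()); }
            catch (FormatException) { return false; }   // malformed Base64

            string pair = Encoding.UTF8.GetString(raw);
            int colon = pair.IndexOf(':');               // split on the first colon only
            if (colon < 0) return false;
            // RFC 6749 section 2.3.1 has clients form-urlencode both values before
            // Base64 encoding; add a decoding step here only if your clients do that.
            clientId = pair.Substring(0, colon);
            clientSecret = pair.Substring(colon + 1);
        }
        return !string.IsNullOrEmpty(clientId) && clientSecret != null;
    }

    // Compares secrets without revealing the first mismatching byte through timing.
    public static bool SecretMatches(string presented, string expected) =>
        CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(presented), Encoding.UTF8.GetBytes(expected));
}
```

Call TryRead at the top of the token action instead of binding client_id and client_secret as required model fields, and return an invalid_client error when it or SecretMatches returns false.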