Reputation: 17048
I am using Swagger with springdoc-openapi-ui 1.4.3.
import io.swagger.v3.oas.annotations.security.SecurityRequirement;

@SecurityRequirement(name = "security_auth")
public class ProductController {}
Setting the security scheme
import io.swagger.v3.oas.annotations.enums.SecuritySchemeType;
import io.swagger.v3.oas.annotations.security.OAuthFlow;
import io.swagger.v3.oas.annotations.security.OAuthFlows;
import io.swagger.v3.oas.annotations.security.OAuthScope;
import io.swagger.v3.oas.annotations.security.SecurityScheme;

@SecurityScheme(name = "security_auth", type = SecuritySchemeType.OAUTH2,
    flows = @OAuthFlows(authorizationCode = @OAuthFlow(
        authorizationUrl = "${springdoc.oAuthFlow.authorizationUrl}",
        tokenUrl = "${springdoc.oAuthFlow.tokenUrl}",
        scopes = {@OAuthScope(name = "IdentityPortal.API", description = "IdentityPortal.API")})))
public class OpenApiConfig {}
Security config
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // springdoc and Swagger UI endpoints are public; the API itself needs a JWT
                .antMatchers("/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html")
                    .permitAll()
                .antMatchers(HttpMethod.GET, "/user/info", "/api/foos/**")
                    .hasAuthority("SCOPE_read")
                .antMatchers(HttpMethod.POST, "/api/foos")
                    .hasAuthority("SCOPE_write")
                .anyRequest()
                    .authenticated()
            .and()
            .oauth2ResourceServer()
                .jwt();
    }
}
With dependencies
implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server'
implementation 'org.springdoc:springdoc-openapi-ui:1.4.3'
implementation 'org.springdoc:springdoc-openapi-security:1.4.3'
implementation 'org.springframework.boot:spring-boot-starter-security'
Config setting
spring:
  profiles:
    active: dev
  ####### resource server configuration properties
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://localhost:5001
          # jwk-set-uri must point at the issuer's JWKS (public signing key) endpoint,
          # not the token endpoint; with issuer-uri set, Spring Security discovers the
          # JWKS location from the issuer metadata, so this line can be dropped.
          jwk-set-uri: https://localhost:5001/connect/token
springdoc:
  swagger-ui:
    oauth:
      clientId: Local
      usepkcewithauthorizationcodegrant: true
  # custom properties resolved by the ${springdoc.oAuthFlow.*} placeholders in @SecurityScheme
  oAuthFlow:
    authorizationUrl: https://localhost:5001
    tokenUrl: https://localhost:5001/connect/token
In the Swagger UI the clientId is empty and a client secret field is present; for the authorization code + PKCE flow, a client secret should not be present.
Upvotes: 5
Views: 20562
Reputation: 304
It has been some time since you asked the question, but I will respond for others' information. The major issue is the misleading implementation of the UI. You are forced to use the authorization code flow in the configuration because authorization code with PKCE is missing. So you must use the authorization code flow (because you need to provide the authorization and token URLs) and place a dummy secret in the YAML. Example below.
import io.swagger.v3.oas.annotations.enums.SecuritySchemeType;
import io.swagger.v3.oas.annotations.security.OAuthFlow;
import io.swagger.v3.oas.annotations.security.OAuthFlows;
import io.swagger.v3.oas.annotations.security.SecurityScheme;

@SecurityScheme(name = "security_auth", type = SecuritySchemeType.OAUTH2,
    flows = @OAuthFlows(authorizationCode = @OAuthFlow(
        authorizationUrl = "${springdoc.oAuthFlow.authorizationUrl}",
        tokenUrl = "${springdoc.oAuthFlow.tokenUrl}")))
public class OpenApiConfig {}
If you want to use PKCE instead of pure implicit, set the proper attribute (as @brianbro pointed out) and a dummy secret as:
springdoc.swagger-ui.oauth.use-pkce-with-authorization-code-grant=true
springdoc.swagger-ui.oauth.client-secret=justFillerBecausePKCEisUsed
Last but not least, if you want to prefill the client_id, use the configuration:
springdoc.swagger-ui.oauth.client-id=YourClientId
Upvotes: 0
Reputation: 4769
Your property syntax usepkcewithauthorizationcodegrant is not correct. Here is the right property for PKCE:
springdoc.swagger-ui.oauth.use-pkce-with-authorization-code-grant=true
To fill the client id, just use:
springdoc.swagger-ui.oauth.client-id=yourSPAClientId
For your remark about the existing secret field that could be hidden: this looks like an enhancement to swagger-ui.
You should submit an enhancement request to the swagger-ui project:
Upvotes: 9
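The mechanism the question and both answers are configuring, as an added example that is not part of the question, the answers, springdoc or Swagger UI: a constructed Python model of the authorize and token endpoints, showing why a public client such as Swagger UI needs no client secret under authorization code + PKCE (RFC 7636), and why the "dummy secret" is never checked. The AuthorizationServer class, its method names and the single registered client id "Local" (taken from the question's config) are assumptions for illustration; the S256 test vector is the one from RFC 7636 Appendix B.

```python
"""Authorization code + PKCE without a client secret (added example, constructed
model of an authorization server; not springdoc or Swagger UI code)."""
import base64
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field

# RFC 7636 section 4.1: 43..128 unreserved characters.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43-character verifier (the RFC minimum length)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """S256: BASE64URL(SHA256(verifier)). 'plain' is permitted by the RFC but gives
    no protection against an attacker who can read the authorize request."""
    if not _VERIFIER_RE.match(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method {method!r}")


@dataclass
class AuthorizationServer:
    """Stand-in for the /authorize and /token endpoints (assumption: one registered
    public client, no redirect_uri or state handling, no expiry)."""
    public_clients: set
    pending: dict = field(default_factory=dict)  # code -> (client_id, challenge, method)

    def authorize(self, client_id: str, code_challenge: str,
                  code_challenge_method: str = "S256") -> str:
        """Front channel: bind the challenge to a fresh one-time code."""
        if client_id not in self.public_clients:
            raise PermissionError("unauthorized_client")
        if code_challenge_method not in ("S256", "plain"):
            raise ValueError("invalid_request: unknown code_challenge_method")
        code = b64url(secrets.token_bytes(24))
        self.pending[code] = (client_id, code_challenge, code_challenge_method)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> dict:
        """Back channel: no client_secret is checked at all. The caller proves it
        started the flow by presenting the verifier behind the bound challenge."""
        entry = self.pending.pop(code, None)  # pop => every code is single-use
        if entry is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        bound_client, challenge, method = entry
        if bound_client != client_id:
            raise PermissionError("invalid_grant: code issued to another client")
        try:
            expected = make_code_challenge(code_verifier, method)
        except ValueError as exc:
            raise PermissionError(f"invalid_grant: {exc}") from None
        if not hmac.compare_digest(expected, challenge):
            raise PermissionError("invalid_grant: PKCE verification failed")
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}


def _rejected(server: AuthorizationServer, client_id: str, code: str, verifier: str) -> bool:
    try:
        server.token(client_id, code, verifier)
    except PermissionError:
        return True
    return False


def run_exchange() -> dict:
    """Happy path plus the two failure modes PKCE exists for."""
    server = AuthorizationServer(public_clients={"Local"})
    outcome = {}
    # 1. Public client (Swagger UI): keep the verifier, send only the S256 challenge.
    verifier = make_code_verifier()
    code = server.authorize("Local", make_code_challenge(verifier))
    outcome["legit"] = server.token("Local", code, verifier)["token_type"] == "Bearer"
    # 2. Replaying an already redeemed code must fail.
    outcome["replay_rejected"] = _rejected(server, "Local", code, verifier)
    # 3. An attacker who intercepts a fresh code has no matching verifier.
    verifier = make_code_verifier()
    code = server.authorize("Local", make_code_challenge(verifier))
    outcome["stolen_code_rejected"] = _rejected(server, "Local", code, make_code_verifier())
    return outcome


if __name__ == "__main__":
    print(run_exchange())
```

The point for the Swagger UI configuration above: whatever filler value goes into client-secret, a correctly implemented token endpoint for a public client relies on the code_verifier, not the secret, so the filler must never be a real secret that would then ship to every browser loading the UI.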