wwarby

Reputation: 2051

Swashbuckle Swagger UI not sending client_secret and client_id to OAuth endpoint when using authentication form

I have a .NET 5 API project documented with SwaggerGen for which I'm trying to use Swashbuckle as the documentation UI. My auth provider is Auth0, so I'm looking to have the docs generate a JWT bearer token by making a valid OAuth2 call to the Auth0 /oauth/token endpoint. The Authorize button is appearing on the generated page and produces a form that asks the user for the client_id and client_secret, but when I press the Authorize button it issues a POST request that is missing client_id and client_secret. Specifically, it goes to the correct endpoint (/oauth/token) but has no query string parameters and only grant_type: client_credentials in the POST body. I can see this in the Chrome developer tools. Somehow the UI is just completely disregarding the values I've typed into the client_id and client_secret form fields.

Is there a trick to making the auth request use the values from the form? Here is the relevant part of my SwaggerGen configuration:

options.AddSecurityDefinition("OAuth2", new OpenApiSecurityScheme {
    Type = SecuritySchemeType.OAuth2,
    // Name, Scheme and In only apply to the apiKey and http scheme types;
    // they are ignored when serializing an oauth2 scheme and can be dropped.
    Name = "Bearer",
    Description = "Authorization using the OAuth2 access token authorization flow",
    Scheme = "Bearer",
    In = ParameterLocation.Header,
    Flows = new OpenApiOAuthFlows {
        ClientCredentials = new OpenApiOAuthFlow {
            // The client_credentials flow uses only tokenUrl.
            TokenUrl = new Uri($"https://{_configuration["Auth0:HostedDomain"]}/oauth/token"),
            // authorizationUrl belongs to the implicit and authorizationCode flows;
            // Swagger UI does not use it for client_credentials.
            AuthorizationUrl = new Uri($"https://{_configuration["Auth0:HostedDomain"]}/authorize")
        }
    }
});

options.AddSecurityRequirement(new OpenApiSecurityRequirement {
    {
        new OpenApiSecurityScheme {
            Reference = new OpenApiReference {
                Type = ReferenceType.SecurityScheme,
                Id = "OAuth2"
            }
        },
        new List<string>()
    }
});

Upvotes: 2

Views: 4008

Answers (1)

ondrejsv

Reputation: 505

Are you sure the Swagger UI does not send them, i.e. in the authorization header?

I had a similar problem because our OpenID server recognizes only client credentials (client_id, client_secret) sent in the form body, and we have to select the correct "Client credentials location" option in the authorization dialog ("Request body").

Then the client_id is sent in the request body correctly.

Upvotes: 1
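The two "Client credentials location" options in the Swagger UI Authorize dialog are worth seeing side by side, because they explain the symptom in the question: with the default option the UI puts client_id and client_secret into an Authorization: Basic header, so the POST body carries only grant_type and the query string stays empty; with "Request body" they become form fields. The following Python is an added example, not code from the question, the answer, Swashbuckle or Swagger UI. It builds the token request both ways and includes a token-endpoint-side extractor that accepts either location but rejects a request that uses both (RFC 6749 section 2.3.1 says a client must not use more than one authentication method in a request). The client id and secret values are made up for illustration.

```python
import base64
from urllib.parse import parse_qs, urlencode


def build_token_request(client_id, client_secret, location="header"):
    """Return (headers, body) for a client_credentials grant to /oauth/token.

    location="header": credentials as HTTP Basic in the Authorization header
                       (the "Authorization header" option; the form body then
                       shows only grant_type, as observed in the question).
    location="body":   credentials as client_id/client_secret form fields
                       (the "Request body" option from the answer).
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "client_credentials"}
    if location == "header":
        raw = f"{client_id}:{client_secret}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode("ascii")
    elif location == "body":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unknown credentials location: {location!r}")
    return headers, urlencode(form)


def extract_client_credentials(headers, body):
    """Token-endpoint side: recover (client_id, client_secret) from a request.

    Accepts either location. Rejects a request that carries credentials in
    both places or in neither, and a body with repeated or half-present fields.
    """
    # HTTP header names are case-insensitive.
    lowered = {k.lower(): v for k, v in headers.items()}
    form = parse_qs(body, keep_blank_values=True)

    from_header = None
    auth = lowered.get("authorization", "")
    if auth.startswith("Basic "):
        decoded = base64.b64decode(auth[len("Basic "):]).decode("utf-8")
        cid, sep, secret = decoded.partition(":")
        if not sep:
            raise ValueError("malformed Basic credentials: missing ':' separator")
        from_header = (cid, secret)

    from_body = None
    if "client_id" in form or "client_secret" in form:
        ids, secrets = form.get("client_id", []), form.get("client_secret", [])
        if len(ids) != 1 or len(secrets) != 1:
            raise ValueError("client_id and client_secret must each appear exactly once")
        from_body = (ids[0], secrets[0])

    if from_header and from_body:
        raise ValueError("client credentials sent in both header and body")
    if not (from_header or from_body):
        raise ValueError("no client credentials in request")
    return from_header or from_body


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for loc in ("header", "body"):
        hdrs, body = build_token_request("abc", "s3cret", loc)
        print(loc, hdrs, body, extract_client_credentials(hdrs, body))
```

Two caveats for anyone reading captured traffic the way the question does: the Basic header is only base64, not encryption, so the client_secret is readable to anything that sees the request, and the secret typed into Swagger UI is a confidential-client credential being handled in a browser. Also, RFC 6749 says client_id and client_secret are form-url-encoded before being joined and base64-encoded; this sketch, like many clients, skips that step, so a secret containing ':' or '%' would need it.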
