-
Notifications
You must be signed in to change notification settings - Fork 9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add JWT authorization header in Swagger v3 #2915
Comments
+1 |
In my case, I've defined an API KEY Auth with an Authorization header. I've also created a basic JWT with no expiration time that will only work on development (the dev secret was used to sign it). If I click on the Authorize button and type "Bearer ", it works. But I'd like to simply have it pre-configured instead of having to type it everytime. Isn't it a simple javascript snippet that I can use to configure it? |
After quite some time spent trying to figure it out, I found a workaround to do what I wanted. Basically, right after the basic configuration (index.html), I added the following code:
This is how my security definition is:
|
@fernandocamargoti Is the code you pasted here in a public repo? It would be super helpful to take a look at the full working code since I couldn't get the latest version Swagger UI to send the Authorization header in the project I'm working on even with the code you pasted. |
@TuureKaunisto, It's not in public repo :( But was your issue with that code? Are you using the most recent Swagger UI 3? I basically cloned the master branch of this repository, copied what was inside the dist folder and added that line of code right after the normal configuration in the index.html. That line basically sets the Authorization (exactly what would happen if the user would click in Authorize and fill in the fields). |
Based on what worked in v2, I made a similar "hack" for v3: In startup.cs app.UseSwaggerUI(c =>
{
c.InjectOnCompleteJavaScript("../swagger-bearer-auth.js");
}); I placed the swagger-bearer-auth.js in wwwroot, with the following content: (function () {
$(function () {
$('#auth_container').append("<input type='text' id='input_apiKey' />");
$("#input_apiKey").change(addApiKeyAuthorization);
});
function addApiKeyAuthorization() {
var key = encodeURIComponent($('#input_apiKey')[0].value);
if (key && key.trim() != "") {
var apiKeyAuth = new SwaggerClient.ApiKeyAuthorization("Authorization", "Bearer " + key, "header");
window.swaggerUi.api.clientAuthorizations.add("bearer", apiKeyAuth);
}
}
})(); |
@fernandocamargoti thanks for your response. I did get it working now and the key gets set correctly. Thanks a lot for your help! My problem was that the authorization header doesn't get sent or shown on the curl command although it does get set correctly. I guess there's a problem with my spec. |
I found with the definition below, all I had to do was prefix my key with "Bearer " or "JWT ", etc. Defintion:
Header in the request: It is entirely possible that I am missing something, so please let me know if I am off my rocker. Otherwise, @webron, what is the intended fix here? |
@owenconti it's a bit complicated, we can sync up on that. |
@fernandocamargoti man you saved my life, I spent a whole day trying to find a way to do this. thanks for share. |
I'm trying to use @fernandocamargoti solution, but the header is still missing. I'm using swagger-ui-3.2.1. I've downloaded and extract the dist folder and edited the index.html
What is my problem? |
@larmic did you find a solution? I encounter the same prolem |
@Henk8 I'm using requestInterceptor:
|
FYI - I reverse engineered a way to pre-populate the initial value for the authorization on page load. This solves a use case for us where we are embedding swagger UI within an app that already has a JWT bearer token. Keep in mind this uses the internal redux store of SwaggerUI, so this is in lieu of an API provided by swaggerui itself. const authToken = 'foo'; // Your app gets this from some other context
ui.getStore().dispatch({
type: 'authorize',
payload: {
BearerAuth: {
name: 'BearerAuth',
schema: {
type: 'http',
scheme: 'bearer'
},
value: authToken
}
}
}) |
To have authorization header passed with every request you have to specify security scheme first and then you can use authorization button.
|
@larmic Where can I put the requestInterceptor, or the function renderSwaggerUi? |
I've updated to swagger3 and using an openapi3 configuration file. I'm able to use a security scheme as defined here: That produces an Authorize dialog with a username/password for the basic authentication and a "value" for entering a JWT token for the bearerAuth security scheme I can execute a post request (using curl) to get a jwt token then cut-in-paste that token into "value" form element when clicking on the "Authorize" button in the UI then when when trying out any of the API methods which have security set to "bearerAuth", everything works. However, instead of having to cut-in-paste the JWT token into the form element I'd like to have it render a username/password form just as it does when using "basic" authentication. It seems like several people have come up with solutions but are using things like Swing and Jersey. Has anyone created a configuration which allows one to enter user credentials to obtain the JWT token, then pass the token as an Authorization Bearer header? |
Thanks to everyone in this thread who provided input 😄 |
Could you please give us an example on how to use
But can't find how to do that with the new swagger-ui 3 :'( Even to get the swagger.json spec it requires the authentication (basic) of course, so, can't "play" with the We're using swagger 2 spec file Thanks a lot in advance! |
@rdehouss, assuming your API definition contains security definitions like these: securityDefinitions:
basicAuth:
type: basic
apiKey:
type: apiKey
in: header
name: X-API-KEY
security:
- basicAuth: []
- apiKey: [] you can use: const ui = SwaggerUIBundle({
url: "https://my.api.com/swagger.yaml",
...
onComplete: function() {
// Here, "basicAuth" and "apiKey" are the security scheme names/keys in the "securityDefinitions" collection
ui.preauthorizeBasic("basicAuth", "username", "password");
ui.preauthorizeApiKey("apiKey", "acbde12345");
}
}) To verify that
If your API definition file itself (.json / .yaml) is protected by auth, you'll need to use the |
ui.preauthorizeBasic("basicAuth", "username", "password"); I don't think that addresses the use case that I was asking about. It looks to me like this would |
Hi @fereira, The original ticket here was for programmatically setting authorization values - it sounds like you're describing a use case where you protect one authorization strategy behind another (JWT behind basic auth), and want to compress the user experience for that into one basic auth form that handles everything.
In any event, there's 18 people in this thread now - if you open a new ticket I'd be happy to outline how you could achieve that behavior through a custom plugin. |
Thanks for the response Kyle. I probably won't get a chance to create a new issue until next week but as a point of clarification, the use case I'm describing is protecting an authorization behind another authorization mechanism. It's more providing an authentication mechanism which generates a authorization token. In my view, entering a username/password (or hardcoding credentials using a preauthorize method) is "authentication" and passing the token is "authorization". |
Thx, #2793 (comment) worked fine! |
Great, thx for the info! |
Much thanks, saved my time |
So, while googling on how to give my JWT token to swagger UI - this issue if what I find most often, but here I see so much things to try, so I'm not sure where to start. Is there any documentation page that describes where to set JWT token? |
sure @bunyk, here are the docs for the methods you can use to set an ApiKey authorization value: https://github.com/swagger-api/swagger-ui/blob/master/docs/usage/configuration.md#instance-methods @hkosova's comment above (#2915 (comment)) is the right way to do it. In Swagger/OpenAPI 2.0, you'll need to manually add If I have a JWT security definition called // Swagger/OpenAPI 2.0 does not add `Bearer` for you
ui.preauthorizeApiKey("MyJWTAuth", "Bearer <your token value here>");
// OpenAPI 3.0 does
ui.preauthorizeApiKey("MyJWTAuth", "<your token value here>"); If you haven't yet set up a security definition for the JWT in your document, here are the docs you should look at first: https://swagger.io/docs/specification/authentication/bearer-authentication/ |
Yes! With components:
securitySchemes:
keycloak:
type: http
scheme: bearer
bearerFormat: JWT
security:
- keycloak: [] in my openapi spec, and by passing onComplete: () => {
ui.preauthorizeApiKey("keycloak", token);
} to |
Being able to prepopulate the auth is great and works fine, but there's no way (that I can see) to get the auth that the user has manually put in (or to know that they have done so). I would like to let the user put in their api key, stash that locally (cookie/localstorage/whatever) for their future convenience (using the preauth to populate it on their return), and also trigger a reload of the spec (because it requires that same api key to access the full version) with the API key provided. Some of this is possible using |
I'm looking for a solution to add a JWT authorization header to each request like they did in this thread
Their solution for Swagger v2:
The text was updated successfully, but these errors were encountered: