quarkus
quarkus copied to clipboard
quarkusio
OIDC configurations should configure Swagger UI
Description
continuation of #26614
when you configure oidc with configs such as the auth url with quarkus.oidc.auth-server-url=https://... the Dev Ui Swagger UI does not receive the proper configurations:
Example that in order for Swagger UI (Dev UI) to pickup the OIDC well known they have to provide the property quarkus.smallrye-openapi.oidc-open-id-connect-url, even though this url is already determined by quarkus.oidc.auth-server-url. Further more if quarkus.oidc.auth-server-url is provided then oidc should be made one of the auth types for Swagger UI: Currently you have to provide quarkus.smallrye-openapi.security-scheme=oidc or else swagger does not detect any of the configs.
Currently you have to also set:
quarkus.smallrye-openapi.oidc-open-id-connect-url=https://..../.well-known/openid-configuration
quarkus.smallrye-openapi.security-scheme=oidc
quarkus.swagger-ui.oauth-client-id=MY_CLIENT_ID
quarkus.swagger-ui.oauth-scopes=openid profile email
If you do not set the above, then the Swagger UI does not read from the well-known and the Auth modal does not work.
Implementation ideas
When you configure OIDC under quarkus.oidc it should also config the other missing props so swagger Ui functions with OIDC auth
See https://github.com/quarkusio/quarkus/issues/26614 for full working example
![quarkus-bot[bot] avatar](https://avatars.githubusercontent.com/in/90234?v=4 "Published by a pub.dev verified publisher"){kind=small}
Hey @phillip-kruger Can you please investigate when you get a chance ? Reading the metadata can be copied from OIDC Dev services code. Or we can consider some other options
Moving some content from #26614 :
There are also some cleanups possible for the Dev UI Swagger UI:
Example that in order for Swagger UI (Dev UI) to pickup the OIDC well known they have to provide the property quarkus.smallrye-openapi.oidc-open-id-connect-url, even though this url is already determined by quarkus.oidc.auth-server-url. Further more if quarkus.oidc.auth-server-url is provided then oidc should be made one of the auth types for Swagger UI: Currently you have to provide quarkus.smallrye-openapi.security-scheme=oidc or else swagger does not detect any of the configs
# For Swagger UI in Dev UI:
# This needs to be set for Swagger UI in Dev Ui to pick up the endpoint. Needs to be full path to well-known
quarkus.smallrye-openapi.oidc-open-id-connect-url=https://login.microsoftonline.com/MY_TENANT_ID/v2.0/.well-known/openid-configuration
#quarkus.smallrye-openapi.oidc-open-id-connect-url=https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
# Needed to define what auth to use or else Swagger UI does not work:
quarkus.smallrye-openapi.security-scheme=oidc
# Pre-populates Client ID in Swagger UI Auth:
quarkus.swagger-ui.oauth-client-id=MY_CLIENT_ID
# Pre-populates the scopes in Swagger UI Auth (Note the 4th "dummy scope" is required but will not show in the UI)
# Note the "dummy scope" that must be created (AzureAd>Your App>Expose an API>Add Scope) that will force the JWT to be issued instead of an opaque token
# When you create a scope for the first time it will have you create an Application ID URI. You can copy the entire scope name from AzureAd>Your App>Expose an API>Under the "Scopes" section
# In order to receive the email claim you need to enable the Optional Claim "email" at: AzureAd>Your App>Token Configuration>Add optional claim>TokenType:Access>email
# If you omit email, the preferred_username is still provided, but it is not guaranteed to be an email: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims
quarkus.swagger-ui.oauth-scopes=openid profile email api://Application_ID_URI/my.dummy.scope
@StephenOTT, looks like there is some duplication in the content I moved here from #26614, it duplicates the description, please remove here what is already listed in the description, or may be better, collapse it all in the description and delete this comment :-)
@sberyozkin I updated the first comment. I think 99% of the comments in the snippet are more relevant for when using the Microsoft provider. For example the commentary on the dummy scope is purely related to the microsoft OIDC to force a JWT instead of receiving an opaque token.
I may have a related issue. It seems like quarkus.smallrye-openapi.oidc-open-id-connect-url is fixed during the build time, but quarkus.oidc.auth-server-url is not. This is causing some headache when I'm changing oidc url trough environment variable. It will be great to have them both consistent and configurable during runtime. I could have same property expression for both values and change it trough env. variable.
Did run in the same problem like @pehunka. Are there any news / workarounds for the problem "quarkus.smallrye-openapi.oidc-open-id-connect-url is fixed during the build time"?
I can corroborate that, unlike quarkus.oidc.auth-server-url, quarkus.smallrye-openapi.oidc-open-id-connect-url value is fixed at build time.
The workaround is to provide it at build time via its respective environment variable:
QUARKUS_SMALLRYE_OPENAPI_OIDC_OPEN_ID_CONNECT_URL=...
Can any of those with this issue confirm whether or not your application uses @RolesAllowed or @Authenticated annotations on your REST endpoint methods? I believe this issue should be fixed by #38231 , but only if you are not using those annotations currently.
cc: @StephenOTT , @pehunka , @femangl , @codespearhead
@MikeEdgar I Confirm that YES i am using RolesAllowed annotation.
Still seeing this issue as of 3.2.11
@MikeEdgar I Confirm that YES i am using RolesAllowed annotation.
Still seeing this issue as of 3.2.11
https://github.com/quarkusio/quarkus/pull/38231 wasn't backported to 3.2.11, so that's alright. Can you please check with newest version?
Hello all. I am struggling with this. If QUARKUS_SMALLRYE_OPENAPI_OIDC_OPEN_ID_CONNECT_URL is fixed at build time, which strategy can I adopt to have different values among environments without building specific versions for each environment?
@marcelinobadin , although quarkus.smallrye-openapi.oidc-open-id-connect-url is currently fixed at build time, quarkus.oidc.auth-server-url is not. If you do not need to differentiate, you can ignore quarkus.smallrye-openapi.oidc-open-id-connect-url and just use quarkus.oidc.auth-server-url instead. Let us know if that's not working.
@MikeEdgar thank you. That worked. I was using the quarkus.smallrye-openapi.security-scheme=oidc and then I also removed it and it worked. Thank you very much.