
SecurityAuthorization using oauth2

Open wnilsson opened this issue 6 years ago • 5 comments

Hi,

I'm using the SecurityAuthorization class and now have an access_token being successfully returned from my oidc provider but I have a couple of questions:

  • How do I pass this token as a header for any API call? Is it by using the SwaggerWcfSecurity attribute? If so, do you have an example?

  • Is there a way to default the client authentication type = basic and the clientId/secret on the Available authorizations form?

Cheers

wnilsson avatar Sep 05 '18 05:09 wnilsson

  1. add SwaggerWcfSecurity attribute on OperationContract methods
  2. call SwaggerWcfEndpoint.Configure(info, securityDefinitions) before serviceHost.Open()

about the Security Scheme Object

justin0522 avatar Sep 06 '18 14:09 justin0522

Hi, it's not working for me.

If I click on the Authorize button I can see an "access_token" returned via Fiddler which is great but the operations do not send this when I make a call via the "Try it out!" button. I'm expecting the token to be sent as a header called "Authorization" as per the oauth2 spec but there are no auth headers being sent.

I have added SwaggerWcfSecurity to the operation contract like this (we don't use scopes):

```csharp
[SwaggerWcfSecurity("api-gateway")]
[OperationContract]
[WebGet(BodyStyle = WebMessageBodyStyle.Bare,
        RequestFormat = WebMessageFormat.Json,
        ResponseFormat = WebMessageFormat.Json)]
[FaultContract(typeof(ServiceFault))]
AdviserSearchFilterData GetFilterData();
```

and I have this code in my Global.asax in the Application_Start method:

```csharp
// Add security info for OAuth2
var security = new SecurityDefinitions
{
    {
        "api-gateway",
        new SecurityAuthorization
        {
            Type = "oauth2",
            Description = "Forces authentication with credentials via an api gateway",
            Flow = "password",
            TokenUrl = "http://ar1744.internal.rubik.com.au:8080/auth/realms/master/protocol/openid-connect/token",
        }
    }
};
SwaggerWcfEndpoint.Configure(info, security);
```

When I look at the rendered swagger html page, I can see a small red circle with an exclamation mark against the operation and if I click on it, it brings up the same popup as the main Authorize button, but the token is still not passed if I then click "Try it out!".

Note that we use serviceHostingEnvironment serviceActivations via config and a ServiceHostFactory so there is no manual call to serviceHost.Open() but the Global.asax code definitely gets called first.

wnilsson avatar Sep 07 '18 00:09 wnilsson

Can you tell me the binding type and security mode of your endpoint?

```csharp
WebHttpBinding webHttpBinding = new WebHttpBinding();
webHttpBinding.Security.Mode = WebHttpSecurityMode.Transport;
webHttpBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;
```

justin0522 avatar Sep 07 '18 03:09 justin0522

Yes, it's a webHttpBinding with Transport mode. We don't set the client credential type...

wnilsson avatar Sep 07 '18 04:09 wnilsson

We are able to get this working - the main issue was that the Schemes property was missing in the web.config, i.e. `<setting name="Schemes" value="https;http" />`

Also, even though we don't use scopes, we had to pass in null to the SwaggerWcfSecurityAttribute, i.e. `[SwaggerWcfSecurity("api-gateway", null)]`

This issue can now be closed but perhaps the documentation could have these added for others?

Cheers

wnilsson avatar Nov 21 '18 00:11 wnilsson
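The symptom in this thread was a UI that silently omitted the `Authorization` header. A server-side check that refuses such requests makes that misconfiguration visible immediately. The following is an added example, not SwaggerWcf's code or the reporters' code; `BearerHeaderInspector` and `RequireBearerBehavior` are hypothetical names, and the example only checks that a `Bearer` token is present in the shape the OAuth2 spec expects (validating the token against the OIDC provider is a separate step).

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Web;

// Hypothetical inspector (not part of SwaggerWcf): rejects any request that does not
// carry "Authorization: Bearer <token>". Token validation itself is out of scope here.
public class BearerHeaderInspector : IDispatchMessageInspector
{
    private const string BearerPrefix = "Bearer ";

    public object AfterReceiveRequest(ref Message request, IClientChannel channel,
                                      InstanceContext instanceContext)
    {
        var http = request.Properties[HttpRequestMessageProperty.Name] as HttpRequestMessageProperty;
        string auth = http?.Headers[HttpRequestHeader.Authorization];

        if (string.IsNullOrEmpty(auth) ||
            !auth.StartsWith(BearerPrefix, StringComparison.OrdinalIgnoreCase) ||
            auth.Length <= BearerPrefix.Length)
        {
            // A missing token now fails loudly with 401 instead of the call succeeding
            // unauthenticated, so a UI that does not attach the token is caught at once.
            throw new WebFaultException(HttpStatusCode.Unauthorized);
        }
        return null;
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }
}

// Hypothetical endpoint behavior that installs the inspector on the WebHttp endpoint
// (attach it to the endpoint in code, or through a behaviorExtension in web.config).
public class RequireBearerBehavior : IEndpointBehavior
{
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher dispatcher)
    {
        dispatcher.DispatchRuntime.MessageInspectors.Add(new BearerHeaderInspector());
    }
    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection parameters) { }
    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime) { }
    public void Validate(ServiceEndpoint endpoint) { }
}
```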