Add clientId for OAuth 2.0 in code and redeem OAuth 2.0 bearer token through Swagger UI or Stoplight UI
Is there a possibility to define the client_id directly in the code, so I don't have to add it manually in the Swagger UI?
And I'm not sure about this, but I thought it would be nice if I could redeem a bearer token from my external OAuth2.0 provider (Zitadel) directly in the Swagger UI (or better, Stoplight). So I want to have an authorize button, that I can press, and I'll be redirected to my OAuth2.0 login page, and then be redirected back to my Swagger UI (or Stoplight), which stores the token for the requests. (I'm not sure if this also works with the PKCE workflow, but I know it works in Spring Boot with the password flow.) Is this possible yet and do you have an example for this?
(The OpenAPI documentation works, but how do I redeem a token?)
```go
package main

import (
	"github.com/danielgtaylor/huma/v2"
	"github.com/danielgtaylor/huma/v2/adapters/humagin"
	"github.com/gin-gonic/gin"
)

func main() {
	humaConfig := huma.DefaultConfig("My API", "1.0.0")
	// Describe the Zitadel authorization-code flow so the docs UI shows an Authorize button.
	humaConfig.Components.SecuritySchemes = map[string]*huma.SecurityScheme{
		"MyApp": {
			Type: "oauth2",
			Flows: &huma.OAuthFlows{
				AuthorizationCode: &huma.OAuthFlow{
					AuthorizationURL: "https://zitadel.domain.com/oauth/v2/authorize",
					TokenURL:         "https://zitadel.domain.com/oauth/v2/token",
					RefreshURL:       "https://zitadel.domain.com/oauth/v2/token",
					Scopes: map[string]string{
						"openid":         "",
						"profile":        "",
						"email":          "",
						"offline_access": "",
					},
				},
			},
		},
	}
	router := gin.Default()
	api := humagin.New(router, humaConfig)
	_ = api // operations are registered on api before the server starts
	router.Run(":8080")
}
```
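Swagger UI takes the client id and the PKCE switch from its `initOAuth` call, so the client id can be set in code by serving a custom docs page instead of Huma's built-in one. The following is an added example, not code from Huma or from this thread: a plain net/http handler that renders such a page. It assumes the built-in docs are disabled (`DocsPath: ""` in the Huma config), that this handler is mounted on the Gin router at the old docs path, and that the redirect URL serves swagger-ui-dist's `oauth2-redirect.html` and is registered in Zitadel as an allowed redirect URI.

```go
package main

import (
	"bytes"
	"html/template"
	"net/http"
)

// SwaggerOAuthConfig holds what Swagger UI needs to run the authorization-code
// flow with PKCE without the user typing anything into the Authorize dialog.
type SwaggerOAuthConfig struct {
	OpenAPIPath string   // where the spec is served, e.g. "/openapi.json"
	ClientID    string   // public client id registered at the provider; no secret
	Scopes      []string // scopes preselected in the dialog
	RedirectURL string   // serves swagger-ui-dist's oauth2-redirect.html; must be registered at the provider
}

// html/template JSON-encodes values in script context, so a config value
// containing quotes or "</script>" cannot break out of the script block.
var docsTemplate = template.Must(template.New("docs").Parse(`<!doctype html>
<html><head><link rel="stylesheet" href="https://unpkg.com/swagger-ui-dist@5/swagger-ui.css"></head>
<body><div id="swagger-ui"></div>
<script src="https://unpkg.com/swagger-ui-dist@5/swagger-ui-bundle.js"></script>
<script>
window.ui = SwaggerUIBundle({
  url: {{.OpenAPIPath}}, dom_id: "#swagger-ui", oauth2RedirectUrl: {{.RedirectURL}},
});
window.ui.initOAuth({
  clientId: {{.ClientID}}, scopes: {{.Scopes}}, usePkceWithAuthorizationCodeGrant: true,
});
</script></body></html>`))
// RenderDocs returns the page as a string so it can be inspected or tested.
func RenderDocs(cfg SwaggerOAuthConfig) (string, error) {
	var buf bytes.Buffer
	if err := docsTemplate.Execute(&buf, cfg); err != nil {
		return "", err
	}
	return buf.String(), nil
}
// DocsHandler serves the page; mount it where the built-in docs used to be.
func DocsHandler(cfg SwaggerOAuthConfig) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		page, err := RenderDocs(cfg)
		if err != nil {
			http.Error(w, "could not render docs", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		_, _ = w.Write([]byte(page))
	}
}
```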
@m-mattia-m your OpenAPI setup looks reasonable. You may want to ask in e.g. https://github.com/stoplightio/elements how to properly set it up to get the authorize/login button and then have it use the response. Many times (depending on provider) you will also need to allow access to your callback URLs.
@danielgtaylor Thank you for your answer. I have seen that Stoplight is planning to integrate full OAuth 2.0 and OIDC support. However, it's still on their roadmap as a feature request (it's been there for 3 years now, so I don't know if they'll implement it in the near future).
- Implemented feature request (#316) about authentication, with a note for OAuth 2.0 and OIDC
- Open feature request for OIDC (#421)
- Open feature request for OAuth 2.0 token generation (#422)
I'm going to try it with SwaggerUI.