
Feature request: add `additionalFormParams` to `authConfigs`

Open Kizmar opened this issue 5 years ago • 23 comments

In oauth2-authorize.js the additionalQueryStringParams property is used from the authConfigs object in order to add custom query string parameters to an authentication request.

Could we get a similar additionalFormParams property added that could then be passed to the authActions via method params or a property? That would allow actions.js to add custom form properties as it's building the form data string.

Reason: We're trying to use Swagger-UI (via Swashbuckle.AspNetCore) to authenticate with Auth0. It has the right mix of params for the implicit grant type, but we're finding that client_credentials and password out-of-the-box body params passed aren't meeting Auth0's requirements. For example: when trying to use client_credentials, Auth0 requires audience in the body, but swagger-ui only passes grant_type and scope. Adding audience to the query string params doesn't cut it. This is where people are talking about getting the "Non-global clients are not allowed access to APIv1" error from Auth0.

If we had a similar way to add custom form/body params like we do query string params, it would make life easier.

Cross-post side note: ideally the Swashbuckle.AspNetCore library could then add another extension method similar to OAuthAdditionalQueryStringParams that would feed those values through in a similar way.

Auth0 Reference:

Kizmar avatar Jun 12 '19 18:06 Kizmar

Here @karlssonsimon managed to supply audience in a query param, and apparently it worked. Sadly, it doesn't work for us - neither for our in-house auth endpoint, nor for an Auth0 endpoint we use. (Which is puzzling, since @karlssonsimon was also using Auth0.)

Even if the query-param trick worked, it would be fragile. The above is a great suggestion.

sferencik avatar Jun 13 '19 09:06 sferencik

@sferencik If you review actions.js, you can see what it sends based on the grant type.

If you are using the implicit grant type with Auth0; it's safe to add audience to the query string. In that case swagger-ui uses the ".../authorize" endpoint (which is the method used in the issue you linked). If you are using client_credentials or password, swagger-ui uses the ".../token" endpoint, which Auth0 requires params in the body.

Kizmar avatar Jun 13 '19 14:06 Kizmar

Ah, that explains it. We're using client_credentials indeed.

sferencik avatar Jun 13 '19 20:06 sferencik

I'm having the exact same problem using ASP.NET Core with the client_credentials flow. There is no way to pass the audience value as part of the request.

ghost avatar Nov 17 '19 05:11 ghost

Hi @Kevweir, do you have (public) code/swagger config I could use for testing? We looked at it today with @sferencik and I think I have a plan.

Also big kudos to @Kizmar for describing the issue!

wdolek avatar Nov 20 '19 18:11 wdolek

:+1:

Looks promising. (I only checked the commits briefly from my phone.) Thanks for picking this up!

sferencik avatar Nov 20 '19 20:11 sferencik

I don't suppose this will display the audience in the UI form, will it?

sferencik avatar Nov 20 '19 21:11 sferencik

@sferencik I don't think so, but stay tuned, I'm not done yet :) (suggestions/help is welcomed)

wdolek avatar Nov 20 '19 21:11 wdolek

It's been a while since I've dug into this, but in our case we use appsettings.json to hold Swagger (Swashbuckle) configurations applied in Startup.cs for deployment in different environments. I realize what I'm about to show is technically a different package (as mentioned in my OP), but it may help:

It would be nice if we could set the audience like this.

app.UseSwaggerUI(c =>
{
    c.OAuthClientId(options.ClientId);
    c.OAuthClientSecret(options.ClientSecret);
    c.OAuthAppName(options.AppName);
    c.OAuthAudience(options.Audience); // <-- Something like this or the line below
    c.OAuthAdditionalFormParams(new Dictionary<string, string> { { "audience", options.Audience } });
    ...

Kizmar avatar Nov 20 '19 22:11 Kizmar

@Kizmar, I'm aiming for the latter one, using additional params, similarly to the additional query params. I would be worried about adding a new specialized method to the library based on an auth service (it seems that Auth0 is doing something not-really-standard-ish). It is a good compromise, I think.

I will test my change and prepare a PR if everything goes well. However, I'm not a JS/React/Redux developer, so there may be more things I'm not even seeing right now. 🤞

wdolek avatar Nov 20 '19 22:11 wdolek

I faced the same issue with Auth0. As @Kizmar mentioned, you can't pass audience from swagger with the client_credentials grant type. @wdolek I would like to help on this issue.

cpandya231 avatar Nov 27 '19 17:11 cpandya231

@cpandya231 I have already created a PR (#5724), but I tested my change against the single scenario we use. Also, since I'm not a React/Redux developer, my change may not be ideal. I'll be happy for another pair of eyes!

wdolek avatar Nov 27 '19 18:11 wdolek

> ...Also since I'm not a React/Redux developer, my change may not be ideal. I'll be happy for another pair of eyes!

Out of curiosity, where did React come up in all this? I am a React developer (supposedly), but my use of Swagger/Swashbuckle doesn't cross over into React-land. We use Swashbuckle with our .NET Core APIs for testing purposes.

Kizmar avatar Nov 27 '19 19:11 Kizmar

@wdolek @Kizmar I think the issue is with all the platforms, whether it is React, .NET or Java. So the feature needs to be released for all the platforms.

cpandya231 avatar Nov 28 '19 03:11 cpandya231

@Kizmar @cpandya231 I understand. We use Swagger via Swashbuckle too, but first I need to enable Swagger UI to allow such configuration, and that is React + Redux. Step two is to update Swashbuckle to support the new configuration as well.

My main struggle was to find the place where actions are invoked and how configuration is read and propagated to the correct place (I didn't really find how the Redux state is connected). The second thing I wasn't sure about is why additionalQueryStringParams is taken from authSelectors.getConfigs(); the same approach didn't work with the newly introduced property and I had to grab it from the schema (selectors contain the initial object state rather than the configuration supplied by the user).

As I said, I managed to make it work as I needed; the question is whether my change is the proper one or whether I missed something. Please do review. 🙇

Getting additional query string params which I tried to mimic:

  • /src/core/oauth2-authorize.js:81 (this does not happen for my flow)
  • /src/core/plugins/auth/actions.js:154

wdolek avatar Nov 28 '19 10:11 wdolek

Any updates on this issue? I am using Swagger-Net (a .NET package that provides Swagger-UI using the OpenAPI 2.0 specification for .NET Full Framework 4.8) and I am still getting this issue where the audience parameter is missing in the request body for the token endpoint, which Auth0 requires in order to allow the client_credentials grant.

LandryDubus avatar May 20 '20 09:05 LandryDubus

@Asshiah Hello, it looks like there's not enough interest in this feature. My PR #5724 became pretty much obsolete: after rebasing, it doesn't work any more and I won't have time to investigate what has changed; perhaps (hopefully) there's a better way to do it with the current version. Feel free to look at it :) (or anyone else).

wdolek avatar Jan 01 '21 19:01 wdolek

Could we please do something about that? :D Would be great to be able to use password flow and add the audience in the request body parameter. My setup:

Kotlin / SpringBoot Auth0

So actually I should ask in the spring community, but I got redirected here. Any help? Thanks in advance!

vonWojtas avatar Feb 04 '21 22:02 vonWojtas

It would be useful to add a way to be able to use Auth0's non-standard way.

In case it helps anyone we're currently getting around it using the requestInterceptor, here's an example:

import SwaggerUI from 'swagger-ui'

const audience = 'me'

const ui = SwaggerUI({
  url: 'https://example.com/api.yaml',
  dom_id: '#swaggerUI',
  requestInterceptor: (request) => {
    // Only the token endpoint needs the extra field; authorize redirects
    // never pass through the interceptor
    if (request.url.includes('oauth/token')) {
      return {
        ...request,
        // Append audience as an additional form-encoded body field
        body: `${request.body}&audience=${encodeURIComponent(audience)}`
      }
    } else {
      return request
    }
  }
})

altescape avatar Mar 30 '21 11:03 altescape
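A more robust form of the requestInterceptor workaround above, covering the form-body gap described in the opening post (added example, not code from the thread or from swagger-ui): it parses the existing form body with URLSearchParams instead of concatenating strings, adds the extra fields only when the request targets the exact token endpoint with a form-encoded body, and leaves every other request untouched. TOKEN_URL, EXTRA_FORM_PARAMS, addFormParams and tokenRequestInterceptor are placeholder names and values chosen for the example.

```javascript
// Added example; TOKEN_URL and EXTRA_FORM_PARAMS are placeholders, not values from the thread.
const TOKEN_URL = 'https://tenant.example.auth0.com/oauth/token';
const EXTRA_FORM_PARAMS = { audience: 'https://example.com/api' };

// Merge extra fields into an application/x-www-form-urlencoded body.
// Fields swagger-ui already set (grant_type, scope, ...) stay authoritative;
// values are percent-encoded by URLSearchParams, so no manual escaping is needed.
function addFormParams(body, extra) {
  const params = new URLSearchParams(typeof body === 'string' ? body : '');
  for (const [key, value] of Object.entries(extra)) {
    if (!params.has(key)) params.set(key, value);
  }
  return params.toString();
}

// Case-insensitive header lookup; swagger-ui passes headers as a plain object.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) return String(value);
  }
  return '';
}

// swagger-ui requestInterceptor: exact-match the token endpoint (a substring
// match such as includes('oauth/token') would also fire for unrelated hosts)
// and only rewrite form-encoded bodies, so JSON API calls are never modified.
function tokenRequestInterceptor(request) {
  if (request.url !== TOKEN_URL) return request;
  const contentType = headerValue(request.headers, 'Content-Type');
  if (!contentType.startsWith('application/x-www-form-urlencoded')) return request;
  return { ...request, body: addFormParams(request.body, EXTRA_FORM_PARAMS) };
}

// Usage with swagger-ui (the SwaggerUI import and call are the page's own API):
//   SwaggerUI({ url: '...', dom_id: '#swaggerUI', requestInterceptor: tokenRequestInterceptor })
```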

This really needs to be implemented, the flexibility provided by this will certainly unlock so many people.

ypicard avatar Jun 01 '21 15:06 ypicard

simenflatby avatar Sep 05 '22 16:09 simenflatby

+1 We are unable to provide additional form data input from the UI so we cannot use the built in authorize.

itsmaryann avatar Feb 29 '24 09:02 itsmaryann

+1

DmytroPishchanetskyiTR avatar Apr 01 '24 09:04 DmytroPishchanetskyiTR