
Automatic token refresh for REST API with OpenID Connect authentication?

Open retrofreak83 opened this issue 3 years ago • 17 comments

Q&A (please complete the following information)

  • OS: Linux Mint 20.1
  • Browser: Chromium
  • Version: 90.0.4430.93
  • Method of installation: by Springdoc 1.5.8
  • Swagger-UI version: 3.47.1
  • Swagger/OpenAPI version: OpenAPI 3.0

Content & configuration

I am developing an application having a REST API that is secured by Spring Security, using Keycloak to provide OpenID Connect functionalities. The OpenAPI specification is generated using Springdoc. AFAIK, the correct way of getting SwaggerUI to authenticate against OpenID Connect is to use OpenID Connect Discovery.

Swagger/OpenAPI definition:

openapi: 3.0.1
info:
  title: NEW API
  description: This document specifies the API of NEW
  version: v0.1-SNAPSHOT
servers:
  - url: 'http://localhost:8080'
    description: Generated server url
security:
  - oidc: []
paths:
  /p/list:
    get:
      tags:
        - plugin-controller
      operationId: getAllOperations
      responses:
        '200':
          description: OK
          content:
            '*/*':
              schema:
                type: array
                items:
                  type: string
        '400':
          description: Bad Request
          content:
            '*/*':
              schema:
                $ref: '#/components/schemas/JSONResponse'
        '401':
          description: Unauthorized
          content:
            '*/*':
              schema:
                $ref: '#/components/schemas/JSONResponse'
        '403':
          description: Forbidden
          content:
            '*/*':
              schema:
                $ref: '#/components/schemas/JSONResponse'
        '500':
          description: Internal Server Error
          content:
            '*/*':
              schema:
                $ref: '#/components/schemas/JSONResponse'

components:
  schemas:
    JSONResponse:
      type: object
      properties:
        errorData:
          type: string
          description: the raw error data
        token:
          type: string
  securitySchemes:
    oidc:
      type: openIdConnect
      openIdConnectUrl: 'http://localhost:8888/auth/realms/new/.well-known/openid-configuration'

How can we help?

Authorization works well in principle, but the application needs to do a token refresh automatically and regularly. Currently, I can send valid requests to the API until the validity of the token acquired during login has expired. In the SwaggerUI documentation, I did not find how to configure such a thing like token refresh. Is SwaggerUI able to perform an automatic token refresh or is there eventually a possibility that the user can trigger it manually?

retrofreak83 avatar May 11 '21 14:05 retrofreak83

We're looking for this as well.

Eli-Black-Work avatar May 13 '21 03:05 Eli-Black-Work

Same problem here using Swagger UI with FastAPI. I can specify a refresh_url in the oauth2_schema, but this doesn't work as expected:

from fastapi.security import OAuth2AuthorizationCodeBearer

oauth2_scheme = OAuth2AuthorizationCodeBearer(
    authorizationUrl=ConfigHandler.get_config()["oauth2"]["authorization_server"]["authorization_url"],  # The endpoint to get the authorization token
    tokenUrl=ConfigHandler.get_config()["oauth2"]["authorization_server"]["token_url"],    # The endpoint to get the actual access token
    refreshUrl=ConfigHandler.get_config()["oauth2"]["authorization_server"]["token_url"]   # The same token endpoint, reused as the refresh URL
)

major-mayer avatar May 18 '21 08:05 major-mayer

We tried specifying refreshUrl, too, but weren't able to get it to work.

Eli-Black-Work avatar May 19 '21 01:05 Eli-Black-Work

Having this would help much in testing our APIs.

labedzkim avatar May 21 '21 14:05 labedzkim

afaik, Swagger UI does not currently have token refresh. Happy to accept contributions, especially in this subject of authorization/authentication. 😉

tim-lai avatar Jun 10 '21 18:06 tim-lai

Thinking about this more, one might be able to use requestInterceptors to define custom handling to an auth request.

tim-lai avatar Jun 10 '21 22:06 tim-lai
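
One way to implement the interceptor approach suggested above, as an added example that is not code from this thread or from Swagger UI. It assumes a public client, a hypothetical in-memory `tokenStore` filled by the page's own login code, `tokenUrl` taken from the `token_endpoint` field of the discovery document, and an identity provider that allows CORS requests to that endpoint from the UI's origin.

```javascript
// Added example; createRefreshingInterceptor and tokenStore are hypothetical names.
// tokenStore = { accessToken, refreshToken, expiresAt /* ms epoch */ }, memory only.
function needsRefresh(store, nowMs, skewMs = 30000) {
  return Boolean(store.refreshToken) && nowMs >= store.expiresAt - skewMs;
}

function createRefreshingInterceptor({ apiOrigin, tokenUrl, clientId, tokenStore,
                                       fetchImpl = globalThis.fetch, now = Date.now }) {
  let inFlight = null; // shared promise: parallel requests trigger one refresh only
  const base = typeof location !== 'undefined' ? location.href : apiOrigin;

  async function refresh() {
    // RFC 6749 section 6 refresh grant, public client (no secret in the browser).
    const body = new URLSearchParams({
      grant_type: 'refresh_token',
      refresh_token: tokenStore.refreshToken,
      client_id: clientId,
    });
    const res = await fetchImpl(tokenUrl, {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    });
    if (!res.ok) {
      // Refresh token expired or revoked: drop both tokens so the user logs in again.
      tokenStore.accessToken = tokenStore.refreshToken = null;
      throw new Error('token refresh failed: HTTP ' + res.status);
    }
    const json = await res.json();
    tokenStore.accessToken = json.access_token;
    tokenStore.expiresAt = now() + json.expires_in * 1000;
    // Under refresh-token rotation the old token is now invalid; keep the new one.
    if (json.refresh_token) tokenStore.refreshToken = json.refresh_token;
  }

  return async function requestInterceptor(req) {
    // Attach the bearer token to API-origin requests only; requests to any other
    // origin (including Swagger UI's own OAuth calls to the IdP) pass unchanged.
    if (new URL(req.url, base).origin !== apiOrigin) return req;
    if (needsRefresh(tokenStore, now())) {
      inFlight = inFlight || refresh().finally(() => { inFlight = null; });
      await inFlight;
    }
    if (tokenStore.accessToken) req.headers.Authorization = 'Bearer ' + tokenStore.accessToken;
    return req;
  };
}
```

The returned function is passed as the `requestInterceptor` option of `SwaggerUIBundle`, which accepts an interceptor that returns a Promise resolving to the modified request.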

Any progress on this problem? I also need this functionality.

alexted avatar May 04 '22 08:05 alexted

Any progress on this? It will be a great help for developers.

rakum23 avatar Aug 24 '22 12:08 rakum23

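function authorize() {
    // Nothing to do if Swagger UI shows no Authorize button
    if ($('.btn.authorize').length < 1) return;
    // ...or if there is no access token cookie
    if (!web.getCookie('accessToken')) return;
    let a = {
        CoreAPI: {
            name: 'CoreAPI',
            schema: swg_ui.authSelectors.definitionsToAuthorize().get(0).get('CoreAPI'),
            value: 'Bearer ' + web.getCookie('accessToken')
        }
    };
    // Hand the token from the cookie to Swagger UI's auth state
    swg_ui.authActions.authorize(a);
}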

xianrui69 avatar Dec 29 '22 06:12 xianrui69

Any progress on this? It will be a great help for developers.

+1

rozzilla avatar May 10 '23 08:05 rozzilla

I am also looking for this feature in swagger, is there any progress?

amanuel-girma avatar Jun 26 '23 06:06 amanuel-girma

+1

ogurevich avatar Jul 12 '23 07:07 ogurevich

Is there any update on this feature? Do you know anything, @tim-lai?

AswiniKumarV avatar Oct 25 '23 14:10 AswiniKumarV

I'm suffering with you

hjrb avatar Dec 04 '23 12:12 hjrb

Wished the fastapi docs could do this

sajankp avatar Jan 05 '24 16:01 sajankp