swagger-ui
Hiding of password field with PKCE enabled, prevents usage of client_credentials, when API has multiple authentication methods.
Q&A (please complete the following information)
- OS: Windows
- Browser: Chrome
- Version: 99
- Method of installation: nuget
- Swagger-UI version: 4.5.0
- Swagger/OpenAPI version: OpenAPI 3.0.1
Content & configuration
After feature #7438 got merged in, multiple security schemes with the following scenario:
- OAuth with authorization_code flow with PKCE
- OAuth with client_credentials
result in the password field being hidden for client_credentials.
Swagger-UI configuration options:
SwaggerUI({
"usePkceWithAuthorizationCodeGrant": true
})
Describe the bug you're encountering
(flow === AUTH_FLOW_APPLICATION || flow === AUTH_FLOW_ACCESS_CODE || flow === AUTH_FLOW_PASSWORD) && !isPkceCodeGrant &&
should have been
(flow === AUTH_FLOW_APPLICATION || (flow === AUTH_FLOW_ACCESS_CODE && !isPkceCodeGrant) || flow === AUTH_FLOW_PASSWORD) &&
Originally posted by @chrklin in https://github.com/swagger-api/swagger-ui/issues/7438#issuecomment-1077566962
To reproduce...
Steps to reproduce the behavior:
- Enable PKCE
- Add client credentials security scheme
- Add code flow security scheme
- Click Authorize
- See missing password field on client_credentials flow
Expected behavior
If we keep the functionality from #7438, then the flow with authorization code flow with PKCE should have the password field hidden and the password field for the client_credentials flow shown.
Screenshots
Additional context or thoughts
A different issue is that you might actually want to use password with PKCE, since they cover different security related things.
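The two conditions quoted in the bug description, modelled side by side as an added example (not swagger-ui's own code). It assumes that isPkceCodeGrant mirrors the global usePkceWithAuthorizationCodeGrant option for every scheme in the Authorize dialog, which is what the reported configuration implies, and the string values of the flow constants are assumed.

```javascript
// Added example, not swagger-ui source: models the predicate that decides
// whether the client_secret input is rendered for a given OAuth2 flow.
// Constant names mirror the ones quoted in the report; values are assumed.
const AUTH_FLOW_IMPLICIT = "implicit";
const AUTH_FLOW_PASSWORD = "password";
const AUTH_FLOW_ACCESS_CODE = "authorizationCode";
const AUTH_FLOW_APPLICATION = "clientCredentials";

// Condition as quoted in the report. Assumption: isPkceCodeGrant is the
// global usePkceWithAuthorizationCodeGrant option, so it is true for every
// scheme once PKCE is enabled. The "&& !isPkceCodeGrant" applies to the whole
// group, so client_credentials and password lose their secret input too,
// although client_credentials cannot authenticate without a secret.
function showSecretBuggy(flow, isPkceCodeGrant) {
  return (flow === AUTH_FLOW_APPLICATION || flow === AUTH_FLOW_ACCESS_CODE ||
          flow === AUTH_FLOW_PASSWORD) && !isPkceCodeGrant;
}

// Condition the reporter proposes: PKCE only suppresses the secret for the
// authorization-code flow (a public client that holds no secret); the other
// confidential-client flows keep their input regardless of the PKCE setting.
function showSecretFixed(flow, isPkceCodeGrant) {
  return flow === AUTH_FLOW_APPLICATION ||
         (flow === AUTH_FLOW_ACCESS_CODE && !isPkceCodeGrant) ||
         flow === AUTH_FLOW_PASSWORD;
}

// Evaluate both predicates for every flow with PKCE off and on, and return
// the combinations where they disagree: these are the regressions described
// in the issue (secret hidden for client_credentials and password).
function regressions() {
  const flows = [AUTH_FLOW_IMPLICIT, AUTH_FLOW_PASSWORD,
                 AUTH_FLOW_ACCESS_CODE, AUTH_FLOW_APPLICATION];
  const diffs = [];
  for (const flow of flows) {
    for (const isPkceCodeGrant of [false, true]) {
      const buggy = showSecretBuggy(flow, isPkceCodeGrant);
      const fixed = showSecretFixed(flow, isPkceCodeGrant);
      if (buggy !== fixed) diffs.push({ flow, isPkceCodeGrant, buggy, fixed });
    }
  }
  return diffs;
}

console.table(regressions());
```

With PKCE disabled the two predicates agree on every flow, so the table only lists the two PKCE-enabled cases where the original condition hides a secret input that the proposed one keeps.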
Duplicate of #7862
Duplicated here https://github.com/swagger-api/swagger-ui/issues/7913
Issue https://github.com/swagger-api/swagger-ui/issues/7913 is clearly not a duplicate of this one, quite the opposite.
@arturciesielskisteelseries both issues are about the client secret field being hidden. So yes, they are about the same thing.
This is duplicate of #7862, but definitely not duplicate of #7913. Client credential always needs password/secret field. PKCE does not always need password field. #7913 talks about providing option to show password/secret field for Authorization flow. Again that is not always needed. Current functionality of not showing password/secret for Authorization flow is appropriate for SSO scenario. So both issues should be looked at separately and not clubbed under #7913.
@chrklin yes, those both are about the secret input being hidden. But they address two completely different flows - this issue is client_credentials-specific, while #7913 talks about the inability to use secret with PKCE at all, even though it's recommended by any sane authority on OAuth2.
Yes they are similar, yes they could be fixed together, but it's better and healthier if we consider this case separately, since removing this option was clearly intentional.
The problem persists... please, any insight about this? This problem prevents us from updating to recent versions. We can still use the 6.2.3 version. When is a correction expected? Thanks!
I had the same issue with Swashbuckle.AspNetCore.x version 6.4.0. Updating to 6.5.0 seemed to bring the client-secret input back with PKCE enabled. However, now the client-secret input field is visible for both "clientCredentials" and "authorizationCode with PKCE".