7b0ac1ae28
* fix: show client secret input for PKCE auth code flow PKCE and Client Secrets are allowed to coexist and neither is designed as a replacement for the other. [1] It is wrong to assume that a client secret must not or cannot be used in combination with PKCE. Quite the opposite, when possible both PKCE and client secret should be used. [2] So the premises of #6290 and #8146 are not correct. Admittedly, for users of the PKCE mechanism WITHOUT a client secret it might be a minor nuisance to see the client secret input in the Swagger UI. But they can just leave it empty. On the other hand, for users of the PKCE mechanism WITH a client secret it is more than just a nuisance if the client secret input is not shown. The Swagger UI becomes unusable for them (unless they've set a default value for the client secret, which will be used hiddenly without being shown to the user). Therefore the right course of action for now would be to revert #7438 to show the client secret input always regardless of PKCE. In the future a new flag could be introduced to hide the client secret input regardless of the PKCE flag. [1] https://oauth.net/2/pkce/ [2] https://www.oauth.com/oauth2-servers/pkce/ * docs: explain why client secret input is shown despite PKCE
2.4 KiB
2.4 KiB
OAuth 2.0 configuration
You can configure OAuth 2.0 authorization by calling the
initOAuth method.
| Property name | Docker variable | Description |
|---|---|---|
| clientId | OAUTH_CLIENT_ID |
Default clientId. MUST be a string |
| clientSecret | OAUTH_CLIENT_SECRET |
🚨 Never use this parameter in your production environment.
It exposes crucial security information. This feature is intended for
dev/test environments only. 🚨 Default clientSecret. MUST be a string |
| realm | OAUTH_REALM |
realm query parameter (for oauth1) added to
authorizationUrl and tokenUrl. MUST be a
string |
| appName | OAUTH_APP_NAME |
application name, displayed in authorization popup. MUST be a string |
| scopeSeparator | OAUTH_SCOPE_SEPARATOR |
scope separator for passing scopes, encoded before calling, default
value is a space (encoded value %20). MUST be a string |
| scopes | OAUTH_SCOPES |
string array or scope separator (i.e. space) separated string of initially selected oauth scopes, default is empty array |
| additionalQueryStringParams | OAUTH_ADDITIONAL_PARAMS |
Additional query parameters added to authorizationUrl
and tokenUrl. MUST be an object |
| useBasicAuthenticationWithAccessCodeGrant | OAUTH_USE_BASIC_AUTH |
Only activated for the accessCode flow. During the
authorization_code request to the tokenUrl,
pass the Client
Password using the HTTP Basic Authentication scheme
(Authorization header with
Basic base64encode(client_id + client_secret)). The default
is false |
| usePkceWithAuthorizationCodeGrant | OAUTH_USE_PKCE |
Only applies to Authorization Code flows. Proof Key for Code
Exchange brings enhanced security for OAuth public clients. The
default is false Note: This option does not hide the client secret input because neither PKCE nor client secrets are replacements for each other. |
const ui = SwaggerUI({...})
// Method can be called in any place after calling constructor SwaggerUIBundle
ui.initOAuth({
clientId: "your-client-id",
clientSecret: "your-client-secret-if-required",
realm: "your-realms",
appName: "your-app-name",
scopeSeparator: " ",
scopes: "openid profile",
additionalQueryStringParams: {test: "hello"},
useBasicAuthenticationWithAccessCodeGrant: true,
usePkceWithAuthorizationCodeGrant: true
})