[Bug]: Authentication problem with 6.6.2 #2939
Comments
Is it possible for you to share what the rendered JavaScript in the HTML page looks like please?
Thank you hugely for helping. Here it is:
Thanks - it looks like the changes I made to use System.Text.Json to support native AoT have broken the rendering here:

```javascript
var interceptors = JSON.parse('{"RequestInterceptorFunction":"(req) =\u003E { if (req.url.endsWith(\u0027connect/token\u0027) \u0026\u0026 req.body) req.body \u002B= \u0027\u0026client_id=\u0027 \u002B client_id.value \u002B \u0027\u0026client_secret=\u0027 \u002B client_secret.value; return req; }"}');
```
Really appreciate you looking into it, thank you. We'll stay on 6.5.0 as it's not a problem to do so, I was just keeping our versions up to date.
I notice we don't seem to have any test coverage for this area, so that's something we'll also need to sort out when this is fixed.
Ignore, doesn't work.

```csharp
app.UseSwaggerUI(c =>
{
    // Your configuration, then:
    c.JsonSerializerOptions = new()
    {
        Converters = { new JsonStringEnumConverter(JsonNamingPolicy.CamelCase, false) },
        Encoder = JavaScriptEncoder.UnsafeRelaxedJsonEscaping,
        DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull,
        PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
    };
});
```

Edit: never mind, that isn't the fix or reason.
I've found the reason for this issue and it both is and isn't our fault 😄

In [email protected], which is included with v6.5.0, the name of the HTML element highlighted in red below has an

```html
<input id="client_id" type="text" data-name="clientId">
```

In [email protected], which is included with v6.6.2, the element has a different ID of

```html
<input id="client_id_authorizationCode" type="text" data-name="clientId">
```
If I change your interceptor function like below to use

```csharp
c.UseRequestInterceptor(
    "" +
    "(req) => {" +
    "  if (req.url.endsWith('connect/token') && req.body) {" +
    "    req.body += '&client_id=' + client_id_authorizationCode.value + '&client_secret=' + client_secret_authorizationCode.value;" +
    "  }" +
    // Return the request for every URL, not only the token endpoint.
    "  return req;" +
    "}");
```

So this is our fault in one way because we updated swagger-ui-dist to v5, but it also has two other contributing factors.

The first is that swagger-ui did some UI refactoring and renamed the page element. I don't know if this is considered part of their public API surface area or not, but at face value it looks like an implementation detail to me that isn't intended to be something that's relied on. If it is part of their public surface area and covered by the v5 breaking changes, this feels quite out of scope of the sort of things we should be expected to find/detect/react-to within the library. We did test that there was nothing obviously breaking with the update from v4 to v5 and didn't find anything, which is why it seemed safe to include in v6.6 (rather than needing it to be part of a v7 as it was a major update).

If it isn't part of their public API surface area, then in that case the second issue is that you depended on an implementation detail of Swagger UI to get the client ID in your interceptor function.

From looking at

```json
{
  "url": "/auth-server/connect/token",
  "method": "post",
  "headers": {
    "Accept": "application/json, text/plain, */*",
    "Content-Type": "application/x-www-form-urlencoded",
    "X-Requested-With": "XMLHttpRequest"
  },
  "body": "grant_type=authorization_code&code=Skg5ZRCelpGhVkzSao1QGsdZno78PONgZikGhSt0KbA&client_id=test-id&client_secret=test-secret&redirect_uri=https%3A%2F%2Flocalhost%3A5001%2Fresource-server%2Fswagger%2Foauth2-redirect.html&code_verifier=xPn7nrFvaxiTu2Z2K1JcMtHNkWY3JW5KrJtaO3Toz3c"
}
```

The client ID and client secret appear to be already set, so I'm not sure why you need to set it.

I'm going to leave this issue open for now as I found a few things to tweak while investigating this, but for the original issue you need to either remove your interceptor (because the client ID and secret appear to be set anyway), or to use the new input values to access their values.
See #2942 for the changes I mentioned, otherwise I think this is now resolved from our perspective.
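An added example, not part of the thread or of Swashbuckle's code: it decodes the escaped literal quoted above to show the `\uXXXX` escaping leaves the function source intact, then runs that interceptor against constructed stand-ins for the old and new input IDs. The page objects, the `new Function`/`with` trick that imitates ID globals outside a browser, and `tolerantInterceptor` are assumptions made for the demonstration.

```javascript
// The literal quoted in the thread, as 6.6.2 rendered it into the page.
const rendered = '{"RequestInterceptorFunction":"(req) =\u003E { if (req.url.endsWith(\u0027connect/token\u0027) \u0026\u0026 req.body) req.body \u002B= \u0027\u0026client_id=\u0027 \u002B client_id.value \u002B \u0027\u0026client_secret=\u0027 \u002B client_secret.value; return req; }"}';

// The escapes decode back to the original function source.
function decodeInterceptor() {
  return JSON.parse(rendered).RequestInterceptorFunction;
}

// Constructed stand-ins for the page inputs, keyed by the IDs seen in the thread.
const oldPage = { client_id: { value: 'test-id' }, client_secret: { value: 'test-secret' } };
const newPage = {
  client_id_authorizationCode: { value: 'test-id' },
  client_secret_authorizationCode: { value: 'test-secret' },
};

// Run the decoded interceptor with `page` acting as the browser's ID globals.
// Returns the resulting body, or the error name if an identifier is unresolved.
function runOriginal(page, body) {
  const make = new Function('page', 'with (page) { return (' + decodeInterceptor() + '); }');
  try {
    return make(page)({ url: '/auth-server/connect/token', body }).body;
  } catch (e) {
    return e.name;
  }
}

// Hypothetical alternative: accept either ID and append a credential only
// when the form body does not already carry it (pass `window` in a browser).
function tolerantInterceptor(page) {
  const pick = (...ids) => ids.map((id) => page[id]).find(Boolean);
  return (req) => {
    if (!req.url.endsWith('connect/token') || !req.body) return req;
    const form = new URLSearchParams(req.body);
    const id = pick('client_id_authorizationCode', 'client_id');
    const secret = pick('client_secret_authorizationCode', 'client_secret');
    if (!form.has('client_id') && id) form.set('client_id', id.value);
    if (!form.has('client_secret') && secret) form.set('client_secret', secret.value);
    req.body = form.toString();
    return req;
  };
}
```

Against the renamed inputs the original interceptor fails with a `ReferenceError` before the token request is sent, and against a body that already carries the credentials it appends them a second time.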
Describe the bug
Upgrading from 6.50 to 6.6.2 caused our authentication system to stop working. We have a separate identity server using client credentials and with 6.6.2 we are always getting the error:
Reverting just Swashbuckle.AspNetCore back to 6.5.0 resolves the issue.
Our .AddSwaggerGen code:
In our UseSwaggerUI:
Expected behavior
No response
Actual behavior
No response
Steps to reproduce
No response
Exception(s) (if any)
No response
Swashbuckle.AspNetCore version
6.6.2
.NET Version
NET8
Anything else?
If there's any other information you need please let me know.