Enable OAuth2 Implicit Flow authentication round-trip in Swagger UI #585
Conversation
@noirbizarre is this valuable? Does it look ok? In particular, do you see any downsides for someone not using the feature?
Is it possible to get some feedback on this PR? Even if implicit flow was recently considered unsafe (see the latest RFC on this topic), this flow is still heavily used, and not being able to use swagger-ui on implicit-flow-authenticated endpoints is a huge issue (swagger-ui is then useless for those endpoints). Now that this project is back from the dead, I would really like for this PR (if it works) to make it into the next release. Thanks again
@SteadBytes can you take a look at this PR?
Currently migrating an API to Flask + Restplus and running into this issue (Swagger-UI useless for any endpoints that use implicit auth). Any ETA on when this will be looked at? Want to know if I should start working on a workaround.
I do apologise for the delay in reviewing this PR and for responding @alanjcastonguay. It's been a busy few weeks and our lead maintainer @noirbizarre is currently taking a break due to the recent birth of his son 😄 so we are awaiting his return before making a new release to PyPI for the recent influx of new features/bug fixes that we have merged into master. I will take a look at this PR ASAP 👍
Please correct me if I'm wrong, but I don't think that this addresses #544 🤔 This feature will set the Swagger UI
This was several months ago so my memory is a bit lacking. But iirc the arbitrary Other url (for an OAuth2 IDP) is configured with
Woot!
@alanjcastonguay Ah yes that is correct, thank you for clarifying. The code changes look good to me 👍 It would however be great if some documentation could be added for this - do you mind doing that? I will also ask for review from some fellow contributors 😄
The swagger-ui project contains an 'oauth2-redirect.html' file which provides a credential trampoline. Vendor it in, and place the external url to this file in swagger-ui.html.

The OAuth2 authentication loop is run in a popup window/tab. The IDP will redirect back to the oauth2RedirectUrl with an access_token provided in the #hash-fragment of the url. Javascript running inside 'oauth2-redirect.html' pushes the access_token back to the parent which created the window/tab, before closing the tab.

Enables use-case in #544 without adding another config param.

Usage:

```python
# Values rendered into swagger-ui.html for the "Authorize" dialog.
app.config.SWAGGER_UI_OAUTH_CLIENT_ID = 'MyClientId'
app.config.SWAGGER_UI_OAUTH_REALM = '-'
app.config.SWAGGER_UI_OAUTH_APP_NAME = 'Demo'

api = Api(
    app,
    title='Demo',
    # Security requirement applied to the API: the OAuth2 scheme below with these scopes.
    security={'OAuth2': ['read', 'write']},
    authorizations={
        'OAuth2': {
            'type': 'oauth2',
            'flow': 'implicit',
            # The IDP's authorization endpoint; it redirects back to oauth2-redirect.html.
            'authorizationUrl': 'https://idp.example.com/authorize?audience=https://app.example.com',
            'clientId': app.config.SWAGGER_UI_OAUTH_CLIENT_ID,
            'scopes': {
                'openid': 'Get ID token',
                'profile': 'Get identity',
            }
        }
    }
)
```
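The redirect-page logic the commit message describes, as an added example that is not code from swagger-ui, flask-restplus or this PR: parse the token out of the URL fragment, compare the `state` value against the one the opening window stored before launching the popup, and hand the result to the opener. The `swaggerUIRedirectOauth2` handshake object is modelled on swagger-ui's but simplified here (only `state` and `callback` are assumed), and the opener is a plain object so the block runs under Node.

```javascript
// Added example, not swagger-ui's or this PR's code: the work an
// oauth2-redirect.html-style trampoline page does once the IdP sends the
// browser back. The token arrives in location.hash, which browsers never send
// to the server, so it must be picked up client-side and handed to the opener.
// Parse "#access_token=...&state=..." into a plain object.
function parseFragment(hash) {
  const params = {};
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  for (const pair of raw.split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const key = i < 0 ? pair : pair.slice(0, i);
    const value = i < 0 ? '' : pair.slice(i + 1);
    params[decodeURIComponent(key)] = decodeURIComponent(value.replace(/\+/g, ' '));
  }
  return params;
}

// Deliver the fragment to the window that opened the popup. `opener` stands in
// for window.opener; its `swaggerUIRedirectOauth2` property is modelled on the
// handshake swagger-ui's redirect page uses (assumed here: {state, callback}).
function handleRedirect(hash, opener) {
  const oauth2 = opener && opener.swaggerUIRedirectOauth2;
  if (!oauth2) {
    // Opened directly, or the opener navigated away: nowhere safe to deliver.
    return { delivered: false, isValid: false, reason: 'no opener context' };
  }
  const params = parseFragment(hash);
  // The state value was generated by the opener before the popup was launched;
  // a mismatch means this response is not the one this session asked for.
  const isValid = params.state === oauth2.state;
  if (params.error) {
    oauth2.callback({ error: params.error, isValid: false });
    return { delivered: true, isValid: false, reason: params.error };
  }
  if (!isValid) {
    oauth2.callback({ error: 'state mismatch', isValid: false });
    return { delivered: true, isValid: false, reason: 'state mismatch' };
  }
  oauth2.callback({
    token: { access_token: params.access_token, token_type: params.token_type },
    isValid: true,
  });
  // The real page now calls window.close() so the token does not linger in a tab.
  return { delivered: true, isValid: true, reason: null };
}

// Constructed sample of what an IdP leaves in location.hash after consent.
const SAMPLE_HASH = '#access_token=abc123&token_type=Bearer&expires_in=3600&state=s1';
```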
@SteadBytes I pushed 7d5795b with some docs. Is that what you're looking for?
@alanjcastonguay Thank you for including the documentation - it is much appreciated! I have left a single comment in a review on it. If you're happy to address that I'll get this merged 👍