Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Swagger UI should automatically inject Authorization header when JWT is specified. #18614

Closed
cpilson opened this issue Jul 12, 2021 · 11 comments · Fixed by #19148
Closed

Swagger UI should automatically inject Authorization header when JWT is specified. #18614

cpilson opened this issue Jul 12, 2021 · 11 comments · Fixed by #19148
Assignees
Milestone

Comments

@cpilson
Copy link

cpilson commented Jul 12, 2021

Describe the bug

From https://stackoverflow.com/questions/68327095/how-do-i-properly-auth-with-jwt-to-openapi-ui-for-quarkus-smallyre-jwt

The UI doesn’t inject the Authorization header into the cURL command.

Expected behavior

The UI should inject -H “Authorization: <type> <JWT>” into the cURL command.

Actual behavior

CURL happens without a -H ”Authorization…” entry.

How to Reproduce?

  1. application.yml:
    
    smallrye-openapi:
      ...
      jwt-bearer-format: JWT
      jwt-security-scheme-value: Bearer
      security-scheme: jwt
  1. Run using the dev profile, head to localhost, pull up the Swagger UI page, put anything into the authentication padlock, click on a secured endpoint, see missing header in CURL and 401 response.

Output of uname -a or ver

No response

Output of java -version

11.0.2 (OpenJDK)

GraalVM version (if different from Java)

No response

Quarkus version or git rev

2.0.1.Final

Build tool (ie. output of mvnw --version or gradlew --version)

Gradle 6.8.3
------------------------------------------------------------

Build time:   2021-02-22 16:13:28 UTC
Revision:     9e26b4a9ebb910eaa1b8da8ff8575e514bc61c78

Kotlin:       1.4.20
Groovy:       2.5.12
Ant:          Apache Ant(TM) version 1.10.9 compiled on September 27 2020
JVM:          11.0.2 (Oracle Corporation 11.0.2+9)
OS:           Windows 10 10.0 amd64

Additional information

No response

@quarkus-bot
Copy link

quarkus-bot bot commented Jul 12, 2021

/cc @MikeEdgar, @phillip-kruger, @sberyozkin

@phillip-kruger
Copy link
Member

Hi thanks for this. Do you have a reproducer ?

@cpilson
Copy link
Author

cpilson commented Jul 12, 2021

Hi thanks for this. Do you have a reproducer ?

(I’m running this through my phone right now, apologies.)

Sorry, as in, another person who has run into this?

@phillip-kruger
Copy link
Member

As in a small app you can share that show the error.
(that makes it easier to look into the issue)

@cpilson
Copy link
Author

cpilson commented Jul 12, 2021

As in a small app you can share that show the error.
(that makes it easier to look into the issue)

Ah, cheers. Let me quickly bang something out and I’ll throw it into GitHub as a public repo. 👍🏻

@phillip-kruger
Copy link
Member

Thanks !

@cpilson
Copy link
Author

cpilson commented Jul 12, 2021

Thanks !

See https://github.com/cpilson/quarkus-smallrye-jwt-issue

I've repro'd just now. The JWT resource code is Sebi's, from Devoxx, so that'll look familiar. :D

@phillip-kruger
Copy link
Member

Great ! Thanks. Looking at it now.

@phillip-kruger
Copy link
Member

phillip-kruger commented Jul 12, 2021

Ok, You still need to indicate what method(s) the security should apply on. Example, adding

@SecurityRequirement(name = "SecurityScheme")

to the helloRolesAllowed method would add the token:

curl -X 'GET' \
  'http://localhost:8080/hello/secure-roles' \
  -H 'accept: */*' \
  -H 'Authorization: Bearer asdfasdfasdf'

You can also name the the SecurityScheme (rather than using the default SecurityScheme) by adding this to application.properties:

quarkus.smallrye-openapi.security-scheme-name=Company Authentication

and then you would change the name in the @SecurityRequirement annotation.

If you do not want to use annotations on the methods, you can create a filter that add the SecurityRequirement to all the methods needed. There is no automatic way to do this a.t.m.

Hope this help.

@cpilson
Copy link
Author

cpilson commented Jul 12, 2021

Ok, You still need to indicate what method(s) the security should apply on. Example, adding

@SecurityRequirement(name = "SecurityScheme")

to the helloRolesAllowed method would add the token:

curl -X 'GET' \
  'http://localhost:8080/hello/secure-roles' \
  -H 'accept: */*' \
  -H 'Authorization: Bearer asdfasdfasdf'

You can also name the the SecurityScheme (rather than using the default SecurityScheme) by adding this to application.properties:

quarkus.smallrye-openapi.security-scheme-name=Company Authentication

and then you would change the name in the @SecurityRequirement annotation.

If you do not want to use annotations on the methods, you can create a filter that add the SecurityRequirement to all the methods needed. There is no automatic way to do this a.t.m.

Hope this help.

User error? Oh man, I am so sorry about that. :( Thank you so much for looking into it.

@phillip-kruger
Copy link
Member

phillip-kruger commented Jul 12, 2021

No problem. It's not really a user error. I guess we could try and add a property to auto-add all methods that also have RolesAllowed. Let's keep this open and I can look into that. Basically, if there is only one SecurityScheme, and the auto-add config is enabled, then we do it. The only problem is that the filter has no knowledge of the other annotation on a method, but I think the extension should be able to pass it in.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants