swagger-ui is not mapping oauth2-redirect.html #4766

Closed
btsibr opened this issue Oct 22, 2019 · 18 comments · Fixed by #12782 or #15055

@btsibr

btsibr commented Oct 22, 2019

Describe the bug
In Quarkus, swagger-UI sets the redirect_uri for OAUTH2 requests to /oauth2-redirect.html. If this file doesn't exist, the Authorize dialog (after asking for scopes) returns to a 404 page (that includes a suggestion for /webjars/swagger-ui/3.20.9/oauth2-redirect.html).

Quarkus 0.25.0 w/ swagger-ui and smallrye-jwt extensions.

Expected behavior
The authorize dialog successfully returns to swagger-ui with a token.

This can currently be validated by extracting oauth2-redirect.html from the swagger-ui webjar and placing it in src/main/resources/META-INF.

Expectation is that one of the following happens:

  • swagger-ui extension correctly configures swagger's redirect_uri to be /swagger-ui/oauth2-redirect.html (respecting parameters that may have changed /swagger-ui)
  • OR Quarkus is configured to respond to /oauth2-redirect.html

Actual behavior
The Authorize dialog (after asking for scopes) returns to a 404 page (that includes a suggestion for /webjars/swagger-ui/3.20.9/oauth2-redirect.html).

To Reproduce
Steps to reproduce the behavior:

  1. Follow the JWT quickstart steps from https://quarkus.io/guides/jwt-guide
  2. Add the swagger-ui extension
  3. Attempt to access the secured endpoint using the swagger-ui Authorize button

Environment (please complete the following information):

  • CentOS7
  • 1.8.0_222
  • quarkus:dev
  • 0.25.0
@btsibr btsibr added the kind/bug Something isn't working label Oct 22, 2019
@btsibr
Author

btsibr commented Oct 22, 2019

I believe that it just needs to set the oauth2RedirectUrl when it modifies the swagger-ui index.html

https://swagger.io/docs/open-source-tools/swagger-ui/usage/configuration/.

As an aside, it'd be nice to be able to set the validatorUrl.

@gsmet
Member

gsmet commented Jan 21, 2020

@irenakezic this might be a good issue for you. From what I can see, we need to expose oauth2-redirect.html when doing the Swagger UI magic.

Better check beforehand if it's still inaccessible as it's a pretty old issue.

@irenakezic
Contributor

@gsmet ok thx! I will give it a try but probably not before the weekend.

@irenakezic
Contributor

@btsibr I tried reproducing this but the Authorize dialog seems to work fine for me.
Could you share the exact project you use to reproduce this issue?
Did you add any open api annotations to your code or do you have an openapi.yaml to share?
Thanks!

@lucas-dclrcq

Configuring smallrye-openapi like below, I have the same issue:

@SecurityScheme(securitySchemeName = "oauth2",
        type = SecuritySchemeType.OAUTH2,
        description = "Authentication needed for this operation",
        flows = @OAuthFlows(
                implicit = @OAuthFlow(authorizationUrl = "http://localhost:8180/auth/realms/some_realm/protocol/openid-connect/auth"
                )
        )
)

I can successfully log in, but am redirected to /oauth2-redirect.html.

When I manually prefix this path with /swagger-ui it works.

@Agh42

Agh42 commented Apr 2, 2020

I'm having the same problem here. I'm getting redirected to
"http://localhost:8070/oauth2-redirect.html".
The correct path in my case would be
"http://localhost:8070/swagger-ui/oauth2-redirect.html".

Can I change that within the @SecurityScheme annotation somehow?

When I change the URL manually, the oauth2-redirect.html file is there (I can view the HTML source), but authorization won't continue. I'm just looking at an empty page.

@gsmet gsmet added this to the 1.4.0 milestone Apr 2, 2020
@Agh42

Agh42 commented Apr 3, 2020

The problem is that the redirect-url is determined in index.js without looking at the URL path:

const defaults ={
[...]
oauth2RedirectUrl: `${window.location.protocol}//${window.location.host}/oauth2-redirect.html`,

I did not find any place where I could overwrite this default. This means that Swagger-UI will not work for any path other than '/', correct?

@Agh42

Agh42 commented Apr 3, 2020

Ok - this is a top level configuration item for swagger-ui. It must be configured as described here:

https://github.com/shockey/swagger-ui/blob/master/docs/usage/configuration.md#how-to-configure

@gsmet
Member

gsmet commented Apr 3, 2020

@Agh42 considering we already update the URL in SwaggerUiProcessor#updateApiUrl(), I wonder if we could override that oauth2RedirectUrl too?

Would you be interested in giving it a try?

@gsmet gsmet modified the milestones: 1.4.0.CR1, 1.4.0.Final Apr 14, 2020
@gsmet gsmet modified the milestones: 1.4.0.Final, 1.5.0 Apr 22, 2020
@gsmet gsmet modified the milestones: 1.5.0.CR1, 1.6.0 May 19, 2020
nicmarti added a commit to lunatech-labs/lunatech-timekeeper that referenced this issue Jun 18, 2020
nicmarti pushed a commit to lunatech-labs/lunatech-timekeeper that referenced this issue Jun 19, 2020
* Temporary workaround to avoid Quarkus issue quarkusio/quarkus#4766

Fix for quarkusio/quarkus#4766

* Add keycloak OAuth2 to the Swagger API
@gsmet gsmet modified the milestones: 1.6.0 - master, 1.7.0 Jun 25, 2020
@gsmet gsmet removed this from the 1.7.0.CR1 - master milestone Jul 30, 2020
@phillip-kruger phillip-kruger self-assigned this Oct 19, 2020
@gsmet gsmet added this to the 1.10 - master milestone Oct 20, 2020
@viniciusfcf
Contributor

@btsibr Hi, I am trying to configure @SecurityScheme with OAUTH2 and authorizationCode, however it does not work using Quarkus 1.11.1.

I tried to include the following properties, unsuccessfully:

quarkus.swagger-ui.oauth2-redirect-url=http://localhost:8080/api/q/swagger-ui/
quarkus.swagger-ui.validator-url=localhost

Do you know what I missed?

@ThoSap

ThoSap commented Feb 10, 2021

Hi,

I'm having exactly the same issue as @lucas-dclrcq, @viniciusfcf, and @Agh42
I'm using Quarkus 1.11.2

@SecurityScheme(
    type = SecuritySchemeType.OAUTH2,
    securitySchemeName = "Keycloak Dev",
    description = "Keycloak Identity and Access Management",
    flows = @OAuthFlows(
        implicit = @OAuthFlow(
            refreshUrl = "http://localhost:8081/auth/realms/h2g/protocol/openid-connect/token",
            authorizationUrl = "http://localhost:8081/auth/h2g/master/protocol/openid-connect/auth",
            scopes = {
                @OAuthScope(
                    name = "microprofile-jwt",
                    description = "Microprofile - JWT built-in scope"
                ),
                @OAuthScope(
                    name = "profile",
                    description = "OpenID Connect built-in scope: profile"
                ),
                @OAuthScope(
                    name = "roles",
                    description = "OpenID Connect scope for add user roles to the access token"
                ),
                @OAuthScope(
                    name = "email",
                    description = "OpenID Connect built-in scope: email"
                ),
                @OAuthScope(
                    name = "web-origins",
                    description = "OpenID Connect scope for add allowed web origins to the access token"
                )
            }
        )
    )
)


@phillip-kruger
Member

Can you perhaps share a small project that reproduces this?

@phillip-kruger phillip-kruger removed this from the 1.10.0.CR1 milestone Feb 10, 2021
@phillip-kruger
Member

Is it basically that the oauth2-redirect.html is missing? Or have you included it in your project? I am busy making a change to add that to this extension, but a good test would be to add it to your application.

@phillip-kruger
Member

@ThoSap - do you perhaps have a small reproducer?

@ThoSap

ThoSap commented Feb 11, 2021

@phillip-kruger If I have time I will prepare one today based on https://github.com/quarkusio/quarkus-quickstarts/tree/master/security-keycloak-authorization-quickstart

@ThoSap

ThoSap commented Feb 11, 2021

@phillip-kruger sorry I did not find the time today to prepare the reproducer.

I just manually checked the app.jar of a Quarkus 1.11.2 prod build and found that indeed the file oauth2-redirect.html is missing in
app.jar:/META-INF/swagger-ui-files/oauth2-redirect.html

But even if the file would be there, the redirected context should be /q/swagger-ui/oauth2-redirect.html and not /oauth2-redirect.html

@phillip-kruger
Member

Ok that helps, I'll look at this today. If we make sure oauth2-redirect.html is relative to the swagger-ui index.html it should be ok.

@phillip-kruger
Member

The above mentioned PR will now include the oauth2-redirect.html.
I could not set the context automatically, but you can add it by setting this property:

quarkus.swagger-ui.oauth2-redirect-url=http://localhost:8080/q/swagger-ui/oauth2-redirect.html

We will have to make changes to the swagger-ui project to be able to pass in /q/swagger-ui/oauth2-redirect.html so that the js in swagger-ui appends the host and port of the current page. If that is done, I can set this property automatically.

Hope that helps. Please let me know.
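
Added example, not part of the original thread and not Quarkus or swagger-ui code: it reproduces the default quoted earlier in the thread, compares it with a path-relative derivation, and checks a configured quarkus.swagger-ui.oauth2-redirect-url value against the page that serves the UI. The helpers relativeRedirectUrl, defaultWorks and checkConfiguredRedirect are hypothetical names, and the sample URLs are constructed from values mentioned in the comments.

```javascript
// Default as quoted in the thread: origin plus a fixed file name, page path ignored.
function defaultRedirectUrl(pageUrl) {
  const loc = new URL(pageUrl);
  return `${loc.protocol}//${loc.host}/oauth2-redirect.html`;
}

// Hypothetical path-aware variant: the file that sits next to index.html.
function relativeRedirectUrl(pageUrl) {
  const loc = new URL(pageUrl);
  // Treat "/swagger-ui" (no trailing slash, no file extension) as a directory.
  const last = loc.pathname.split("/").pop();
  if (last !== "" && !last.includes(".")) loc.pathname += "/";
  loc.search = "";
  loc.hash = "";
  return new URL("oauth2-redirect.html", loc).href;
}

// True only when the built-in default already points at the served file,
// which happens when the UI is mounted at the root path.
function defaultWorks(pageUrl) {
  return defaultRedirectUrl(pageUrl) === relativeRedirectUrl(pageUrl);
}

// Sanity-check a configured redirect URL before registering it as a
// redirect URI with the authorization server. Returns a list of problems.
function checkConfiguredRedirect(configured, pageUrl) {
  let cfg;
  try {
    cfg = new URL(configured);
  } catch {
    return ["not an absolute URL"];
  }
  const problems = [];
  if (cfg.origin !== new URL(pageUrl).origin) {
    problems.push("origin differs from the Swagger UI page");
  }
  if (!cfg.pathname.endsWith("/oauth2-redirect.html")) {
    problems.push("path does not end in oauth2-redirect.html");
  }
  if (cfg.href !== relativeRedirectUrl(pageUrl)) {
    problems.push("does not match the file next to index.html");
  }
  return problems;
}

// Constructed sample: UI served under /swagger-ui, as in the reports above.
console.log(defaultRedirectUrl("http://localhost:8070/swagger-ui/"));
console.log(relativeRedirectUrl("http://localhost:8070/swagger-ui/"));
```

Whatever value ends up in the property must also be the redirect URI registered for the client at the authorization server, otherwise the authorization request is rejected there instead of ending on a 404.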
