
I have recently started a Web API 2 project in Visual Studio 2012 using OWIN middleware to authenticate users with OAuth2. I incorporated token based authentication as outlined on this tutorial (Token Based Authentication). The authentication part works great. I have added some testing API methods and I wanted to hook up Swagger for my API documentation. I got that part working too, with the exception that the API calls from Swagger fail on authorization.

After research, I found Erik Dahl's post about how to hook up Swagger to OWIN middleware. After I configured my Swagger according to the post, I now see the authenticate buttons on the Swagger UI next to each API method. However, when trying to authenticate, the authentication within Swagger is done using a GET request. The authentication on the web API, though, requires it to be a POST request. Is it possible to configure Swagger to make the authentication request a POST? If not, should I allow my API to accept GET requests for token authentication? What would be the best approach to make this work?

Note: The request still hits my authentication logic, but the client_id and client_secret are not passed in a GET request, only in a POST request.

Here's my Swagger config:

httpConfig
    .EnableSwagger(c =>
    {
        c.SingleApiVersion("v1", "Sample API");

        // Security definition 1: a bearer token the caller already holds,
        // sent as a request header.
        c.ApiKey("token")
            .Description("API Key Authentication")
            .Name("Bearer")
            .In("header");

        // Security definition 2: OAuth2 with the "implicit" flow. In this flow
        // Swagger UI redirects the browser (a GET) to AuthorizationUrl and expects
        // the token back in the redirect fragment; it never POSTs to a token endpoint.
        c.OAuth2("oauth2")
            .AuthorizationUrl("/oauth/token")
            .Flow("implicit")
            .Description("OAuth2 authentication")
            .Scopes(scopes =>
            {
                scopes.Add("sampleapi", "Sample API");
            });

        // Attaches the OAuth2 security requirement to each operation.
        c.OperationFilter<AssignOAuth2SecurityRequirements>();
    })
    .EnableSwaggerUi(c =>
    {
        // Client credentials Swagger UI uses when it starts the OAuth2 flow.
        c.EnableOAuth2Support(
            clientId: "Sample_App",
            clientSecret: "xxxxx",
            realm: "test-realm",
            appName: "Swagger UI");
    });

And here's my OAuth config:

// Repositories resolved per OWIN request context.
app.CreatePerOwinContext<ApiClientRepo>(ApiClientRepo.Create);
app.CreatePerOwinContext<MeetingRegistrantRepo>(MeetingRegistrantRepo.Create);

OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
{
    // For Dev environment only (on production should be AllowInsecureHttp = false)
    AllowInsecureHttp = true,
    // The token endpoint; the OWIN authorization server only accepts POST here.
    TokenEndpointPath = new PathString("/oauth/token"),
    AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
    // Validates client credentials and resource-owner credentials.
    Provider = new CustomOAuthProvider(),
    // Issues JWTs with the given issuer.
    AccessTokenFormat = new CustomJwtFormat("http://localhost:51071"),
    RefreshTokenProvider = new SimpleRefreshTokenProvider()
};

// OAuth 2.0 Bearer Access Token Generation
app.UseOAuthAuthorizationServer(OAuthServerOptions);
Sebbo

1 Answer

No, I would not change the authentication method from POST to GET just to satisfy Swagger.

I found another article which should help you do what you want to do here: http://danielwertheim.se/use-identityserver-in-swaggerui-to-consume-a-secured-asp-net-webapi/

It would be worth trying it that way. Don't forget that changing from POST to GET means you can no longer pass the parameters in the body of the request; you will instead have to do it in the URL of the request, and that makes the whole thing insecure.

Yes, the ClientID and ClientSecret will still be part of the Authorization Header, but still do not open yourself up to stuff like this. Swagger should not dictate the architecture of your API so don't go there.

Andrei Dragotoniu
  • Andrei, although the article in your answer provides a possible workaround for my goal, I don't feel that I want to add all that baggage to the project. It's a small project and I figured if there's no easy solution to modify the Swagger config, I will just use Web API's Help Pages. They provide enough information for my API documentation. I believe that I will choose that route instead. And yes, I agree with you, I would not change the auth method from POST to GET either. – Sebbo Jul 07 '16 at 20:34
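The answer's warning about moving the token request to GET can be made concrete. The following is an added example, not code from the question, the answer, or the OWIN OAuth middleware: a small Python model of a token endpoint that, like the OWIN OAuthAuthorizationServer, only reads client credentials from a POST form body or an HTTP Basic Authorization header (RFC 6749 section 2.3.1) and refuses GET outright, plus a helper showing what a Common Log Format access-log line retains for each request style. The client id and secret values are the placeholders from the question's config, and the requests are constructed inline, so nothing touches the network.

```python
"""Model of an OAuth2 token endpoint that refuses GET and shows why.

Added example, not part of the original question or answer. The Request type,
the handler, and the sample requests below are all constructed for illustration.
"""
import base64
from dataclasses import dataclass, field
from urllib.parse import parse_qs

FORM = "application/x-www-form-urlencoded"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical, not a real framework type)."""
    method: str
    url: str                       # request target, query string included
    headers: dict = field(default_factory=dict)
    body: str = ""


def extract_client_credentials(req):
    """Return (client_id, client_secret) or None.

    Mirrors RFC 6749 section 2.3.1: credentials come from the Basic
    Authorization header or from the form body, never from the query string.
    """
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[len("Basic "):]).decode()
        except (ValueError, UnicodeDecodeError):
            return None
        client_id, _, secret = decoded.partition(":")
        if client_id:
            return client_id, secret
    if req.headers.get("Content-Type", "").startswith(FORM):
        form = parse_qs(req.body)
        if "client_id" in form and "client_secret" in form:
            return form["client_id"][0], form["client_secret"][0]
    return None


def handle_token_request(req):
    """Return (status, message). GET is rejected before any credential parsing."""
    if req.method != "POST":
        return 405, "token endpoint requires POST"
    creds = extract_client_credentials(req)
    if creds is None:
        return 401, "invalid_client"
    grant_type = parse_qs(req.body).get("grant_type", [""])[0]
    if grant_type != "client_credentials":
        return 400, "unsupported_grant_type"
    return 200, "access_token issued for %s" % creds[0]


def access_log_line(req):
    """What a Common Log Format entry keeps: method and full request target.

    Bodies and Authorization headers are not logged; query strings are, which
    is exactly where a GET-based token request would carry the secret.
    """
    return "%s %s HTTP/1.1" % (req.method, req.url)


def secret_in_log(req, secret):
    """True when the secret would be persisted in an ordinary access log."""
    return secret in access_log_line(req)


# Constructed sample requests; "Sample_App"/"xxxxx" are the question's placeholders.
GET_WITH_CREDS_IN_QUERY = Request(
    method="GET",
    url="/oauth/token?grant_type=client_credentials&client_id=Sample_App&client_secret=xxxxx",
)
POST_WITH_FORM_BODY = Request(
    method="POST", url="/oauth/token", headers={"Content-Type": FORM},
    body="grant_type=client_credentials&client_id=Sample_App&client_secret=xxxxx",
)
POST_WITH_BASIC_HEADER = Request(
    method="POST", url="/oauth/token",
    headers={"Content-Type": FORM,
             "Authorization": "Basic " + base64.b64encode(b"Sample_App:xxxxx").decode()},
    body="grant_type=client_credentials",
)

if __name__ == "__main__":
    for req in (GET_WITH_CREDS_IN_QUERY, POST_WITH_FORM_BODY, POST_WITH_BASIC_HEADER):
        print(handle_token_request(req), "| logged as:", access_log_line(req),
              "| secret in log:", secret_in_log(req, "xxxxx"))
```

Running the block shows the trade-off the answer describes: the GET variant is the only one whose secret survives in the access log, and it is also the one the endpoint refuses. Keeping the token endpoint POST-only is therefore the right call regardless of what the Swagger UI's implicit flow happens to send.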