14

I am using Swashbuckle.AspNetCore 5.0.0 to generate Swagger documentation for my .Net Core WebApi project, and for the most part, everything is going fine.

I have set up some simple authentication using ApiKey, and that is working good.

Where I am having problems now is getting Swagger to add an ApiKey into the header of my requests. I followed the instructions for added the ApiKey security Definition/requirement, as mentioned in these various posts:

API key in header with swashbuckle

Empty authorization header on requests for Swashbuckle.AspNetCore

How to force Swagger/Swashbuckle to append an API key?

However, the ApiKey value is never added to the Header.

This is what I have in my startup:

c.AddSecurityDefinition("ApiKey",
    new OpenApiSecurityScheme
    {
         Description = "ApiKey must appear in header",
         Type = SecuritySchemeType.ApiKey,
         Name = Constants.ApiKeyHeaderName,
         In = ParameterLocation.Header
     });

and

c.AddSecurityRequirement(new OpenApiSecurityRequirement
{
   { 
       new OpenApiSecurityScheme 
       {
            Name = Constants.ApiKeyHeaderName, 
            Type = SecuritySchemeType.ApiKey, 
            In = ParameterLocation.Header
       },
       new List<string>()}
    });
Justin Greywolf
  • 650
  • 7
  • 17

3 Answers3

14

I was struggling myslef with this one but figured out that besides adding proper Reference, you have to also specify Scheme in definition, this is the code that is working for me correctly:

c.AddSecurityDefinition("ApiKey", new OpenApiSecurityScheme()
{
    Name = "x-api-key",
    In = ParameterLocation.Header,
    Type = SecuritySchemeType.ApiKey,
    Description = "Authorization by x-api-key inside request's header",
    Scheme = "ApiKeyScheme"
});

var key = new OpenApiSecurityScheme()
{
    Reference = new OpenApiReference
    {
        Type = ReferenceType.SecurityScheme,
        Id = "ApiKey"
    },
    In = ParameterLocation.Header
};
var requirement = new OpenApiSecurityRequirement
{
   { key, new List<string>() }
};
c.AddSecurityRequirement(requirement);
Pawel Gradecki
  • 3,476
  • 6
  • 22
  • 37
  • Ty been looking for that! Only way I found working! – Philippe Jun 19 '20 at 01:01
  • @TheWizardOfTN not sure what do you mean? you provide the key yourself (in the browser, after opening swagger), you need to authorize the Swagger before you can use the APIs – Pawel Gradecki Dec 14 '21 at 11:03
  • Note that `Scheme = "ApiKeyScheme"`` is not required, and as a matter of fact is not a valid value. The doc says it has to be an RFC7235 value, the list of names is visible here https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml – Mickael V. Apr 07 '22 at 20:22
8

Important tip is name in AddSecurityDefinition must be the same as Id in OpenApiReference. name can be every string.

Meh Man
  • 463
  • 1
  • 6
  • 22
  • I was struggling to find why my Swagger UI was not sending the headers in correctly with the call. The reason was the OpenApiReference Id was not the same as the Definition Name. Thanks mate! – Danny Boy Feb 03 '21 at 11:48
  • Something must have broken in Version 6.5 or earlier, swagger isn't sending the API key :( – Martin Kirk Apr 21 '23 at 10:00
6

OK, I was finally able to get this to work. I needed to add an instance of OpenApiReference to the OpenApiSecurityScheme object provided to c.AddSecurityRequirement()

Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "ApiKeyAuth" }

I have to say that the documentation on this is a bit confusing. Probably not in small part due to the fact that anything posted on the internet is there forever, and so many posts that I found on this whole thing were no longer applicable due to changes in the framework :)

Now I just need to figure out how to send another header value along with the api-key, and I'll be done with this part

Justin Greywolf
  • 650
  • 7
  • 17
  • As the answer bellow suggests by @Meh Man the Id above needs to be the same as the SecurityDefinition Name. Swashbuckle.AspNetCore v5.5.1. – Danny Boy Feb 03 '21 at 11:49