Swashbuckle Swagger UI padlocks with OAS3

Question

I have an ASP.Net Core Rest Web API documented with Swashbuckles's Swagger generation (.net v5 and Swashbuckle.AspNetCore v5.6.3). It generates Swagger documentation and UI with OAS3 support.

Also my API uses JWT bearer tokens. So, I added this code to the swagger configuration:

options.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme()
{
    In = ParameterLocation.Header,
    Name = "Authorization",
    Type = SecuritySchemeType.ApiKey,
    Description = "Put `bearer` keyword in front of token"
});

options.AddSecurityRequirement(new OpenApiSecurityRequirement()
{
    {
        new OpenApiSecurityScheme()
        {
            Reference = new OpenApiReference()
            {
                Id = "Bearer",
                Type = ReferenceType.SecurityScheme
            }
        },
        Array.Empty<string>()
    }
});

And as expected, it added the authorization capability to the Swagger UI:

But I also noticed a few padlocks next to every HTTP request. They are unlocked before authorization:

And after authorization they lock:

How could I get these padlocks to signal if authorization is required or not (I think I've seen the same padlocks somewhere doing this and it seems pretty natural to them to do this kind of thing as well)?

Already tried something like that, but it did not work (request headers no longer contained the jwt token):

options.OperationFilter<SecurityRequirementsOperationFilter>();

I figured out that the problem is that my Swagger is using OAS3 and SecurityRequirementsOperationFilter depending on OAS2. I've tried looking for alternatives, but it looks like there are no similar tools for OAS3.

What should I do? Should I forget this feature? But that looks like the only purpose of these locks. Are there any ways to have this feature and stay with OAS3 (also I not sure if I really need OAS3 support that much).

Answer 1

After some research, I found the answer here: https://stackoverflow.com/a/61365691/13851956.

So the code is:

options.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme()
{
    Description = "No need to put the `bearer` keyword in front of token",
    Type = SecuritySchemeType.Http,
    Scheme = "bearer",
    BearerFormat = "JWT"
});
options.OperationFilter<AuthorizationOperationFilter>();

public class AuthorizationOperationFilter : IOperationFilter
{
    public void Apply(OpenApiOperation operation, OperationFilterContext context)
    {
        var actionMetadata = context.ApiDescription.ActionDescriptor.EndpointMetadata;
        var isAuthorized = actionMetadata.Any(metadataItem => metadataItem is AuthorizeAttribute);
        var allowAnonymous = actionMetadata.Any(metadataItem => metadataItem is AllowAnonymousAttribute);
        if (!isAuthorized || allowAnonymous)
        {
            return;
        }
        
        operation.Parameters ??= new List<OpenApiParameter>();
        operation.Security = new List<OpenApiSecurityRequirement>
        {
            new OpenApiSecurityRequirement
            {
                {
                    new OpenApiSecurityScheme
                    {
                        Reference = new OpenApiReference
                        {
                            Id = "Bearer",
                            Type = ReferenceType.SecurityScheme
                        }
                    },
                    Array.Empty<string>()
                }
            }
        };
    }
}

The result is that padlocks appears only next to actions that a marked with [Authorize] and not marked with [AllowAnonymous] attributes: