OAuth2 to access the Swagger files

Luiz Omori

Nov 28, 2016, 11:16:29 AM
to Swagger
Hi,

I'm a bit confused on how to do it. My Swagger JSON files are protected (OAuth2) and I need to be able to acquire an access token (Implicit or Authorization Code flows) from our OAuth2 server PRIOR to accessing the Swagger files. Note that our APIs are also protected by OAuth2, which may be distinct from the one used to protect the Swagger files. In summary, I need help with #1 below.

1. Need to acquire access token from OAuth server A to retrieve the API X Swagger file.
2. Need to acquire access token from OAuth server B to call API X.

Regards,
Luiz

Luiz Omori

Nov 28, 2016, 12:07:37 PM
to Swagger
Clarification: I'm talking about Swagger-UI. Sorry if this is not the appropriate forum; I would appreciate it if anyone could redirect me accordingly.

tony tam

Nov 28, 2016, 12:11:18 PM
to swagger-sw...@googlegroups.com
Take a look at http://petstore.swagger.io, which uses oauth2 for implicit flow.

--
You received this message because you are subscribed to the Google Groups "Swagger" group.
To unsubscribe from this group and stop receiving emails from it, send an email to swagger-swaggers...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Luiz Omori

Nov 28, 2016, 12:14:47 PM
to swagger-sw...@googlegroups.com
Thanks. I did that but it appeared to me that was for #2 above. Are you sure I can use that mechanism to retrieve the access token BEFORE even accessing the Petstore JSON?

Regards,
Luiz

tony tam

Nov 28, 2016, 12:24:36 PM
to swagger-sw...@googlegroups.com
If it’s something that happens before you get the swagger doc, you’ll have to do it on your own. That’s outside the scope of the project.

Luiz Omori

Nov 28, 2016, 12:58:06 PM
to Swagger
Well, part of it (OAuth server login) happens before; however, we still need to inject the Authorization Bearer header for the Swagger file retrieval.

I've seen this in the documentation, which seems promising, but I'm not quite sure how to use it or if indeed that's going to help. Do you have any examples using this parameter?

authorizations: An authorization object to be passed to swagger-js. Setting it here will trigger inclusion of any authorization or custom signing logic when fetching the swagger description file. Note the object structure should be { key: AuthorizationObject }

Regards,
Luiz

tony tam

Nov 28, 2016, 1:01:59 PM
to swagger-sw...@googlegroups.com
You can pass a header to the constructor of the swagger-ui object, which will be used when fetching the document.  Take a look at the swagger-ui constructor options in the repo for details.

Luiz Omori

Nov 29, 2016, 11:36:55 AM
to Swagger
Maybe I'm missing something but I've tracked down the call that is retrieving the Swagger file and don't see how the Authorization header can be inserted there.

window.swaggerUi.load() -> new SwaggerClient -> SwaggerClient.initialize -> SwaggerClient.build. In this method, obj is being constructed and the headers field is set only with 'accept'. This is passed down to SwaggerHttp().execute(obj, this.options) which sets some interceptors, and then calls SuperagentHttpClient.execute which takes the 'accept' header from obj but nothing from this.options. Maybe the last method in this chain should also take headers from this.options?

Regards,
Luiz

Luiz Omori

Nov 30, 2016, 2:34:03 PM
to Swagger
Never mind. The code below will inject the Authorization header (OAuth2 Bearer) for the Swagger JSON retrieval.

    // Assumes hljs and log() are already defined by the hosting page.
    function load(url, accessToken) {
      hljs.configure({
        highlightSizeThreshold: 5000
      });

      // Pre load translate...
      if (window.SwaggerTranslator) {
        window.SwaggerTranslator.translate();
      }

      var parameters = {
        url: url,
        dom_id: "swagger-ui-container",
        supportedSubmitMethods: ['get', 'post', 'put', 'delete', 'patch'],
        onComplete: function(swaggerApi, swaggerUi) {
          // OAuth2 setup for calling the API itself (#2 in the first message)
          if (typeof initOAuth == "function") {
            initOAuth({
              clientId: "client",
              clientSecret: "secret",
              realm: "your-realms",
              appName: "Test Client",
              scopeSeparator: " ",
              additionalQueryStringParams: {}
            });
          }

          if (window.SwaggerTranslator) {
            window.SwaggerTranslator.translate();
          }
        },
        onFailure: function(data) {
          log("Unable to Load SwaggerUI");
        },
        docExpansion: "none",
        jsonEditor: false,
        defaultModelRendering: 'schema',
        showRequestHeaders: true
      };

      // Inject the OAuth2 bearer token into the request that fetches the
      // Swagger file (#1 in the first message).
      if (accessToken) {
        parameters.authorizations = {
          authorization_header: function() {
            log('Authorizations execution');
            this.headers.Authorization = 'Bearer ' + accessToken;
            return true;
          }
        };
      }

      window.swaggerUi = new SwaggerUi(parameters);

      window.swaggerUi.load();
    }
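
An added example, not code from the thread or from Swagger-UI: the step that comes before `load(url, accessToken)` in the implicit flow, validating the redirect fragment returned by OAuth server A, plus a guard that attaches that token only to requests for the Swagger file's own origin so it is not sent on to API X. `parseImplicitResponse`, `bearerForOrigin`, the sample fragment and the `example.test` hosts are hypothetical, and the guard assumes the request object exposes `url` as well as `headers`.

```javascript
// Added example. These helpers are hypothetical, not Swagger-UI APIs.

// Parse and validate the fragment the authorization server appends to the
// redirect URI in the implicit flow (RFC 6749, section 4.2.2).
function parseImplicitResponse(fragment, expectedState) {
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  if (params.has('error')) {
    throw new Error('authorization failed: ' + params.get('error'));
  }
  // state must match the value sent with the authorization request.
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch');
  }
  if ((params.get('token_type') || '').toLowerCase() !== 'bearer') {
    throw new Error('unsupported token_type');
  }
  const accessToken = params.get('access_token');
  if (!accessToken) throw new Error('no access_token in response');
  return { accessToken, expiresIn: Number(params.get('expires_in')) || null };
}

// Build a callback that adds the bearer header only to HTTPS requests for
// the Swagger file's own origin (assumes request.url and request.headers).
function bearerForOrigin(specUrl, accessToken) {
  const spec = new URL(specUrl);
  return function (request) {
    const target = new URL(request.url, spec); // resolves relative URLs
    if (target.protocol !== 'https:' || target.origin !== spec.origin) {
      return false; // the token from server A goes nowhere else
    }
    request.headers = request.headers || {};
    request.headers.Authorization = 'Bearer ' + accessToken;
    return true;
  };
}

// Constructed sample values for illustration.
const SAMPLE_FRAGMENT =
  '#access_token=constructed-token-123&token_type=Bearer' +
  '&expires_in=3600&state=xyz789';
const SPEC_URL = 'https://docs.example.test/api-x/swagger.json';
```

Inside the `authorization_header` function from the post, the guard would be invoked with the request object, which is `this` there.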
