Swagger-UI Authorize Button requires at least 1 scope?


Ron Dagostino

Dec 22, 2016, 4:02:44 PM12/22/16
to Swagger
Hi folks.  Swagger-UI provides an "Authorize" button at the top of the page, and the resulting dialog requires at least 1 scope be enabled before the UI will attempt to get a token (at least with the application/client_credentials flow and the recently-merged password flow; I haven't tried other flows).  Yet if there are endpoints that require authentication but no particular scope (i.e. they are open to any authenticated client regardless of the token scope) then it becomes necessary to authorize via the little icon that appears next to actual endpoint further down in the UI -- the "Authorize" button won't let me get empty tokens.  It seems reasonable to me that I might want to request an empty token via the "Authorize" button at the top of the UI.  Does this seem reasonable to others, and this should be created as an issue, or am I missing something?

Ron

Ron Ratovsky

Dec 22, 2016, 4:38:23 PM12/22/16
to swagger-sw...@googlegroups.com

It’s tricky.

From the spec - https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#securityRequirementObject:

“Each name must correspond to a security scheme which is declared in the Security Definitions. If the security scheme is of type "oauth2", then the value is a list of scope names required for the execution. For other security scheme types, the array MUST be empty.”

Meaning, the scopes are not optional…

--
You received this message because you are subscribed to the Google Groups "Swagger" group.
To unsubscribe from this group and stop receiving emails from it, send an email to swagger-swaggers...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Ron Dagostino

Dec 22, 2016, 5:36:08 PM12/22/16
to swagger-sw...@googlegroups.com
I've confirmed that the "Authorize" Button will in fact authorize and retrieve an empty token if my yaml definition declares no scopes (in other words, all endpoints are available to authenticated users and don't require any particular scope).

Ron

Ron Dagostino

Dec 22, 2016, 9:09:10 PM12/22/16
to Swagger
Perhaps I should be more specific.  Given this:

securityDefinitions:
  bearerToken:
    type: oauth2
    description: An OAuth 2 bearer token
    flow: application
    tokenUrl: https://example.com/whatever
    scopes: {}


The "Authorize" button will retrieve an empty token.  All of my endpoints appear like this, of course:

security:
  - bearerToken: []

Now if I add a new endpoint, and that endpoint happens to require a particular scope, I have to adjust my securityDefinitions:

securityDefinitions:
  bearerToken:
    type: oauth2
    description: An OAuth 2 bearer token
    flow: application
    tokenUrl: https://example.com/whatever
    scopes: {scope1: scope1 description}


And now I have my new endpoint:

security:
  - bearerToken: [scope1]

All of a sudden the "Authorize" button will not do anything unless I enable the "scope1" checkbox.

This feels like a bug to me -- I should still be able to authenticate and get an empty token if I want to.

Ron



Ron Ratovsky

Dec 22, 2016, 9:21:53 PM12/22/16
to swagger-sw...@googlegroups.com

I understand that, but the spec says the scopes are required, so effectively, you have to enable them. I’d argue that the UI shouldn’t give you the choice and enable all by default.

If you want to have both options, you can use the same requirements, once with the scopes and once without.



Ron Dagostino

Dec 23, 2016, 12:22:01 AM12/23/16
to swagger-sw...@googlegroups.com
True, the spec says "the value is a list of scope names required for the execution."  But it doesn't say that the list must be non-empty.  In fact it is empty in the first part of the example I gave, and the UI works just fine; it works fine when ALL the executions are defined this way.  But as soon as we add an execution that requires a non-empty scope -- the button won't make a request unless you enable at least one scope.  My reading of this situation is that either there is a bug in the UI or the spec mandates that all endpoints (aka executions) must have a non-empty scope.  I don't think there is any other option besides one of these two.  Authorizing any authenticated person is the case where the scope can be empty and the execution will still be allowed.  I have that use case.
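Added example, not code from the thread or from the swagger-ui project: a small Python checker that applies the securityRequirementObject rule quoted earlier to a constructed OpenAPI 2.0 document mirroring the bearerToken / scope1 definition above (the scheme and path names, including the extra apiKey scheme, are constructed). `validate` flags requirements the spec text forbids, and operations that carry no requirement at all, while `token_allows` evaluates whether a client's credentials satisfy an operation, treating an empty scope list as "any authenticated client", which is the reading argued for here, and a list of several requirement objects as alternatives, which is the "once with the scopes and once without" suggestion.

```python
# Added example (not from the thread or swagger-ui): OpenAPI 2.0 security
# requirements. A `security` list holds alternatives (any one suffices); every
# scheme named in one object must hold; an empty scope list means "any token".

# Constructed spec mirroring the thread's two endpoints, plus two extra cases.
SPEC = {
    "securityDefinitions": {
        "bearerToken": {"type": "oauth2", "flow": "application",
                        "tokenUrl": "https://example.com/whatever",
                        "scopes": {"scope1": "scope1 description"}},
        "apiKey": {"type": "apiKey", "name": "X-API-Key", "in": "header"},
    },
    "paths": {
        "/any-client": {"get": {"security": [{"bearerToken": []}]}},
        "/needs-scope1": {"post": {"security": [{"bearerToken": ["scope1"]}]}},
        "/key-or-token": {"get": {"security": [{"apiKey": []}, {"bearerToken": []}]}},
        "/forgot-security": {"delete": {}},
    },
}

def validate(spec):
    """List violations of the quoted rule, plus operations with no requirement."""
    defs = spec.get("securityDefinitions", {})
    problems = []
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            where = f"{method.upper()} {path}"
            reqs = op.get("security", spec.get("security"))  # op overrides doc
            if not reqs:  # None or [] both leave the operation open to anyone
                problems.append(f"{where}: no security requirement")
                continue
            for name, scopes in (p for req in reqs for p in req.items()):
                scheme = defs.get(name)
                if scheme is None:
                    problems.append(f"{where}: undeclared scheme {name}")
                elif scheme["type"] == "oauth2":
                    problems += [f"{where}: undeclared scope {s}" for s in scopes
                                 if s not in scheme.get("scopes", {})]
                elif scopes:  # non-oauth2 schemes: the array MUST be empty
                    problems.append(f"{where}: {name} is not oauth2 but lists scopes")
    return problems

def token_allows(spec, path, method, creds):
    """creds: {scheme_name: set of scopes held}; absent scheme = not presented."""
    reqs = spec["paths"][path][method].get("security", spec.get("security"))
    if not reqs:
        return True  # nothing required: open to unauthenticated callers
    return any(all(n in creds and set(scopes) <= creds[n] for n, scopes in req.items())
               for req in reqs)
```

Running `validate` over a real document is a quick way to catch operations that were never given a requirement, which is the silent failure mode here; the Swagger-UI checkbox problem is the noisy one.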

Ron Ratovsky

Dec 23, 2016, 10:10:58 AM12/23/16
to swagger-sw...@googlegroups.com

I see, did not get that it’s what you’re experiencing.

Yes, absolutely, if the list of scopes is empty, the UI should definitely allow it to be executed regardless of other definitions.

Would you mind opening a ticket on the project?

Ron Dagostino

Dec 23, 2016, 11:13:37 AM12/23/16
to Swagger
Thanks, Ron. https://github.com/swagger-api/swagger-ui/issues/2580.

Ron