Swagger Client Credentials OAuth Configuration


time...@gmail.com

Mar 25, 2017, 3:29:28 PM3/25/17
to Swagger
Hello,

I have been trying Swagger for a couple of days, and have been having some trouble understanding and implementing it.
At first I thought it supported OAuth flows, but it seems a user has to extend the existing index page and implement it on his own.

I want to ask for what purpose this configuration is declared in the Swagger config:

using System;
using System.IO;
using System.Reflection;
using System.Web.Http;
using Swashbuckle.Application;

// Swashbuckle 5.x SwaggerConfig.cs. The GlobalConfiguration.Configuration
// prefix and the enclosing class were left out of the original post.
public class SwaggerConfig
{
    public static void Register()
    {
        GlobalConfiguration.Configuration
            .EnableSwagger("docs/{apiVersion}/help", c =>
            {
                c.SingleApiVersion("v1", "API usage");

                // XML doc comments: the file is named after the assembly and has
                // to be emitted into bin/ by the project's build settings.
                var baseDirectory = AppDomain.CurrentDomain.BaseDirectory;
                var fileName = Assembly.GetExecutingAssembly().GetName().Name + ".XML";
                var commentsFile = Path.Combine(baseDirectory, "bin", fileName);
                c.IncludeXmlComments(commentsFile);

                // Declares the "oauth2" scheme under securityDefinitions.
                // "application" is the Swagger 2.0 name for the client credentials grant.
                c.OAuth2("oauth2")
                    .Description("client credentials grant flow")
                    .Flow("application")
                    .Scopes(scopes => scopes.Add("someScope", "try out the sample api"))
                    .TokenUrl("http://....../identity/connect/token"); // clients post the client secret here: use https

                // Attaches a security requirement referencing "oauth2" to each operation.
                c.OperationFilter<AssignOAuth2SecurityRequirements>();
            })
            .EnableSwaggerUi("help/{*assetPath}", c =>
            {
                c.DisableValidator();
                c.DocExpansion(DocExpansion.List);
                // Arguments are clientId, clientSecret, realm, appName: "someScope" here
                // is a display name, not a requested scope. The client secret is embedded
                // in the UI's page and served to every browser that loads it.
                c.EnableOAuth2Support("client", "secret", "", "someScope");
            });
    }
}

and AssignOAuth2SecurityRequirements:

using System.Collections.Generic;
using System.Linq;
using System.Web.Http;
using System.Web.Http.Description;
using Swashbuckle.Swagger;

// Operation filter: every operation is marked as secured by the "oauth2"
// scheme unless the action or its controller carries [AllowAnonymous].
// [AllowAnonymous] is a plain attribute, not a filter, so it is read from
// the descriptors' custom attributes rather than from the filter pipeline
// (the original looked for OverrideAuthorizationAttribute there, which is
// a different attribute and does not match the stated intent).
public class AssignOAuth2SecurityRequirements : IOperationFilter
{
    public void Apply(Operation operation, SchemaRegistry schemaRegistry, ApiDescription apiDescription)
    {
        if (apiDescription == null)
            return;

        var actionDescriptor = apiDescription.ActionDescriptor;
        var allowsAnonymous =
            actionDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Any() ||
            actionDescriptor.ControllerDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Any();
        if (allowsAnonymous)
            return;

        if (operation.security == null)
            operation.security = new List<IDictionary<string, IEnumerable<string>>>();

        // The key must equal the scheme name given to c.OAuth2("oauth2");
        // the value lists the scopes the operation requires, which should be
        // ones declared in that scheme's .Scopes(...).
        var oAuthRequirements = new Dictionary<string, IEnumerable<string>>
        {
            { "oauth2", new[] { "someScope" } }
        };

        operation.security.Add(oAuthRequirements);
    }
}

Why would I need such a configuration? It does not seem to work on the simplest OAuth client credentials flow.
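What the configuration in the post is actually for can be seen from its two effects, shown here as an added example in Python (it is not code from the original post or from Swashbuckle, and it works on a constructed Swagger 2.0 document rather than a live API): the OAuth2 scheme plus the operation filter produce a securityDefinitions entry and a per-operation security requirement in the generated document, and Swagger UI's "application" flow then uses that entry to POST a client credentials token request to TokenUrl. TOKEN_URL, the sample document, the operation ids and the two token responses below are constructed for the example.

```python
"""Added example: the document the config emits, and the token exchange
Swagger UI performs for the "application" (client credentials) flow.
Not the original post's code; TOKEN_URL and all sample data are constructed.
"""
import base64
import json
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlencode

SCHEME_NAME = "oauth2"      # must equal the name passed to c.OAuth2("oauth2")
SCOPE = "someScope"         # the scope declared with .Scopes(...)
TOKEN_URL = "https://example.invalid/identity/connect/token"  # placeholder


def oauth2_security_definition(token_url: str, scopes: Dict[str, str]) -> dict:
    """securityDefinitions entry produced by c.OAuth2(...).Flow("application").
    "application" is Swagger 2.0's name for the client credentials grant."""
    return {
        "type": "oauth2",
        "description": "client credentials grant flow",
        "flow": "application",
        "tokenUrl": token_url,
        "scopes": dict(scopes),
    }


def sample_swagger() -> dict:
    """Constructed document shaped like Swashbuckle's output for the config
    above, before the operation filter has run."""
    return {
        "swagger": "2.0",
        "info": {"title": "API usage", "version": "v1"},
        "securityDefinitions": {
            SCHEME_NAME: oauth2_security_definition(
                TOKEN_URL, {SCOPE: "try out the sample api"})
        },
        "paths": {
            "/api/values": {"get": {"operationId": "Values_Get"}},
            "/api/status": {"get": {"operationId": "Status_Ping"}},
        },
    }


def assign_security_requirements(swagger: dict, anonymous: Iterable[str]) -> dict:
    """What AssignOAuth2SecurityRequirements does: append {"oauth2": [scopes]}
    to each operation's `security` list, skipping operations whose id is in
    `anonymous` (the [AllowAnonymous] actions)."""
    anon = set(anonymous)
    scopes = list(swagger["securityDefinitions"][SCHEME_NAME]["scopes"])
    for path_item in swagger["paths"].values():
        for operation in path_item.values():
            if operation.get("operationId") in anon:
                continue
            operation.setdefault("security", []).append({SCHEME_NAME: scopes})
    return swagger


def client_credentials_request(token_url: str, client_id: str,
                               client_secret: str, scope: str) -> dict:
    """The POST for the application flow (RFC 6749 section 4.4): the client
    authenticates with HTTP Basic and asks for the scope in the form body."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    return {
        "method": "POST",
        "url": token_url,
        "headers": {
            "Authorization": "Basic " + basic,
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"grant_type": "client_credentials", "scope": scope}),
    }


def parse_token_response(status: int, body: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (access_token, None) on success, or (None, error_code) when the
    token endpoint refused the client (e.g. invalid_client, invalid_scope)."""
    data = json.loads(body)
    if status != 200 or "access_token" not in data:
        return None, data.get("error", f"http_{status}")
    if data.get("token_type", "").lower() != "bearer":
        return None, "unsupported_token_type"
    return data["access_token"], None


def authorization_header(access_token: str) -> Dict[str, str]:
    """Header Swagger UI adds to every request once the flow has succeeded."""
    return {"Authorization": "Bearer " + access_token}


if __name__ == "__main__":
    doc = assign_security_requirements(sample_swagger(), anonymous=["Status_Ping"])
    print(json.dumps(doc["paths"], indent=2))
    req = client_credentials_request(TOKEN_URL, "client", "secret", SCOPE)
    print(req["headers"]["Authorization"], req["body"])
    # Constructed responses: one success, one refusal by the token endpoint.
    print(parse_token_response(200, '{"access_token": "abc", "token_type": "Bearer", "expires_in": 3600}'))
    print(parse_token_response(400, '{"error": "invalid_client"}'))
```

If the flow "does not work", the first thing to compare against this is the token endpoint's actual reply: IdentityServer returns an `error` code such as invalid_client or invalid_scope in the JSON body, and Swagger UI hides that detail behind a generic failure.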


ericjames...@outlook.com

May 5, 2017, 6:44:07 AM5/5/17
to Swagger
For what it's worth, I am in the same situation, or nearly so.  We use IdentityServer3 in a C# ASP.NET environment with an X.509 client certificate (https://someUrl/connect/token).  I can always get a token with Google's Postman.  With Swagger configured to use ApiKey, you can cut-and-paste the Postman token just one time into Swagger-UI to satisfy the authentication/authorization requirements on all your controllers.  With the OAuth2 configuration, each controller/function with an [Authorize] requirement will present its own credential-entry dialog.  That is 'letter-of-the-law' correct, I suppose, but not especially friendly to the interactive user.  So, the research will continue...