Authentication in Swagger UI

Andrew McFarland Campbell

Feb 11, 2016, 6:46:03 AM
to Swagger

Hi,

I need help with authorization for an API that I am developing a Swagger UI console for.

The first thing you do with the console is log in. When you log in successfully, you get the following Response Body:

{
  "access_token": "some_token",
  "token_type": "OAuth2",
  "systemId": "some_id",
  "accountType": "0",
  "expires_in": "3599",
  "tenant_id": "com.example",
  "scope": "MyScope"
}

Subsequent API requests need to use the values of the systemId and access_token fields: the systemId should be used as the value of a path parameter called userUid, and the access_token is used as part of a header parameter called Authorization, which looks like this: 'NWB token="$access_token" authVersion="1.0" ', where $access_token is the value of access_token.

While users can just copy and paste, it would be nicer if the default values of userUid and Authorization could be picked up automatically.

Can anyone give me any pointers about how to do this?

Josh Ponelat

Feb 11, 2016, 7:57:54 AM
to Swagger
One approach would be to use a response interceptor (https://github.com/swagger-api/swagger-js/blob/4aab2557a6625cbf800f05d0f121f8cc56817ba7/test/client.js#L367).

Create a responseInterceptor that matches the URL (or header, or any part of the response) that has the credentials.

If it matches, you can set up the credentials with an authorization... https://gist.github.com/ponelat/84134deaf42bffe3f194
NOTE: that is an untested sample, still need to test it, flesh it out perhaps?

Hope that helps :)


Andrew McFarland Campbell

Feb 11, 2016, 8:20:28 AM
to Swagger
What would the end user see with a response interceptor? Would the Authorization and userUid fields be filled out on the console?

Josh Ponelat

Feb 11, 2016, 8:53:24 AM
to Swagger
The console? Perhaps I misunderstood, the snippet is for adding authorization data once the user fires a request.
So if one of your 'Try it out' operations is to fetch the authorization data, it would populate swagger-ui with the received data, and all 'Try it out' operations after that would be authorized.


Andrew McFarland Campbell

Feb 11, 2016, 9:11:48 AM
to Swagger
I may not have explained it very well.

I have two types of 'Try it out' operations: logging in, and everything else.

Each operation in everything else has (at least) two fields: userUid, and Authorization.

What I want is that, after logging in, each 'everything else' operation has the userUid and Authorization fields populated, based on information returned by the log in operation.

That way, the end user could use the userUid and Authorization that the login provided, or they could edit them if they needed to.

An alternative solution would be to add an extra field at the level of the api_key field, and the userUid information could be entered there. Is that possible?

Josh Ponelat

Feb 11, 2016, 10:10:47 AM
to swagger-sw...@googlegroups.com
OK, my idea was to do that under the hood (so it would be authenticated, but you wouldn't know it from looking at it).
You'd like to see it in the text boxes? Makes sense.
In that case I would just populate those text boxes (using jQuery or something), based on the responseInterceptor.
Once you have the values, it's really up to you what you'd like to do with them. And to get those values, the best bet would be to use the responseInterceptor.


Andrew McFarland Campbell

Feb 11, 2016, 10:31:29 AM
to Swagger
That sounds perfect :)

However, I've never used a responseInterceptor before, let alone used one to populate the fields in a Swagger UI. Can you give me pointers to documentation on how to do that? Or even a few examples? I looked at the links you provided earlier, and I couldn't see how to get started :(

Josh Ponelat

Feb 11, 2016, 11:45:08 AM
to Swagger
I'm afraid this is a little outside the scope of using swagger-ui. While it's certainly possible, and not that hard (if you work with JS every day), you won't find docs specific to your exact needs.

This is a two-step problem.
One is getting the auth values. That's the requestInterceptor, which will get called for /every/ request that swagger-ui (or swagger-js underneath) makes. So you'll need to look at the URL or headers to see if it was your auth-fetching-request.

Two is adding the above auth values to each request.
Swagger-ui (again, it's actually swagger-js that does the real work) has a way of doing that by adding an 'Authorization' function, which you give a name. You can look at docs on how to do that (I don't see an immediate example), but take a look at the petstore example (which uses "api_token" as an auth; that is a name the authors gave, it could easily be something of your choosing).

The trick would be in combining them. Which is what my sample tries to do.
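
The two steps discussed in this thread, combined in one object, as an added example that is not part of the original thread or of the linked gist. The login path `/login`, the response fields `url`, `status` and `data`, the host `api.example.com` and the names `makeLoginInterceptor` and `authFor` are assumptions; the token is checked before it is placed inside the quoted header value, held in memory only, and dropped once `expires_in` has elapsed.

```javascript
// Added example. LOGIN_PATH, makeLoginInterceptor and authFor are hypothetical names.
const LOGIN_PATH = '/login'; // assumption: the thread never names the login URL
const UNSAFE = /["\\\r\n]/;  // would break out of token="..." or split the header

function makeLoginInterceptor(now = () => Date.now()) {
  let session = null; // kept in memory only, never written to storage
  return {
    // Interceptor shape: an object with apply(response) that returns the response.
    // Assumed response fields: url, status, data (raw body text).
    apply(response) {
      let body;
      try {
        const path = new URL(response.url).pathname;
        if (response.status !== 200 || path !== LOGIN_PATH) return response;
        body = JSON.parse(response.data) || {};
      } catch (e) { return response; } // bad URL or non-JSON body: ignore
      const { access_token: token, systemId, expires_in: ttl } = body;
      const seconds = Number(ttl); // the API returns "3599" as a string
      if (typeof token !== 'string' || !token || UNSAFE.test(token)) return response;
      if (typeof systemId !== 'string' || !systemId) return response;
      if (!Number.isFinite(seconds) || seconds <= 0) return response;
      session = { token, userUid: systemId, expiresAt: now() + seconds * 1000 };
      return response;
    },
    // Values for the next 'Try it out' call, or null when logged out or expired.
    authFor() {
      if (!session || now() >= session.expiresAt) { session = null; return null; }
      return {
        userUid: encodeURIComponent(session.userUid), // goes into a path segment
        Authorization: `NWB token="${session.token}" authVersion="1.0"`,
      };
    },
  };
}

// Constructed sample matching the login response body quoted in the thread.
const demo = makeLoginInterceptor();
demo.apply({
  url: 'https://api.example.com/login',
  status: 200,
  data: '{"access_token":"some_token","systemId":"some_id","expires_in":"3599"}',
});
console.log(demo.authFor());
```

The object returned by `authFor()` is what would be copied into the userUid and Authorization text boxes, so the user can still edit the values before sending a request.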




Andrew McFarland Campbell

Feb 12, 2016, 4:20:36 AM
to Swagger
Yes, I've been thinking that it might be a bit too much to implement this at the moment.

The project I'm working on has a lot of other interesting factors, like generating the swagger from almost-but-not-quite standard WADL. I think I'm going to add the auto-filling to the list of features for the future.

If and when I get something working I'll share it here.

Thanks for your help :)

Josh Ponelat

Feb 12, 2016, 6:46:12 AM
to Swagger
Cool,

It's a good idea, having an operation authenticate the current "session".
Might be good to have around, like a plugin of sorts :)

