Forum Discussion

dwiekropki
New Contributor
6 years ago

Client credentials location - request body as default option

Hi!
Is there any possibility to set 'Request body' option as default one in authorization modal?

  • kyleshockey
    SmartBear Alumni (Retired)

    Hi,


    This isn't currently possible - Swagger UI always defaults to including client credentials in an Authorization header, because the OAuth specification recommends doing so:


    Including the client credentials in the request-body using [client_id and client_secret] is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes). 

    RFC 6749 § 2.3.1


    We always default to the HTTP Basic authentication scheme (we call it the "Authorization header" credentials location) in Swagger UI, because Swagger UI (along with most HTTP-aware clients) is capable of using it.


    In order to support indicating where to include client credentials, a field would need to be added to the OpenAPI Specification's OAuth2 Flow object, which would allow password flows to indicate a preferred client credential inclusion location.
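    The two credential locations the answer contrasts, as an added illustration (not Swagger UI's own code): `token_request` builds the token request either with an HTTP Basic `Authorization` header or with `client_id`/`client_secret` in the form body, and `extract_client_credentials` is an assumed server-side check that accepts either but rejects a request using both, as RFC 6749 § 2.3 requires. Function names and the sample credentials are constructed for this example.

```python
import base64
from urllib.parse import quote, unquote, urlencode, parse_qs


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 §2.3.1: each value is form-urlencoded before the
    "id:secret" string is Base64-encoded (a detail many clients skip)."""
    userpass = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(userpass.encode("ascii")).decode("ascii")


def token_request(client_id, client_secret, grant_params, location="header"):
    """Return (headers, body) for a token endpoint request.
    location="header" is the recommended default; "body" is the fallback
    for clients that cannot send HTTP Basic credentials."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = dict(grant_params)  # e.g. grant_type, username, password
    if location == "header":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif location == "body":
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    else:
        raise ValueError(f"unknown credentials location: {location}")
    return headers, urlencode(body)


def extract_client_credentials(headers, body):
    """Server side: return (client_id, client_secret, location).
    RFC 6749 §2.3: a client MUST NOT use more than one method per request,
    so header + body together is treated as an error, not a fallback."""
    auth = headers.get("Authorization", "")
    form = parse_qs(body, keep_blank_values=True)  # parse_qs URL-decodes values
    in_body = "client_id" in form and "client_secret" in form
    if auth.startswith("Basic "):
        if in_body:
            raise ValueError("client credentials present in both header and body")
        raw = base64.b64decode(auth[len("Basic "):]).decode("ascii")
        cid, _, secret = raw.partition(":")
        return unquote(cid), unquote(secret), "header"
    if in_body:
        return form["client_id"][0], form["client_secret"][0], "body"
    raise ValueError("no client credentials in request")
```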