Forum Discussion

benalabaster's avatar
benalabaster
New Member
9 months ago

How do I bypass the Available authorizations dialog?

tldr; I'm trying to bypass the Available authorizations dialog in the Swagger "Authorize" feature.

Context

I'm using Swagger 6.5.0 for an API I'm writing that defers to Microsoft Entra ID to authenticate/authorize.

I have registered my application, defined my return URL as a SPA application in the authentication blade in Azure. I have defined my scopes in the "Expose an API" blade. My users can connect to my API which triggers the authentication/authorization workflow and they can reference the endpoints using the token successfully.

I'm now trying to configure the Swagger document so it responds according to what the user has access to based on their role. I've got Swagger to show and hide operations based on whether a feature flag is enabled or disabled - that all works fine. 

I'm now trying to get it to hide and show operations based on whether or not the user has authorization to execute a certain operation which of course requires them to authenticate for Swagger. I've got the following configuration: 

builder.Services.AddSwaggerGen(options =>
{
var provider = builder.Services.BuildServiceProvider().GetRequiredService<IApiVersionDescriptionProvider>();

//Display Build Number
var assembly = Assembly.GetEntryAssembly();
var fileVersionAttribute = assembly.GetCustomAttribute<AssemblyFileVersionAttribute>();
var fileVersion = fileVersionAttribute?.Version;

foreach (var description in provider.ApiVersionDescriptions)
{
options.SwaggerDoc(
  description.GroupName,
    new Microsoft.OpenApi.Models.OpenApiInfo()
    {
    Title = $"My API {description.ApiVersion}",
      Version = description.ApiVersion.ToString(),
      Description = $"Build: {fileVersion}"
    });
}

// Apply the correct feature flag to each of the operations
// based on the FeatureFlag attribute of the controller method
options.OperationFilter<FeatureFlagSwaggerOperationFilter>();

// If the feature flag is disabled, don't include it in the
// swagger document
options.DocumentFilter<FeatureFlagSwaggerDocumentFilter>();

// Enable the oAuth2 security definition and requirement
options.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
{
Description = "OAuth 2.0 AuthorizationCode flow",
  Type = SecuritySchemeType.OAuth2,
  Flows = new OpenApiOAuthFlows
  {
  AuthorizationCode = new Microsoft.OpenApi.Models.OpenApiOAuthFlow
    {
    AuthorizationUrl = new Uri($"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize"),
      TokenUrl = new Uri($"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token"),
      Scopes = new Dictionary<string, string>
      {
    { $"api://{clientId}/access", "Access API endpoints" },
      },
    }
  }
});
options.AddSecurityRequirement(new OpenApiSecurityRequirement
{
{
  new OpenApiSecurityScheme
    {
    Reference = new OpenApiReference
      {
      Type = ReferenceType.SecurityScheme,
        Id = "oauth2"
      }
    },
    Array.Empty<string>()
  }
});
});

builder.Build()

app.UseSwagger();
app.UseSwaggerUI(options =>
{
// Configure oAuth
options.OAuthClientId(clientId);
options.OAuthUsePkce();
options.OAuth2RedirectUrl($"{baseUrl}/swagger/oauth2-redirect.html");
options.OAuthScopeSeparator(" ");
options.OAuthScopes($"api://{clientId}/access");

// Set up the API version description
var provider = app.Services.GetRequiredService<IApiVersionDescriptionProvider>();
 foreach (var description in provider.ApiVersionDescriptions)
{
options.SwaggerEndpoint($"/swagger/{description.GroupName}/swagger.json", $"My API{description.ApiVersion}");
}
});

After the user clicks the Authorize button, the UI displays the Available authorizations modal dialog which requires the user to enter the client id, secret and select the appropriate scope.

Given that I've prepopulated the necessary information to continue the authentication workflow,  the dialog doesn't require the user to enter or select anything, so I'd like to suppress and bypass this dialog and instead immediately initiate the login process.

Nothing I try seems to be able to achieve this. Has anyone else done this successfully?

  • Humashankar's avatar
    Humashankar
    Champion Level 3

    Hi benalabaster 

    Directly bypassing the "Available authorizations" dialog in SwaggerHub for OAuth2 authorization is not a recommended approach. 

    This dialog serves a security purpose by allowing users to confirm the authorization scopes being requested by the API

    Hope this helps - Happy to help further!!
    Thank you very much and have a great one!

    Warm regards