Forum Discussion

Luis1's avatar
New Contributor
3 years ago

How to restrict and disable Swagger url which is exposed to internet worldwide.

We have a web application(based on microservices) where UI API is exposed and every call from UI goes to Gateway API and based on request we redirect it to respective Apis. So in gateway we decrypt the encrpted email id coming from Ui and do further authentication. We are using swagger documentation for Gateway API to expose methods . We have configured Swagger in our project(built on .NET core) in Startup.cs . The issue is currently the swagger url is exposed to everyone across internet. We want to restrict only for microsoft internal users for which we want to use Azure Active Directory for authentication but we are not able to figure out how to add AAD authentication to swagger pipeline. When the user enters swagger url he should be redirected to AAD login page and then redirects to swagger url if at all he has ben authenticated. How to add authentication at url level only for swagger?We don't want to change our existing authentication for other APIs and also want to add authentication which works for swagger independently. Can someone share some insights?

1 Reply

  • Normally I'd recommend that as long as the API itself is protected, the API documentation doesn't really need to be. That is of course only my personal opinion. Assuming you still require protection of the API documentation, and thus SwaggerUI. 

    One way that comes to mind is to use something like Keycloak to add a layer of protection in front of your SwaggerUI URL. I believe it works quite well and is open source for the most part.


    However adding that type of protection is outside of scope for Swagger, so there may be better approaches. 

    Hope it helps and you find success!