Client credentials location - request body as default option
Is there any possibility to set 'Request body' option as default one in authorization modal?
Solved! Go to Solution.
This isn't currently possible - Swagger UI always defaults to including client credentials in an Authorization header, because the OAuth specification recommends doing so:
Including the client credentials in the request-body using [client_id and client_secret] is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes).
RFC 6749 § 2.3.1
We always default to the HTTP Basic authentication scheme (we call it the "Authorization header" credentials location) in Swagger UI, because Swagger UI (along with most HTTP-aware clients) is capable of using it.
In order to support indicating where to include client credentials, a field would need to be added to the OpenAPI Specification's OAuth2 Flow object, which would allow password flows to indicate a preferred client credential inclusion location.
Thank you for your comprehensive answer 🙂