
Client credentials location - request body as default option

SOLVED
Hi!
Is there any possibility to set 'Request body' option as default one in authorization modal?

Accepted Solutions
Re: Client credentials location - request body as default option

Hi,

This isn't currently possible - Swagger UI always defaults to including client credentials in an Authorization header, because the OAuth specification recommends doing so:

"Including the client credentials in the request-body using [client_id and client_secret] is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes)."

RFC 6749 § 2.3.1

We always default to the HTTP Basic authentication scheme (we call it the "Authorization header" credentials location) in Swagger UI, because Swagger UI (along with most HTTP-aware clients) is capable of using it.

In order to support indicating where to include client credentials, a field would need to be added to the OpenAPI Specification's OAuth2 Flow object, which would allow password flows to indicate a preferred client credential inclusion location.
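
The two credential locations discussed in the answer above, side by side for a password-flow token request. This is an added example, not part of the original post and not Swagger UI's code; `formEncode`, `buildTokenRequest` and the sample values are constructed for illustration.

```javascript
"use strict";

// application/x-www-form-urlencoded encoding of one value (RFC 6749 Appendix B).
// URLSearchParams implements this serializer; an empty name yields "=<value>".
function formEncode(value) {
  return new URLSearchParams([["", value]]).toString().slice(1);
}

// Build headers and body of a password-grant token request, placing the
// client credentials in the chosen location: "header" (HTTP Basic) or "body".
function buildTokenRequest({ clientId, clientSecret, username, password, location }) {
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  const body = new URLSearchParams({ grant_type: "password", username, password });

  if (location === "header") {
    // RFC 6749 § 2.3.1: form-encode id and secret first, then Basic-encode
    // "id:secret". Encoding turns any ":" inside a value into %3A, so the
    // server can split on the single remaining colon. The result is pure
    // ASCII, so btoa() cannot throw on it.
    const pair = `${formEncode(clientId)}:${formEncode(clientSecret)}`;
    headers.Authorization = `Basic ${btoa(pair)}`;
  } else if (location === "body") {
    // The NOT RECOMMENDED location: the secret travels as a form field and
    // shows up wherever request bodies are captured or logged.
    body.set("client_id", clientId);
    body.set("client_secret", clientSecret);
  } else {
    throw new Error(`unknown credentials location: ${location}`);
  }
  return { headers, body: body.toString() };
}

// Constructed sample values (not real credentials).
const sample = {
  clientId: "my client",
  clientSecret: "s3cr:et/+",
  username: "alice",
  password: "pw",
};

for (const location of ["header", "body"]) {
  console.log(location, buildTokenRequest({ ...sample, location }));
}
```
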


Re: Client credentials location - request body as default option

Thank you for your comprehensive answer :)
