Client credentials location - request body as default option

SOLVED
dwiekropki
New Contributor

Hi!
Is there any possibility to set the 'Request body' option as the default one in the authorization modal?

kyleshockey
SmartBear Alumni (Retired)

Hi,

 

This isn't currently possible - Swagger UI always defaults to including client credentials in an Authorization header, because the OAuth specification recommends doing so:

 

Including the client credentials in the request-body using [client_id and client_secret] is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes). 

RFC 6749 § 2.3.1

 

We always default to the HTTP Basic authentication scheme (we call it the "Authorization header" credentials location) in Swagger UI, because Swagger UI (along with most HTTP-aware clients) is capable of using it.

 

In order to support indicating where to include client credentials, a field would need to be added to the OpenAPI Specification's OAuth2 Flow object, which would allow password flows to indicate a preferred client credential inclusion location.
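
Added example, not part of the reply above and not Swagger UI's own code: a password-flow token request built with the client credentials in either location the answer describes, per RFC 6749 § 2.3.1. The function names, token URL and credential values are constructed for illustration.

```javascript
// Constructed illustration; nothing here is taken from Swagger UI's source.
// RFC 6749 2.3.1: client_id and client_secret are form-urlencoded *before*
// being joined with ':' and Base64-encoded, so a ':' inside the client id
// cannot be mistaken for the Basic-auth separator.
function formEncode(value) {
  // application/x-www-form-urlencoded encoding of a single value
  return new URLSearchParams([['v', value]]).toString().slice(2);
}

// location: 'header' (HTTP Basic, the recommended scheme) or 'body'.
// RFC 6749 2.3: a client must not use more than one authentication method
// per request, so the credentials go in exactly one place, never both.
function buildTokenRequest({ tokenUrl, username, password, clientId, clientSecret, location }) {
  const form = new URLSearchParams({ grant_type: 'password', username, password });
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };

  if (location === 'header') {
    const pair = `${formEncode(clientId)}:${formEncode(clientSecret)}`;
    headers.Authorization = 'Basic ' + Buffer.from(pair, 'utf8').toString('base64');
  } else if (location === 'body') {
    form.set('client_id', clientId);
    form.set('client_secret', clientSecret);
  } else {
    throw new Error(`unknown credentials location: ${location}`);
  }
  return { url: tokenUrl, method: 'POST', headers, body: form.toString() };
}

// Constructed sample values (hypothetical endpoint and credentials).
const sample = {
  tokenUrl: 'https://auth.example.test/oauth/token',
  username: 'alice',
  password: 'correct horse',
  clientId: 'demo:client',
  clientSecret: 's3cr/et+x',
};
const viaHeader = buildTokenRequest({ ...sample, location: 'header' });
const viaBody = buildTokenRequest({ ...sample, location: 'body' });
console.log(viaHeader);
console.log(viaBody);
```

With the body location the secret is part of the form payload, so any server-side or proxy logging of request bodies captures it; with the header location only the Authorization header needs redacting.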

Thank you for your comprehensive answer 🙂
