Describe the bug

When using Swashbuckle.AspNetCore and specifying a security schema of type SecuritySchemeType.ApiKey, we are able to customize the header used to send the token using the Name property. However, this doesn't seem to work when you have an implicit OAuth2 flow as described in the code below. The OAuth flow works fine, but the token is sent to the API over the Authorization header, which is not desired.

OpenApi File To Reproduce

Excerpt from the generated OpenAPI document:

Expected behavior

The custom header x-custom-auth-token should be used in place of Authorization.

Screenshots/Code Snippets

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.OpenApi.Models;

builder.Services.AddSwaggerGen(options =>
{
    // OAuth2 implicit-flow definition, registered under the "Bearer" scheme name
    options.AddSecurityDefinition(JwtBearerDefaults.AuthenticationScheme, new OpenApiSecurityScheme
    {
        Type = SecuritySchemeType.OAuth2,
        Scheme = JwtBearerDefaults.AuthenticationScheme,
        Description = "Custom JWT header using the Bearer scheme.",
        Name = "x-custom-auth-token",   // the custom header the token is expected to travel in
        In = ParameterLocation.Header,
        Flows = new OpenApiOAuthFlows
        {
            Implicit = new OpenApiOAuthFlow
            {
                AuthorizationUrl = new Uri("https://login.microsoftonline.com/<<TenantId>>/oauth2/v2.0/authorize"),
                TokenUrl = new Uri("https://login.microsoftonline.com/<<TenantId>>/oauth2/v2.0/token"),
                Scopes = new Dictionary<string, string> { { "<<Scope>>", "Default scope" } }
            }
        }
    });

    // Apply the scheme above to every operation
    options.AddSecurityRequirement(new OpenApiSecurityRequirement
    {
        {
            new OpenApiSecurityScheme
            {
                Name = "x-custom-auth-token",
                Reference = new OpenApiReference
                {
                    Type = ReferenceType.SecurityScheme,
                    Id = JwtBearerDefaults.AuthenticationScheme
                }
            },
            new string[] { }
        }
    });
});

app.UseSwaggerUI(options =>
{
    options.OAuthAppName("Testing");
    options.OAuthClientId("<<ClientID>>");
    options.OAuthClientSecret("<<ClientSecret>>");
    options.OAuthUsePkce();
});
```
SwaggerUI doesn't send your bearer token over a custom header because that isn't a supported mechanism. OpenAPI doesn't have the notion of sending OAuth2 bearer tokens anywhere other than via the Authorization header with a bearer scheme. That's how OAuth2 is defined.
You can do OAuth2, or you can do ApiKey. There is no support in OpenAPI for a combination of the two.
I think the fact that in the debugger the OpenApiSecurityScheme shows "in: header" is just an artifact of it being the default value but is not used when the type is OAuth2.
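To make the rule in the reply concrete, here is an added example that is not part of the thread and not code from Swashbuckle, OpenAPI.NET or swagger-ui. It walks the `components.securitySchemes` of a constructed OpenAPI document and resolves where a token is actually placed: `oauth2`, `openIdConnect` and `http` bearer schemes always land in `Authorization: Bearer ...`, whereas only `apiKey` honours `name` and `in`. A small lint flags the combination the issue tried (a `name`/`in` on an `oauth2` scheme), which is ignored. The document, URLs, scope and scheme names are hypothetical.

```python
import json

# Constructed OpenAPI 3.0 document (sample input, not taken from the issue).
# "Bearer" mirrors the oauth2 implicit flow from the report; "CustomHeader" is
# the apiKey alternative the reply points to.
SAMPLE_DOC = json.loads("""
{
  "openapi": "3.0.1",
  "components": {
    "securitySchemes": {
      "Bearer": {
        "type": "oauth2",
        "flows": {
          "implicit": {
            "authorizationUrl": "https://login.example.test/oauth2/v2.0/authorize",
            "scopes": {"api://example/.default": "Default scope"}
          }
        }
      },
      "CustomHeader": {
        "type": "apiKey",
        "name": "x-custom-auth-token",
        "in": "header"
      }
    }
  },
  "security": [{"Bearer": []}, {"CustomHeader": []}]
}
""")


def credential_placement(scheme):
    """Return (location, parameter_name, value_prefix) for a securityScheme object.

    location is one of "header", "query", "cookie"; value_prefix is prepended to
    the raw token ("Bearer " for bearer tokens, "" for an apiKey value).
    """
    kind = scheme.get("type")
    if kind in ("oauth2", "openIdConnect"):
        # Tokens from OAuth2 flows are RFC 6750 bearer tokens: Authorization header,
        # regardless of any "name"/"in" the scheme object happens to carry.
        return ("header", "Authorization", "Bearer ")
    if kind == "http":
        http_scheme = scheme.get("scheme", "").lower()
        if http_scheme == "bearer":
            return ("header", "Authorization", "Bearer ")
        if http_scheme == "basic":
            # caller supplies base64(user:password) as the "token"
            return ("header", "Authorization", "Basic ")
        raise ValueError("unsupported http scheme: %r" % http_scheme)
    if kind == "apiKey":
        location, name = scheme.get("in"), scheme.get("name")
        if location not in ("header", "query", "cookie") or not name:
            raise ValueError("apiKey scheme requires valid 'in' and 'name'")
        return (location, name, "")
    raise ValueError("unknown security scheme type: %r" % kind)


def apply_security(doc, token, requirement_index=0):
    """Place `token` according to doc["security"][requirement_index].

    Returns (headers, query_params, cookies) as dicts, the way a client such as
    swagger-ui would attach the credential to a request.
    """
    schemes = doc.get("components", {}).get("securitySchemes", {})
    headers, query, cookies = {}, {}, {}
    buckets = {"header": headers, "query": query, "cookie": cookies}
    requirement = doc.get("security", [])[requirement_index]
    for scheme_name in requirement:            # every scheme in one requirement must be satisfied
        location, name, prefix = credential_placement(schemes[scheme_name])
        buckets[location][name] = prefix + token
    return headers, query, cookies


def lint_scheme(scheme_name, scheme):
    """Warn about fields the scheme type ignores (the pitfall in this issue)."""
    warnings = []
    kind = scheme.get("type")
    if kind != "apiKey" and ("name" in scheme or "in" in scheme):
        warnings.append(
            "%s: 'name'/'in' only apply to apiKey; with type %r the token is sent "
            "as 'Authorization: Bearer ...'" % (scheme_name, kind))
    if kind == "oauth2" and not scheme.get("flows"):
        warnings.append("%s: oauth2 scheme declares no flows" % scheme_name)
    return warnings


if __name__ == "__main__":
    for name, scheme in SAMPLE_DOC["components"]["securitySchemes"].items():
        print(name, credential_placement(scheme), lint_scheme(name, scheme))
    print(apply_security(SAMPLE_DOC, "eyJ.example.token"))
    print(apply_security(SAMPLE_DOC, "eyJ.example.token", requirement_index=1))
```

Running `lint_scheme` over the in-memory scheme from the report (type `oauth2` with `Name`/`In` set) produces the warning, while the same scheme as serialized into the document has no `name` field to warn about, which matches the investigation noted in the thread: the header name survives on the in-memory object but never reaches the document or the client.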
Additional context

This issue was originally raised here: domaindrivendev/Swashbuckle.AspNetCore#3138. Investigation by @martincostello shows that the header isn't in the OpenAPI document, but it's on the OpenApiDocument in memory.