Merge pull request #1405 from lurumad/feature/pkce

Add support to PKCE for SwaggerUI & update OAuth2Integration sample #999

Author: domaindrivendev

package-lock.json

@@ -200,5 +200,10 @@ public class OAuthConfigObject
         /// (Authorization header with Basic base64encode(client_id + client_secret))
         /// </summary>
         public bool UseBasicAuthenticationWithAccessCodeGrant { get; set; } = false;
+
+        /// <summary>
+        /// Enabled to use PKCE with the Autorization Code flow.
+        /// </summary>
+        public bool UsePkceWithAuthorizationCodeGrant { get; set; } = false;
     }
 }

src/Swashbuckle.AspNetCore.SwaggerUI/SwaggerUIOptions.cs

@@ -257,5 +257,14 @@ public static void OAuthUseBasicAuthenticationWithAccessCodeGrant(this SwaggerUI
         {
             options.OAuthConfigObject.UseBasicAuthenticationWithAccessCodeGrant = true;
         }
+
+        /// <summary>
+        /// Enabled to use PKCE with the Autorization Code flow.
+        /// </summary>
+        /// <param name="options"></param>
+        public static void OAuthUsePkce(this SwaggerUIOptions options)
+        {
+            options.OAuthConfigObject.UsePkceWithAuthorizationCodeGrant = true;
+        }
     }
 }

src/Swashbuckle.AspNetCore.SwaggerUI/SwaggerUIOptionsExtensions.cs

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "private": true,
   "dependencies": {
-    "swagger-ui-dist": "3.24.0"
+    "swagger-ui-dist": "3.24.3"
   }
 }

src/Swashbuckle.AspNetCore.SwaggerUI/package-lock.json

@@ -10,16 +10,38 @@ internal static IEnumerable<Client> Clients()
         {
             yield return new Client
             {
-                AllowAccessTokensViaBrowser = true,
-                AllowedGrantTypes = GrantTypes.Implicit,
-                AllowedScopes = new[] { "readAccess", "writeAccess" },
                 ClientId = "test-id",
-                ClientName = "test-app",
-                ClientSecrets = new[] { new Secret("test-secret".Sha256()) },
+                ClientName = "Interactive client (Code with PKCE)",
+
                 RedirectUris = new[] {
                     "http://localhost:55202/resource-server/swagger/oauth2-redirect.html", // IIS Express
                     "http://localhost:5000/resource-server/swagger/oauth2-redirect.html", // Kestrel
-                }
+                },
+
+                RequireClientSecret = false,
+                RequireConsent = true,
+
+                AllowedGrantTypes = GrantTypes.Code,
+                RequirePkce = true,
+                AllowedScopes = new[] { "readAccess", "writeAccess" },
+            };
+
+            yield return new Client
+            {
+                ClientId = "test-id.confidential",
+                ClientName = "Interactive client (Code with PKCE)",
+
+                RedirectUris = new[] {
+                    "http://localhost:55202/resource-server/swagger/oauth2-redirect.html", // IIS Express
+                    "http://localhost:5000/resource-server/swagger/oauth2-redirect.html", // Kestrel
+                },
+
+                ClientSecrets = { new Secret("test-secret".Sha256()) },
+                RequireConsent = true,
+
+                AllowedGrantTypes = GrantTypes.Code,
+                RequirePkce = true,
+                AllowedScopes = new[] { "readAccess", "writeAccess" },
             };
         }
 

src/Swashbuckle.AspNetCore.SwaggerUI/package.json

@@ -60,9 +60,10 @@ public void ConfigureServices(IServiceCollection services)
                     Type = SecuritySchemeType.OAuth2,
                     Flows = new OpenApiOAuthFlows
                     {
-                        Implicit = new OpenApiOAuthFlow
+                        AuthorizationCode = new OpenApiOAuthFlow
                         {
                             AuthorizationUrl = new Uri("/auth-server/connect/authorize", UriKind.Relative),
+                            TokenUrl = new Uri("/auth-server/connect/token", UriKind.Relative),
                             Scopes = new Dictionary<string, string>
                             {
                                 { "readAccess", "Access read operations" },
@@ -128,15 +129,12 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
                 resourceServer.UseSwaggerUI(c =>
                 {
                     c.SwaggerEndpoint("/resource-server/swagger/v1/swagger.json", "My API V1");
-
                     // Additional OAuth settings (See https://github.com/swagger-api/swagger-ui/blob/v3.10.0/docs/usage/oauth2.md)
-                    c.OAuthClientId("test-id");
+                    c.OAuthClientId("test-id.confidential");
                     c.OAuthClientSecret("test-secret");
-                    c.OAuthRealm("test-realm");
                     c.OAuthAppName("test-app");
                     c.OAuthScopeSeparator(" ");
-                    c.OAuthAdditionalQueryStringParams(new Dictionary<string, string> { { "foo", "bar" }});
-                    c.OAuthUseBasicAuthenticationWithAccessCodeGrant();
+                    c.OAuthUsePkce();
                     c.ConfigObject.DeepLinking = true;
                 });
             });