authorization header didn't exist in requests

[okosiuta]

Hi,
I tried to add the bearer token to all my swagger's UI requests in the next way:

@Bean
    public OpenAPI customOpenAPI() {
        return new OpenAPI().components(new Components()
                .addSecuritySchemes("BEARER KEY", new SecurityScheme().type(SecurityScheme.Type.HTTP)
                        .scheme("bearer").in(SecurityScheme.In.HEADER)));
    }

Then after my application started I pass the bearer token into an authentication form with swagger UI:

Actual result:

curl -X GET "http://localhost:8080/api/v1/contacts/employees?query=name" -H "accept: */*"

Bearer token didn't exist in the request.

Expected result:

curl -X GET "http://localhost:8080/api/v1/contacts/employees?query=name" -H "accept: */*" -H "Authorization: Bearer ***********"

Bearer token exists in the request.

Could you please clarify, what I'm doing wrong?
Thank you!

Hi,

You should add the @securityrequirement tags to your protected APIs.
For example:

@Operation(security = { @SecurityRequirement(name = "bearer-key") })

And the security definition sample:

@Bean
 public OpenAPI customOpenAPI() {
   return new OpenAPI().components(new Components().addSecuritySchemes("bearer-key",
     new SecurityScheme().type(SecurityScheme.Type.HTTP).scheme("bearer").bearerFormat("JWT")));
}

[MugdhaB]

Extending the question. What if the authentication method applies to all the APIs? Is there a way to say that the scheme applies to all the APIs?

[ricoatapex]

I'm running into this exact issue, and even adding the "SecurityRequirement" and "SecurityScheme" above, it's not sending the "authorization" field in the header. Does anyone have the full code definition for this? This is what I'm using, very straightforward, on my operation (after declaring the Security Schemes in "customOpenAPI"

@operation(
security={ @securityrequirement(name="bearerToken") },
parameters={
@parameter(
name="authorization",
in=ParameterIn.HEADER,
required=true
)
)
@GetMapping(value="/someFunctionCall")
public ResponseEntity<?> someFunctionCall(String authorization) {
return adminService.someFunctionCall(null);
}

[vladimirevterev]

Hi, @MugdhaB

use addSecurityItem method of global OpenAPI config bean to set SecurityRequirement globally

[q23qweliuhan]

I'm running into this exact issue, and even adding the "SecurityRequirement" and "SecurityScheme" above, it's not sending the "authorization" field in the header. Does anyone have the full code definition for this? This is what I'm using, very straightforward, on my operation (after declaring the Security Schemes in "customOpenAPI"

@operation(
security={ @securityrequirement(name="bearerToken") },
parameters={
@parameter(
name="authorization",
in=ParameterIn.HEADER,
required=true
)
)
@GetMapping(value="/someFunctionCall")
public ResponseEntity<?> someFunctionCall(String authorization) {
return adminService.someFunctionCall(null);
}

I've run into the same issue, do you maybe found the solution already?

[bnasslahsen]

@q23qweliuhan,

The behaviour you are describing is not related to springdoc-openapi. But to swagger-ui:
swagger-api/swagger-ui#5715

The OpenAPI 3 specification does not allow explicitly adding Authorization header. For more information, please read:

Note: Header parameters named Accept, Content-Type and Authorization are not allowed. To describe these headers

https://swagger.io/docs/specification/describing-parameters/#header-parameters.

[q23qweliuhan]

Hi @bnasslahsen,

Thanks for your reply!
I've changed it as below now:
@Operation(summary = "User logout - remove JWT from whitelist", security = {@SecurityRequirement(name = "bearer-key")})
public ResponseEntity logout(@RequestHeader(name = "Authorization") String authorization)
With these, I can get the token from the security now.

However, in the created api-docs, it still contains the Authorization as header parameters, also shown on the swagger ui.

Any idea what is causing this?

[bnasslahsen]

@okosiuta,

You can hide it using @Parameter(hidden = true)

@Operation(summary = "User logout - remove JWT from whitelist",security = { @SecurityRequirement(name = "bearer-key") })
public String logout(@Parameter(hidden = true) @RequestHeader(name = "Authorization") String authorization) {...}

If it makes sense, we might ignore Authorization as header parameters from the generated api-docs by default, on springdoc-openapi.
If you think its releavant, you can create a feature request for that.

[q23qweliuhan]

@Parameter(hidden = true)

I see, thanks!