OAuth2 flow not completing #1384


Closed
lucian303 opened this issue Jun 19, 2015 · 4 comments

@lucian303
Contributor

I have the following config:

securityDefinitions:
  oauth2:
    type: oauth2
    flow: accessCode
    description: OAuth2 Security
    tokenUrl: "https://myserver.com/token"
    authorizationUrl: "https://myserver.com/authorize"
    scopes:
      read: Read data.

The URLs are valid. When I click the On/Off switch, I get asked for the scope. I pick the only scope we have and click 'Authorize.' I get redirected to my OAuth login, where I log in with valid credentials. I get redirected back to o2c.html with the proper OAuth code. That code calls window.opener.processOAuthCode(qp); then closes the window. Swagger UI then calls the /token endpoint but doesn't provide the client secret. This is where the flow fails.

Which I suppose is to be expected because this block in index.html makes no sense:

            initOAuth({
              clientId: "swagger",
              realm: "your-realms",
              appName: "your-app-name"
            });

The clientId is correct and it's set up correctly to redirect back to o2c.html. I have no idea what realm and appName are supposed to be or how they'd relate to OAuth in this case. I also tried using the implicit OAuth flow but had no luck with that, as I don't think our server supports it.

So my questions:

  1. Can I authenticate with OAuth2, and if so, what needs to be done to make the flow finish properly?
  2. Even when manually adding the appropriate Authorization header in the JS using swaggerUi.api.clientAuthorizations.add("key", new SwaggerClient.ApiKeyAuthorization("Authorization", "Bearer some_hash_here", "header")); the API fails to make the call with this header. It's displayed in the curl call, which works perfectly using curl, so it's not an issue with the API itself but with swagger. This is my fallback position for allowing testing of the OAuth2 API if #1 above doesn't work, assuming that swagger-ui can be made to actually send the headers properly.
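The exchange described above, written out as an added example that is not swagger-ui's code and not part of the original issue: the redirect parameters that o2c.html hands back, the POST to the token endpoint including the client_secret the reporter found missing, and the Bearer header that must be attached to later API calls. All function names, the `secretIn` option and the `state` check (which the thread does not discuss) are assumptions made for this example. Note that a client_secret placed in index.html is visible to everyone who loads the page, so sending it from a browser-hosted Swagger UI only makes sense for a development or test deployment.

```javascript
// Added example (not swagger-ui code): authorization-code ("accessCode") token
// exchange as Swagger UI would have to perform it after o2c.html returns the code.
// Runs in Node or a browser; no network calls are made.

// Step 1: parse the redirect URL that o2c.html receives into a plain object
// (the `qp` passed to window.opener.processOAuthCode in the issue).
// The code flow returns parameters in the query string; the implicit flow
// puts them in the fragment, so both are handled.
function parseRedirectParams(redirectUrl) {
  const u = new URL(redirectUrl);
  const raw = u.search ? u.search.slice(1) : u.hash.slice(1);
  const params = {};
  for (const [k, v] of new URLSearchParams(raw)) params[k] = v;
  return params;
}

// Step 2: build the POST to tokenUrl. `cfg` mirrors the initOAuth() settings
// plus the fields the issue shows are needed; `secretIn` ("body" or "basic")
// is a hypothetical option choosing how the client secret is transmitted.
// The `state` comparison rejects a code injected via a forged callback URL.
function buildTokenRequest(cfg, params, expectedState) {
  if (params.error) throw new Error("authorization server returned " + params.error);
  if (!params.code) throw new Error("no authorization code in redirect");
  if (expectedState !== undefined && params.state !== expectedState) {
    throw new Error("state mismatch");
  }
  const form = {
    grant_type: "authorization_code",
    code: params.code,
    redirect_uri: cfg.redirectUri,
    client_id: cfg.clientId,
  };
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  if (cfg.clientSecret !== undefined) {
    if (cfg.secretIn === "basic") {
      // RFC 6749 section 2.3.1: HTTP Basic over form-urlencoded id and secret.
      const cred = encodeURIComponent(cfg.clientId) + ":" + encodeURIComponent(cfg.clientSecret);
      const b64 = typeof btoa === "function" ? btoa(cred) : Buffer.from(cred).toString("base64");
      headers.Authorization = "Basic " + b64;
    } else {
      // Secret as a body parameter: the form the reporter added by hand.
      form.client_secret = cfg.clientSecret;
    }
  }
  return {
    method: "POST",
    url: cfg.tokenUrl,
    headers,
    body: new URLSearchParams(form).toString(),
  };
}

// Step 3: turn the token endpoint's JSON reply into the header that every
// subsequent API call must carry (what ApiKeyAuthorization("Authorization",
// "Bearer ...", "header") sets up manually in the issue).
function bearerHeaderFromTokenResponse(json) {
  const tok = JSON.parse(json);
  if (!tok.access_token) throw new Error("token response lacks access_token");
  const type = (tok.token_type || "bearer").toLowerCase();
  if (type !== "bearer") throw new Error("unsupported token_type " + tok.token_type);
  return { name: "Authorization", value: "Bearer " + tok.access_token };
}

// Constructed sample run with the URLs from the issue's config.
const sampleConfig = {
  tokenUrl: "https://myserver.com/token",
  redirectUri: "https://myserver.com/o2c.html",
  clientId: "swagger",
  clientSecret: "s3cr3t", // constructed value, never ship a real one in index.html
  secretIn: "body",
};
const sampleParams = parseRedirectParams("https://myserver.com/o2c.html?code=abc123&state=xyz");
const sampleRequest = buildTokenRequest(sampleConfig, sampleParams, "xyz");
const sampleHeader = bearerHeaderFromTokenResponse('{"access_token":"tok","token_type":"Bearer"}');
```

The body-parameter form is what most token endpoints accept; the Basic form is what RFC 6749 lists as the default client authentication method, so an endpoint that rejects one is worth trying with the other before concluding the secret is wrong.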
@webron
Contributor

webron commented Jun 21, 2015

Which version of the UI do you use?

@lucian303
Contributor Author

I'm on 2.1.1 (master). As a further update to this, I dug in and found out that this was failing during the /token endpoint request because it was not sending in the expected client_secret parameter to the endpoint. When I add that manually in, it works fine. As far as I know the /token endpoint requires both the client and secret. Am I wrong?

If it helps, my swagger installation is at: https://omtdev.unifiedcompliance.com:8500

@ankon
Contributor

ankon commented Jun 25, 2015

This looks much related to #1324 - adding the client secret does fix the issue (PR upcoming if no one beats me to it :) )

@lucian303
Contributor Author

@ankon Yes, it is the same issue / fix.

fehguy added a commit that referenced this issue Jul 23, 2015
Add support for oauth client secret when calling the token URL. Fixes #1384. Fixes #1324.
@fehguy fehguy closed this as completed in 1fd15c6 Jul 23, 2015
@webron webron added this to the v2.1.1 milestone Jul 31, 2015
vincent-zurczak pushed a commit to roboconf/swagger-ui that referenced this issue Aug 19, 2016
Add support for oauth client secret when calling the token URL. Fixes swagger-api#1384. Fixes swagger-api#1324.