Negotiate Authentication on Windows #5168
@plk that's correct, Swagger UI doesn't currently support For now, the best option is what you mentioned: go through your auth flow in your user agent. I'm going to tag this as a feature request so we can track direct support for it in Swagger UI.
I'm surprised, as so many companies use this internally now and so many use Windows auth for APIs. I know of dozens of such use cases coming up currently. I can test this if there are any beta releases.
I don't understand @plk's requirement. We are a large enterprise and we do use either SPNEGO or certificate-based authentication. Both are supported with OAS 3.1.0 only. There is nothing Swagger UI can do here, but one thing: don't display Authenticate, because in both cases the browser will do it for you automatically; you don't have any control over it. The padlock should be locked and considered as autologon.
Well, Swagger UI uses curl to send the request for the "Try it Out" functionality, so I'm not sure the browser is relevant here? When I looked at the requests coming in, there was no attempt to do SPNEGO from the curl requests generated by Swagger UI, and so I would assume that when in OAS 3.1, we specify
??? Swagger does not use curl, it uses the browser to perform the request. Providing the curl request is just a convenience. All you need for a complete curl request is
Sorry, I was confused about this. The problem, when I looked at the requests sent by Swagger UI, was that the Negotiate headers were not being sent/responded to for some reason. I couldn't get an NTLM-authenticated API to work at all and assumed that this was a missing feature, as it wasn't sending/responding in the right way, but you are saying that this should work?
I will recheck on Monday and will let you know.
Just tried Swagger UI on a non-existing but constrained endpoint. The response is:
You are correct, I cannot remember exactly what I saw originally with this, but I think this should be closed. Apologies for the confusion.
This should not be closed, but the above case (autologon) should be implemented in Swagger UI.
That would be helpful, yes. I can't get SPNEGO to work with the UI in Edge or Firefox, but it does work with IE, which I suspect was the source of the original confusion. I suspect this is due to corporate browser setup, however.
Firefox and Chrome work perfectly. Edge should work too. It is simply a setup issue with your client.
Can you please give an example of how you got it working?
You mean in my YAML file? |
Yes, please show the output of the Use case example: domaindrivendev/Swashbuckle.WebApi#340 |
Found solution in #5149: to support Kerberos/NTLM with CORS we need to set Here is my solved case with C# code examples.
```csharp
// The commenter's working Swashbuckle.AspNetCore setup as posted; the usings and the
// closing parenthesis of the PreSerializeFilters.Add call were missing and are added
// here so it compiles as shown.
using System.Collections.Generic;
using Microsoft.OpenApi.Models;

// serverUrl is defined elsewhere in the poster's startup code: an alternate hostname
// of the same host used for development (https://othername:port), so that
// "Try it out" becomes a cross-origin request.
app.UseSwagger(c =>
{
    c.PreSerializeFilters.Add((swaggerDoc, httpRequest) =>
    {
        // We use just another hostname of own host for development purposes https://othername:port
        swaggerDoc.Servers = new List<OpenApiServer> { new OpenApiServer { Url = serverUrl } };
    });
});
app.UseSwaggerUI(c =>
{
    // Tells the browser to send the "Try it out" request with credentials, which is
    // what lets it answer the server's Negotiate challenge on a cross-origin request.
    c.ConfigObject.AdditionalItems.Add("withCredentials", true);
});
```
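To make the "withCredentials" fix above concrete, here is an added example (not Swagger UI's code and not the poster's) that models the server side a cross-origin, browser-driven Negotiate (SPNEGO/NTLM) request needs once Swagger UI sends credentials. Requests and responses are plain objects rather than a real HTTP server, and the allowed origin list and the sample token are constructed assumptions. Two details it shows: the CORS preflight arrives without credentials and must succeed anonymously, and a credentialed request cannot be answered with `Access-Control-Allow-Origin: *`, so the exact origin is echoed back.

```javascript
// Added example: minimal model of an API behind Windows (Negotiate) authentication
// that also serves a cross-origin Swagger UI. Not Swagger UI's or the poster's code.
// Assumption: Swagger UI is served from this one origin.
const ALLOWED_ORIGINS = new Set(["https://swagger.example.test"]);

// Build the CORS response headers for a credentialed request from `origin`.
// Returns null when the origin is not allowed. With credentials the browser
// rejects a wildcard, so the specific origin is echoed and Vary: Origin is set.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Handle one request. req = { method, headers: { Origin, Authorization, ... } }
// Returns { status, headers, body }.
function handle(req) {
  // Header names are case-insensitive; normalise once.
  const h = Object.fromEntries(
    Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
  const cors = corsHeaders(h["origin"]);
  const isPreflight =
    req.method === "OPTIONS" && "access-control-request-method" in h;

  if (isPreflight) {
    // The preflight never carries credentials. If it is routed through the
    // Windows auth challenge and gets a 401, the browser aborts and the real
    // request is never sent. It must be answered anonymously.
    if (!cors) return { status: 403, headers: {}, body: "" };
    return {
      status: 204,
      headers: {
        ...cors,
        "Access-Control-Allow-Methods": "GET,POST,PUT,DELETE",
        "Access-Control-Allow-Headers": "Content-Type,Authorization",
      },
      body: "",
    };
  }

  // A cross-origin request from an origin we do not allow is refused outright
  // (a real server might just omit the CORS headers and let the browser block it).
  if (h["origin"] && !cors) return { status: 403, headers: {}, body: "" };

  const auth = h["authorization"] || "";
  if (!auth.startsWith("Negotiate ")) {
    // Challenge. The browser itself, not Swagger UI's JavaScript, answers this
    // with a Negotiate token, but only when the fetch was sent with credentials.
    return {
      status: 401,
      headers: { ...(cors || {}), "WWW-Authenticate": "Negotiate" },
      body: "",
    };
  }

  // Validating the GSS/SPNEGO token against the domain (SSPI/GSSAPI) is out of
  // scope for this model; any "Negotiate ..." header is accepted here.
  return { status: 200, headers: { ...(cors || {}) }, body: "{\"ok\":true}" };
}

module.exports = { ALLOWED_ORIGINS, corsHeaders, handle };
```

The three responses correspond to what a browser sees during "Try it out" with withCredentials enabled: a 204 on the anonymous preflight, a 401 with `WWW-Authenticate: Negotiate` that the browser answers on its own, and the 200 once the token is presented. If the preflight returns 401, or the CORS headers carry `*` instead of the origin, the request fails in Firefox, Chrome and Edge even though the same URL opened directly in the browser logs in fine, which matches the symptom described earlier in the thread.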
I see that OAS3 allows for "negotiate" authentication, but Swagger-UI seems not to implement this? This is a very common thing in corporate APIs, naturally. Swagger-UI does not do the usual Windows Negotiate header exchange with the "Try It Out" functionality, even though identical requests work fine with NTLM/Kerberos negotiated authentication directly in the browser. If there is any way to get this to work, I would be interested.