Enabling Client Credentials Authorisation for SwaggerUI

[drwharris]

I am using NSwag.AspNetCore v14.0.3 have followed this to help me setup Authorisation using Client Credentials flow

This is what my code looks like:

services.AddOpenApiDocument(document =>
{
	var securitySchemeName = "OAuth";
	document.UseControllerSummaryAsTagDescription = true;
	document.AddSecurity(securitySchemeName, Enumerable.Empty<string>(), new OpenApiSecurityScheme
	{
		Type = OpenApiSecuritySchemeType.OAuth2,
		Flows = new OpenApiOAuthFlows()
		{
			ClientCredentials = new OpenApiOAuthFlow()
			{
				TokenUrl = "https://***.b2clogin.com/***.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1a_signup_signin"
			}
		}
	});

	document.OperationProcessors.Add(new AspNetCoreOperationSecurityScopeProcessor(securitySchemeName));
	document.DocumentName = "API Name";
	document.Title = "System Name";
	document.Version = "1.0.0";
});

app.UseSwaggerUi(config =>
{
	config.EnableTryItOut = true;
	config.WithCredentials = true;
	config.OAuth2Client = new OAuth2ClientSettings
	{
		ClientId = "<Enter your Client ID>",
	};
	config.Path = "/api";
	config.SwaggerRoutes.Add(item: new SwaggerUiRoute(name: "All APIs", url: "api/specificationAll.json"));
});

When I use and click the "Authorize" button, I am presented this

When I fill out a clientid and secret and click the authorize button I get a 400

And if I have a look at the payload I can see that it most definitely is missing

It should show as a minimum

grant_type: client_credentials
client_id: ***
client_secret: ***

Am I missing something? Is this not possible?

[drwharris]

Is anyone able to confirm if this SHOULD work?

[CamIliff]

Using Fiddler, I found that the request to the token Url was using an "OPTIONS" verb. Not sure yet how to make it POST and with correct content.

OPTIONS https://identity.dev.local:5109/connect/token HTTP/1.1 Host: identity.dev.apollok12.com:5109 Connection: keep-alive Accept: */* Access-Control-Request-Method: POST Access-Control-Request-Headers: authorization,x-requested-with Origin: https://api.dev.local:5122 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://api.dev.local:5122/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9

[ocigja]

This is an example of how eneable Oauth2 authentification on SwaggerUI, using .net 9 and open api 3, with Azure Entra ID :

using NSwag;
using NSwag.Generation.Processors.Security;
using Microsoft.AspNetCore.Builder;

public void AddApiDocumentation(IServiceCollection services)
{
  services.AddOpenApiDocument(document =>
  {
      document.AddSecurity("OAuth2", Enumerable.Empty<string>(), new OpenApiSecurityScheme
      {
          Type = OpenApiSecuritySchemeType.OAuth2,
          Description = "OAuth2 - authentification via Azure AD App Registration",                 
          Flows = new OpenApiOAuthFlows()
          {
              AuthorizationCode = new OpenApiOAuthFlow()
              {
                  AuthorizationUrl = "https://login.microsoftonline.com/<TenantId>/oauth2/v2.0/authorize",
                  TokenUrl = "https://login.microsoftonline.com/<TenantId>/oauth2/v2.0/token",
                  Scopes = {
                      { "<clientId>/scope1", "description" },
                      { "<clientId>/App.Read", "another scope" },
                  } ,
              }
          }
      });            
      
      document.OperationProcessors.Add(new AspNetCoreOperationSecurityScopeProcessor("OAuth2"));
  });
}
  
public virtual void UseApiDocumentation(IApplicationBuilder app)
{
  app.UseOpenApi();
  app.UseSwaggerUi(settings =>
  {
      settings.OAuth2Client = new NSwag.AspNetCore.OAuth2ClientSettings
      {
          ClientId = <clientId>, //app registration Identity specific for swagger
          ClientSecret = "", // no secret
          UsePkceWithAuthorizationCodeGrant = true,
      };
  });
}

// Then in your program.cs

var builder = WebApplication.CreateBuilder(args);
//...
AddApiDocumentation(builder.Services);


var app = builder.Build();
if (app.Environment.IsDevelopment())
{
    UseApiDocumentation(app);
}

More useful information on how to full setup (using AzureAD) on this video : https://www.youtube.com/watch?v=0S0aspQAxrc