Out of spec HTTP authorization scheme seems accepted (Basic). #5965

Closed
shotwn opened this issue Apr 15, 2020 · 3 comments

Comments

@shotwn

shotwn commented Apr 15, 2020

Q&A (please complete the following information)

  • OS: Windows 10
  • Browser: Google Chrome
  • Version: 80
  • Method of installation: CDN (unpkg.com)
  • Swagger-UI version: 3.25.0
  • Swagger/OpenAPI version: OpenAPI 3.0

Content & configuration

Example Swagger/OpenAPI definition:

  securitySchemes:
    basicAuth:
      type: http
      description: 'lalala.'
      scheme: Basic

Describe the bug you're encountering

I had a typo. The scheme field on the HTTP auth was Basic instead of basic.

But even with this typo all UI features seemed to work okay. I was able to click authorize and enter my credentials, only for them to not be sent on the request.

And actually, on the available authorizations modal, the authorization method is depicted as basicAuth (http, Basic) with a capital B, as it would be depicted in many other places.

This causes confusion as everything seems fine but authorization headers are not sent on try it out requests. Since many issues about authorization headers seem to point at CORS issues, the whole situation causes a witch hunt over a simple typo.

Expected behavior

When the authorization scheme value is wrong (Basic instead of basic), do not show the (http, Basic) authorization in the available authorizations modal.

Or, better, show a warning about an unsupported authorization method.

@hkosova
Contributor

hkosova commented Apr 16, 2020

scheme is case-insensitive, so both scheme: basic and scheme: Basic should work. The fact that scheme: Basic does not work is a bug.

Note to developers:
There was PR swagger-api/swagger-js#1473 attempting to address this, but it was declined because of a lack of tests.

@hkosova
Contributor

hkosova commented May 13, 2020

New PR: swagger-api/swagger-js#1531

char0n added a commit to swagger-api/swagger-js that referenced this issue Jun 18, 2020
As per RFC7235 auth scheme is case insensitive.

2.1. Challenge and Response

HTTP provides a simple challenge-response authentication framework
that can be used by a server to challenge a client request and by a
client to provide authentication information. It uses a case-
insensitive token as a means to identify the authentication scheme,
followed by additional information necessary for achieving.

https://tools.ietf.org/html/rfc7235#section-2.1

Refs #1531, #1473
Refs OAI/OpenAPI-Specification#1876
Refs swagger-api/swagger-ui#5965
char0n added a commit to swagger-api/swagger-js that referenced this issue Jun 18, 2020
As per RFC7235 auth scheme is case insensitive.

2.1. Challenge and Response

HTTP provides a simple challenge-response authentication framework
that can be used by a server to challenge a client request and by a
client to provide authentication information. It uses a case-
insensitive token as a means to identify the authentication scheme,
followed by additional information necessary for achieving.

https://tools.ietf.org/html/rfc7235#section-2.1

Co-authored-by: Helen Kosova <[email protected]>

Refs #1531, #1473
Refs OAI/OpenAPI-Specification#1876
Refs swagger-api/swagger-ui#5965
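The point hkosova makes above and the commit message restates from RFC 7235 section 2.1 (the auth-scheme token is case-insensitive) shown as an added JavaScript example; this is not swagger-js or Swagger UI code. The function names, the sample securitySchemes object and the set of "supported" schemes are constructed for the example. It places the case-sensitive lookup that reproduces the reported behaviour next to an RFC-conformant one, and adds the check the reporter asked for: listing http schemes whose token the tool cannot render, so the UI can warn instead of offering an authorize modal that never sends a header.

```javascript
// Added example, not swagger-js or Swagger UI code: deriving the Authorization
// header for an OpenAPI 3 "type: http" security scheme. Function names, the
// sample definition and SUPPORTED_HTTP_SCHEMES are constructed for this example.

// Constructed securitySchemes; 'Basic' is the capitalised token from the issue.
const sampleSecuritySchemes = {
  basicAuth: { type: 'http', scheme: 'Basic', description: 'lalala.' },
  bearerAuth: { type: 'http', scheme: 'BEARER' },
  digestAuth: { type: 'http', scheme: 'Digest' },
  apiKeyAuth: { type: 'apiKey', in: 'header', name: 'X-API-Key' },
};

// Scheme tokens this (hypothetical) tool knows how to render. Kept in lower
// case because RFC 7235 section 2.1 defines the auth-scheme token as
// case-insensitive, so comparison happens on the normalised form.
const SUPPORTED_HTTP_SCHEMES = ['basic', 'bearer'];

// Normalise a scheme token for comparison; returns null for anything that is
// not a usable string so malformed definitions are treated as unsupported.
function normalizeSchemeToken(token) {
  return typeof token === 'string' && token.trim() !== ''
    ? token.trim().toLowerCase()
    : null;
}

function basicHeader(credentials) {
  // Incomplete credentials: send nothing rather than a malformed header.
  if (!credentials || typeof credentials.username !== 'string') return null;
  const pair = `${credentials.username}:${credentials.password ?? ''}`;
  return 'Basic ' + Buffer.from(pair, 'utf8').toString('base64');
}

function bearerHeader(credentials) {
  if (!credentials || typeof credentials.token !== 'string' || credentials.token === '') return null;
  return `Bearer ${credentials.token}`;
}

// Case-sensitive lookup reproducing the reported behaviour: 'Basic' matches
// nothing, so the header is silently omitted from the request.
function buildAuthHeaderStrict(securityScheme, credentials) {
  if (securityScheme.type !== 'http') return null;
  if (securityScheme.scheme === 'basic') return basicHeader(credentials);
  if (securityScheme.scheme === 'bearer') return bearerHeader(credentials);
  return null;
}

// RFC-conformant lookup: compare the normalised token and always emit the
// canonical spelling of the scheme name in the header, whatever the definition used.
function buildAuthHeader(securityScheme, credentials) {
  if (securityScheme.type !== 'http') return null;
  switch (normalizeSchemeToken(securityScheme.scheme)) {
    case 'basic':
      return basicHeader(credentials);
    case 'bearer':
      return bearerHeader(credentials);
    default:
      return null;
  }
}

// The warning the reporter asked for: names of http schemes whose token the
// tool cannot render, so the UI can flag them up front.
function unsupportedHttpSchemes(securitySchemes) {
  return Object.entries(securitySchemes)
    .filter(([, s]) => s.type === 'http'
      && !SUPPORTED_HTTP_SCHEMES.includes(normalizeSchemeToken(s.scheme)))
    .map(([name]) => name);
}

// Stand-alone run: show the difference for the issue's 'Basic' definition.
if (typeof require !== 'undefined' && require.main === module) {
  const creds = { username: 'user', password: 'pass' };
  console.log('strict  :', buildAuthHeaderStrict(sampleSecuritySchemes.basicAuth, creds));
  console.log('rfc7235 :', buildAuthHeader(sampleSecuritySchemes.basicAuth, creds));
  console.log('unsupported:', unsupportedHttpSchemes(sampleSecuritySchemes));
}
```

Running it prints null for the strict lookup and a populated Basic header for the RFC-conformant one, and lists digestAuth as the scheme the tool would not be able to send, which is exactly the case where the UI should warn rather than show a working-looking authorize dialog.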
@hkosova
Contributor

hkosova commented Jun 18, 2020

🎉 Fixed in Swagger UI 3.27.0, Swagger Editor 3.11.4, swagger-client 3.10.8.

@hkosova hkosova closed this as completed Jun 18, 2020
2 participants