
Authorization doesn't work with empty oauth2 scopes #2150

Closed
thomasmey opened this issue May 11, 2016 · 5 comments

@thomasmey

When reporting a bug, please provide the following details:

  • swagger-ui version
    767a37c

  • a swagger file reproducing the issue
    use a swagger.json with empty oauth2 scopes like this (closing brace of securityDefinitions restored; the rest is as posted):

    "securityDefinitions" : {
      "oauth2scheme" : {
        "type" : "oauth2",
        "authorizationUrl" : "https://url/to/authorize",
        "tokenUrl" : "https://url/to/token",
        "flow" : "implicit",
        "scopes" : { }
      }
    }

Validation of the model will always fail, because the validate function doesn't cope with an empty scopes array.

Bug or feature?

Maybe do something like this instead:

// Backbone-style model method; `_` is the lodash/underscore instance swagger-ui already loads.
validate: function () {
    var valid = false;
    var scp = this.get('scopes');
    // Index of the first scope the user ticked, or -1 if none.
    var idx = _.findIndex(scp, function (o) {
        return o.checked === true;
    });
    // Scopes defined and at least one selected: valid.
    if (scp.length > 0 && idx >= 0) {
        valid = true;
    }
    // No scopes defined at all: nothing to select, so also valid.
    if (scp.length === 0) {
        valid = true;
    }
    this.set('valid', valid);
    return valid;
}
@sqdk
Contributor

sqdk commented May 25, 2016

Sounds like a duplicate of #1329

@bodnia
Contributor

bodnia commented Jun 13, 2016

As per the spec, the property scopes is marked as required and represents

    available scopes for the OAuth2 security scheme.

@webron @fehguy could you please confirm that it should be optional when authorize?

@sqdk
Contributor

sqdk commented Jun 13, 2016

As per https://tools.ietf.org/html/rfc6749#section-3.3:

    If the client omits the scope parameter when requesting
    authorization, the authorization server MUST either process the
    request using a pre-defined default value or fail the request
    indicating an invalid scope.  The authorization server SHOULD
    document its scope requirements and default value (if defined).

Not passing a scope should be allowed.

Scopes should always be present in the swagger specification, but it should be possible to let it be empty, indicating that the server must apply the default OAuth scope.

From what I know, this is a bug in the UI code, not in the spec. See PRs.
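As an added illustration of the two points raised in this thread (this is example code, not swagger-ui's own implementation or the fix in the linked PRs): a scope check that accepts an empty `scopes` map, and an implicit-flow authorization request that omits the `scope` parameter entirely when nothing is selected, so the server applies its documented default per RFC 6749 section 3.3. The helper names `validateScopes`, `scopesFromDefinition` and `buildAuthorizeUrl`, the client id, redirect URI and state values are all assumptions; the security definition mirrors the one from the issue.

```javascript
// Added example, not swagger-ui code. Helper names are hypothetical.

// scopes: array of { name, description, checked } as a UI might keep them.
function validateScopes(scopes) {
  // No scopes defined: nothing for the user to pick, the request is valid
  // and the authorization server's default scope applies (RFC 6749 3.3).
  if (scopes.length === 0) return true;
  // Scopes are defined: require at least one to be selected.
  return scopes.some(function (s) { return s.checked === true; });
}

// Turn a Swagger 2.0 securityDefinition's `scopes` object into the array
// shape above. An empty object yields an empty array.
function scopesFromDefinition(def) {
  var map = def.scopes || {};
  return Object.keys(map).map(function (name) {
    return { name: name, description: map[name], checked: false };
  });
}

// Build the implicit-flow authorization URL. params: { clientId, redirectUri, state }.
function buildAuthorizeUrl(def, params, scopes) {
  if (def.type !== 'oauth2' || def.flow !== 'implicit') {
    throw new Error('only the implicit flow is handled in this example');
  }
  if (!validateScopes(scopes)) {
    throw new Error('select at least one scope');
  }
  var query = {
    response_type: 'token',
    client_id: params.clientId,
    redirect_uri: params.redirectUri,
    state: params.state            // CSRF protection for the redirect
  };
  var selected = scopes
    .filter(function (s) { return s.checked === true; })
    .map(function (s) { return s.name; });
  if (selected.length > 0) {
    // RFC 6749 3.3: scope is a space-delimited list.
    query.scope = selected.join(' ');
  }
  // Otherwise `scope` is left out of the request altogether, rather than
  // sent as `scope=` (an empty string), so the server can apply its default.
  // encodeURIComponent is used instead of URLSearchParams so the delimiter
  // is encoded as %20 rather than '+', which some servers do not accept.
  var qs = Object.keys(query).map(function (k) {
    return encodeURIComponent(k) + '=' + encodeURIComponent(query[k]);
  }).join('&');
  var sep = def.authorizationUrl.indexOf('?') === -1 ? '?' : '&';
  return def.authorizationUrl + sep + qs;
}

// Constructed input mirroring the issue's securityDefinition.
var oauth2scheme = {
  type: 'oauth2',
  authorizationUrl: 'https://url/to/authorize',
  tokenUrl: 'https://url/to/token',
  flow: 'implicit',
  scopes: {}
};
var assumedParams = { clientId: 'example-client', redirectUri: 'https://app/cb', state: 'xyz' };

function exampleEmptyScopesUrl() {
  return buildAuthorizeUrl(oauth2scheme, assumedParams, scopesFromDefinition(oauth2scheme));
}
```

With the definition from the issue, `exampleEmptyScopesUrl()` returns an authorization URL with no `scope` parameter at all; with a definition that declares scopes, `validateScopes` rejects the request until one is ticked, and the ticked names are joined with a space.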

@bodnia
Contributor

bodnia commented Jun 13, 2016

@webron could you please merge PR #2176? It works OK.

@webron
Contributor

webron commented Jun 13, 2016

Closed via #2176.
