Implement Authentications for Swagger 2.0

[avianey]

In the swagger-ui default index.html page, it would be great if we can switch to/from the defaut api_key input text field to username/passwaord inputs to allow basic auth. It's only possibile to use ApiKeyAuthorization. A <select> would be great to switch between ApiKeyAuthorization and PasswordAuthorization with something like this :

$('#input_username, #input_password').change(function() {
      var username = $('#input_username')[0].value;
      var password = $('#input_password')[0].value;
      if(username && username.trim() != "" && password && password.trim() != "") {
        window.authorizations.add("key", new PasswordAuthorization("basic_auth", username, password));
      }
    })

[fehguy]

We'll be letting the spec determine what security definitions are supported, and the UI will reflect it in 2.1.0-M1.

[avianey]

👍

[fehguy]

Moving to M2

[mohsen1]

We can keep the header the way it is and detect a colon in the field. If that's present we use that for basic auth. (username:password)
The limitation is, if an API key has colon in it it will get treated as basic auth.

What do you think @fehguy

[fehguy]

I think we hit this up over IRC, but my preference is as follows:

• for each securityDefinition render a login button in place of the key text edit box
• for each type of securityDefinition, render a different button style. The types (off the top of my head) are:
  • basic auth
  • api key
  • oauth (3 flows)
• when clicking any of the buttons, the appropriate authentication form is presented. For oauth, it'd look like this:

After applying, the window.swaggerUi.authorizations will be updated.

[jahlborn]

I'm confused by the comments here. The original issue seems to request basic auth for downloading the swagger spec (which we would definitely like to have). but the comments seems to imply determining the security available based on the swagger spec (which wouldn't yet be available)... am i misunderstanding something?

[joerocklin]

Seems like this keeps getting kicked down the road. Is anyone working on this at all?
I've been able to modify the index.html (in the released v2.1.3) to use the Authorization header, but it seems to only apply to all of the paths which do not have a security section defined - the opposite of what I would expect. (The online swagger editor seems to have the correct behavior).

Edit to add: I managed to get things working without changing much. It seems that either I misunderstood the documentation or the documentation needs a little improvement. I'll see if I can find some way of describing the pieces that finally clicked in place for me to understand what needed to be done.

[fehguy]

See 2.2.1, this is now all dynamic.