Swagger/Swashbuckle OAuth2 Authorizations not set

[danutzplusplus]

I've found an issue and I'm not sure where it stems from. The point where it fails in inside a Swagger js library (swagger-ui-js), but it might either because of a misconfiguration in Swashbuckle, or an actual bug in Swagger (version: v2.1.0-M2).

The issue I found was after upgrading Swashbuckle from 4.x to 5 (in 4.x it worked without a hitch), and it manifests in the following way:
I've a couple of WebAPI services exposed using Swashbuckle, and I've configured them (just the same as I've configured 4.x) to use a local OAuth2 token issuer. I hit the [On/Off] button on a particular service, and start the OAuth2 requests, finalizing with the access_token stored locally in swagger (the [On/Off] button is [On], meaning authentication succeeded).

When I attempt to perform the actual call to the WebAPI service, it breaks locally in the javascript code, in swagger-ui-js, at line nr 900, at the point where it tries to call apply(obj, authorizations) on the reference retrieved from this.authz["oauth2"]

result = value.apply(obj, authorizations); // it breaks here because value is an empty js object, and apply is undefined

I've uploaded a screenshot of the firefox debugger: http://oi61.tinypic.com/2q1wk6e.jpg

I've traced where this.authz[key] is set, and its in the
SwaggerAuthorizations.prototype.add = function (name, auth) {
this.authz[name] = auth;

return auth;
};

I've then traced it, at least I hope I traced it correctly, to:
window.swaggerUi.api.clientAuthorizations.add.apply(window.swaggerUi.api.clientAuthorizations, arguments);
and I noticed arguments is an array, and the "oauth2" key has an empty js object, but I've not been able to find out where that arguments object is populated from.

Anyone else had this issue? Could this be just because of a misconfiguration server-side on my part? I would imagine if this was the case, the OAuth2 flow would break a lot sooner than when trying to perform the actual request with the received bearer token.

Thanks, and I hope someone is able to shed some light on this, and I'm stumped.

[webron]

@danutzplusplus - can you share the Swagger definition you get from Swashbuckle? That would help us debug the problem.

[danutzplusplus]

Hmm, I'm not sure I understand what you mean by Swagger definition. I've deployed Swashbuckle as a nuget package, and only got the dll. I supposed the dll has the static Swagger js/html? I did download the source code of Swashbuckle from github, but there were no Swagger files, just some SwaggerUI custom assets (discoveryUrlSelector.js, swagger-oauth.js, index.html).

EDIT: Or do you mean the Swagger UI js code that I'm getting in the browser?

[webron]

Eventually, Swashbuckle produces a json file that swagger-ui reads and presents. I need that json.

[danutzplusplus]

Can you give me some hints as to how to find that? Should it be locally generated?

[webron]

It should be generated at runtime probably. You can open your browser's web console as you open the ui and see what it loads. It should be the input to the SwaggerUi object (the url parameter). I'm not sure where Swashbuckle hosts it.

[danutzplusplus]

Ok, i've uploaded 3 screenshots I took of the swagger/docs/1 configuration data. I hope this is what you were asking for.
http://oi60.tinypic.com/2zzufm1.jpg
http://oi59.tinypic.com/1539q4k.jpg
http://oi58.tinypic.com/2vmd6dk.jpg

Thanks

[webron]

It looks like it is, but I need the actual JSON. Screenshots are not going to help. I understand it may contain details you don't want to share publicly, but you can email them to me directly (email in profile) if that helps.

[danutzplusplus]

Can I send you the actual json, but with the values i'd like to keep hidden replaced with generic values?

[webron]

Sure, we can try that. I believe the structure would be more important.

[danutzplusplus]

I've just sent you an email with the attached json. I hope it helps. Thanks

[danutzplusplus]

I've debugged the new version of swagger which doesn't work, and the old one which does, and there indeed seems to be a problem with the call to call to window.authorizations.add(oauth2KeyName, new ApiKeyAuthorization('Authorization', 'Bearer ' + b, 'header'));

In the old version the function calls the ApiKeyAuthorization constructor, setting those 3 keys (auth_type,bearer_token,header), while in the new version it runs through
window.ApiKeyAuthorization = function() {
warn('window.ApiKeyAuthorization is deprecated. Please use SwaggerClient.ApiKeyAuthorization.');
SwaggerClient.ApiKeyAuthorization.apply(window, arguments);
};

And in the window.ApiKeyAuthorization the arguments variable is undefined, since those 3 parameters aren't picked up, since window.ApiKeyAuthorization has no parameters in its signature.

Also, in the old version that works, that value.apply which causes the crash in the new one(because value has no apply method set onto it) works perfectly. value has it's value taken from this.authz["oauth2"] which has the proper fields set (the auth type, the bearer token, and most importantly the apply method set on the json)

[webron]

@danutzplusplus - thanks for the investigation. apologies for not getting back to you on this.

[danutzplusplus]

Seems domaindrivendev on Swashbuckle is also able to reproduce this.
domaindrivendev/Swashbuckle.WebApi#267

@webron No worries. I'm just happy people are so nice in investigating this.