Comments (4)
I stumbled over this issue in the context of Microsoft Entra ID, too.
The client_id and client_secret are not passed as form parameters. Instead, the Authorization header is used. This is generally also supported by Microsoft; the client_secret parameter documentation mentions:
> The Basic auth pattern of instead providing credentials in the Authorization header, per RFC 6749 is also supported.
The true cause of this issue seems to be that Microsoft seems to have stopped support for the client_credentials flow to be called from a website.
You can confirm this by trying out the following curl requests:
Token request without origin header
> curl https://login.microsoftonline.com/${YOUR_TENANT_ID}/oauth2/v2.0/token \
-d 'grant_type=client_credentials' \
-d "scope=${YOUR_CLIENT_ID}/.default" \
-d "client_id=${YOUR_CLIENT_ID}" \
-d "client_secret=${YOUR_CLIENT_SECRET}"
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"...your_token..."}
Token request with origin header like a request would be issued in a browser
> curl -v https://login.microsoftonline.com/${YOUR_TENANT_ID}/oauth2/v2.0/token \
-H 'Origin: http://localhost:8080' \
-d 'grant_type=client_credentials' \
-d "scope=${YOUR_CLIENT_ID}/.default" \
-d "client_id=${YOUR_CLIENT_ID}" \
-d "client_secret=${YOUR_CLIENT_SECRET}"
[...]
< HTTP/2 400
[...]
{"error":"invalid_request","error_description":"AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type. Request origin: 'http://localhost:8080'. Trace ID: [...] Correlation ID: [...] Timestamp: [...]","error_codes":[9002326],"timestamp":"[...]","trace_id":"[...]","correlation_id":"[...]","error_uri":"https://login.microsoftonline.com/error?code=9002326"}
I don't think this issue can be solved by swagger-ui. Microsoft would need to enable support for the client_credentials flow from browsers again.
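Added example (not code from the swagger-ui project or from either commenter): it builds the client_credentials token request the two ways RFC 6749 allows, as form parameters or as an Authorization: Basic header, shows how a receiving side parses that header back, and classifies a token endpoint response so that the AADSTS9002326 cross-origin rejection quoted above is recognised explicitly. The tenant id, client id and secret are constructed placeholders, and the two response bodies are reconstructed from the ones shown in the comment.

```python
"""Client_credentials request construction and response triage (added example)."""
import base64
import json
from urllib.parse import quote, unquote, urlencode

# Constructed placeholder values; not real identifiers or credentials.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_SECRET = "example-secret/with+reserved=chars"

# Entra ID error code from the thread: cross-origin token redemption refused.
CROSS_ORIGIN_CODE = 9002326


def build_token_request(tenant_id, client_id, client_secret,
                        use_basic_header=False, origin=None):
    """Return (url, headers, body) for a client_credentials token request.

    use_basic_header=False: client_id/client_secret are form parameters (the curl
    calls in the thread). use_basic_header=True: they travel in an Authorization:
    Basic header as RFC 6749 section 2.3.1 describes, where both values are
    form-urlencoded before being joined with ':' and base64-encoded.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    params = {"grant_type": "client_credentials", "scope": f"{client_id}/.default"}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if use_basic_header:
        raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(raw.encode()).decode()
    else:
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    if origin is not None:
        # A browser adds Origin itself on cross-site requests; curl only sends it
        # when told to, which is what makes the two curl calls above differ.
        headers["Origin"] = origin
    return url, headers, urlencode(params)


def decode_basic_header(value):
    """Reverse of the header construction above: returns (client_id, client_secret)."""
    scheme, _, encoded = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    client_id, _, client_secret = base64.b64decode(encoded).decode().partition(":")
    return unquote(client_id), unquote(client_secret)


def classify_token_response(status, body):
    """Map a token endpoint response to a short diagnosis string."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return "ok"
    if CROSS_ORIGIN_CODE in data.get("error_codes", []):
        # The secret was accepted as far as the server got; the request was
        # refused because it carried an Origin header from a non-SPA client type.
        return "cross-origin-rejected"
    return data.get("error", "unknown")


# Constructed bodies modelled on the two responses quoted in the thread.
SUCCESS_BODY = json.dumps({"token_type": "Bearer", "expires_in": 3599,
                           "ext_expires_in": 3599, "access_token": "...your_token..."})
REJECTED_BODY = json.dumps({
    "error": "invalid_request",
    "error_description": "AADSTS9002326: Cross-origin token redemption is permitted "
                         "only for the 'Single-Page Application' client-type. "
                         "Request origin: 'http://localhost:8080'.",
    "error_codes": [CROSS_ORIGIN_CODE],
})

if __name__ == "__main__":
    url, headers, body = build_token_request(TENANT_ID, CLIENT_ID, CLIENT_SECRET,
                                             use_basic_header=True)
    print(url, headers, body)
    print(classify_token_response(400, REJECTED_BODY))
```

The classification step is the part worth keeping around: a 400 with error_codes containing 9002326 means the request itself was well-formed and the client type, not the credential transport, is what the token endpoint objected to. It also underlines why the Bearer-header workaround mentioned later in the thread is the sound one: a client_credentials exchange needs the client secret, and a token request issued from a browser puts that secret in the page, so doing the exchange server-side and handing Swagger UI only the resulting token keeps the secret where it belongs.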
Hi @PSanetra, thank you for adding your findings. Nice work figuring out that the Origin header is the issue!
I wonder if there is some magic value of the Origin header which it will accept?
> I don't think this issue can be solved by swagger-ui.
I agree it's not a Swagger UI issue.
> Microsoft would need to enable support for client_credentials flow from browsers again.
I wonder if there is some config in our Entra ID App Registration's manifest which would allow this?
@mattfrear good question if there is some configuration option for this. I would be interested too.
For now I will go with a simple Authorization header with the Bearer scheme in Swagger UI and show some description of how to get the client_credentials token via curl as a workaround.
Closing this because it's not a Swagger UI issue; it's caused by Entra ID rejecting client_credentials requests which have an Origin header.