I am trying to use the ServiceStack.Api.OpenApi.OpenApiFeature, now that we have migrated to ServiceStack 5.5.
We want to set it up so that we can let the user authorize using 3 of the 4 supported methods of OAuth 2.0, which are the “Authorization Code” grant, the “Client Credentials” grant and the “Resource Owner Password” grant (we don’t support the “Implicit” grant).
Here is how I have defined these three security definitions:
using System.Collections.Generic;
using ServiceStack.Api.OpenApi;
using ServiceStack.Api.OpenApi.Specification;

// allUserAccountScopes and allClientApplicationScopes are Dictionary<string, string>
// values (scope name -> description) defined elsewhere in the AppHost.
Plugins.Add(new OpenApiFeature
{
    UseBasicSecurity = false,
    UseBearerSecurity = true,
    SecurityDefinitions = new Dictionary<string, OpenApiSecuritySchema>
    {
        {
            "oAuth2AuthCode",
            new OpenApiSecuritySchema
            {
                // Authorization Code grant: needs both the authorize and the token endpoint
                Type = "oauth2", Flow = "accessCode", AuthorizationUrl = "/api/auth", TokenUrl = "/api/token",
                Description = "Delegated authorization",
                Scopes = allUserAccountScopes
            }
        },
        {
            "oAuth2ClientCredentials",
            new OpenApiSecuritySchema
            {
                // Client Credentials grant: token endpoint only
                Type = "oauth2", Flow = "application", TokenUrl = "/api/token",
                Description = "Direct Authorization for client applications",
                Scopes = allClientApplicationScopes
            }
        },
        {
            "oAuth2Password",
            new OpenApiSecuritySchema
            {
                // Resource Owner Password grant: token endpoint only
                Type = "oauth2", Flow = "password", TokenUrl = "/api/token",
                Description = "Direct authorization for user accounts",
                Scopes = allUserAccountScopes
            }
        }
    },
});
According to the Swagger 2.0 specs I have all these security definitions defined correctly.
However, when the Swagger UI is presented, the UI for the first type, the “Authorization Code” grant type, has nowhere to collect the “client_id” or “client_secret” from the UI, as there is for the other two grant types.
This grant type requires the client_id and client_secret to authenticate the call.
I found this post on Swagger UI that seems to indicate that perhaps the OpenApiFeature needs to do more to support this scenario.
How do I get this working correctly?
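As an added example (not part of the original post), the following checks the three security definitions above against the Swagger 2.0 per-flow rules the poster relies on: "accessCode" needs both authorizationUrl and tokenUrl, "application" and "password" need tokenUrl, "implicit" needs authorizationUrl, and every oauth2 scheme needs a scopes object. The scope dictionaries are constructed sample values, since the post does not show them.

```python
# Added example, not from the original post: validates Swagger 2.0 oauth2
# securityDefinitions against the per-flow required fields of the spec.
# Note the Security Scheme Object has no field for client_id/client_secret;
# those are collected at runtime by the UI, not declared in the definition.

REQUIRED_URLS = {
    "implicit": {"authorizationUrl"},
    "password": {"tokenUrl"},
    "application": {"tokenUrl"},
    "accessCode": {"authorizationUrl", "tokenUrl"},
}


def validate_oauth2_definition(name, schema):
    """Return a list of problems for one securityDefinitions entry."""
    problems = []
    if schema.get("type") != "oauth2":
        problems.append(f"{name}: type must be 'oauth2'")
        return problems
    flow = schema.get("flow")
    if flow not in REQUIRED_URLS:
        problems.append(f"{name}: unknown flow {flow!r}")
        return problems
    for field in sorted(REQUIRED_URLS[flow]):
        if not schema.get(field):
            problems.append(f"{name}: flow {flow!r} requires {field}")
    if not isinstance(schema.get("scopes"), dict):
        problems.append(f"{name}: scopes must be an object")
    return problems


def validate_security_definitions(definitions):
    """Validate every entry of a securityDefinitions object."""
    problems = []
    for name, schema in definitions.items():
        problems.extend(validate_oauth2_definition(name, schema))
    return problems


# Constructed sample mirroring the question's three definitions.
USER_SCOPES = {"profile": "Read the user's profile"}
CLIENT_SCOPES = {"sync": "Sync data on behalf of the client app"}
SAMPLE_DEFINITIONS = {
    "oAuth2AuthCode": {"type": "oauth2", "flow": "accessCode",
                       "authorizationUrl": "/api/auth", "tokenUrl": "/api/token",
                       "scopes": USER_SCOPES},
    "oAuth2ClientCredentials": {"type": "oauth2", "flow": "application",
                                "tokenUrl": "/api/token", "scopes": CLIENT_SCOPES},
    "oAuth2Password": {"type": "oauth2", "flow": "password",
                       "tokenUrl": "/api/token", "scopes": USER_SCOPES},
}
```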