Swagger UI should automatically inject Authorization header when JWT is specified.

[cpilson]

Describe the bug

From https://stackoverflow.com/questions/68327095/how-do-i-properly-auth-with-jwt-to-openapi-ui-for-quarkus-smallyre-jwt

The UI doesn’t inject the Authorization header into the cURL command.

Expected behavior

The UI should inject -H “Authorization: <type> <JWT>” into the cURL command.

Actual behavior

CURL happens without a -H ”Authorization…” entry.

How to Reproduce?

1. application.yml:

    …
    smallrye-openapi:
      ...
      jwt-bearer-format: JWT
      jwt-security-scheme-value: Bearer
      security-scheme: jwt

1. Run using the dev profile, head to localhost, pull up the Swagger UI page, put anything into the authentication padlock, click on a secured endpoint, see missing header in CURL and 401 response.

Output of uname -a or ver

No response

Output of java -version

11.0.2 (OpenJDK)

GraalVM version (if different from Java)

No response

Quarkus version or git rev

2.0.1.Final

Build tool (ie. output of mvnw --version or gradlew --version)

Gradle 6.8.3
------------------------------------------------------------

Build time:   2021-02-22 16:13:28 UTC
Revision:     9e26b4a9ebb910eaa1b8da8ff8575e514bc61c78

Kotlin:       1.4.20
Groovy:       2.5.12
Ant:          Apache Ant(TM) version 1.10.9 compiled on September 27 2020
JVM:          11.0.2 (Oracle Corporation 11.0.2+9)
OS:           Windows 10 10.0 amd64

Additional information

No response

[quarkus-bot]

/cc @MikeEdgar, @phillip-kruger, @sberyozkin

[phillip-kruger]

Hi thanks for this. Do you have a reproducer ?

[cpilson]

Hi thanks for this. Do you have a reproducer ?

(I’m running this through my phone right now, apologies.)

Sorry, as in, another person who has run into this?

[phillip-kruger]

As in a small app you can share that show the error.
(that makes it easier to look into the issue)

[cpilson]

As in a small app you can share that show the error.
(that makes it easier to look into the issue)

Ah, cheers. Let me quickly bang something out and I’ll throw it into GitHub as a public repo. 👍🏻

[phillip-kruger]

Thanks !

[cpilson]

Thanks !

See https://github.com/cpilson/quarkus-smallrye-jwt-issue

I've repro'd just now. The JWT resource code is Sebi's, from Devoxx, so that'll look familiar. :D

[phillip-kruger]

Great ! Thanks. Looking at it now.

[phillip-kruger]

Ok, You still need to indicate what method(s) the security should apply on. Example, adding

@SecurityRequirement(name = "SecurityScheme")

to the helloRolesAllowed method would add the token:

curl -X 'GET' \
  'http://localhost:8080/hello/secure-roles' \
  -H 'accept: */*' \
  -H 'Authorization: Bearer asdfasdfasdf'

You can also name the the SecurityScheme (rather than using the default SecurityScheme) by adding this to application.properties:

quarkus.smallrye-openapi.security-scheme-name=Company Authentication

and then you would change the name in the @SecurityRequirement annotation.

If you do not want to use annotations on the methods, you can create a filter that add the SecurityRequirement to all the methods needed. There is no automatic way to do this a.t.m.

Hope this help.

[cpilson]

Ok, You still need to indicate what method(s) the security should apply on. Example, adding

@SecurityRequirement(name = "SecurityScheme")

to the helloRolesAllowed method would add the token:

curl -X 'GET' \
  'http://localhost:8080/hello/secure-roles' \
  -H 'accept: */*' \
  -H 'Authorization: Bearer asdfasdfasdf'

You can also name the the SecurityScheme (rather than using the default SecurityScheme) by adding this to application.properties:

quarkus.smallrye-openapi.security-scheme-name=Company Authentication

and then you would change the name in the @SecurityRequirement annotation.

If you do not want to use annotations on the methods, you can create a filter that add the SecurityRequirement to all the methods needed. There is no automatic way to do this a.t.m.

Hope this help.

User error? Oh man, I am so sorry about that. :( Thank you so much for looking into it.

[phillip-kruger]

No problem. It's not really a user error. I guess we could try and add a property to auto-add all methods that also have RolesAllowed. Let's keep this open and I can look into that. Basically, if there is only one SecurityScheme, and the auto-add config is enabled, then we do it. The only problem is that the filter has no knowledge of the other annotation on a method, but I think the extension should be able to pass it in.