
Migration Issue: Swagger UI Authorization Header missing in Swashbuckle.AspNetCore v10 #3882

@anton-kovachev

Description


What are we trying to achieve?

We have recently migrated our .NET project to Swashbuckle.AspNetCore 10.1.7 from version 6.6.2 as part of a larger .NET 8 to .NET 10 migration. However, I'm experiencing serious authorization problems with the new version of Swagger UI.


Previous Configuration (Pre-Migration)

Before the migration, we had this authentication/authorization setup:

1. OAuth2 Implicit Authorization Scheme

We used an implicit flow to log in and receive the access token.

Authority/Identity Provider Configuration:

using System;
using IdentityServer4.AccessTokenValidation;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.DependencyInjection;

// Registers bearer-token validation against the IdentityServer authority.
// AuthorityConfig is the project's own settings type: BaseUrl is the issuer,
// ApiName the expected audience (API resource name).
public static AuthenticationBuilder AddAuthenticationForClientPortalApi(
    this IServiceCollection services,
    AuthorityConfig authorityConfig,
    Action<IdentityServerAuthenticationOptions> configureOptions = null)
{
    if (services == null)
        throw new ArgumentNullException(nameof(services));

    return services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
        .AddIdentityServerAuthentication(options =>
        {
            options.Authority = authorityConfig.BaseUrl;
            options.ApiName = authorityConfig.ApiName;
            configureOptions?.Invoke(options); // caller's overrides are applied last
        });
}

Swagger Security Definition:
We added the oauth2 security definition to receive an access token by submitting credentials on the identity provider's login page.

// Inputs from the enclosing method (not shown in the post): authFlow, scopes,
// authorityConfig, maskSchemas, and the generic TSwaggerConfig / TAuthFilter types.
// TAuthFilter is presumably the operation filter that attaches the "oauth2"
// security requirement to the protected operations.
return services.AddTransient<IConfigureOptions<SwaggerGenOptions>, TSwaggerConfig>()
    .AddSwaggerGen(options =>
    {
        options.DescribeAllParametersInCamelCase();
        options.OperationFilter<SwaggerDefaultValuesFilter>();

        // The scheme name "oauth2" must match the name the operation filter references.
        options.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
        {
            Type = SecuritySchemeType.OAuth2,
            Flows = authFlow == AuthFlowType.Implicit ?
                new OpenApiOAuthFlows()
                {
                    Implicit = new OpenApiOAuthFlow()
                    {
                        // new Uri(null) throws, so the ?. does not actually guard anything here.
                        AuthorizationUrl = new Uri(authorityConfig?.AuthorizationUrl),
                        Scopes = scopes
                    }
                } :
                new OpenApiOAuthFlows()
                {
                    ClientCredentials = new OpenApiOAuthFlow()
                    {
                        // Note: the client-credentials TokenUrl reuses AuthorizationUrl as posted.
                        TokenUrl = new Uri(authorityConfig?.AuthorizationUrl),
                        Scopes = scopes
                    }
                }
        });

        options.OperationFilter<TAuthFilter>();
        options.EnableAnnotations();

        // Optional: hide CLR type names by using the base64 of SHA-256(FullName), padding stripped.
        if (maskSchemas)
        {
            options.CustomSchemaIds(type =>
                Convert.ToBase64String(Encoding.UTF8.GetBytes(type?.FullName.ToSha256() ?? ""))
                .Trim('='));
        }
    });

2. Swagger UI Login Flow

This configuration allowed for login using Swagger UI's Authorize button and an implicit redirect to the login page of the identity provider.

3. Request Execution

Executing authorized endpoint requests automatically inserted the Authorization header with the Bearer access token.


Post-Migration Issues (.NET 10 / Swashbuckle 10.1.7)

After migrating to the latest Swashbuckle.AspNetCore packages (with only namespace adjustments), the behavior has changed at step 3:

  • Step 1: No changes, works correctly.
  • Step 2: No changes, works correctly.
  • Step 3 (the issue): When I execute an arbitrary API request using the Swagger UI, a cookie is sent to the API but the Authorization header with a Bearer token is missing.

Questions

  • How can I configure Swagger UI in version 10.x.x to send the received Bearer tokens in an Authorization header alongside the cookie when executing API endpoint calls, while maintaining the initial OAuth2 implicit flow login?
  • Where does Swagger UI store its authorization data after the initial login/unlock of the API page in version 10.x.x?

Note: Sorry if this was already answered. I didn't manage to find a solution to the problem that targets version 10.x.x, and the suggestions for previous versions didn't work for me.
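Added as a diagnostic after the issue text (this is not part of the original post, nor Swashbuckle's or the reporter's code): Swagger UI attaches the token for a scheme only to operations whose effective `security` requirement names that scheme, so when the header disappears after a migration the generated swagger.json is the first thing to inspect, before the UI itself. The Python below walks a constructed OpenAPI 3 document shaped like the setup described above (the paths, scope names and IdP URL are invented) and reports the three ways an operation ends up unauthenticated: no requirement at all, an explicit `security: []`, and a requirement naming a scheme that is not declared under `components.securitySchemes`. It also shows the effect of a document-level requirement, which is the shape Swashbuckle's `AddSecurityRequirement` emits.

```python
"""Which operations in a generated OpenAPI document will Swagger UI actually
send an Authorization header for after the user clicks "Authorize"?

Swagger UI applies a scheme's credentials only to operations whose effective
`security` requirement names that scheme. No `security` (and no global one),
`security: []`, or a requirement naming an undeclared scheme all mean: no header.
"""
import json

# Constructed sample modelled on the issue's setup; paths, scopes and the IdP
# URL are invented. This is NOT output from the reporter's project.
SAMPLE_DOC = json.loads(r"""{
  "openapi": "3.0.4",
  "paths": {
    "/api/accounts": {"get": {"operationId": "GetAccounts",
                              "responses": {"200": {"description": "OK"}}}},
    "/api/accounts/{id}": {"put": {"operationId": "UpdateAccount",
                                   "security": [{"oauth2": ["clientportal.write"]}],
                                   "responses": {"204": {"description": "No Content"}}}},
    "/api/accounts/import": {"post": {"operationId": "ImportAccounts",
                                      "security": [{"Bearer": []}],
                                      "responses": {"202": {"description": "Accepted"}}}},
    "/health": {"get": {"operationId": "Health", "security": [],
                        "responses": {"200": {"description": "OK"}}}}
  },
  "components": {"securitySchemes": {"oauth2": {
    "type": "oauth2",
    "flows": {"implicit": {
      "authorizationUrl": "https://idp.example.test/connect/authorize",
      "scopes": {"clientportal.read": "read", "clientportal.write": "write"}}}}}}
}""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def iter_operations(doc):
    """Yield (METHOD, path, operation) for every HTTP operation in the document."""
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS:
                yield method.upper(), path, op


def effective_security(doc, operation):
    """Operation-level `security` replaces the document-level list entirely
    (OpenAPI semantics), so `security: []` is an explicit opt-out rather than
    a fall-through to the global requirement."""
    if "security" in operation:
        return operation["security"]
    return doc.get("security", [])


def operations_missing_scheme(doc, scheme_name):
    """(METHOD, path) pairs whose effective security never names `scheme_name`.
    These are exactly the requests Swagger UI sends without that scheme's header."""
    return sorted(
        (method, path)
        for method, path, op in iter_operations(doc)
        if not any(scheme_name in req for req in effective_security(doc, op))
    )


def undeclared_scheme_refs(doc):
    """Scheme names used in some `security` requirement but absent from
    components.securitySchemes. Swagger UI has nothing to authorize for them,
    so the requirement is silently ineffective (typical after a rename)."""
    declared = set(doc.get("components", {}).get("securitySchemes", {}))
    referenced = set()
    for req in doc.get("security", []):
        referenced.update(req)
    for _, _, op in iter_operations(doc):
        for req in op.get("security", []):
            referenced.update(req)
    return sorted(referenced - declared)


def with_global_security(doc, scheme_name, scopes):
    """Copy of `doc` with a document-level requirement, the shape Swashbuckle's
    AddSecurityRequirement emits. Operations carrying their own `security`
    (including `security: []`) are NOT affected by it."""
    patched = json.loads(json.dumps(doc))
    patched["security"] = [{scheme_name: list(scopes)}]
    return patched


if __name__ == "__main__":
    for method, path in operations_missing_scheme(SAMPLE_DOC, "oauth2"):
        print(f"no oauth2 Authorization header from Swagger UI: {method} {path}")
    print("requirements naming undeclared schemes:", undeclared_scheme_refs(SAMPLE_DOC))
    fixed = with_global_security(SAMPLE_DOC, "oauth2", ["clientportal.read"])
    print("still uncovered with a global requirement:",
          operations_missing_scheme(fixed, "oauth2"))
```

To run it against a real document, replace `SAMPLE_DOC` with `json.load(open("swagger.json"))`. On the second question in the issue: Swagger UI holds authorized tokens in its in-memory state for the lifetime of the page; only when `persistAuthorization` is enabled does it also write them to the browser's localStorage, so a token that survives a reload has been persisted there.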
