Description
Q&A (please complete the following information)
- OS: win
- Browser: chrome
- Version: 94
- Method of installation: Integrated via NSwag
- Swagger-UI version: 3.48.0
- Swagger/OpenAPI version: OpenAPI 3.0
Content & configuration
`initOAuth` called with a list of scopes (introduced in #6037)
Example Swagger/OpenAPI definition:
```json
{
  "password": {
    "type": "oauth2",
    "description": "Username / Password Logon",
    "flows": {
      "password": {
        "tokenUrl": "Token"
      }
    }
  },
  "oauth": {
    "type": "oauth2",
    "description": "oAuth Logon",
    "flows": {
      "implicit": {
        "authorizationUrl": "https://login.domain.com/connect/authorize",
        "tokenUrl": "https://login.domain.com/connect/token",
        "scopes": {
          "openid": "openid",
          "profile": "profile",
          "email": "email",
          "role": "role"
        }
      }
    }
  }
}
```
Describe the bug you're encountering
We have a mixed setup of different ways to authorize with our API: local auth using username + password against a Token endpoint on the API itself, and an oAuth-based login handled via an external OpenID server.
As can be seen, the oauth flow requires a few scopes, while the local implementation does not.
Now, when `initOAuth` is initialized with a list of scopes (in order to pre-select those scopes in the Authorize dialog), these scopes are set into the state.
See this line:
This leads to problems when the security scheme without scopes is used, because the scopes are actually sent along with the request for a scheme that does not define any scopes at all. The UI also does not allow selecting scopes there.
To reproduce...
See description, everything's there
Expected behavior
No scopes are sent for security definitions that do not support scopes. Or, better said, only those scopes that are actually supported are sent.
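The expected behavior described above, as an added example that is not swagger-ui's own code: the `initOAuth` scope list is intersected with the scopes each scheme actually declares, so the scope-less `password` scheme gets none. The `securitySchemes` object is the one from this report; the extra scope `offline_access` in the usage call is a constructed value to show that unsupported scopes are dropped.

```javascript
// Constructed sample: the securitySchemes object from the report.
const securitySchemes = {
  password: {
    type: "oauth2",
    description: "Username / Password Logon",
    flows: { password: { tokenUrl: "Token" } },
  },
  oauth: {
    type: "oauth2",
    description: "oAuth Logon",
    flows: {
      implicit: {
        authorizationUrl: "https://login.domain.com/connect/authorize",
        tokenUrl: "https://login.domain.com/connect/token",
        scopes: { openid: "openid", profile: "profile", email: "email", role: "role" },
      },
    },
  },
};

// Scopes declared by any flow of an OAuth2 scheme. OpenAPI 3 keeps the
// scopes map per flow, so a flow without a "scopes" key contributes nothing.
function supportedScopes(scheme) {
  if (scheme.type !== "oauth2" || !scheme.flows) return new Set();
  const names = Object.values(scheme.flows).flatMap((flow) =>
    Object.keys(flow.scopes || {})
  );
  return new Set(names);
}

// Intersect the initOAuth scope list with each scheme's declared scopes.
// Order of the initOAuth list is preserved; unknown scopes are dropped.
function preselectedScopes(schemes, initOAuthScopes) {
  const result = {};
  for (const [name, scheme] of Object.entries(schemes)) {
    const supported = supportedScopes(scheme);
    result[name] = initOAuthScopes.filter((s) => supported.has(s));
  }
  return result;
}

// "offline_access" is a constructed scope that neither scheme declares.
const selection = preselectedScopes(securitySchemes, ["openid", "profile", "offline_access"]);
// selection.password is [] and selection.oauth is ["openid", "profile"]
```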