Getting AzureAD implicit flow working with Swagger

Published 2019-08-29 09:07

Question:

As an exercise, I have been attempting to create a swagger configuration that can invoke the Azure Management API, and to run this from the online swagger editor.

I have configured it to use implicit authentication, and it almost works, but I just cannot get the Azure Framework to recognize the swagger editor as a valid redirect URL.


Here are all the steps I have taken. Can anyone spot what I'm doing wrong?


Using the Azure AD portal, I create a new Azure AD Application

In the application registration's Reply URLs, I added https://editor.swagger.io/oauth2-redirect.html

I created the following security entries in my Swagger 2.0 document:

securityDefinitions:
  azureTokenAuthentication:
    flow: implicit
    authorizationUrl: https://login.microsoft.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/authorize
    scopes:
      https://management.azure.com: Accessing the Azure API
    type: oauth2
security:
- azureTokenAuthentication:
  - https://management.azure.com

(The redacted GUID is my tenant id).

Now, when I click on the "Authorization" button, swagger opens up a dialog for me:

So I enter the application ID and click authorize. It then sends me to the logon URL with the following parameters:

  • response_type: token
  • client_id: eb482fb2-8229-434e-b5a6-9fc3e0f06968
  • redirect_uri: https://editor.swagger.io/oauth2-redirect.html
  • scope: https://management.azure.com
  • state: <Base64 string>Wed Mar 13 2019 09:16:06 GMT+1000 (Australian Eastern Standard Time)

Note that the redirect uri matches the value I entered in the app registration.

So I enter my username and password, and then the URL gets redirected to the following:

https://login.live.com/err.srf?lc=1033#error=invalid_request&error_description=The+provided+value+for+the+input+parameter+'redirect_uri'+is+not+valid.+The+expected+value+is+a+URI+which+matches+a+redirect+URI+registered+for+this+client+application.&state=rQIIAdNiNtQztFJJTTKxMEpLMtK1MDKy1DUxNknVTTJNNNO1TEs2TjVIMzCzNLMoEuISWF1yo3vvud0Ozb9b9Z66bQ-cxcgZn5NZlqqXnJ-7ilEvo6SkoNhKXz81JbMkv0ivuDwxPT21SC8zXz8_sbQkw0i3CChTlJpcAlSZm7ODkfECI-MLRsZbTPz-jiB5EJFflFmVOos5JswoLNvT1TAjOdOxwrfSsdLXxdXU08XR1D_L1cg_y9HI0zXFL8y5uMLXxbHc0znDKSXCzyA51604Mdyt1NM1LCPZOCgnOdckPdQ4KCMpNygjOTcwPcw9pyQqONt2E7NKSqqpuZGhmZGuabJ5iq6JRVqSrmWSqaGuubmlabKpeaKZqWXyKWYZmI9yE_MS01NzU_NK9BKrSovAHr7BzHiBhfEVC48BsxUHB5cAgwSDAsMPFsZFrMCQmrTR22we8wzHyc1Bd633_2M4xapfku7mkeJk5qxfkpOb7lcUXB5SmOZb7Jef7l-c526UmVUQqV_q5Zzh4uzma2tkZTiBTeYDG2MHO8MuThID9haXiJGBoaWugbGuoZGCkbGVoZmVgXkUAA2

The interesting text I glean from this is:

The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application.

But it DOES match! What am I doing wrong?!?

Answer 1:

First of all, I changed the authorization URL from https://login.microsoft.com/<tenant-id>/oauth2/authorize to https://login.microsoft.com/<tenant-id>/oauth2/v2.0/authorize

I then had to follow these instructions, and directly modify the application manifest to allow implicit flow:

Then I changed the scopes. I could not get management.azure.com running, but I could get https://graph.windows.net by appending /.default to the scope. (https://graph.windows.net/.default).

That got me another step further. Now it redirected to the Authorization URL, and Microsoft authenticated me, generated a token for me, and redirected my browser to https://editor.swagger.io/oauth2-redirect.html

Then I was thwarted, when I realised that editor.swagger.io does not actually handle the path it's redirecting the browser to. (The file oauth2-redirect.html exists on GitHub here: https://github.com/swagger-api/swagger-ui/blob/master/dist/oauth2-redirect.html)

That's when I gave up.



Answer 2:

Reply URL = "your web API's swagger page URL" concatenated with "/oauth2-redirect.html"

Example: https://localhost:44329/swagger/oauth2-redirect.html

Configure that for each environment in your app registration, including your localhost.
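To make the two answers concrete, here is an added Python example (not code from the question or either answer) that checks an implicit-flow authorize request the way the error message in the question describes: the redirect_uri must be an exact match for a registered reply URL, implicit flow must be enabled in the manifest, and on the v2.0 endpoint the scope needs a /.default suffix rather than a bare resource. The registration values are constructed from the page (the question's client_id, answer 2's reply URL, the redacted tenant id); the manifest key oauth2AllowImplicitFlow is the real Azure AD manifest setting answer 1 refers to.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for the parts of an Azure AD app registration that matter here.
APP_REGISTRATION = {
    "appId": "eb482fb2-8229-434e-b5a6-9fc3e0f06968",            # client_id from the question
    "replyUrls": ["https://localhost:44329/swagger/oauth2-redirect.html"],  # answer 2's reply URL
    "oauth2AllowImplicitFlow": True,                            # manifest setting from answer 1
}

TENANT = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"  # redacted tenant id, as on the page

# The request the question shows Swagger sending (v1 endpoint, editor.swagger.io redirect).
QUESTION_URL = ("https://login.microsoft.com/%s/oauth2/authorize?response_type=token"
                "&client_id=eb482fb2-8229-434e-b5a6-9fc3e0f06968"
                "&redirect_uri=https%%3A%%2F%%2Feditor.swagger.io%%2Foauth2-redirect.html"
                "&scope=https%%3A%%2F%%2Fmanagement.azure.com&state=abc" % TENANT)


def check_authorize_request(url, registration):
    """Return the problems an implicit-flow authorize request would hit against
    the registration; an empty list means the request should be accepted."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    problems = []
    if q.get("client_id") != registration["appId"]:
        problems.append("client_id does not match the app registration")
    if q.get("response_type") == "token" and not registration["oauth2AllowImplicitFlow"]:
        problems.append("implicit flow is not enabled (oauth2AllowImplicitFlow is false)")
    # Reply URLs are compared as exact strings: scheme, host, port and path must all
    # agree, so a redirect page hosted on editor.swagger.io never matches the URL
    # registered for your own API's swagger page.
    if q.get("redirect_uri") not in registration["replyUrls"]:
        problems.append("redirect_uri is not a registered reply URL")
    scope = q.get("scope", "")
    if parts.path.endswith("/oauth2/v2.0/authorize") and not urlsplit(scope).path:
        # The v2.0 endpoint expects a scope such as <resource>/.default, not a bare resource.
        problems.append("v2.0 endpoint needs a scope such as %s/.default" % scope)
    return problems


def swagger_security_definition(tenant_id, resource):
    """Swagger 2.0 securityDefinitions entry reflecting answer 1's fixes."""
    return {"azureTokenAuthentication": {
        "type": "oauth2",
        "flow": "implicit",
        "authorizationUrl": "https://login.microsoft.com/%s/oauth2/v2.0/authorize" % tenant_id,
        "scopes": {resource + "/.default": "Access %s on the signed-in user's behalf" % resource},
    }}
```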