JWT Authentication and Swagger with .NET Core 3.0
After some research, I eventually found the answer here
Before seeing this page, I knew that I should use AddSecurityRequirement
after AddSecurityDefinition
because of many samples, but it was a problem that the function parameters have changed on .NET Core 3.0.
By the way, the final answer is as below:
services.AddSwaggerGen(c =>
{
c.SwaggerDoc("v1", new OpenApiInfo {
Title = "My API",
Version = "v1"
});
c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme {
In = ParameterLocation.Header,
Description = "Please insert JWT with Bearer into field",
Name = "Authorization",
Type = SecuritySchemeType.ApiKey
});
c.AddSecurityRequirement(new OpenApiSecurityRequirement {
{
new OpenApiSecurityScheme
{
Reference = new OpenApiReference
{
Type = ReferenceType.SecurityScheme,
Id = "Bearer"
}
},
new string[] { }
}
});
});
If you are using Swagger 3.0 then it has build-in support for JWT authentication.
You need to use ParameterLocation.Header, SecuritySchemeType.Http, bearer, and JWT in OpenApiSecurityScheme as shown below.
After this, you wouldn't need to specify token in Bearer {token} format. Only specify the token and the security scheme will automatically apply it in the header.
// Bearer token authentication
OpenApiSecurityScheme securityDefinition = new OpenApiSecurityScheme()
{
Name = "Bearer",
BearerFormat = "JWT",
Scheme = "bearer",
Description = "Specify the authorization token.",
In = ParameterLocation.Header,
Type = SecuritySchemeType.Http,
};
c.AddSecurityDefinition("jwt_auth", securityDefinition);
// Make sure swagger UI requires a Bearer token specified
OpenApiSecurityScheme securityScheme = new OpenApiSecurityScheme()
{
Reference = new OpenApiReference()
{
Id = "jwt_auth",
Type = ReferenceType.SecurityScheme
}
};
OpenApiSecurityRequirement securityRequirements = new OpenApiSecurityRequirement()
{
{securityScheme, new string[] { }},
};
c.AddSecurityRequirement(securityRequirements);
In the accepted answer, "Bearer " is required to be written before the actual token. A similar approach in which typing "Bearer " can be skipped is the following:
c.SwaggerDoc("v1", new OpenApiInfo { Title = "Example API", Version = "v1" });
c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
{
Type = SecuritySchemeType.Http,
BearerFormat = "JWT",
In = ParameterLocation.Header,
Scheme = "bearer",
Description = "Please insert JWT token into field"
});
c.AddSecurityRequirement(new OpenApiSecurityRequirement
{
{
new OpenApiSecurityScheme
{
Reference = new OpenApiReference
{
Type = ReferenceType.SecurityScheme,
Id = "Bearer"
}
},
new string[] { }
}
});
Here, only pasting the JWT token is required for this to work.
Here's a solution updated for Swashbuckle.AspNetCore 5.3.2, integrated with IdentityServer4, with an API secured using a Bearer token.
In ConfigureServices()
method:
services.AddSwaggerGen(options =>
{
options.SwaggerDoc("v1", new OpenApiInfo { Title = "My API", Version = "v1" });
options.AddSecurityDefinition("Bearer", SecuritySchemes.BearerScheme(Configuration));
options.AddSecurityRequirement(new OpenApiSecurityRequirement()
{
{ SecuritySchemes.OAuthScheme, new List<string>() }
});
});
In Configure()
method:
app.UseSwaggerUI(options =>
{
options.SwaggerEndpoint("/My.Api/swagger/v1/swagger.json", "My API V1");
options.OAuthClientId(Clients.TestClient);
options.OAuthAppName("My Api - Swagger");
options.OAuthClientSecret(Configuration["TestClientSecret"]);
});
internal static class SecuritySchemes
{
public static OpenApiSecurityScheme BearerScheme(IConfiguration config) => new OpenApiSecurityScheme
{
Type = SecuritySchemeType.OAuth2,
Description = "Standard authorisation using the Bearer scheme. Example: \"bearer {token}\"",
In = ParameterLocation.Header,
Name = "Authorization",
Scheme = "Bearer",
OpenIdConnectUrl = new System.Uri($"{config["TokenServerUrl"]}.well-known/openid-configuration"),
BearerFormat = "JWT",
Flows = new OpenApiOAuthFlows
{
Password = new OpenApiOAuthFlow
{
AuthorizationUrl = new System.Uri($"{config["TokenServerUrl"]}connect/authorize"),
Scopes = new Dictionary<string, string>
{
{ Scopes.Api, "My Api" }
},
TokenUrl = new System.Uri($"{config["TokenServerUrl"]}connect/token")
}
}
};
public static OpenApiSecurityScheme OAuthScheme => new OpenApiSecurityScheme
{
Reference = new OpenApiReference
{
Type = ReferenceType.SecurityScheme,
Id = "Bearer"
},
Scheme = "oauth2",
Name = "Bearer",
In = ParameterLocation.Header,
};
}