Implicit Bearer flow for swagger asp..net core 3.1

c# asp.net-core swagger

In your startup.s class:

// prevent from mapping "sub" claim to nameidentifier.
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Remove("sub");

var identityUrl = configuration.GetValue<string>("IdentityUrl");

services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
    options.Authority = identityUrl;
    options.RequireHttpsMetadata = false;
    options.Audience = "demo_api";
});

SwaggerGen

    services.AddSwaggerGen(options =>
    {
      ...
        options.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
       {
            Type = SecuritySchemeType.OAuth2,
            Flows = new OpenApiOAuthFlows
            {
                Implicit = new OpenApiOAuthFlow
                {
                    AuthorizationUrl = new Uri($"{configuration.GetValue<string>("IdentityUrl")}/connect/authorize"),
                    TokenUrl = new Uri($"{configuration.GetValue<string>("IdentityUrl")}/connect/token"),
                    Scopes = new Dictionary<string, string>()
                    {
                        { "api1", "Demo API - full access" }
                    }
                }
            }
        });

Operation filter

options.OperationFilter<AuthorizeCheckOperationFilter>();

The implementation

public class AuthorizeCheckOperationFilter : IOperationFilter
{
    public void Apply(OpenApiOperation operation, OperationFilterContext context)
    {
        var hasAuthorize = context.MethodInfo.DeclaringType.GetCustomAttributes(true).OfType<AuthorizeAttribute>().Any() ||
                           context.MethodInfo.GetCustomAttributes(true).OfType<AuthorizeAttribute>().Any();

        if (!hasAuthorize) return;

        var unauthorizedHashCode = HttpStatusCode.Unauthorized.GetHashCode().ToString();
        var unauthorizedDescription = HttpStatusCode.Unauthorized.ToString();

        var forbiddenHashCode = HttpStatusCode.Forbidden.GetHashCode().ToString();
        var forbiddenDescription = HttpStatusCode.Forbidden.ToString();

        operation.Responses.TryAdd(unauthorizedHashCode, new OpenApiResponse { Description = unauthorizedDescription });
        operation.Responses.TryAdd(forbiddenHashCode, new OpenApiResponse { Description = forbiddenDescription });

        var oAuthScheme = new OpenApiSecurityScheme
        {
            Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "oauth2" }
        };

        operation.Security = new List<OpenApiSecurityRequirement>
        {
            new OpenApiSecurityRequirement
            {
                [ oAuthScheme ] = new [] { "api1" }
            }
        };

    }
}

Use this

// Keep both UseAuthentication and UseAuthorization IN THIS ORDER
app.UseAuthentication();
app.UseAuthorization();

Use Swagger

app.UseSwagger(c =>
        {
            c.RouteTemplate = "swagger/{documentName}/swagger.json";
        });
        app.UseSwaggerUI(s =>
        {
            s.SwaggerEndpoint("/swagger/v1/swagger.json", "Your awesome project name");

            s.OAuthAppName("My API - Swagger");
            s.OAuthClientId("client");

            // Should match the client RedirectUrl in the IdentityServer
            s.OAuth2RedirectUrl("https://localhost:5001/swagger/oauth2-redirect.html");
        });

Your controller

[Authorize]
[ApiController]
[Route("api/[controller]")] // TODO: Take care of the versioning
public class IndentityController : ControllerBase
{
    ...

Now in the IdentityServer Project. The ApiResources:

public static IEnumerable<ApiResource> GetApiResources()
    {
        return new List<ApiResource>
        {
            new ApiResource("api1", "My API")
        };
    }

And finally, your Client should look like this:

new Client
{
    ClientId = "client",
    AllowedGrantTypes = GrantTypes.Implicit,
    RedirectUris = { "https://localhost:5001/swagger/oauth2-redirect.html" },
    AllowedScopes = { "api1" },
    AllowAccessTokensViaBrowser = true,
    RequireConsent = false
}

And for a complete source code, take a look at the eShopOnContainers repo

Good luck :)

Related

Evaluation of $\int\frac{5x^3+3x-1}{(x^3+3x+1)^3}\,dx$
Can we recover a compact smooth manifold from its ring of smooth functions?
Must imaginary roots come in conjugate pairs?
If $\int_{\mathbb R^2} \frac{\vert f(x)-f(y)\vert}{\vert x-y\vert^2}dxdy<+\infty$ then $f$ is a.e. constant
How are norms different from absolute values?
Are there parabolic and elliptical functions analogous to the circular and hyperbolic functions $\sinh$, $\cosh$, and $\tanh$?
$f\colon\mathbb{R}\to\mathbb{R}$ such that $f(x)+f(f(x))=x^2$ for all $x$?
A matrix is diagonalizable, so what?
How to calculate standard deviation with streaming inputs?
Why do we think of a vector as being the same as a differential operator?
Fourier transform of $\left|\frac{\sin x}{x}\right|$
What is the Atiyah-Singer index theorem about?