How to direct to AspNet.Security.OAuth.Providers login pages within Swagger UI

c# asp.net asp.net-mvc swagger swagger-ui

I currently have a controller that redirects the user to a login page. If possible, I was wondering if this redirection could happen if you were to use the swagger UI to run the controller instead. The code for the controller is bellow, which uses the community AspNet.Security.OAuth.Providers plugin, specifically the Discord provider. Hopes are this would speed up development time, as we would be able to access everything from within the Swagger UI, without having to go manually type in the address.

Adding the authentication in Program.cs

        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie("Cookies", options =>
            {
                options.LoginPath = "/api/v1/login";
                options.LogoutPath = "/api/v1/logout";
                options.ExpireTimeSpan = new TimeSpan(7, 0, 0, 0);
                options.Cookie.MaxAge = new TimeSpan(7, 0, 0, 0);
                options.Cookie.Name = "access_token";
                options.Cookie.HttpOnly = false;
                options.Events.OnRedirectToLogin = context =>
                {
                    context.Response.Headers["Location"] = context.RedirectUri;
                    context.Response.StatusCode = 401;
                    return Task.CompletedTask;
                };
            })
            .AddDiscord(options =>
            {
                options.ClientId = settings.ClientId.ToString();
                options.ClientSecret = settings.ClientSecret;
                options.Scope.Add("guilds");
                options.Scope.Add("identify");
                options.SaveTokens = true;
                options.Prompt = "none";
                options.AccessDeniedPath = "/oauthfailed";
                options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.CorrelationCookie.SameSite = SameSiteMode.Lax;
                options.CorrelationCookie.HttpOnly = false;
            });

How we set up Swagger

builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();

var app = builder.Build();

if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI(options =>
    {
        options.SwaggerEndpoint("/swagger/v1/swagger.json", "v1");
        options.RoutePrefix = string.Empty;
    });
}

Our GET query for our AuthenticationController.cs

    [HttpGet("login")]
    public IActionResult Login([FromQuery] string ReturnUrl)
    {
        if (string.IsNullOrEmpty(ReturnUrl))
            ReturnUrl = "/guilds";

        var properties = new AuthenticationProperties()
        {
            RedirectUri = ReturnUrl,
            Items =
            {
                { "LoginProvider", "Discord" },
                { "scheme", "Discord" }
            },
            AllowRefresh = true,
        };

        return Challenge(properties, "Discord");
    }

Our current response in Swagger:

Swagger Failing (Maybe CORS?)

Instead of directing you to the discord.com website, like the controller would usually do.

If this isn't possible, or isn't part of what Swagger supports, that's fine! It'd just be mainly a time-saver for us.

Any feedback would be greatly appreciated.


Solution 1:

Ok, here's what I do with my api sites. First off allow users to login manually and authenticate them any way you like (as you do). Setup cookie auth and add cookie auth to your api controllers (like you do).

So what's left is to prevent unauthorized access to your swagger pages - since swagger doesn't know/care about your cookie auth.

All that's needed is a little middleware to check the request path and verify if the user has been authenticated. This code will check the request path for /swagger then check if the user has been authenticated. If not, a 401 is returned.

using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;


namespace Middleware.Classes
{
    public static class SwaggerAuthorizeExtensions
    {
        public static IApplicationBuilder UseSwaggerAuthorized(this IApplicationBuilder builder)
        {
            return builder.UseMiddleware<SwaggerAuthorizedMiddleware>();
        }
    }
    public class SwaggerAuthorizedMiddleware
    {
        private readonly RequestDelegate _next;

        public SwaggerAuthorizedMiddleware(RequestDelegate next)
        {
            _next = next;
        }

        public async Task Invoke(HttpContext context)
        {
            if (context.Request.Path.StartsWithSegments("/swagger")
                && !context.User.Identity.IsAuthenticated)
            {
                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
                return;
            }

            await _next.Invoke(context);
        }
    }
}

Now in your startup code call the IApplicationBuilder.UseSwaggerAuthorized() extension funct to enable the middleware. Then bask in the love and affection of your users.

app.UseSwaggerAuthorized();

Related

How to merge output from unwind mongodb?
Recurrence formula for division of a sphere by n great circles
Division in $1$ variable
Given a helix, consider the curve of it's tangent. Express the curvature and torsion of such a curve.
Derivating in respect of a function that's a derivative of another function
Proving $S_n$ is generated by the set $\{(1\text{ }2),(2\text{ }3),\cdots,(n-1\text{ }n)\}$ of $n-1$ transpositions.
Colored Blocks Factorial
Second order Taylor expansion of Frobenius norm
Problem to convert to pinescript V4 or V5
Making something a control parameter or a variable when analysing a dynamical system
a representation condition of Hilbert space
Does "the alphabet of the language of propositional logic" have no function symbols, relation symbols, and constants?