Auth M2M /Swagger M2M auth

nameer.learning · May 1, 2021, 9:10pm

Hey, I know this issue is well knowing to the community! But I hope someone found a solution
I am having an issue authenticating using client_credentials flow and SwaggerUI. For some reason, swagger securitySchemes won’t allow me to add the audience and grant_type as parameters, and without them, I can not really get an access token form Auth0. However, if I use Global Client credentials (without adding audience + grant_types) then I get an opaque access token but not JWT access token. Any request with opague token will result with the following error!
jose.exceptions.JWTError: Error decoding token headers

my securitySchemas

 securitySchemes:
    oAuth: 
      type: oauth2
      flows:
        clientCredentials:
          tokenUrl: https://auth-server.com/oauth/token

For more info about opaque tokens see here

stephanie.chamblee · May 4, 2021, 12:38pm

Hi @nameer.learning,

Unfortunately, the audience must be passed in the body of the token request, which looks to be a challenge with Swagger UI.

I have not tested this solution, but I did find a comment on a related issue from a couple weeks ago that might be able to help you specify the audience in the request body using an intercepter:

github.com/swagger-api/swagger-ui

swagger UI for Spring Boot API : How to add “audience” in request body for authorising “client credentials” flow

opened 03:13PM - 23 Apr 19 UTC

ShradhaFielddata

I have generated swagger UI documentation from my spring boot API, the API is se…cured using oauth2 client credentials grant from auth0. The problem is that: In the swagger configuration, I am unable to set the "audience" request body parameter while authorisation. Thus, swagger ui is not authenticating the API. I am following this documentation: https://www.baeldung.com/swagger-2-documentation-for-spring-rest-api pom.xml: <dependency> <groupId>io.springfox</groupId> <artifactId>springfox-swagger-ui</artifactId> <version>2.9.2</version> </dependency> <dependency> <groupId>io.springfox</groupId> <artifactId>springfox-swagger2</artifactId> <version>2.9.2</version> </dependency> SwaggerConfig.Java: @Configuration @EnableSwagger2 public class SwaggerConfig { String token_endpoint = "xxxx"; @Bean public Docket api() { return new Docket(DocumentationType.SWAGGER_2) .select() .apis(RequestHandlerSelectors.basePackage("xxxx.controller")) .paths(PathSelectors.any()) .build() .apiInfo(apiInfo()) .useDefaultResponseMessages(false) .securitySchemes(Arrays.asList(securityScheme())) .securityContexts(Arrays.asList(securityContext())); } private ApiInfo apiInfo() { return new ApiInfo( "xxxx API", "Some description of API.", "xxxx", "Terms of service", new Contact("xx", "xxxx", "xxxx"), "License of API", "xxxx", Collections.emptyList()); } public void addResourceHandlers(ResourceHandlerRegistry registry) { registry.addResourceHandler("swagger-ui.html") .addResourceLocations("classpath:/META-INF/resources/"); registry.addResourceHandler("/webjars/**") .addResourceLocations("classpath:/META-INF/resources/webjars/"); } @Bean public SecurityConfiguration security() { return SecurityConfigurationBuilder.builder() .appName("xxxx") .clientId("") .clientSecret("") .build(); } private SecurityScheme securityScheme() { GrantType grantType = new ClientCredentialsGrant(token_endpoint); SecurityScheme oauth = new OAuthBuilder().name("spring_oauth") .grantTypes(Arrays.asList(grantType)) .build(); return oauth; } private SecurityContext securityContext() { return SecurityContext.builder() .forPaths(PathSelectors.any()) .build(); } } The response is as 403 Forbidden and this is because, I am not able to provide "audience" in the request body during authorization: "error_description": "Non-global clients are not allowed access to APIv1" ![Screenshot 2019-04-23 at 16 19 30__01__01](https://user-images.githubusercontent.com/48764906/56592551-33114300-65eb-11e9-94dc-1f92e5025156.png)