Support OAuth2 redirect URI as a first-class feature

[michaeljfazio]

When authorizing an application using OAuth2 and authorization code flow , the authorization server must redirect the user back to the application via a redirect_uri. The redirect URI is defined as optional in the RFC 6749 spec but is actually fundamental to specific flows. Attempting to authorize an application using authorization code flow without a redirect uri will simply not work with most (possibly all?) authorization servers (e.g. keycloak). Hence, for the authorization code flow, it is basically a requirement that a redirect uri also be supplied. My proposal is that redirect uri be added as an optional parameter to the oauth2 security definition so as to satisfy the ability to authorize applications as a first class concept.

This request was born out of the following discussion relating to swagger-editor / swagger-ui swagger-api/swagger-editor#1410 (comment)

[darrelmiller]

As I understand it, the redirect URL is specific to a client application that has registered to have access to the API. This is a property of the client application that the Authorization server must store for each client application. I do not believe this is a value that is related to the description of the API.

[michaeljfazio]

Thanks @darrelmiller. I can see how the client specified parameters don't belong in a specification for the API. Happy to close out accordingly.

[danova123]

@michaeljfazio So, how to pass the Redirect URL to achieve Authorization Code Flow within swagger

[jdbealor]

Yes, how is the Redirect URL used? When I set up an OAuth2 security description with my Authorize and Token URLs, etc and attempt to Authorize the API calls I get a response indicating the following:

error=redirect_uri_mismatch&error_description=redirect_uri%20must%20match%20configuration

[darrelmiller]

@jdbealor When you attempt to Authorize your API using what client tooling? This repo is just for the OpenAPI specification. It is up to the client tooling to actually implement the OAuth flow.

[jdbealor]

Salesforce

[jdbealor]

Sorry, but I'm new to this...
From the followind definition I get to the Swagger UI "Authorize" dialog and enter my client id and secret and then the API Key. When I click the Authorize for the first part I get the redirect uri error.

securityDefinitions:
test_auth:
type: oauth2
flow: accessCode
authorizationUrl: https://test.salesforce.com/services/oauth2/authorize
tokenUrl: https://test.salesforce.com/services/oauth2/token
scopes:
write:test: "write test"
read:test: "read test"
api_key:
type: apiKey
name: api_key
in: header

[binhosemcrause]

@jdbealor I have the same problem!

[jamesbriggs]

I understand the argument that redirect_uri is an application-side item, but since the Swagger UI editor creates an instant application client based on the api spec file, it needs redirect_uri to make the Oauth2 security definition work. So for practical reasons, client_id and redirect_uri should be added alongside authorizationUrl.

[denious]

Agreeing with James above, running into this problem right now with SwaggerHub and Azure B2C implicit auth flow; impossible to authenticate to test the API within SwaggerHub without redirectUrl.

Although it might be up to the tooling to implement the full flow, the ability to specify the redirectUrl should be part of the specs so that the tooling can work with it.

[Nilster]

Following worked for me
authorizationUrl: "https://test.salesforce.com/services/oauth2/authorize?redirect_uri=http://localhost:8082/auth"