Get OAuth token by providing client credentials

[shwetashukla]

Hi
I am facing an issue configuring oAuth for my contract . I have client_id , client_secret and token url to obtain the OAuth token , This oAuth token along with an api key is used to hit the API . I configured it like

  OAuth2:
    type: oauth2
    flow: application
    tokenUrl: https://testOrg/testAAD/oauth2/token
    scopes:
      read: Grants read access

When I click "Authorize" button client_id and client_secret is visible and input it , I am not able to understand that the token obtained would be appended to header of the API request.

I am using swagger 2.0

Thanks
Shweta

[ShradhaFielddata]

Hi @shwetashukla I am trying to get the access token using the "authorize" button. But I could not find the correct configuration required for "client credential" grant.
Could you please share how to modify the SwaggerConfig to achieve this?

[orubel]

The token is sent with EVERY request (once issued):
curl -v -H "Content-Type: application/json" -H "Authorization: Bearer c4ir4adtd4eumea842mn5524quqgvhpp" --request GET "http://localhost:8080/v1.6.58/person/list"

What you would need to associate with the endpoint in the doc is the ROLE so that your application (ie server, gateway, etc) understood the request data to expect and what response data to check for given that ROLE from your token (see Role Based Access Control - https://docs.oracle.com/cd/E65459_01/admin.1112/e65449/content/general_rbac.html )

Unfortunately, OpenAPI has refused to support this and as such remains out of compliance with the OWASP API SECURITY TOP 10 : https://flic.kr/p/2keNR8v

[handrews]

This sounds like a tooling-related question, which should be raised with the tooling vendor. If this is still a concern after all these years and it is not tooling-related, please comment and we can re-open.