Swagger UI: X-XSRF-TOKEN is sent to OAuth2 token url #1036

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
daniel-shuy opened this issue Jan 26, 2021 · 9 comments

Comments

@daniel-shuy

Describe the bug
When configuring OpenAPI with OAuth2 security scheme and springdoc-openapi-ui with springdoc.csrf.enabled=true, Swagger UI will include X-XSRF-TOKEN in the request to the OAuth2 token url.

Certain OAuth2 providers (in my case, Keycloak) with CORS protection may cause the browser to block the request due to the presence of X-XSRF-TOKEN, since it is not typically in the Access-Control-Allow-Headers list.

To Reproduce
Steps to reproduce the behavior:

  • What version of spring-boot you are using? 2.4.1
  • What modules and versions of springdoc-openapi are you using? springdoc-openapi-ui:1.5.1
  • Provide with a sample code (HelloController) or Test that reproduces the problem:
import io.swagger.v3.oas.models.Components;
import io.swagger.v3.oas.models.OpenAPI;
import io.swagger.v3.oas.models.security.OAuthFlow;
import io.swagger.v3.oas.models.security.OAuthFlows;
import io.swagger.v3.oas.models.security.SecurityRequirement;
import io.swagger.v3.oas.models.security.SecurityScheme;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class OpenApiConfig {
    @Bean
    public OpenAPI openApi() {
        return new OpenAPI()
            .addSecurityItem(new SecurityRequirement().addList("keycloak"))
            .components(new Components()
                .addSecuritySchemes("keycloak", new SecurityScheme()
                    .type(SecurityScheme.Type.OAUTH2)
                    // authorization-code flow: the browser is sent to authorizationUrl,
                    // then Swagger UI POSTs the code to tokenUrl to obtain the access token
                    .flows(new OAuthFlows().authorizationCode(new OAuthFlow()
                        .authorizationUrl("http://<keycloakUrl>/auth/realms/<realm>/protocol/openid-connect/auth")
                        .tokenUrl("http://<keycloakUrl>/auth/realms/<realm>/protocol/openid-connect/token")))));
    }
}
springdoc:
  swagger-ui:
    csrf:
      enabled: true

Expected behavior
Swagger UI should not include X-XSRF-TOKEN for OAuth2 token url requests.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.

@bnasslahsen
Collaborator

@daniel-shuy,

X-XSRF-TOKEN is the default value for many providers.
You can adapt the cookie-name and header-name, as described in the swagger-ui-properties section.

@daniel-shuy
Author

@bnasslahsen what I meant is that the X-XSRF-TOKEN should still be sent in requests to the endpoint urls, but excluded from the requests to the OAuth2 token url.

The CSRF support is meant for the application, not for the OAuth2 provider. My endpoints (using Spring Security) still expect X-XSRF-TOKEN, but Keycloak does not expect any CSRF token (there are no CSRF headers in Keycloak's Access-Control-Allow-Headers, so renaming the header name does not solve this issue).

@bnasslahsen
Collaborator

If Keycloak doesn't respect any CSRF token, why do you add springdoc.swagger-ui.csrf.enabled?

@daniel-shuy
Author

daniel-shuy commented Jan 26, 2021

Because my application endpoints need the CSRF token. Keycloak is only used to authenticate/authorize.

@bnasslahsen
Collaborator

Who generates the CSRF token?

@daniel-shuy
Author

daniel-shuy commented Jan 26, 2021

> Who generates the CSRF token?

The application. I don't think there is much value for an OAuth2 provider to have CSRF protection (but may have to test if Spring Security OAuth2 Server in a project with CSRF protection enabled expects a CSRF token in the OAuth2 token url).

@bnasslahsen
Collaborator

This doesn't seem to be an issue in springdoc-openapi. You can check springdoc-openapi to dig further.
Please check your application's architecture/configuration.

If you really feel you are facing an issue, make sure to analyse root cause.

@daniel-shuy
Author

I have already done an in-depth analysis of this, please try to understand the issue:

My application is a typical Spring MVC application, with Spring Security (which has CSRF protection enabled by default). This requires springdoc.swagger-ui.csrf.enabled to be true to use springdoc-openapi-ui.

With springdoc.swagger-ui.csrf.enabled set to true, all requests from Swagger UI include the CSRF token header, which is fine.

However, to test protected endpoints with Swagger UI, we need to authorize. This is configured using the OAuth2 Security Scheme as mentioned above, which displays an Authorize button at the top right of the Swagger UI page:
[screenshot: Swagger UI page with the Authorize button]

Clicking on the Authorize button displays the popup below:
[screenshot: Swagger UI Authorize popup]
Clicking on the Authorize button in the popup opens the OAuth2 authorization url in another tab, and after a successful login, Swagger UI calls the OAuth2 token url to get the access token from the OAuth2 provider (in this case Keycloak).

If you need further evidence to back up my explanation, the Console error shows that the request originates from swagger-ui/index.html?configUrl=/api/v3/api-docs/swagger-config, aka Swagger UI. The authorization flow does not go through the application whatsoever, it is solely between Swagger UI and Keycloak, and has nothing to do with my application configuration (besides the springdoc-openapi configuration):
[screenshot: browser console showing the blocked request to the token url]
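The mechanism behind the report, as an added example that is not code from this issue, from springdoc, or from Swagger UI: the first function models the browser's CORS preflight decision (a request header that is not CORS-safelisted and not listed in the provider's Access-Control-Allow-Headers makes the browser block the request), and the second builds a Swagger UI `requestInterceptor` (a real Swagger UI option; wiring it into springdoc's bundled UI is assumed to need a custom initializer page) that attaches the CSRF header only to same-origin requests, so the application's endpoints still receive it while a third-party token url never does. All origins, URLs, the provider's allow-list and the cookie value are constructed sample data.

```javascript
// Added example (not from the issue, springdoc or Swagger UI). Models the
// preflight that blocks the token request and an origin-aware Swagger UI
// requestInterceptor. Every origin, URL and value below is constructed.

// A request header is CORS-safelisted (needs no preflight approval) only for
// Accept, Accept-Language, Content-Language, and Content-Type with one of three
// form/text media types. Anything else must appear in the server's
// Access-Control-Allow-Headers, otherwise the browser blocks the request.
function isSafelistedHeader(name, value) {
  const n = name.toLowerCase();
  if (n === "content-type") {
    const mime = String(value).split(";")[0].trim().toLowerCase();
    return ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"].includes(mime);
  }
  return ["accept", "accept-language", "content-language"].includes(n);
}

// Browser-side preflight decision for a cross-origin request: reports which
// request headers the server's Access-Control-Allow-Headers does not cover.
function preflightAllows(requestHeaders, allowHeadersValue) {
  const allowed = new Set(
    allowHeadersValue.split(",").map((h) => h.trim().toLowerCase()).filter(Boolean)
  );
  const blocked = Object.entries(requestHeaders || {})
    .filter(([name, value]) => !isSafelistedHeader(name, value))
    .map(([name]) => name.toLowerCase())
    .filter((name) => !allowed.has(name));
  return { ok: blocked.length === 0, blocked };
}

// Swagger UI runs every outgoing request through `requestInterceptor` and
// sends whatever it returns. This one removes any existing copy of the CSRF
// header and re-adds it only when the target origin is the application itself.
function makeXsrfInterceptor({ appOrigin, headerName, cookieName, readCookie }) {
  return function requestInterceptor(req) {
    const target = new URL(req.url, appOrigin); // relative URLs resolve to the app
    const headers = {};
    for (const [k, v] of Object.entries(req.headers || {})) {
      if (k.toLowerCase() !== headerName.toLowerCase()) headers[k] = v;
    }
    if (target.origin === appOrigin) {
      const token = readCookie(cookieName);
      if (token) headers[headerName] = token;
    }
    return { ...req, headers };
  };
}

// Constructed scenario mirroring the report: the application on one origin, a
// Keycloak-style provider on another whose CORS policy lists no CSRF header.
const SAMPLE = {
  appOrigin: "https://app.example.test",
  tokenUrl: "https://idp.example.test/auth/realms/demo/protocol/openid-connect/token",
  providerAllowHeaders: "Authorization, Content-Type", // constructed policy
  cookies: { "XSRF-TOKEN": "constructed-xsrf-token" },
};

function runScenario() {
  const csrfHeaders = {
    "Content-Type": "application/x-www-form-urlencoded",
    "X-XSRF-TOKEN": SAMPLE.cookies["XSRF-TOKEN"],
  };
  // 1. Behaviour reported in the issue: the CSRF header rides on the token request.
  const withoutInterceptor = preflightAllows(csrfHeaders, SAMPLE.providerAllowHeaders);

  // 2. The same request routed through the origin-aware interceptor.
  const interceptor = makeXsrfInterceptor({
    appOrigin: SAMPLE.appOrigin,
    headerName: "X-XSRF-TOKEN",
    cookieName: "XSRF-TOKEN",
    readCookie: (name) => SAMPLE.cookies[name],
  });
  const tokenReq = interceptor({ url: SAMPLE.tokenUrl, method: "POST", headers: csrfHeaders });
  const withInterceptor = preflightAllows(tokenReq.headers, SAMPLE.providerAllowHeaders);

  // 3. A same-origin application call still carries the token.
  const appReq = interceptor({ url: "/api/orders", method: "POST", headers: { "Content-Type": "application/json" } });

  return {
    blockedBeforeFix: withoutInterceptor.blocked,            // ["x-xsrf-token"]
    tokenRequestAllowedAfterFix: withInterceptor.ok,         // true
    tokenRequestHasXsrf: "X-XSRF-TOKEN" in tokenReq.headers, // false
    appRequestXsrf: appReq.headers["X-XSRF-TOKEN"],          // "constructed-xsrf-token"
  };
}

console.log(runScenario());
```

The check is made on the request's origin rather than on the header name, which is why renaming the header (as suggested earlier in the thread) does not help: the provider's allow-list would still not contain it. Scoping the token to the application origin also avoids leaking an application CSRF token to a third party at all.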

@bnasslahsen
Collaborator

@daniel-shuy,

As you said, it might be between Swagger UI and Keycloak projects.
That said, I encourage you to look at the Keycloak documentation, where you might find the configuration to allow the CSRF headers, which seems to be your issue.

I am locking this conversation, as we do not provide support for third-party product configuration...

@springdoc springdoc locked as too heated and limited conversation to collaborators Jan 26, 2021