42Crunch/vscode-openapi

Relative URL not resolved correctly for openIdConnectUrl

saamc opened this issue · 1 comments

saamc commented

Description

Relative URL for openIdConnectUrl is resolved against the webview, not against the server.

Environment

Extension
Version: v4.18.2

VS Code
Version: 1.79.2
Commit: 695af097c7bd098fbf017ce3ac85e09bbc5dda06
Date: 2023-06-14T08:59:55.818Z
Electron: 22.5.7
Chromium: 108.0.5359.215
Node.js: 16.17.1
V8: 10.8.168.25-electron.0
OS: Linux x64 5.15.0-73-generic snap

Expected behaviour

Preview authorization discovery queries the given URL on the given server and presents the discovered authorization flows.

Actual behaviour

Authorize button opens modal dialog, but no authorization options are shown.

Suspected error

The Developer Tools console shows the following error:

main.js:formatted:34041 Refused to connect to 'vscode-webview://1tgqcfmoi217r87r2p5o6ljpmijn5pq81asctfq0f2d4ushsg7pu/auth/realms/myrealm/.well-known/openid-configuration#/' because it violates the document's Content Security Policy.

Obviously, the relative URL given in openIdConnectUrl is resolved against the preview window and not against the server from the servers specification.
Supplying the full absolute URL works.

Unless specified otherwise, all properties that are URLs MAY be relative references as defined by RFC3986. Relative references are resolved using the URLs defined in the Server Object as a Base URI.

Minimal Example

openapi: '3.0.3'
info:
  title: Test
  version: 0.1alpha

servers:
- url: https://my.server.test

components:
  securitySchemes:
    openId:
      type: openIdConnect
      # according to spec, relative URLs are relative to server
      openIdConnectUrl: /auth/realms/myrealm/.well-known/openid-configuration#/

Steps to reproduce

  • create file for minimal example
  • open preview
  • Toggle Developer Tools
  • inspect console error log

ak1394 commented

Hi @saamc! For the Swagger UI Preview we rely on https://github.com/swagger-api/swagger-ui which seems to support relative URLs in openIdConnectUrl per https://swagger.io/docs/specification/authentication/openid-connect-discovery/

I'll see if upgrading to the latest version of SwaggerUI would fix your issue, and will update the ticket with more info.
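
The resolution rule quoted in the issue, as an added example that is not part of the thread and is not code from the extension or Swagger UI. The helper names are hypothetical, the spec object is constructed from the minimal example, and server URL templating (`{variables}`) is assumed to be absent.

```javascript
// Constructed input mirroring the issue's minimal example.
const spec = {
  servers: [{ url: "https://my.server.test" }],
  components: {
    securitySchemes: {
      openId: {
        type: "openIdConnect",
        openIdConnectUrl: "/auth/realms/myrealm/.well-known/openid-configuration#/",
      },
    },
  },
};

// Base URL of the preview document, taken from the console error in the issue.
const WEBVIEW_BASE =
  "vscode-webview://1tgqcfmoi217r87r2p5o6ljpmijn5pq81asctfq0f2d4ushsg7pu/";

// Behaviour reported in the issue: the reference is resolved against the page.
function resolveAgainstDocument(spec, schemeName, documentBase) {
  const ref = spec.components.securitySchemes[schemeName].openIdConnectUrl;
  return new URL(ref, documentBase).href;
}

// Hypothetical helper: resolve against the Server Object URL as base URI.
function resolveAgainstServer(spec, schemeName, documentBase) {
  const scheme = spec.components?.securitySchemes?.[schemeName];
  if (!scheme || scheme.type !== "openIdConnect") {
    throw new Error(`${schemeName} is not an openIdConnect scheme`);
  }
  // OpenAPI defaults to a single server with url "/" when none is listed.
  const serverUrl = spec.servers?.[0]?.url ?? "/";
  // A server URL may itself be relative to where the document is served.
  const base = new URL(serverUrl, documentBase);
  const resolved = new URL(scheme.openIdConnectUrl, base);
  resolved.hash = ""; // fragments are never sent in the HTTP request
  // A non-HTTP(S) result means the wrong base was used (e.g. the webview).
  if (resolved.protocol !== "https:" && resolved.protocol !== "http:") {
    throw new Error(`discovery URL resolved to ${resolved.protocol} origin`);
  }
  return resolved.href;
}
```

With the issue's spec, `resolveAgainstDocument` reproduces the `vscode-webview://` URL that the Content Security Policy refused, while `resolveAgainstServer` returns the discovery URL on `https://my.server.test`.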