auth0/express-openid-connect

Question: How to set up swagger to work with express-openid-connect?

Closed this issue · 7 comments

Hello! I'm looking for guidance on how to configure SwaggerUI's authentication so it works with express-openid-connect. Does someone happen to have an example? :)

Hi @spuxx1701 - thanks for raising this

If you can share how you are serving your SwaggerUI from an express app, I can probably tell you how to require authentication on those routes if that helps?

Hello @adamjmcgrath! Thanks for the quick response. I'm using Nest.js, so my swagger setup looks like this:

```typescript
import { DocumentBuilder } from '@nestjs/swagger';

// The second argument of addCookieAuth() is an OpenAPI security scheme object.
const swaggerConfig = new DocumentBuilder()
  .setTitle('foo')
  .addCookieAuth('cookie-name', {
    type: 'openIdConnect',
    openIdConnectUrl: 'my-idp.com/.well-known/openid-configuration',
    in: 'cookie',
  })
  .build();
```

I'm assuming that addCookieAuth() is the proper thing to call considering for express-openid-connect, but I'm not sure what to add. Nest's docs on that are rather short:
https://docs.nestjs.com/openapi/security#cookie-authentication
If you could provide an example for OpenAPI yaml setup, I might be able to translate that to @nestjs/swagger myself.

I've found out how to make Swagger use the "standard" OIDC workflow itself, but when doing that, you have to expose the client ID and client secret. I wonder if it's possible to tell swagger to "just" use the authentication routes exposed by express-openid-connect instead of implementing its own authentication. 🤔

Hi @spuxx1701 - this SDK is for Express applications, so I can't really help you with a Nest.js app.

If addCookieAuth requires an openIdConnectUrl - then it looks like it already supports login with OpenID Connect, so you wouldn't need another SDK to do this anyway

> I've found out how to make Swagger use the "standard" OIDC workflow itself, but when doing that, you have to expose the client ID and client secret.

If swagger supports form post implicit, you shouldn't need the client secret

I don't think Nestjs is severely different from Vanilla Express in this case, I guess it's more about how to configure Swagger properly to play nicely with express-openid-connect. Also, see my edit - I've managed to make Swagger implement its own OIDC workflow, but I was wondering whether it was possible to make it use the workflow that was implemented via express-openid-connect. I mean, in the end, Swagger doesn't need to implement its own Auth, and instead just call the endpoints the API exposes to begin with. 🤔

This SDK works the same as any express middleware, you just apply it before the route handler that returns the swagger ui and it will require authentication on that route. For an Express application, that would be:

```javascript
const { auth, requiresAuth } = require('express-openid-connect');

// authRequired: false leaves routes public by default; a real app also passes
// issuerBaseURL, baseURL, clientID and secret here.
app.use(auth({ authRequired: false }));

// requiresAuth() runs before the handler, so this route needs a login.
app.get('/api-docs', requiresAuth(), (req, res) => { /* render swagger ui */ });
```

I don't know what the same would be for a Nest application because I'm not familiar with Nest.

Closing due to inactivity