codemation/easyauth

Authorize openAPI widget vs easyauth login page

shazz opened this issue · 5 comments

shazz commented
  1. when using the easyauth login page, the user is well authenticated and calling the APIs directly works as expected, but from the openapi docs the login status is not in sync

  2. when using the /docs openapi authorize widget, the user "seems" to be well authenticated but all the API calls fail

@shazz - I think I found what caused this behavior.

If you accessed the GUI first, when you login, the tokens are converted into a browser cookie. If the token in the cookie expires, EasyAuth would typically redirect the user & invalidate the cookie, prompting a login.

Problem

From the /docs there are no redirects & cookie invalidation is not able to occur.

Workaround

  • Browse to any GUI endpoints or /logout & the current browser cookie would be invalidated.
  • Clear Browser Cookie Ctrl + Shift + I -> cookies -> expand + right-click and clear.

Solution

  • Need to invalidate cookies if used & the token is unknown / revoked, returning a response with a clear-cookie header.

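
The response described in that last bullet, as an added example that is not EasyAuth's own code: when the cookie carries a token that is unknown, revoked or expired, the handler answers with a Set-Cookie header that clears it, so the stale cookie is dropped whether the caller is a GUI page (which gets the redirect to login) or an API client such as the /docs widget (which gets a 401 and no redirect). The cookie name `token`, the `/login` path, the token-store layout and the sample tokens are assumptions made for the example.

```python
"""Clear a stale auth cookie for both browser pages and API clients.

Added example, not EasyAuth's code. Cookie name, login path and the token
store layout below are assumptions; the tokens are constructed sample data.
"""
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

COOKIE_NAME = "token"      # assumed cookie name
LOGIN_PATH = "/login"      # assumed GUI login route
FIXED_NOW = 1_700_000_000  # fixed "current time" so the example is deterministic

# Constructed sample token store: token -> {"exp": unix seconds, "revoked": bool}
SAMPLE_TOKENS: Dict[str, dict] = {
    "good-token": {"exp": FIXED_NOW + 3600, "revoked": False},
    "old-token": {"exp": FIXED_NOW - 1, "revoked": False},
    "gone-token": {"exp": FIXED_NOW + 3600, "revoked": True},
}


def token_from_cookie(cookie_header: str) -> Optional[str]:
    """Extract the session token from a raw Cookie request header."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel is not None else None


def token_status(token: str, store: Dict[str, dict], now: int) -> str:
    """Classify a token as valid, unknown, revoked or expired."""
    record = store.get(token)
    if record is None:
        return "unknown"
    if record["revoked"]:
        return "revoked"
    if record["exp"] <= now:
        return "expired"
    return "valid"


def clear_cookie_header() -> str:
    """Set-Cookie value that makes the browser discard the auth cookie at once."""
    return f"{COOKIE_NAME}=; Max-Age=0; Path=/; HttpOnly; SameSite=Lax"


def handle_request(request_headers: Dict[str, str],
                   store: Dict[str, dict] = SAMPLE_TOKENS,
                   now: int = FIXED_NOW) -> Tuple[int, Dict[str, str]]:
    """Return (status_code, response_headers) for a cookie-authenticated request."""
    token = token_from_cookie(request_headers.get("Cookie", ""))
    status = token_status(token, store, now) if token else "missing"
    if status == "valid":
        return 200, {}
    response: Dict[str, str] = {}
    if status != "missing":
        # The cookie exists but is no longer usable: tell the browser to drop it
        response["Set-Cookie"] = clear_cookie_header()
    if "text/html" in request_headers.get("Accept", ""):
        # Browser page: redirect to the login form, as the GUI already does
        response["Location"] = LOGIN_PATH
        return 302, response
    # API client (e.g. the /docs widget): no redirect, but the cookie is still cleared
    response["WWW-Authenticate"] = "Bearer"
    return 401, response


if __name__ == "__main__":
    samples = [("token=old-token", "text/html"), ("token=gone-token", "application/json")]
    for cookie, accept in samples:
        print(cookie, accept, handle_request({"Cookie": cookie, "Accept": accept}))
```

The point of splitting on the Accept header is that the browser-facing redirect and the API-facing 401 both carry the clearing Set-Cookie, so a stale cookie cannot survive a visit to /docs the way it does when no response ever touches it.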
shazz commented

So the workaround works in the sense that the API calls succeed or fail as expected (I tried from a private browser session: login, then /docs)

But from a UI point of view, in the docs, the APIs are still "locked" (I mean the lock icon on the right); it doesn't seem OpenAPI knows I'm already logged in.

In the end I'm not sure I understand the openAPI icons' meanings.... What does it mean when the lock is open or closed?

with workaround: [screenshot]

without workaround: [screenshot]

The lock is definitely cosmetic, as the OpenAPI does not know you are logged in unless you actually "authorize" from the OpenAPI context. However, with a valid cookie from the GUI session, you could immediately use the OpenAPI spec, but still only the API endpoints that the token is allowed to call (which is users in the 'administrators' group for EasyAuthServer APIs).

shazz commented

Ah... ok... I expected the lock to show which endpoints you are allowed to use based on your credentials, but no... as you said, it just means you've used the authorize widget (even if you are already logged in).

A pity....

Do you know why, on the server docs, some APIs don't have the lock, like the first three?

[screenshot]

@shazz locks appearing is very predictable. This is an indication of a "secured" endpoint, which requires a token to validate identity & access. Currently the docs are not able to filter to which endpoints a user is allowed to access, but they indicate which endpoints require authentication / authorization.