Secure Web APIs with Swagger, Swashbuckle, and OAuth2 (part 2)

This article continues the process started in part 1 which concluded with us having an API that has both anonymous and secure methods that can be called, and a Swagger interface provided by Swashbuckle. What remains now is the real meat of what I was trying to accomplish:

  • Making sure we can use the Swagger interface for testing authenticated API calls
  • Getting the Swagger interface customized enough so that it fits in with the rest of the site (part 3)
  • Securing the Swagger interface so that only authenticated users can see it (part 4)

Each of the items above is kind of “its own beast” so I’ll just take them in order, thinking that getting a testable API is probably first on your list.

Setting up Swagger to make authenticated API calls

Getting authenticated calls set up in Swagger involves three changes to your API application, assuming your OAuth2 server is already ready to receive the authorization requests for apis.

First, modify SwaggerConfig to enable OAuth support

There are three places in SwaggerConfig.cs that need to be modified, and the current Nuget package’s version has them all simply commented out to begin with. Somewhere around 70 lines down in SwaggerConfig, you’ll need to comment in some lines of code and make them look like this (or just add these lines):

                            .Description("OAuth2 Implicit Grant")
                            .AuthorizationUrl(Helpers.GetIssuerUri() + "/connect/authorize")                        
                            .Scopes(scopes =>
                                scopes.Add("sampleapi", "try out the sample api");                                

Of the hard-coded strings above, a few are important:
“implicit” –> this indicates we will be using an implicit flow for OAuth2.
AuthorizationUrl –> this string uses our Helpers.GetIssuerUri method defined in part 1 along with the authorize endpoint for the identity server
“sampleapi” –> this is a scope that will need to be predefined in your identity server

The next place is toward the middle of the file — around line 140:


When you comment this in, the method “AssignOAuth2SecurityRequirements” will be undefined. That’s ok for now, we’ll come back to it in a second.

The last place in the file you need to modify is almost all the way to the bottom:

    c.EnableOAuth2Support("sampleapi", "samplerealm", "Swagger UI");

The “sampleapi” is the client id for your OAuth2 connection — which in this case happens to be the same as the scope defined above. It’s ok that they are the same, but it is not required. The “samplerealm” and “Swagger UI” are the realm and appName parameters, which aren’t really used in my case (but I did find out that you need a non-null, non-blank realm even if you are NOT using it).

Second, create the OperationFilter class

The class must implement IOperationFilter, which has a single method: Apply. The purpose of this class/method is to determine which of your API methods in the Swagger interface will the OAuth settings be used for. If your API method (which is on the apiDescription parameter) needs the OAuth toggle to show up, it should get an item added to the Dictionary as shown in the last line of the method associated with the “oauth2” setting (the first hard-coded string above) and require the “sampleapi” scope.

The logic at the top of the method is all about determining whether we need to add the OAuth2 settings to the API method being evaluated. So, for example, anonymous methods can simply return without adding the security item to the Dictionary. The commented out code is left there as another example of how you might do this.

public class AssignOAuth2SecurityRequirements : IOperationFilter
    public void Apply(Operation operation, SchemaRegistry schemaRegistry, ApiDescription apiDescription)
        var actFilters = apiDescription.ActionDescriptor.GetFilterPipeline();
        var allowsAnonymous = actFilters.Select(f => f.Instance).OfType<OverrideAuthorizationAttribute>().Any();
        if (allowsAnonymous)
            return; // must be an anonymous method

        //var scopes = apiDescription.ActionDescriptor.GetFilterPipeline()
        //    .Select(filterInfo => filterInfo.Instance)
        //    .OfType<AllowAnonymousAttribute>()
        //    .SelectMany(attr => attr.Roles.Split(','))
        //    .Distinct();

        if ( == null)
   = new List<IDictionary<string, IEnumerable<string>>>();

        var oAuthRequirements = new Dictionary<string, IEnumerable<string>>
            {"oauth2", new List<string> {"sampleapi"}}

Testing the OAuth flow with the APIs

Now that you have made the changes above, everything should be in place to test it. When you go to the Swagger page and expand the operations, it should look like this — note the OAuth2 toggle in the secure method but NOT in the anonymous method:

When you click the toggle, you will be presented with a preliminary consent screen for the scope you’ve defined and then be authenticated using an implicit flow with the identity server.

After completing authentication, the toggle should show “On”, and then any “Try it out” calls to the API will pass the bearer token received from the identity server. Then you can test the calls successfully, even if they require authorization! Sweet!

In the next two posts, we will customize the Swagger interface, and lock it down in case you only want authenticated users to be able to browse the API. Cheers!

6 thoughts on “Secure Web APIs with Swagger, Swashbuckle, and OAuth2 (part 2)

  1. Pingback: Secure Web APIs with Swagger, Swashbuckle, and OAuth2 (part 1) | Know Your Toolset

  2. Cisco

    Great article, congratulations.

    Do you know how can I configure swashbuckle to use OAuth grant_type password? I mean, I have token based authentication and for each authorize request I want to send “Authorization: bearer xxx” header.

    Could yo help me?


  3. jerry

    I still didn’t understand the significance of “sampleapi” while adding authorisation to APIs.

    My question is if I have 10 controllers with 20 Actions (=200 APIs) then is there any other way (apart from adding custom authorize attribute over all required APIs) to mention which API’s should get authentication?

    1. dahlsailrunner Post author

      You can use a custom authorize attribute at the controller and/or method level. So putting them at the controller level would likely be fine. If you simply need a valid token with an Authorize scope, you can set up a global filter in the WebApiConfig.cs file. If you really have custom stuff happening at each API method (meaning different authorization levels/roles/requirements/etc), then authorize attributes on the various controllers/methods may be the right answer. Without knowing more of the specific requirements though, it’s hard to give a concrete answer.


Leave a Reply

Your email address will not be published. Required fields are marked *