
OAuth "realm" option unclear #1424


Closed
ankon opened this issue Jun 26, 2015 · 4 comments

@ankon
Contributor

ankon commented Jun 26, 2015

In index.html the initOAuth function from swagger-oauth.js requires a realm option. I couldn't find any documentation on this parameter, and it seems to be used only as a parameter for the initial authorization request. There seems to be no specification on the OAuth side for this parameter, though; the only mention I could find was that a provider might use a realm attribute in the WWW-Authenticate header.

With that: what was the intent of this parameter, and could it maybe just be dead code that can be removed?

@ecosgrave

The OAuth2 spec doesn't use realm, but some authorization servers do recognize it as a way of identifying the resource being accessed; likely a relic of SAML-based token issuance. Azure's ACS had the concept of realm, for example.

The intent is to identify the resource the caller wants to access. To use OAuth2 with Azure Active Directory (AAD) I had to switch the realm query parameter to resource, as that is what AAD expects. Same concept, just a different name.

Neither the realm nor resource parameters are part of the OAuth spec, so not really a bug, but not useful either. I can confirm that changing realm to resource when constructing the token URL in swagger-oauth.js allows Swagger UI to work with the AAD OAuth flow (though not in IE).

@fehguy
Contributor

fehguy commented Dec 9, 2015

Please reopen if there's still an issue here; it seems like the request is for non-OAuth2 calls.

@fehguy fehguy closed this as completed Dec 9, 2015
@gambrose

If realm is not part of the OAuth2 spec and is only recognized by some authorization servers, why does Swagger UI require it to be present?

Sorry to be reopening an old issue, but I have been struggling to work out the meaning of the realm in my scenario. I think that realm being required is what made me think it was more important than it is.

@RehanSaeed

realm seems to be a required parameter when it should really be optional. I'm just passing a - for its value as a workaround. I'm also having to manually provide a resource parameter and value.

@webron webron closed this as completed Jun 9, 2017
Download added a commit to Download/swagger-ui that referenced this issue Jul 18, 2017
 * Factored out URL handling code into function processUrl
 * Call processUrl in places where we use authorizationUrl and tokenUrl
 * Removed tiny bit of redundant code in auths.jsx
 * Set default/example realm name to 'your-realm' (singular) instead of 'your-realms' (plural) as this parameter is supposed to be singular afaik
 * Improved documentation for 'realm' in README.md
Fixes swagger-api#3406
See also swagger-api#1424
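
One way to build the authorization request so that the non-standard resource identifier discussed in this thread is optional and its name is configurable (realm for some servers, resource for AAD). This is an added example, not swagger-ui code: buildAuthorizationUrl, its option names and the example.test URLs are hypothetical; the standard parameters are those of RFC 6749.

```javascript
// Added example: hypothetical helper, not part of swagger-ui.
// Standard RFC 6749 authorization-request parameters are always sent; the
// vendor-specific resource identifier is appended only when a value is given,
// so no placeholder such as "-" is needed for servers that ignore it.
function buildAuthorizationUrl(opts) {
  for (const key of ["authorizationUrl", "clientId", "redirectUri", "state"]) {
    if (typeof opts[key] !== "string" || opts[key] === "") {
      throw new TypeError(`missing required option: ${key}`);
    }
  }

  // URL() keeps any query string already present on the endpoint.
  const url = new URL(opts.authorizationUrl);
  if (url.protocol !== "https:") {
    throw new Error("authorization endpoint must use https");
  }

  const params = url.searchParams;
  params.set("response_type", opts.responseType || "token");
  params.set("client_id", opts.clientId);
  params.set("redirect_uri", opts.redirectUri);
  params.set("state", opts.state); // caller supplies an unguessable value
  if (Array.isArray(opts.scopes) && opts.scopes.length > 0) {
    params.set("scope", opts.scopes.join(" "));
  }

  // Vendor extension: configurable name, optional value.
  const ext = opts.resourceIdentifier;
  if (ext && ext.value) {
    const name = ext.name || "realm";
    // Refuse names that would overwrite a parameter already on the request.
    if (params.has(name)) {
      throw new Error(`extension parameter collides with "${name}"`);
    }
    params.set(name, ext.value);
  }
  return url.toString();
}

// Constructed sample input: an AAD-style request that sends "resource".
const sampleUrl = buildAuthorizationUrl({
  authorizationUrl: "https://login.example.test/oauth2/authorize?tenant=constructed",
  clientId: "demo-client",
  redirectUri: "https://docs.example.test/callback.html",
  state: "constructed-state-value",
  scopes: ["read", "write"],
  resourceIdentifier: { name: "resource", value: "https://api.example.test/" },
});
```

Omitting resourceIdentifier, or giving it an empty value, produces a request with neither realm nor resource.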