Handling of relative urls for Oauth2 authorizationUrl and tokenUrl #5243

@agateblue

Description

Q&A (please complete the following information)

  • OS: Linux
  • Browser: Firefox
  • Version: 65
  • Method of installation: Docker (via official hub image)
  • Swagger-UI version: v3.21.0
  • Swagger/OpenAPI version: 3.0.2

Content & configuration

I'm in the process of documenting my OAuth2 endpoints, and have the following definitions:

openapi: "3.0.2"
info:
  version: "1.0.0"
  title: "Funkwhale API"

servers:
  - url: https://demo.funkwhale.audio/api/v1
    description: Demo server
  - url: https://{domain}/api/v1
    description: Custom server
    variables:
      domain:
        default: yourdomain
        description: Your Funkwhale Domain
      protocol:
        enum:
          - 'http'
          - 'https'
        default: 'https'

components:
  securitySchemes:
    oauth:
      type: oauth2
      flows:
        authorizationCode:
          authorizationUrl: /authorize
          tokenUrl: /api/v1/oauth/token/

As you can see, I have multiple servers configured, with a dynamic domain, because my API can be deployed in multiple places. The authorizationUrl and tokenUrl are relative.

Describe the bug you're encountering

Based on what is described in Swagger's documentation:

Relative Endpoint URLs

In OpenAPI 3.0, authorizationUrl, tokenUrl and refreshUrl can be specified relative to the API server URL. This is handy if these endpoints are on the same server as the rest of the API operations.

I expect the relative URLs in the oauth definition to be resolved to the current API server. That is, if my server is https://demo.funkwhale.audio/api/v1, the authorization URL should be https://demo.funkwhale.audio/api/v1/authorize.

However, I don't observe that behaviour, and when trying to authenticate with OAuth, I'm redirected to http://localhost:8002/authorize instead. http://localhost:8002 is the URL of my Swagger UI, so I think the relative URL is actually resolved against the Swagger UI URL, and not the current API server URL.

To reproduce...

Steps to reproduce the behavior:

  1. Add an oauth definition to your swagger.yml file with a relative URL as the authorizationUrl value
  2. Try to authenticate with oauth
  3. Observe that you are redirected to the relative URL you specified but on the Swagger UI host, instead of the API server.
  4. See error

Expected behavior

I expect the relative URLs in the oauth definition to be resolved to the current API server. That is, if my server is https://demo.funkwhale.audio/api/v1, the authorization URL should be https://demo.funkwhale.audio/api/v1/authorize.

Additional context or thoughts

Let me know if you need any additional info :)
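The resolution the issue asks for, as an added example that is not swagger-ui code: OAuth2 endpoint URLs are resolved against the selected OpenAPI server (with server variables substituted), not against the page Swagger UI is served from, and a check flags endpoints that ended up on a different origin, which is what sends the browser (and the token request) to the wrong host. Resolution follows RFC 3986 as the OpenAPI spec requires, so a leading-slash value such as "/authorize" lands on the server's origin; the spec object is a constructed sample mirroring the definition above, and the function names are this example's own.

```javascript
// Added example, not swagger-ui code: resolve an OAuth2 flow's endpoint URLs
// against the selected OpenAPI server, never against the Swagger UI page URL.
// new URL(relative, base) applies RFC 3986, which OpenAPI references.

// Substitute {name} placeholders in a server URL template, using the caller's
// values or each variable's default, and reject values outside a declared enum.
function expandServerUrl(server, values = {}) {
  const vars = server.variables || {};
  return server.url.replace(/\{([^}]+)\}/g, (_, name) => {
    const v = vars[name];
    if (!v) throw new Error(`undeclared server variable: ${name}`);
    const chosen = values[name] !== undefined ? values[name] : v.default;
    if (v.enum && !v.enum.includes(chosen)) {
      throw new Error(`value "${chosen}" not allowed for variable ${name}`);
    }
    return chosen;
  });
}
// Resolve the relative endpoint URLs of one flow; absolute ones are kept as-is.
function resolveFlowUrls(flow, baseUrl) {
  const resolved = { ...flow };
  for (const key of ['authorizationUrl', 'tokenUrl', 'refreshUrl']) {
    if (typeof flow[key] === 'string') resolved[key] = new URL(flow[key], baseUrl).href;
  }
  return resolved;
}
// Check that every resolved endpoint shares the API server's origin. A mismatch
// (e.g. the Swagger UI host, as in this issue) means the browser goes elsewhere.
function endpointsOnServerOrigin(resolvedFlow, baseUrl) {
  const origin = new URL(baseUrl).origin;
  return ['authorizationUrl', 'tokenUrl', 'refreshUrl']
    .filter((k) => resolvedFlow[k])
    .every((k) => new URL(resolvedFlow[k]).origin === origin);
}
// Constructed sample mirroring the definition in the issue.
const spec = {
  servers: [
    { url: 'https://demo.funkwhale.audio/api/v1' },
    { url: 'https://{domain}/api/v1', variables: { domain: { default: 'yourdomain' } } },
  ],
  components: { securitySchemes: { oauth: { type: 'oauth2', flows: {
    authorizationCode: { authorizationUrl: '/authorize', tokenUrl: '/api/v1/oauth/token/' },
  } } } },
};
// Resolve the issue's authorizationCode flow against server `index` of the sample.
function resolveForServer(index, values) {
  const base = expandServerUrl(spec.servers[index], values);
  return resolveFlowUrls(spec.components.securitySchemes.oauth.flows.authorizationCode, base);
}
```

Note that with RFC 3986 rules "/authorize" resolves to https://demo.funkwhale.audio/authorize, while the tokenUrl in the issue already carries its /api/v1 prefix and therefore resolves under the API base path.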
