bugfix/incorrect redirect_uri query param in OAuth2 implicit authentication

[Canecat]

added support of oauth2RedirectUrl swagger UI config parameter
updated Config struct
added new config helpers
updated tests
updated readme

[codecov-io]

Codecov Report

Merging #92 into master will decrease coverage by 0.79%.
The diff coverage is 79.54%.

@@            Coverage Diff            @@
##           master      #92     +/-   ##
=========================================
- Coverage   84.12%   83.33%   -0.8%     
=========================================
  Files           1        1             
  Lines          63       84     +21     
=========================================
+ Hits           53       70     +17     
- Misses          8       13      +5     
+ Partials        2        1      -1

Impacted Files	Coverage Δ
swagger.go	83.33% <79.54%> (-0.8%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3db8327...46aade1. Read the comment docs.

[easonlin404]

@Canecat could you tell why need to add oauth2RedirectUrl? What's your scenario?

[Canecat]

Hello @easonlin404.

If we want to use OAuth2 implicit flow then we need to set @authorizationUrl and client_id.
After user click the "Authorize" button, Swagger UI opens this authorizationUrl with several query parameters (e.g. https://example.com/authentication/login?response_type=token&client_id=localhost.example.com&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fapi%2Fv1%2Fswagger%2Foauth2-redirect.html...).
redirect_uri query parameter says where user should be redirected by OAuth provider after successful authorization. Swagger UI must process in 'oauth2-redirect.html' and store autorization_tokenreturned by provider, to be able to set Authorization header in API calls which need authorization. That's how this flow should work.

By default oauth2RedirectUrl is calculated by Swagger UI as ${window.location.protocol}//${window.location.host}/oauth2-redirect.html e.g. 'http://localhost:8000/oauth2-redirect.html' which is not correct in most cases because Swagger UI is usually hosted under some sub route (e.g. '/api/v1/swagger/').
So we should set this swagger config parameter to correct location of oauth2-redirect.html, if we want to be able to call API endpoints which need authorization.

Thank you for quick response.

[Canecat]

Hi @easonlin404, any updates?

[Bobby-88]

@easonlin404 i've just come across the same issue as described in #92 (comment)
in short - when serving a swagger ui at swagger-host/swagger, and when using implicit flow from oidc provider (i'm using self-hosted keycloak) - redirect from keycloak is going to swagger-host/oauth2-redirect.html - but should be going to swagger-host/swagger/oauth2-redirect.html
i've just tested this and it's working for the implicit flow

Please advise on what is needed to merge this, i'm eager to contribute if i will be able to

[Bobby-88]

@Canecat @easonlin404 i've just checked and the issue is reproduced not only with the Implicit Grant. It's as well visible with the Authorization Code Grant (which is currently considered as a best practice).
Will switch to https://github.com/Canecat/gin-swagger for a time being, but i would really like to see this PR accepted

[jurabek]

@Canecat please use window.location.href instead ${window.location.protocol}//${window.location.host}" + filepath.Join(config.SwaggerBase, "oauth2-redirect.html") + " it is two many code here, window.location.href includes basePath too. here is dotnet swagger implementation of this problem

[ubogdan]

@Canecat Please resolve the conflicts and I will try to do a review after that.

[ubogdan]

Closing reason: Outdated.