OAuth ClientCredentials doesn't pass client_id and client_secret in request body. #9800
Comments
I stumbled over this issue in context of Microsoft Entra ID, too. The
The true cause of this issue seems to be that Microsoft seems to have stopped support for the

You can confirm this by trying out the following curl requests:

Token request without origin header:

```shell
curl https://login.microsoftonline.com/${YOUR_TENANT_ID}/oauth2/v2.0/token \
  -d 'grant_type=client_credentials' \
  -d "scope=${YOUR_CLIENT_ID}/.default" \
  -d "client_id=${YOUR_CLIENT_ID}" \
  -d "client_secret=${YOUR_CLIENT_SECRET}"
```

```json
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"...your_token..."}
```

Token request with origin header, like a request would be issued in a browser:

```shell
curl -v https://login.microsoftonline.com/${YOUR_TENANT_ID}/oauth2/v2.0/token \
  -H 'Origin: http://localhost:8080' \
  -d 'grant_type=client_credentials' \
  -d "scope=${YOUR_CLIENT_ID}/.default" \
  -d "client_id=${YOUR_CLIENT_ID}" \
  -d "client_secret=${YOUR_CLIENT_SECRET}"
```

```
[...]
< HTTP/2 400
[...]
{"error":"invalid_request","error_description":"AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type. Request origin: 'http://localhost:8080'. Trace ID: [...] Correlation ID: [...] Timestamp: [...]","error_codes":[9002326],"timestamp":"[...]","trace_id":"[...]","correlation_id":"[...]","error_uri":"https://login.microsoftonline.com/error?code=9002326"}
```

I don't think this issue can be solved by swagger-ui. Microsoft would need to enable support for
Hi @PSanetra thank you for adding your findings. Nice work figuring out that Origin header is the issue! I wonder if there is some magic value of the Origin header which it will accept?
I agree it's not a Swagger UI issue.
I wonder if there is some config in our Entra ID App Registration's manifest which would allow this?
@mattfrear good question if there is some configuration option for this. I would be interested too. For now I will go with a simple Authorization header with Bearer scheme in swagger ui and show some description how to get the client_credentials token via curl as a workaround.
Closing this because it's not a Swagger UI issue, it's caused by Entra ID rejecting
Describe the bug you're encountering
I am trying to get an Authorization token in Swagger-UI from Microsoft's Entra ID (formerly known as Azure AD) using client credentials flow. However, I get a 400.
because Swagger-UI is not passing the client_id and client_secret in the request body, which Entra ID requires.

Edit: Entra ID will also accept a Basic Authorization header.

An older issue was having the same problem but using Auth0: #4533

Edit, one month later: I just found another duplicate, #5104
To reproduce...
Steps to reproduce the behavior:
N.B. I have also reproduced this by running latest v5.15.0 of Swagger-UI on my localhost.
Expected behavior
Please add a configuration value to allow us to send the client_id and client_secret in the request body instead of in the Authorization header (current behaviour).
Related issue: domaindrivendev/Swashbuckle.AspNetCore#2544
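The two ways of authenticating a client_credentials request that come up in this thread (credentials in the form body, as in the curl commands above, and an HTTP Basic Authorization header, which the issue body says Entra ID also accepts), plus a check for the AADSTS9002326 cross-origin rejection, as an added example. This is not code from Swagger UI, Swashbuckle or any participant in the thread; it assumes the v2.0 token endpoint used in the curl commands, and the tenant, client id, secret and JSON responses it uses are constructed samples trimmed from what is shown above. Only `request_token()` touches the network, and it deliberately sends no Origin header, so it behaves like the first curl command rather than like a browser.

```python
"""Client-credentials token requests against Microsoft Entra ID, outside a browser.

Added example for this thread; not code from Swagger UI, Swashbuckle or the
issue participants. It assumes the v2.0 token endpoint used in the curl commands
above and uses constructed sample values and responses.
"""
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Error code Entra returns when a non-SPA app registration redeems a token with
# an Origin header present (quoted from the curl output in the thread).
CROSS_ORIGIN_REDEMPTION_CODE = 9002326

# Constructed samples, trimmed from the responses shown in the thread.
SAMPLE_SUCCESS = {"token_type": "Bearer", "expires_in": 3599,
                  "ext_expires_in": 3599, "access_token": "...your_token..."}
SAMPLE_CROSS_ORIGIN_ERROR = {
    "error": "invalid_request",
    "error_description": "AADSTS9002326: Cross-origin token redemption is permitted "
                         "only for the 'Single-Page Application' client-type. "
                         "Request origin: 'http://localhost:8080'.",
    "error_codes": [9002326],
}


def build_token_request(tenant_id, client_id, client_secret, auth_method="post"):
    """Return (url, headers, body_bytes) for a client_credentials grant.

    auth_method="post"  -> client_secret_post: credentials in the form body,
                           exactly what the curl examples above send.
    auth_method="basic" -> client_secret_basic: credentials in an HTTP Basic
                           Authorization header (RFC 6749 section 2.3.1), which
                           the issue reporter notes Entra ID also accepts.
    Neither variant sets an Origin header; a browser adds one on its own, which
    is what triggers AADSTS9002326 for non-SPA app registrations.
    """
    form = {
        "grant_type": "client_credentials",
        # Same scope form as the curl examples: the app's own /.default scope.
        "scope": f"{client_id}/.default",
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_method == "post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    elif auth_method == "basic":
        # RFC 6749 2.3.1: form-urlencode each half before joining with ':'.
        pair = (urllib.parse.quote(client_id, safe="") + ":"
                + urllib.parse.quote(client_secret, safe=""))
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    else:
        raise ValueError(f"unknown auth_method: {auth_method!r}")
    return (TOKEN_ENDPOINT.format(tenant=tenant_id), headers,
            urllib.parse.urlencode(form).encode())


def classify_token_response(status, body):
    """Map an HTTP status plus parsed JSON body to a short verdict string."""
    if status == 200 and "access_token" in body:
        return "ok"
    if CROSS_ORIGIN_REDEMPTION_CODE in body.get("error_codes", []):
        return "cross_origin_rejected"  # the failure mode discussed in the thread
    return "other_error"


def request_token(tenant_id, client_id, client_secret, auth_method="post", timeout=10):
    """Send the request over the network and return (status, parsed_body).

    urllib never adds an Origin header, so this behaves like the first curl
    command above, not like a request issued from Swagger UI in a browser.
    """
    url, headers, body = build_token_request(tenant_id, client_id, client_secret, auth_method)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as exc:
        # Entra returns a JSON error document with the 400/401, as shown above.
        return exc.code, json.loads(exc.read().decode())


if __name__ == "__main__":
    # Reads the same variables the curl examples use; AUTH_METHOD is a
    # hypothetical extra switch for this demo ("post" or "basic").
    status, body = request_token(os.environ["YOUR_TENANT_ID"],
                                 os.environ["YOUR_CLIENT_ID"],
                                 os.environ["YOUR_CLIENT_SECRET"],
                                 os.environ.get("AUTH_METHOD", "post"))
    print(status, classify_token_response(status, body))
```

Both request shapes are accepted by the endpoint; the point the thread makes is that neither will succeed from a browser, because the browser's automatic Origin header, not the placement of the credentials, is what Entra rejects for a non-SPA app registration. Running this from a server-side process, or obtaining the token with curl and pasting it into a Bearer scheme in Swagger UI as the workaround above describes, sidesteps that.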