oauth2 vs auth0: missing audience parameter
i’m using swagger-ui 3.2.0, implicit oauth2, and auth0. i’m making use of JWTs. i need to be able to add an audience parameter to the authorization url to convince auth0 to pass back JWTs instead of opaque tokens. i tried the “straight forward” way of specifying an audience and it doesn’t appear to work.
```json
{
  "swagger": "2.0",
  "info": {
    "title": "foo",
    "description": "foo",
    "version": "1.0.0"
  },
  "consumes": "application/json",
  "produces": "application/json",
  "security": {
    "OAuth2": [
      "read",
      "write"
    ]
  },
  "securityDefinitions": {
    "OAuth2": {
      "type": "oauth2",
      "authorizationUrl": "https://test.auth0.com/authorize?audience=https://foo/bar",
      "flow": "implicit",
      "scopes": {
        "read": "for reading",
        "write": "for writing"
      }
    }
  }
}
```
this ends up redirecting me to:
https://test.auth0.com/authorize?audience=https://foo/bar?response_type=token&client_id=...&redirect_uri=...&state=...
notice the two question marks. when redirected to this page, it fails.
if i modify the url, by hand, and change the second ? to an &, like:
https://test.auth0.com/authorize?audience=https://foo/bar&response_type=token&client_id=...&redirect_uri=...&state=...
and then re-submit, everything works like it should. i end up with a jwt bearer token and everything.
so, my question is: how should i be specifying this audience parameter to the authorizationUrl?
thanks.
Q | A |
---|---|
Bug or feature request? | bug |
Which Swagger/OpenAPI version? | 2.0 |
Which Swagger-UI version? | 3.2.0 |
How did you install Swagger-UI? | webjars |
Which browser & version? | chrome |
Which operating system? | macos |
Issue Analytics
- State:
- Created 6 years ago
- Comments:5 (4 by maintainers)
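The double-question-mark failure described in the issue, reproduced next to a query-aware way of building the authorization URL. This is an added example, not code from swagger-ui or from the linked PR; the function names and the `client_id`, `redirect_uri` and `state` values are constructed for illustration.

```javascript
// Added example: not swagger-ui's code. Function names and sample values are constructed.

// Naive construction: always joins with "?", which yields the
// "two question marks" URL reported in the issue.
function buildAuthUrlNaive(authorizationUrl, params) {
  const query = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
  return `${authorizationUrl}?${query}`;
}

// Query-aware construction: parse the URL and add to its existing query,
// so a pre-set parameter such as "audience" survives.
function buildAuthUrl(authorizationUrl, params) {
  const url = new URL(authorizationUrl);
  for (const [k, v] of Object.entries(params)) {
    // Design choice of this example: values computed for the flow
    // (client_id, redirect_uri, state, ...) replace any value of the same
    // name already present in the definition's URL.
    url.searchParams.set(k, v);
  }
  return url.toString();
}

// Parsed query parameters as a plain object, for inspection.
function queryOf(urlString) {
  return Object.fromEntries(new URL(urlString).searchParams.entries());
}

// Constructed sample input mirroring the definition in the issue.
const authorizationUrl = "https://test.auth0.com/authorize?audience=https://foo/bar";
const flowParams = {
  response_type: "token",
  client_id: "example-client-id",
  redirect_uri: "https://localhost:8080/oauth2-redirect.html",
  state: "constructed-state-value",
};

const naive = buildAuthUrlNaive(authorizationUrl, flowParams);
const fixed = buildAuthUrl(authorizationUrl, flowParams);

// In the naive URL, response_type is swallowed into the audience value.
console.log(queryOf(naive));
// In the query-aware URL, audience and response_type are separate parameters.
console.log(queryOf(fixed));
```

With the naive join, a URL parser sees no `response_type` parameter at all, which is consistent with the authorization page failing until the second `?` is changed to `&`.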
Update
It occurs to me that we have a PR open for this: https://github.com/swagger-api/swagger-ui/pull/3666
I just approved it, so it should be included in tonight’s release. So this will be fixed 😄
@arthuston, yeah, something’s definitely wrong there - please make sure you’re on the latest version, and if so, open a ticket and tag me in it!
if you have the time, setting up a test environment (definition and Auth0 provisioning) that lets us work on this without scaffolding anything out would help to expedite the process 😄