Query is regarding using OIDC in Swagger UI. Swagger UI is hosted on a Liberty server. The server has oidcClient configured, and a REST API gives all the information regarding client credentials, redirect URL, etc. With the current implementation it seems that it takes the discovery URL and the user is supposed to enter the credentials. But these might not be known to all the users. What I need is that Swagger UI takes the credentials from the server and then redirects directly to the login page of OIDC. Can anyone please help with this?
Is this secure? Should there be a "service" that exposes the client secret of an OIDC client? It is called a secret, and the Swagger UI is JavaScript that runs inside the user's scope, where the client secret should not be known to the user. Also, the ability to load a secret from a server: this would be a publicly reachable URL, so everybody could read the content.
In other words - the Swagger UI is a separate "public" client in the OIDC realm which doesn't need a secret.
It's bad practice to store client credentials in the HTML/JS page and expose them to any user that can reach that page. For dev environments maybe OK, but not in general. I would expect something like a public client config (which doesn't require a secret) that uses allowed redirects on the OIDC service side. There are many examples out there, like https://www.keycloak.org/securing-apps/javascript-adapter. Line 42 with clientSecret is marked as optional, but I would just remove it and then it's OK.