Configure AzureAD for Auth Code grant to generate token from SwaggerUI

Pinkesh Dashrathbhai Patel 26 Reputation points
2022-06-21T13:59:59.167+00:00

I am trying to add Authorization Code support to SwaggerUI to generate a token from AzureAD for my client app.

I have the below setup on Azure:

  • API App
  • Swagger Client App

The API App has scopes exposed (delegated permissions), and the same are added/granted to the Swagger Client App.

The Swagger client app is configured with the Swagger Redirect URI under Web.

While trying to generate the token from SwaggerUI, I get the below error.

Note-1: I am able to generate the token from Postman for the same client. In the case of Postman, I added the Redirect URI under Web. For Swagger, I tried both Web and SPA but get a different error in each case.

Note-2: If I use the Swagger redirect URI under SPA and don't pass the secret, then I am able to authenticate, but I want users to pass the secret while accessing endpoints from Swagger.

Is it a limitation of Azure AD?

Trace ID: 34db8191-6a86-4d23-a3a5-172e2d149200 Correlation ID: 516346a1-52d4-4c54-8332-f9634937730d Timestamp: 2022-06-21 13:57:06Z

Below is my code snippet from my .NET Core app for the auth code grant flow.

Program.cs

builder.Services
    .AddTransient<IConfigureOptions<SwaggerGenOptions>, ConfigureSwaggerGenOptions>()
    .AddSwaggerGen();

var app = builder.Build();

app.UseSwagger();
app.UseSwaggerUI(setup =>
{
    setup.SwaggerEndpoint("/swagger/v1/swagger.json", "Version 1.0");
    setup.OAuthClientId("<<Client Id>>");
    // Swagger UI runs in the browser, so this secret is delivered to every user who loads the page
    setup.OAuthClientSecret("<<Client Secret>>");
    setup.OAuthAppName("MyAPI");
    setup.OAuthScopeSeparator(" ");
});

ConfigureSwaggerGenOptions.cs

using System;
using System.Collections.Generic;
using Microsoft.Extensions.Options;
using Microsoft.OpenApi.Models;
using Swashbuckle.AspNetCore.SwaggerGen;

public class ConfigureSwaggerGenOptions : IConfigureOptions<SwaggerGenOptions>
{
    // Name of the security scheme; the requirement below must reference it with the same spelling
    private const string SchemeName = "OAuth2";

    public void Configure(SwaggerGenOptions options)
    {
        options.AddSecurityDefinition(SchemeName, new OpenApiSecurityScheme
        {
            Type = SecuritySchemeType.OAuth2,
            Flows = new OpenApiOAuthFlows
            {
                AuthorizationCode = new OpenApiOAuthFlow
                {
                    AuthorizationUrl = new Uri("https://login.microsoftonline.com/<<TenantId>>/oauth2/v2.0/authorize"),
                    TokenUrl = new Uri("https://login.microsoftonline.com/<<TenantId>>/oauth2/v2.0/token"),
                    Scopes = new Dictionary<string, string>
                    {
                        { "api://<<HostAPI_Id>>/.default", "All Scopes" }
                    },
                }
            }
        });

        options.AddSecurityRequirement(new OpenApiSecurityRequirement
        {
            {
                new OpenApiSecurityScheme
                {
                    Reference = new OpenApiReference
                    {
                        Type = ReferenceType.SecurityScheme,
                        // Must match the AddSecurityDefinition name exactly (case-sensitive),
                        // otherwise Swagger UI cannot link the requirement to the OAuth2 scheme
                        Id = SchemeName
                    },
                    Scheme = "oauth2",
                    Name = "oauth2",
                    In = ParameterLocation.Header
                },
                new List<string>()
            }
        });
    }
}


1 answer

  1. 2022-06-21T22:16:54.363+00:00

    Hello @Pinkesh Dashrathbhai Patel, the AADSTS501481 error is caused by the /token post_verifier param value not matching the /authorize code_challenge param value.

    This is not an Azure AD limitation but an error coming from the calling client. The immediate recommendation is to do a Fiddler trace to see what values are being generated and to ensure none of them is being cached.

    The Azure AD App Registration Redirect URL must follow the actual application type: SPA or Web App.

    In case it is a Web App, and as a temporary workaround, you might enable Authorization Grant without PKCE. The configuration should be similar to this:

    components:
      schemas: {}
      securitySchemes:
        accessCode:
          type: oauth2
          flows:
            authorizationCode:
              authorizationUrl: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize'
              tokenUrl: 'https://login.microsoftonline.com/common/oauth2/v2.0/token'
              scopes:
                'api://<READ SCOPE RESOURCE ID>/read': allows reading resources

    Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it so that others in the community with similar questions can more easily find a solution.
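The code_verifier / code_challenge comparison the answer refers to, as an added Python illustration (not code from the question, the answer, or Azure AD): it models the RFC 7636 check a token endpoint performs before it can report AADSTS501481, so the values captured from /authorize and /token in a Fiddler trace can be compared offline. The walk-through values are constructed, and the stale-verifier scenario assumes a cached value from an earlier login attempt.

```python
import base64
import hashlib
import secrets
from typing import Optional

# RFC 7636 (PKCE) helpers. Added illustration of the check behind AADSTS501481;
# this is a model of the token endpoint's comparison, not Azure AD's own code.


def make_code_verifier(n_bytes: int = 32) -> str:
    """Generate a high-entropy code_verifier (43 unreserved chars for 32 bytes)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(code_verifier: Optional[str], code_challenge: Optional[str],
                method: str = "S256") -> bool:
    """Token-endpoint side: the verifier posted to /token must reproduce the
    challenge recorded at /authorize. Any mismatch is what AADSTS501481 reports."""
    if code_verifier is None or code_challenge is None:
        return False
    if method == "S256":
        expected = code_challenge_s256(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return False
    # Constant-time comparison, as a server should use for secret-derived values
    return secrets.compare_digest(expected, code_challenge.rstrip("="))


def demo() -> dict:
    """Constructed walk-through: /authorize records one challenge, then either the
    matching fresh verifier or a stale (cached) one from a previous attempt is posted."""
    fresh = make_code_verifier()
    stale = make_code_verifier()  # stands in for a verifier cached from an earlier login
    challenge = code_challenge_s256(fresh)
    return {
        "fresh_matches": verify_pkce(fresh, challenge),
        "stale_matches": verify_pkce(stale, challenge),  # the AADSTS501481 case
    }


if __name__ == "__main__":
    print(demo())
```

To check a real trace, call verify_pkce with the code_verifier from the /token POST body and the code_challenge from the /authorize query string; a False result confirms the client sent values from two different PKCE exchanges.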