feat: support PKCE on Swagger UI

Author: vincentchalamon

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## 2.7.0
 
+* Swagger UI: Add `usePkceWithAuthorizationCodeGrant` to Swagger UI initOAuth (#4649)
 * **BC**: `mapping.paths` in configuration should override bundles configuration (#4465)
 * GraphQL: Add ability to use different pagination types for the queries of a resource (#4453)
 * Security: **BC** Fix `ApiProperty` `security` attribute expression being passed a class string for the `object` variable on updates/creates - null is now passed instead if the object is not available (#4184)

src/Core/Bridge/Symfony/Bundle/Action/SwaggerUiAction.php

@@ -56,6 +56,7 @@ final class SwaggerUiAction
     private $oauthTokenUrl;
     private $oauthAuthorizationUrl;
     private $oauthScopes;
+    private $oauthPKCE;
     private $formatsProvider;
     private $swaggerUiEnabled;
     private $reDocEnabled;
@@ -79,9 +80,10 @@ final class SwaggerUiAction
      * @param mixed      $oauthTokenUrl
      * @param mixed      $oauthAuthorizationUrl
      * @param mixed      $oauthScopes
+     * @param mixed      $oauthPKCE
      * @param mixed      $resourceMetadataFactory
      */
-    public function __construct(ResourceNameCollectionFactoryInterface $resourceNameCollectionFactory, $resourceMetadataFactory, NormalizerInterface $normalizer, ?TwigEnvironment $twig, UrlGeneratorInterface $urlGenerator, string $title = '', string $description = '', string $version = '', $formats = [], $oauthEnabled = false, $oauthClientId = '', $oauthClientSecret = '', $oauthType = '', $oauthFlow = '', $oauthTokenUrl = '', $oauthAuthorizationUrl = '', $oauthScopes = [], bool $showWebby = true, bool $swaggerUiEnabled = false, bool $reDocEnabled = false, bool $graphqlEnabled = false, bool $graphiQlEnabled = false, bool $graphQlPlaygroundEnabled = false, array $swaggerVersions = [2, 3], OpenApiSwaggerUiAction $swaggerUiAction = null, $assetPackage = null, array $swaggerUiExtraConfiguration = [])
+    public function __construct(ResourceNameCollectionFactoryInterface $resourceNameCollectionFactory, $resourceMetadataFactory, NormalizerInterface $normalizer, ?TwigEnvironment $twig, UrlGeneratorInterface $urlGenerator, string $title = '', string $description = '', string $version = '', $formats = [], $oauthEnabled = false, $oauthClientId = '', $oauthClientSecret = '', $oauthType = '', $oauthFlow = '', $oauthTokenUrl = '', $oauthAuthorizationUrl = '', $oauthScopes = [], bool $oauthPKCE = true, bool $showWebby = true, bool $swaggerUiEnabled = false, bool $reDocEnabled = false, bool $graphqlEnabled = false, bool $graphiQlEnabled = false, bool $graphQlPlaygroundEnabled = false, array $swaggerVersions = [2, 3], OpenApiSwaggerUiAction $swaggerUiAction = null, $assetPackage = null, array $swaggerUiExtraConfiguration = [])
     {
         $this->resourceNameCollectionFactory = $resourceNameCollectionFactory;
         $this->resourceMetadataFactory = $resourceMetadataFactory;
@@ -100,6 +102,7 @@ public function __construct(ResourceNameCollectionFactoryInterface $resourceName
         $this->oauthTokenUrl = $oauthTokenUrl;
         $this->oauthAuthorizationUrl = $oauthAuthorizationUrl;
         $this->oauthScopes = $oauthScopes;
+        $this->oauthPKCE = $oauthPKCE;
         $this->swaggerUiEnabled = $swaggerUiEnabled;
         $this->reDocEnabled = $reDocEnabled;
         $this->graphqlEnabled = $graphqlEnabled;
@@ -183,6 +186,7 @@ private function getContext(Request $request, Documentation $documentation): arr
             'enabled' => $this->oauthEnabled,
             'clientId' => $this->oauthClientId,
             'clientSecret' => $this->oauthClientSecret,
+            'pkce' => $this->oauthPKCE,
             'type' => $this->oauthType,
             'flow' => $this->oauthFlow,
             'tokenUrl' => $this->oauthTokenUrl,

src/Symfony/Bundle/DependencyInjection/ApiPlatformExtension.php

@@ -421,6 +421,7 @@ private function registerOAuthConfiguration(ContainerBuilder $container, array $
         $container->setParameter('api_platform.oauth.enabled', $this->isConfigEnabled($container, $config['oauth']));
         $container->setParameter('api_platform.oauth.clientId', $config['oauth']['clientId']);
         $container->setParameter('api_platform.oauth.clientSecret', $config['oauth']['clientSecret']);
+        $container->setParameter('api_platform.oauth.pkce', $config['oauth']['pkce']);
         $container->setParameter('api_platform.oauth.type', $config['oauth']['type']);
         $container->setParameter('api_platform.oauth.flow', $config['oauth']['flow']);
         $container->setParameter('api_platform.oauth.tokenUrl', $config['oauth']['tokenUrl']);

src/Symfony/Bundle/DependencyInjection/Configuration.php

@@ -260,7 +260,12 @@ private function addOAuthSection(ArrayNodeDefinition $rootNode): void
                     ->addDefaultsIfNotSet()
                     ->children()
                         ->scalarNode('clientId')->defaultValue('')->info('The oauth client id.')->end()
-                        ->scalarNode('clientSecret')->defaultValue('')->info('The oauth client secret.')->end()
+                        ->scalarNode('clientSecret')
+                            ->defaultValue('')
+                            ->info('The oauth client secret.')
+                            ->setDeprecated(...$this->buildDeprecationArgs('2.7', 'The use of the `oauth.client_secret` has been deprecated in 2.7 for security reasons and will be removed in 3.0. The `oauth.pkce` option implements the OAuth2 PKCE strategy (enabled by default).'))
+                        ->end()
+                        ->booleanNode('pkce')->defaultTrue()->info('Enable the oauth PKCE.')->end()
                         ->scalarNode('type')->defaultValue('oauth2')->info('The oauth type.')->end()
                         ->scalarNode('flow')->defaultValue('application')->info('The oauth flow grant type.')->end()
                         ->scalarNode('tokenUrl')->defaultValue('')->info('The oauth token url.')->end()

src/Symfony/Bundle/Resources/config/swagger_ui.xml

@@ -37,6 +37,7 @@
             <argument>%api_platform.oauth.tokenUrl%</argument>
             <argument>%api_platform.oauth.authorizationUrl%</argument>
             <argument>%api_platform.oauth.scopes%</argument>
+            <argument>%api_platform.oauth.pkce%</argument>
             <argument>%api_platform.show_webby%</argument>
             <argument>%api_platform.enable_swagger_ui%</argument>
             <argument>%api_platform.enable_re_doc%</argument>

src/Symfony/Bundle/Resources/public/init-swagger-ui.js

@@ -63,7 +63,8 @@ window.onload = function() {
             realm: data.oauth.type,
             appName: data.spec.info.title,
             scopeSeparator: ' ',
-            additionalQueryStringParams: {}
+            additionalQueryStringParams: {},
+            usePkceWithAuthorizationCodeGrant: data.oauth.pkce,
         });
     }
 

src/Symfony/Bundle/SwaggerUi/SwaggerUiAction.php

@@ -40,8 +40,9 @@ final class SwaggerUiAction
     private $resourceMetadataFactory;
     private $oauthClientId;
     private $oauthClientSecret;
+    private $oauthPKCE;
 
-    public function __construct($resourceMetadataFactory, ?TwigEnvironment $twig, UrlGeneratorInterface $urlGenerator, NormalizerInterface $normalizer, OpenApiFactoryInterface $openApiFactory, Options $openApiOptions, SwaggerUiContext $swaggerUiContext, array $formats = [], string $oauthClientId = null, string $oauthClientSecret = null)
+    public function __construct($resourceMetadataFactory, ?TwigEnvironment $twig, UrlGeneratorInterface $urlGenerator, NormalizerInterface $normalizer, OpenApiFactoryInterface $openApiFactory, Options $openApiOptions, SwaggerUiContext $swaggerUiContext, array $formats = [], string $oauthClientId = null, string $oauthClientSecret = null, bool $oauthPKCE = true)
     {
         $this->resourceMetadataFactory = $resourceMetadataFactory;
         $this->twig = $twig;
@@ -53,6 +54,7 @@ public function __construct($resourceMetadataFactory, ?TwigEnvironment $twig, Ur
         $this->formats = $formats;
         $this->oauthClientId = $oauthClientId;
         $this->oauthClientSecret = $oauthClientSecret;
+        $this->oauthPKCE = $oauthPKCE;
 
         if (null === $this->twig) {
             throw new \RuntimeException('The documentation cannot be displayed since the Twig bundle is not installed. Try running "composer require symfony/twig-bundle".');
@@ -89,6 +91,7 @@ public function __invoke(Request $request)
                 'scopes' => $this->openApiOptions->getOAuthScopes(),
                 'clientId' => $this->oauthClientId,
                 'clientSecret' => $this->oauthClientSecret,
+                'pkce' => $this->oauthPKCE,
             ],
             'extraConfiguration' => $this->swaggerUiContext->getExtraConfiguration(),
         ];

tests/Symfony/Bundle/Action/SwaggerUiActionTest.php

@@ -102,6 +102,7 @@ public function getInvokeParameters()
                     'tokenUrl' => '',
                     'authorizationUrl' => '',
                     'scopes' => [],
+                    'pkce' => true,
                 ],
                 'shortName' => 'F',
                 'operationId' => 'getFCollection',
@@ -137,6 +138,7 @@ public function getInvokeParameters()
                     'tokenUrl' => '',
                     'authorizationUrl' => '',
                     'scopes' => [],
+                    'pkce' => true,
                 ],
                 'shortName' => 'F',
                 'operationId' => 'getFItem',
@@ -195,6 +197,7 @@ public function testDoNotRunCurrentRequest(Request $request)
                     'tokenUrl' => '',
                     'authorizationUrl' => '',
                     'scopes' => [],
+                    'pkce' => true,
                 ],
             ],
         ])->shouldBeCalled()->willReturn('');

tests/Symfony/Bundle/DependencyInjection/ConfigurationTest.php

@@ -148,6 +148,7 @@ private function runDefaultConfigTests(array $doctrineIntegrationsToLoad = ['orm
                 'authorizationUrl' => '',
                 'refreshUrl' => '',
                 'scopes' => [],
+                'pkce' => true,
             ],
             'swagger' => [
                 'versions' => [2, 3],

tests/Symfony/Bundle/SwaggerUi/SwaggerUiActionTest.php

@@ -104,6 +104,7 @@ public function getInvokeParameters()
                     'tokenUrl' => '',
                     'authorizationUrl' => '',
                     'scopes' => [],
+                    'pkce' => true,
                 ],
                 'extraConfiguration' => [],
                 'shortName' => 'F',
@@ -139,6 +140,7 @@ public function getInvokeParameters()
                     'tokenUrl' => '',
                     'authorizationUrl' => '',
                     'scopes' => [],
+                    'pkce' => true,
                 ],
                 'extraConfiguration' => [],
                 'shortName' => 'F',
@@ -192,6 +194,7 @@ public function testDoNotRunCurrentRequest(Request $request)
                     'tokenUrl' => '',
                     'authorizationUrl' => '',
                     'scopes' => [],
+                    'pkce' => true,
                 ],
                 'extraConfiguration' => [],
             ],