Merge pull request #4649 from vincentchalamon/fix/swaggerui-pkce

feat: support PKCE on Swagger UI

Author: vincentchalamon

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## 2.7.0
 
+* Swagger UI: Add `usePkceWithAuthorizationCodeGrant` to Swagger UI initOAuth (#4649)
 * **BC**: `mapping.paths` in configuration should override bundles configuration (#4465)
 * GraphQL: Add ability to use different pagination types for the queries of a resource (#4453)
 * Security: **BC** Fix `ApiProperty` `security` attribute expression being passed a class string for the `object` variable on updates/creates - null is now passed instead if the object is not available (#4184)

src/Core/Bridge/Symfony/Bundle/Action/SwaggerUiAction.php

@@ -56,6 +56,7 @@ final class SwaggerUiAction
     private $oauthTokenUrl;
     private $oauthAuthorizationUrl;
     private $oauthScopes;
+    private $oauthPkce;
     private $formatsProvider;
     private $swaggerUiEnabled;
     private $reDocEnabled;
@@ -81,7 +82,7 @@ final class SwaggerUiAction
      * @param mixed      $oauthScopes
      * @param mixed      $resourceMetadataFactory
      */
-    public function __construct(ResourceNameCollectionFactoryInterface $resourceNameCollectionFactory, $resourceMetadataFactory, NormalizerInterface $normalizer, ?TwigEnvironment $twig, UrlGeneratorInterface $urlGenerator, string $title = '', string $description = '', string $version = '', $formats = [], $oauthEnabled = false, $oauthClientId = '', $oauthClientSecret = '', $oauthType = '', $oauthFlow = '', $oauthTokenUrl = '', $oauthAuthorizationUrl = '', $oauthScopes = [], bool $showWebby = true, bool $swaggerUiEnabled = false, bool $reDocEnabled = false, bool $graphqlEnabled = false, bool $graphiQlEnabled = false, bool $graphQlPlaygroundEnabled = false, array $swaggerVersions = [2, 3], OpenApiSwaggerUiAction $swaggerUiAction = null, $assetPackage = null, array $swaggerUiExtraConfiguration = [])
+    public function __construct(ResourceNameCollectionFactoryInterface $resourceNameCollectionFactory, $resourceMetadataFactory, NormalizerInterface $normalizer, ?TwigEnvironment $twig, UrlGeneratorInterface $urlGenerator, string $title = '', string $description = '', string $version = '', $formats = [], $oauthEnabled = false, $oauthClientId = '', $oauthClientSecret = '', $oauthType = '', $oauthFlow = '', $oauthTokenUrl = '', $oauthAuthorizationUrl = '', $oauthScopes = [], bool $showWebby = true, bool $swaggerUiEnabled = false, bool $reDocEnabled = false, bool $graphqlEnabled = false, bool $graphiQlEnabled = false, bool $graphQlPlaygroundEnabled = false, array $swaggerVersions = [2, 3], OpenApiSwaggerUiAction $swaggerUiAction = null, $assetPackage = null, array $swaggerUiExtraConfiguration = [], bool $oauthPkce = false)
     {
         $this->resourceNameCollectionFactory = $resourceNameCollectionFactory;
         $this->resourceMetadataFactory = $resourceMetadataFactory;
@@ -109,6 +110,7 @@ public function __construct(ResourceNameCollectionFactoryInterface $resourceName
         $this->swaggerUiAction = $swaggerUiAction;
         $this->swaggerUiExtraConfiguration = $swaggerUiExtraConfiguration;
         $this->assetPackage = $assetPackage;
+        $this->oauthPkce = $oauthPkce;
 
         if (null === $this->twig) {
             throw new \RuntimeException('The documentation cannot be displayed since the Twig bundle is not installed. Try running "composer require symfony/twig-bundle".');
@@ -183,6 +185,7 @@ private function getContext(Request $request, Documentation $documentation): arr
             'enabled' => $this->oauthEnabled,
             'clientId' => $this->oauthClientId,
             'clientSecret' => $this->oauthClientSecret,
+            'pkce' => $this->oauthPkce,
             'type' => $this->oauthType,
             'flow' => $this->oauthFlow,
             'tokenUrl' => $this->oauthTokenUrl,

src/Symfony/Bundle/DependencyInjection/ApiPlatformExtension.php

@@ -427,6 +427,14 @@ private function registerOAuthConfiguration(ContainerBuilder $container, array $
         $container->setParameter('api_platform.oauth.authorizationUrl', $config['oauth']['authorizationUrl']);
         $container->setParameter('api_platform.oauth.refreshUrl', $config['oauth']['refreshUrl']);
         $container->setParameter('api_platform.oauth.scopes', $config['oauth']['scopes']);
+        $container->setParameter('api_platform.oauth.pkce', $config['oauth']['pkce']);
+
+        if ($container->hasDefinition('api_platform.swagger.action.ui')) {
+            $container->getDefinition('api_platform.swagger.action.ui')->setArgument(27, $config['oauth']['pkce']);
+        }
+        if ($container->hasDefinition('api_platform.swagger_ui.action')) {
+            $container->getDefinition('api_platform.swagger_ui.action')->setArgument(10, $config['oauth']['pkce']);
+        }
     }
 
     /**

src/Symfony/Bundle/DependencyInjection/Configuration.php

@@ -260,7 +260,11 @@ private function addOAuthSection(ArrayNodeDefinition $rootNode): void
                     ->addDefaultsIfNotSet()
                     ->children()
                         ->scalarNode('clientId')->defaultValue('')->info('The oauth client id.')->end()
-                        ->scalarNode('clientSecret')->defaultValue('')->info('The oauth client secret.')->end()
+                        ->scalarNode('clientSecret')
+                            ->defaultValue('')
+                            ->info('The OAuth client secret. Never use this parameter in your production environment. It exposes crucial security information. This feature is intended for dev/test environments only. Enable "oauth.pkce" instead')
+                        ->end()
+                        ->booleanNode('pkce')->defaultFalse()->info('Enable the oauth PKCE.')->end()
                         ->scalarNode('type')->defaultValue('oauth2')->info('The oauth type.')->end()
                         ->scalarNode('flow')->defaultValue('application')->info('The oauth flow grant type.')->end()
                         ->scalarNode('tokenUrl')->defaultValue('')->info('The oauth token url.')->end()

src/Symfony/Bundle/Resources/config/legacy/swagger_ui.xml

@@ -14,6 +14,7 @@
             <argument>%api_platform.formats%</argument>
             <argument>%api_platform.oauth.clientId%</argument>
             <argument>%api_platform.oauth.clientSecret%</argument>
+            <argument>%api_platform.oauth.pkce%</argument>
         </service>
     </services>
 </container>

src/Symfony/Bundle/Resources/config/swagger_ui.xml

@@ -47,6 +47,7 @@
             <argument type="service" id="api_platform.swagger_ui.action" />
             <argument>%api_platform.asset_package%</argument>
             <argument>%api_platform.swagger_ui.extra_configuration%</argument>
+            <argument>%api_platform.oauth.pkce%</argument>
         </service>
     </services>
 </container>

src/Symfony/Bundle/Resources/config/v3/swagger_ui.xml

@@ -15,6 +15,7 @@
             <argument>%api_platform.formats%</argument>
             <argument>%api_platform.oauth.clientId%</argument>
             <argument>%api_platform.oauth.clientSecret%</argument>
+            <argument>%api_platform.oauth.pkce%</argument>
         </service>
     </services>
 </container>

src/Symfony/Bundle/Resources/public/init-swagger-ui.js

@@ -63,7 +63,8 @@ window.onload = function() {
             realm: data.oauth.type,
             appName: data.spec.info.title,
             scopeSeparator: ' ',
-            additionalQueryStringParams: {}
+            additionalQueryStringParams: {},
+            usePkceWithAuthorizationCodeGrant: data.oauth.pkce,
         });
     }
 

src/Symfony/Bundle/SwaggerUi/SwaggerUiAction.php

@@ -40,8 +40,9 @@ final class SwaggerUiAction
     private $resourceMetadataFactory;
     private $oauthClientId;
     private $oauthClientSecret;
+    private $oauthPkce;
 
-    public function __construct($resourceMetadataFactory, ?TwigEnvironment $twig, UrlGeneratorInterface $urlGenerator, NormalizerInterface $normalizer, OpenApiFactoryInterface $openApiFactory, Options $openApiOptions, SwaggerUiContext $swaggerUiContext, array $formats = [], string $oauthClientId = null, string $oauthClientSecret = null)
+    public function __construct($resourceMetadataFactory, ?TwigEnvironment $twig, UrlGeneratorInterface $urlGenerator, NormalizerInterface $normalizer, OpenApiFactoryInterface $openApiFactory, Options $openApiOptions, SwaggerUiContext $swaggerUiContext, array $formats = [], string $oauthClientId = null, string $oauthClientSecret = null, bool $oauthPkce = false)
     {
         $this->resourceMetadataFactory = $resourceMetadataFactory;
         $this->twig = $twig;
@@ -53,6 +54,7 @@ public function __construct($resourceMetadataFactory, ?TwigEnvironment $twig, Ur
         $this->formats = $formats;
         $this->oauthClientId = $oauthClientId;
         $this->oauthClientSecret = $oauthClientSecret;
+        $this->oauthPkce = $oauthPkce;
 
         if (null === $this->twig) {
             throw new \RuntimeException('The documentation cannot be displayed since the Twig bundle is not installed. Try running "composer require symfony/twig-bundle".');
@@ -89,6 +91,7 @@ public function __invoke(Request $request)
                 'scopes' => $this->openApiOptions->getOAuthScopes(),
                 'clientId' => $this->oauthClientId,
                 'clientSecret' => $this->oauthClientSecret,
+                'pkce' => $this->oauthPkce,
             ],
             'extraConfiguration' => $this->swaggerUiContext->getExtraConfiguration(),
         ];

tests/Symfony/Bundle/Action/SwaggerUiActionTest.php

@@ -102,6 +102,7 @@ public function getInvokeParameters()
                     'tokenUrl' => '',
                     'authorizationUrl' => '',
                     'scopes' => [],
+                    'pkce' => false,
                 ],
                 'shortName' => 'F',
                 'operationId' => 'getFCollection',
@@ -137,6 +138,7 @@ public function getInvokeParameters()
                     'tokenUrl' => '',
                     'authorizationUrl' => '',
                     'scopes' => [],
+                    'pkce' => false,
                 ],
                 'shortName' => 'F',
                 'operationId' => 'getFItem',
@@ -195,6 +197,7 @@ public function testDoNotRunCurrentRequest(Request $request)
                     'tokenUrl' => '',
                     'authorizationUrl' => '',
                     'scopes' => [],
+                    'pkce' => false,
                 ],
             ],
         ])->shouldBeCalled()->willReturn('');