Swagger UI: X-XSRF-TOKEN is sent to OAuth2 token url

[daniel-shuy]

Describe the bug
When configuring OpenAPI with OAuth2 security scheme and springdoc-openapi-ui with springdoc.csrf.enabled=true, Swagger UI will include X-XSRF-TOKEN in the request to the OAuth2 token url.

Certain OAuth2 providers (in my case, Keycloak) with CORS protection may cause the browser to block the request due to the presence of X-XSRF-TOKEN, since it is not typically in the Access-Control-Allow-Headers list.

To Reproduce
Steps to reproduce the behavior:

• What version of spring-boot you are using? 2.4.1
• What modules and versions of springdoc-openapi are you using? springdoc-openapi-ui:1.5.1
• Provide with a sample code (HelloController) or Test that reproduces the problem:

new OpenAPI()
    .addSecurityItem(new SecurityRequirement()
        .addList("keycloak")
    )
    .components(new Components()
        .addSecuritySchemes("keycloak", new SecurityScheme()
            .type(SecurityScheme.Type.OAUTH2)
            .flows(new OAuthFlows()
                .authorizationUrl("http://<keycloakUrl>/auth/realms/<realm>/protocol/openid-connect/auth")
                .tokenUrl("http://<keycloakUrl>/auth/realms/<realm>/protocol/openid-connect/token")
            )
        )
    );

springdoc:
  swagger-ui:
    csrf:
      enabled: true

Expected behavior
Swagger UI should not include X-XSRF-TOKEN for OAuth2 token url requests.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.

[bnasslahsen]

@daniel-shuy,

X-XSRF-TOKEN is the default value for many providers.
You can adapt the cookie-name and `header-name, as described in the swagger-ui-properties section

[daniel-shuy]

@bnasslahsen what I meant is that the X-XSRF-TOKEN should still be sent in requests to the endpoint urls, but excluded from the requests to the OAuth2 token url.

The CSRF support is meant for the application, not for the OAuth2 provider. My endpoints (using Spring Security) still expects X-XSRF-TOKEN, but Keycloak does not expect any CSRF token (there are no CSRF headers in Keycloak's Access-Control-Allow-Headers, renaming the header name does not solve this issue).

[bnasslahsen]

If Keycloak doesn't respect any CSRF token, why do you add springdoc.swagger-ui.csrf.enabled ?

[daniel-shuy]

Because my application endpoints needs the CSRF token. Keycloak is only used to authenticate/authorize.

[bnasslahsen]

Who generates the CSRF token ?

[daniel-shuy]

Who generates the CSRF token ?

The application. I don't think there is much value for an OAuth2 provider to have CSRF protection (but may have to test if Spring Security OAuth2 Server in a project with CSRF protection enabled expects a CSRF token in the OAuth2 token url).

[bnasslahsen]

This doesn't seem to be an issue in springdoc-openapi. You can check springdoc-openapi to dig further.
Please check your applications architecture /configuration .

If you really feel you are facing an issue, make sure to analyse root cause.

[daniel-shuy]

I have already done a in depth analysis on this, please try to understand the issue:

My application is a typical Spring MVC application, with Spring Security (which has CSRF protection enabled by default). This requires springdoc.swagger-ui.csrf.enabled to be true to use springdoc-openapi-ui.

With springdoc.swagger-ui.csrf.enabled set to true, all requests from Swagger UI includes the CSRF token header, which is fine.

However, to test protected endpoints with Swagger UI, we need to authorize. This is configured using the OAuth2 Security Scheme as mentioned above, which displays a Authorize button at the top right of the Swagger UI page:

Clicking on the Authorize button displays the popup below:

Clicking on the Authorize button in the popup opens the OAuth2 authorization url in another tab, and after a successful login, Swagger UI calls the OAuth2 token url to get the access token from the OAuth2 provider (in this case Keycloak).

If you need further evidence to back up my explanation, the Console error shows that the requests originates from swagger-ui/index.html?configUrl=/api/v3/api-docs/swagger-config, aka Swagger UI. The authorization flow does not go through the application whatsoever, it is solely between Swagger UI and Keycloak, and nothing to do with my application configuration (besides the springdoc-openapi configuration):

[bnasslahsen]

@daniel-shuy,

As you said, it might be between Swagger UI and Keycloak projects.
This is said, i encourage you to see the documentation of Keycloak, where you might found the configuration to allow the CSRF headers, which seems to be your issue.

I am locking this conversation, as we do not provide support for third party products configuration...