Negotiate Authentication on Windows

[plk]

• OS: WIndows
• Browser: Any
• Version: Any
• Method of installation: dist
• Swagger-UI version: 3.20.5
• Swagger/OpenAPI version: OpenAPI 3.0

I see that OAS3 allows for "negotiate" authentication but Swagger-UI seems not to implement this? This is a very common thing in corporate APIs, naturally. Swagger-UI does not do the usual Windows Negotiate header exchange with the "Try It Out" functionality even though identical requests work fine with NTLM/Kerberos negotiated authentication directly in the browser. If there is any way to get this to work, would be interested.

[shockey]

@plk that's correct, Swagger UI doesn't currently support scheme: negotiate. This is the first time support for it has been requested 😄

For now, the best option is what you mentioned - go through your auth flow in your user agent. I'm going to tag this as a feature request so we can track direct support for it in Swagger UI.

[plk]

I'm surprised as so many companies use this internally now and so many use Windows auth for APIs. I know of dozens of such use cases coming up currently. I can test this if there are any beta releases.

[michael-o]

I don't understand @plk's requirement. We are a large enterprise and we do use either SPNEGO or certificate-based authentication. Both are supported with OAS 3.1.0 only. There is nothing Swagger UI can do here, but one thing: don't display authenticate because in both cases the browser will do it for you automatically, you don't have any control over. The padlock should be locked and considered as autologon.

[plk]

Well, Swagger UI uses curl to send the request for the "Try it Out" functionality so I'm not sure the browser is relevant here? When I looked at the requests coming in, there was no attempt to do SPNEGO from the curl requests generated by Swagger UI and so I would assume that when in OAS 3.1, we specify security: Windows [] or whatever, then Swagger UI needs to pass the relevant arguments to the curl requests to use SPNEGO?

[michael-o]

??? Swagger does not use curl, it uses the browser to perform the request. Providing the curl request is just convenience. All you need for a complete curl request is --negotiate -u :

[plk]

Sorry, I was confused about this. The problem, when I looked at the requests sent by Swagger UI, was that the Negotiate headers were not being sent/responded to for some reason. I couldn't get an NTLM authenticated API to work at all and assumed that this was a missing feature as it wasn't sending/responding in the right way but you are saying that this should work?

[michael-o]

I will recheck on Monday and will let you know

[michael-o]

Just tried Swagger UI on a non-existing, but constraint endpoint. The response is:

``´
date: Mon, 21 Oct 2019 08:53:40 GMT
server: Apache/2.4.41 (FreeBSD) OpenSSL/1.1.1a-freebsd mod_auth_gssapi/1.6.1
x-frame-options: SAMEORIGIN
cache-control: private
expires: Thu, 01 Jan 1970 00:00:00 GMT
www-authenticate: Negotiate oYHzMIHwoAMKAQChCwYJKoZIgvcSAQICom0Ea2BpBgkqhkiG9xIBAgICAG9aMFigAwIBBaEDAgEPokwwSqADAgESokMEQdsOajUCT/Ox9brkqvCb5FKTv6VUmQt1MTtud2cKgvdaBb8hPw1oq2a3jLU6SkG9g6m/+5kdMkq78cjBwhxf+jPqo20Ea2BpBgkqhkiG9xIBAgICAG9aMFigAwIBBaEDAgEPokwwSqADAgESokMEQdsOajUCT/Ox9brkqvCb5FKTv6VUmQt1MTtud2cKgvdaBb8hPw1oq2a3jLU6SkG9g6m/+5kdMkq78cjBwhxf+jPq
content-type: text/html;charset=utf-8
content-language: de
content-length: 1058
correlation-id: Xa1yESYEQYW3ZEzbgwxkYwAAAMY
keep-alive: timeout=300, max=94
connection: Keep-Alive

As you can see the server properly returns a ticket to complete the security context.

[plk]

You are correct, I cannot remember exactly what I saw originally with this but I think this should be closed. Apologies for the confusion.

[michael-o]

This should not be closed, but the above case (autologon) should be implemented in Swagger UI.

[plk]

That would be helpful, yes. I can’t get SPNEGO to work with the UI in Edge or Firefox but it does work with IE, which I suspect was the source of the original confusion. I suspect this is due to corporate browser setup however.