I'm not getting a scope checkbox when the Authorize tag doesn't contain roles, Ajax authorization request not sending scope either

Backend | Unresolved | 2 | 1772
执笔经年 2021-01-22 19:21

UPDATE 2: If I change my controller Authorize tag from this

[Authorize]

to this

[Authorize(Roles = "Read")]
2 replies
  •  臣服心动
    2021-01-22 19:40

    These are the steps which we have done, and they worked:

    I. In the SwaggerConfig file, add the below settings:

    c.OAuth2("oauth2")
        .Description("OAuth2 Implicit Grant")
        .Flow("implicit")
        .AuthorizationUrl(swaggerConfigurations["IssuerUri"].ToString())
        .Scopes(scopes =>
        {
            scopes.Add("user_scope", "Access REST API");
        });

    The attributes are:

    • Name of the authorization scheme (oauth2 in the above sample)
    • Description of the authorization scheme
    • Flow – Type of grant to be used
    • Authorization Url – Should be the authorization URL of the identity management system (eg: https://auth2.test.com/oauth2/authorize)
    • Scopes – The scope name

    II. In the SwaggerConfig file, add the below settings also under the swagger ui configuration section:

    c.EnableOAuth2Support(
        swaggerConfigurations["ClientId"].ToString(),
        string.Empty,
        swaggerConfigurations["RedirectUri"].ToString(),
        "Swagger",
        " ",
        new Dictionary<string, string> { { "resource", GetResources() } });

    The method accepts the below parameters:

    • clientId – This should be the client ID for Swagger configured in the Security Token Service
    • clientSecret – This should be the client secret key. It is required only for the Code grant type
    • realm – This should be the redirect URL (this should be [base address] + swagger/ui/o2c-html)
    • appName – This should be swagger
    • scopeSeperator – This is not required to be passed if there is only one scope
    • additionalQueryStringParams – This should have the list of valid audiences, which corresponds to the resource for which the token is issued.

    III. Create a new Operation Filter in the web api project as shown below:

    using System.Collections.Generic;
    using System.Linq;
    using System.Web.Http;
    using System.Web.Http.Description;
    using Swashbuckle.Swagger;

    public class CustomOperationFilter : IOperationFilter
    {
        public void Apply(Operation operation, SchemaRegistry schemaRegistry, ApiDescription apiDescription)
        {
            string clientId = "clientID";
            if (apiDescription != null)
            {
                var actFilters = apiDescription.ActionDescriptor.GetFilterPipeline();

                // Skip actions marked [AllowAnonymous]: they need no security requirement
                var allowsAnonymous = actFilters.Select(f => f.Instance).OfType<AllowAnonymousAttribute>().Any();
                if (allowsAnonymous)
                {
                    return; // must be an anonymous method
                }
            }

            if (operation != null)
            {
                if (operation.security == null)
                {
                    operation.security = new List<IDictionary<string, IEnumerable<string>>>();
                }

                // Scheme name must match the one registered with c.OAuth2("oauth2")
                var authRequirements = new Dictionary<string, IEnumerable<string>>
                {
                    { "oauth2", new List<string> { clientId } }
                };

                operation.security.Add(authRequirements);
            }
        }
    }

    This class will be used to bind the OAuth scopes to the individual operations.

    IV. Add the above filter in the swagger config file (see code below)

    c.OperationFilter<CustomOperationFilter>();

    V. Configure the Client ID, Secret, Redirect Url and Resource in Security Token Service

    VI. In the Web API project, if there is an index.html being used to inject API specific UI fields/styles, then make sure that all the JavaScript code is kept intact with the Swashbuckle version of the index.html file (as provided in the location - https://github.com/domaindrivendev/Swashbuckle/blob/master/Swashbuckle.Core/SwaggerUi/CustomAssets/index.html)
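An added example, not part of the reply above, showing one way to build the operation filter from step III so that the scope checkbox appears for a plain [Authorize] as well as for [Authorize(Roles = "...")]. It assumes Swashbuckle 5.x for ASP.NET Web API, that "user_scope" is the scope registered in step I, and that role names are reused as scope names.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Web.Http;
using System.Web.Http.Description;
using Swashbuckle.Swagger;

// Maps [Authorize] on the action or controller to the scope list Swagger UI shows as checkboxes.
public class AuthorizeScopeOperationFilter : IOperationFilter
{
    // Assumption: this is the scope name registered in c.OAuth2("oauth2").Scopes(...).
    // The names emitted below must match the registered scope names exactly,
    // otherwise Swagger UI has nothing to render as a checkbox.
    private const string DefaultScope = "user_scope";

    public void Apply(Operation operation, SchemaRegistry schemaRegistry, ApiDescription apiDescription)
    {
        if (operation == null || apiDescription == null) return;

        var action = apiDescription.ActionDescriptor;
        var controller = action.ControllerDescriptor;

        // [AllowAnonymous] on the action or the controller: no security requirement at all.
        if (action.GetCustomAttributes<AllowAnonymousAttribute>().Any()
            || controller.GetCustomAttributes<AllowAnonymousAttribute>().Any())
            return;

        // Collect [Authorize] from both levels; Web API applies both filters.
        var authorizeAttrs = action.GetCustomAttributes<AuthorizeAttribute>()
            .Concat(controller.GetCustomAttributes<AuthorizeAttribute>())
            .ToList();
        if (authorizeAttrs.Count == 0) return; // no [Authorize] anywhere: leave the operation open

        // Assumption: Roles = "Read,Write" becomes the scopes "Read" and "Write".
        var scopes = authorizeAttrs
            .Where(a => !string.IsNullOrWhiteSpace(a.Roles))
            .SelectMany(a => a.Roles.Split(','))
            .Select(r => r.Trim())
            .Where(r => r.Length > 0)
            .Distinct()
            .ToList();
        if (scopes.Count == 0) scopes.Add(DefaultScope); // plain [Authorize]: still needs one scope

        if (operation.security == null)
            operation.security = new List<IDictionary<string, IEnumerable<string>>>();
        operation.security.Add(new Dictionary<string, IEnumerable<string>>
        {
            { "oauth2", scopes } // key must equal the scheme name passed to c.OAuth2("oauth2")
        });
    }
}
```

Register it with c.OperationFilter<AuthorizeScopeOperationFilter>() in place of the filter from step IV.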
