Forum Discussion

dwiekropki
New Contributor
6 years ago

Client credentials location - request body as default option

Hi! Is there any possibility to set 'Request body' option as default one in authorization modal?
  • kyleshockey
    6 years ago

    Hi,

    This isn't currently possible - Swagger UI always defaults to including client credentials in an Authorization header, because the OAuth specification recommends doing so:

    Including the client credentials in the request-body using [client_id and client_secret] is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes).

    RFC 6749 § 2.3.1

    We always default to the HTTP Basic authentication scheme (we call it the "Authorization header" credentials location) in Swagger UI, because Swagger UI (along with most HTTP-aware clients) is capable of using it.

    In order to support indicating where to include client credentials, a field would need to be added to the OpenAPI Specification's OAuth2 Flow object, which would allow password flows to indicate a preferred client credential inclusion location.
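
The two client credential locations discussed in this thread, as an added example (not part of the original posts and not Swagger UI's own code): a password-flow token request built with the credentials in an HTTP Basic Authorization header and, alternatively, in the request body, following RFC 6749 § 2.3.1. The function names, the `location` values, the token URL and the credentials are hypothetical, constructed for illustration.

```javascript
// Added example; all names and sample values are hypothetical/constructed.
// application/x-www-form-urlencoded encoding of a single value (space -> "+").
const formEncode = (s) => new URLSearchParams({ v: s }).toString().slice(2);

function buildTokenRequest({ tokenUrl, clientId, clientSecret, location, grant }) {
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  const body = new URLSearchParams(grant);
  if (location === "header") {
    // RFC 6749 section 2.3.1: form-encode id and secret, join with ":", Base64.
    // Encoding first keeps a ":" inside the secret from breaking the split.
    const pair = `${formEncode(clientId)}:${formEncode(clientSecret)}`;
    headers.Authorization = "Basic " + Buffer.from(pair, "utf8").toString("base64");
  } else if (location === "body") {
    // NOT RECOMMENDED by the RFC: the secret travels with the form
    // parameters, which tend to end up in request logs and debug tooling.
    body.set("client_id", clientId);
    body.set("client_secret", clientSecret);
  } else {
    throw new Error(`unknown credentials location: ${location}`);
  }
  return { method: "POST", url: tokenUrl, headers, body: body.toString() };
}

// Authorization-server side: recover the client credentials from the header.
function parseBasicClientAuth(headerValue) {
  const [scheme, b64] = String(headerValue).split(" ");
  if (scheme !== "Basic" || !b64) return null;
  const decoded = Buffer.from(b64, "base64").toString("utf8");
  const i = decoded.indexOf(":");
  if (i < 0) return null;
  const dec = (s) => new URLSearchParams("v=" + s).get("v");
  return { clientId: dec(decoded.slice(0, i)), clientSecret: dec(decoded.slice(i + 1)) };
}

// Constructed sample input: a client id with a space, a secret with ":" and "+".
const sample = {
  tokenUrl: "https://auth.example.test/oauth/token",
  clientId: "demo client",
  clientSecret: "s3cr:t+/=",
  grant: { grant_type: "password", username: "alice", password: "constructed-pw" },
};
const viaHeader = buildTokenRequest({ ...sample, location: "header" });
const viaBody = buildTokenRequest({ ...sample, location: "body" });
console.log(viaHeader.headers.Authorization, "|", viaHeader.body);
console.log(viaBody.body);
```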