
Out of spec HTTP authorization scheme seems accepted (Basic). #5965

@shotwn

Q&A (please complete the following information)

  • OS: Windows 10
  • Browser: Google Chrome
  • Version: 80
  • Method of installation: CDN (unpkg.com)
  • Swagger-UI version: 3.25.0
  • Swagger/OpenAPI version: OpenAPI 3.0

Content & configuration

Example Swagger/OpenAPI definition:

  securitySchemes:
    basicAuth:
      type: http
      description: 'lalala.'
      scheme: Basic

Describe the bug you're encountering

I had a typo. The scheme field on the HTTP auth was Basic instead of basic.

But even with this typo, all UI features seemed to work okay. I was able to click authorize and enter my credentials, only for them to not be sent on the request.

And actually, on the available authorizations modal, the authorization method is depicted as basicAuth (http, Basic) with a capital B, as it would be depicted in many other places.

This causes confusion, as everything seems fine but authorization headers are not sent on try it out requests. Since many issues about authorization headers seem to point at CORS issues, the whole situation causes a witch hunt over a simple typo.

Expected behavior

When the authorization scheme value is wrong (Basic instead of basic), do not show the (http, Basic) authorization in the available authorizations modal.

Or better, show a warning about an unsupported authorization method.
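
A pre-publish check for the mismatch described in this issue, as an added example that is not part of the original report and is not Swagger UI's own code. It assumes the UI only attaches credentials for the exact lowercase names `basic` and `bearer`; the function name, the finding fields and the sample definition are constructed for illustration.

```javascript
// Added example, not Swagger UI code.
// ASSUMPTION: the UI attaches credentials only for these exact, lowercase names.
const UI_HANDLED_SCHEMES = ["basic", "bearer"];

// Returns one finding per `type: http` scheme the UI would not act on.
function lintHttpSecuritySchemes(definition, handled = UI_HANDLED_SCHEMES) {
  const schemes = (definition && definition.components &&
    definition.components.securitySchemes) || {};
  const findings = [];
  for (const [name, def] of Object.entries(schemes)) {
    if (!def || def.type !== "http") continue; // apiKey, oauth2, ... are out of scope
    const scheme = def.scheme;
    if (typeof scheme !== "string" || scheme.trim() === "") {
      findings.push({ name, scheme, level: "error", reason: "missing-scheme" });
      continue;
    }
    if (handled.includes(scheme)) continue; // exact match with a handled name
    const normalized = scheme.trim().toLowerCase();
    if (handled.includes(normalized)) {
      // The case in this report: looks valid in the modal, no header is sent.
      findings.push({ name, scheme, level: "error", reason: "case-mismatch",
        suggestion: normalized });
    } else {
      findings.push({ name, scheme, level: "warning", reason: "unhandled-scheme" });
    }
  }
  return findings;
}

// Constructed sample: the scheme from the report plus three controls.
const sampleDefinition = {
  openapi: "3.0.0",
  components: {
    securitySchemes: {
      basicAuth: { type: "http", description: "lalala.", scheme: "Basic" },
      tokenAuth: { type: "http", scheme: "bearer" },
      digestAuth: { type: "http", scheme: "digest" },
      keyAuth: { type: "apiKey", in: "header", name: "X-API-Key" },
    },
  },
};

for (const f of lintHttpSecuritySchemes(sampleDefinition)) {
  console.log(`${f.level}: ${f.name} uses scheme "${f.scheme}" (${f.reason})` +
    (f.suggestion ? `, use "${f.suggestion}"` : ""));
}
```

Running the check in CI on the parsed definition surfaces the typo before anyone starts debugging CORS.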
