Adding basic authentication to swashbuckle

Note: This is applies to swashbuckle 5.2.2 and below, will update post for 5.4.0.

On my recent endeavors, I’ve had the pleasure of getting to use “Swagger”, yes it is as swag as it sounds…
Swagger for .Net is thankfully packaged by a guy I only know as “DomainDriven” on github.
The .Net version is called “Swashbuckle”.
I will not go in to adding swashbuckle to your project, the README pretty much says it all.
Lets get back to basic-auth.
According to the swashbuckle docs, to add Basic-Auth to swashbuckle, you need to add the following in the SwaggerConfig.cs file

This adds the “SecurityDefinition” as per the swagger spec.
The SwashBuckler docs finishes the security segment with

NOTE: These only define the schemes and need to be coupled with a corresponding “security” property at the document or operation level to indicate which schemes are required for each operation. To do this, you’ll need to implement a custom IDocumentFilter and/or IOperationFilter to set these properties according to your specific authorization implementation

Which is what I’ll be showing you how to do.


Lets start with the UI.
To remove the APIKey input and replace that with a nice username/password input pair, we need to inject a new index.html.
Note: You can see the base swagger index file here
You can see the entire index.html below
What I’ve changed from the original index.html is actually not a whole lot.
I’ve removed everything that had to do with the apikey input and instead added new username and password inputs;
Now all there needs to be done is to inject the new index file into swagger-ui

Now that we have the UI in order, we move on to the actual spec implementation.
To actually live up to the swagger spec, we are still missing the Security Requirement Object on the operations.
According to the spec;

Security Requirement Object
Lists the required security schemes to execute this operation. The object can have multiple security schemes declared in it which are all required (that is, there is a logical AND between the schemes).
The name used for each property MUST correspond to a security scheme declared in the Security Definitions.

Which basically means that we need to add "security": [{"basic": []}] to all of our operations.
This only applies to the code generated by swagger, but how do we implement this through Swashbuckle?
We need to create a class that inherits from the IOperationFilter interface.
And then add the security scheme to all operation.
The security theme is basically just a “basic : []” applied under the security configuration (speaking in pure swagger spec terms).

Now we just need to apply the OperationsFilter in the SwaggerConfig

and that is it, now the “basic” security scheme will be applied to all operations.

5 thoughts on “Adding basic authentication to swashbuckle”

  1. thanks for tuturial, but there is a problem.
    when i go to for instance “” it shows a simple page with two textboxes and a login button.
    this means i have lost swagger-ui functionality
    on the other hand you didn’t mention where we get and check entered username and password.
    could you help me in any of named cases above?

    1. If you look at my other post “Most basic, basic authentication” –
      This should give you an Idea, of where and how to authenticate and authorize.
      The trick is to apply the authenticate attribute to all endpoints actually needing it. Thus providing the documentation to unauthorized users.
      But all calls to API endpoints will need authorization.
      You could then look at my other post – to show which roles (if using roles) are required for different endpoints.

  2. I have got the same problem as it described in previous question ,I am getting the simple page with two inputs and login button,I can see in browser console that swagger-ui is not loaded.

      1. This happened to me, but i realized I had named my folder “swagger” and so it was loading the index.html file by itself and not loading the swagger UI.

Leave a Reply

Your email address will not be published. Required fields are marked *