Adding basic authentication to swashbuckle

Note: This is applies to swashbuckle 5.2.2 and below, will update post for 5.4.0.

On my recent endeavors, I’ve had the pleasure of getting to use “Swagger”, yes it is as swag as it sounds…
Swagger for .Net is thankfully packaged by a guy I only know as “DomainDriven” on github.
The .Net version is called “Swashbuckle”.
I will not go in to adding swashbuckle to your project, the README pretty much says it all.
Lets get back to basic-auth.
According to the swashbuckle docs, to add Basic-Auth to swashbuckle, you need to add the following in the SwaggerConfig.cs file

This adds the “SecurityDefinition” as per the swagger spec.
The SwashBuckler docs finishes the security segment with

NOTE: These only define the schemes and need to be coupled with a corresponding “security” property at the document or operation level to indicate which schemes are required for each operation. To do this, you’ll need to implement a custom IDocumentFilter and/or IOperationFilter to set these properties according to your specific authorization implementation

Which is what I’ll be showing you how to do.


Lets start with the UI.
To remove the APIKey input and replace that with a nice username/password input pair, we need to inject a new index.html.
Note: You can see the base swagger index file here
You can see the entire index.html below
What I’ve changed from the original index.html is actually not a whole lot.
I’ve removed everything that had to do with the apikey input and instead added new username and password inputs;
Now all there needs to be done is to inject the new index file into swagger-ui

Now that we have the UI in order, we move on to the actual spec implementation.
To actually live up to the swagger spec, we are still missing the Security Requirement Object on the operations.
According to the spec;

Security Requirement Object
Lists the required security schemes to execute this operation. The object can have multiple security schemes declared in it which are all required (that is, there is a logical AND between the schemes).
The name used for each property MUST correspond to a security scheme declared in the Security Definitions.

Which basically means that we need to add "security": [{"basic": []}] to all of our operations.
This only applies to the code generated by swagger, but how do we implement this through Swashbuckle?
We need to create a class that inherits from the IOperationFilter interface.
And then add the security scheme to all operation.
The security theme is basically just a “basic : []” applied under the security configuration (speaking in pure swagger spec terms).

Now we just need to apply the OperationsFilter in the SwaggerConfig

and that is it, now the “basic” security scheme will be applied to all operations.