add swagger openIdConnect by hu-ahmed · Pull Request #2330 · eclipse-ditto/ditto

hu-ahmed · 2026-02-04T13:04:04Z

No description provided.

thjaeckle

As far as I see, this added OIDC integration will only work if there is an URL serving the environment data.
The Ditto UI however does not rely on such an endpoint (it is an optional thing to configure) - it falls back to local browser storage to load either a default or manually added/edited environments from this local storage.

I think it makes sense to "re-use" the approach of this environment-URL - in order to effectively be able to just have one endpoint for the Ditto UI and the Swagger UI.
The mechanism however must also work without having such an endpoint.

Could you have another look in that direction, please?

deployment/helm/ditto/swaggerui-config/swagger-oidc.js

documentation/src/main/resources/openapi/ditto-api-2.yml

thjaeckle · 2026-02-10T08:32:13Z

deployment/helm/ditto/swaggerui-config/swagger-oidc.js

+        if (!envs || typeof envs !== "object") {
+            return null;
+        }
+        const name = envName || Object.keys(envs)[0];


@hu-ahmed the problem with this approach is:
If our environments contain multiple entries, here a random one gets picked.
I tried locally with the default Ditto environments (or which were still in my local storage) and it chose an environment which does not even have an oidc provider configured.

I think we should support that case if no envName is provided explicitly.
But then already in this method choose a oidc supporting provider. If we have multiple, we can choose the first one I would say. 👍

documentation/src/main/resources/openapi/sources/api-2-index.yml

thjaeckle · 2026-02-10T08:33:57Z

documentation/src/main/resources/openapi/sources/api-2-index.yml

    Google:
      $ref: "./security/google.yml"


thjaeckle · 2026-02-10T08:38:48Z

deployment/docker/swagger3-index.html

+        await SwaggerOidc.initSwaggerUiWithOidc({
+            specUrl: openApiPath,
+            openApiFileName: "ditto-api-2.yml",
+            oauth2RedirectPath: "/oauth2-redirect.html",


@hu-ahmed are you sure that this works? I would assume this has to be /apidoc/oauth2-redirect.html?

I tried the flow and it tried to redirect me to http://localhost:8080/oauth2-redirect.html

deployment/docker/swagger3-index.html

thjaeckle · 2026-02-10T08:44:16Z

deployment/helm/ditto/swaggerui-config/index.html

+            urls: [{url: "./openapi/ditto-api-2.yml", name:"Ditto API v2"}],
+            primaryName: "Ditto API v2",
+            openApiFileName: "ditto-api-2.yml",
+            oauth2RedirectPath: "/oauth2-redirect.html",


Same here - before the redirect uri was: oauth2RedirectUrl: window.location.origin + "./oauth2-redirect.html" - I don't think an absolute /oauth2-redirect.html works

thjaeckle · 2026-02-10T08:59:28Z

deployment/helm/ditto/swaggerui-config/swagger-oidc.js

+                SwaggerUIBundle.plugins.DownloadUrl
+            ],
+            layout: "StandaloneLayout",
+            oauth2RedirectUrl: global.location.origin + (opts.oauth2RedirectPath || "/oauth2-redirect.html"),


@hu-ahmed ah, I understand .. you wanted to add the /apidoc path here ..
This seems however not to work.
For me this resolved to: http://localhost:8080 - the apidocs locally served at url http://localhost:8080/apidoc/

thjaeckle assigned hu-ahmed Feb 6, 2026

thjaeckle added this to Ditto Planning Feb 6, 2026

thjaeckle added this to the 3.9.0 milestone Feb 6, 2026

thjaeckle requested changes Feb 9, 2026

View reviewed changes

deployment/helm/ditto/swaggerui-config/swagger-oidc.js Show resolved Hide resolved

deployment/helm/ditto/swaggerui-config/swagger-oidc.js Show resolved Hide resolved

deployment/helm/ditto/swaggerui-config/swagger-oidc.js Show resolved Hide resolved