 

SpringDoc OIDC: how to show only Implicit Flow among the available authorizations?

I'm trying to configure SpringDoc/Swagger-UI in order to show only the Implicit Flow when clicking on the Authorize button.

However, it shows all the possible authorization methods supported by the IDAM, as shown at /.well-known/openid-configuration:

"grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials","urn:ietf:params:oauth:grant-type:device_code","urn:openid:params:grant-type:ciba"]

  • authorization_code
  • implicit
  • refresh_token
  • password
  • client_credentials
  • urn:ietf:params:oauth:grant-type:device_code
  • urn:openid:params:grant-type:ciba

This is my current configuration:

@Configuration
@RequiredArgsConstructor
public class OpenAPIConfiguration {
    private final OAuth2Configuration oAuth2Configuration;

    @Bean
    public SecurityScheme securityScheme() {
        String tokenIssuer = this.oAuth2Configuration.getIssuers().get(0);
        String openIdConnectUrl = tokenIssuer + "/.well-known/openid-configuration";

        OAuthFlow implicitOAuthFlow = new OAuthFlow();

        return new SecurityScheme()
                .name("OIDC-Auth")
                .type(SecurityScheme.Type.OPENIDCONNECT)
                .scheme("bearer")
                .bearerFormat("jwt")
                .in(SecurityScheme.In.HEADER)
                .openIdConnectUrl(openIdConnectUrl)
                .flows(new OAuthFlows().implicit(implicitOAuthFlow));
    }

    @Bean
    public SecurityRequirement securityRequirement() {
        return new SecurityRequirement().addList("OIDC-Auth");
    }

    @Bean
    public OpenAPI openAPI(SecurityScheme securityScheme, SecurityRequirement securityRequirement) {
        return new OpenAPI()
                .info(new Info()
                        .title("MY API")
                        .version("1"))
                .components(new Components()
                        .addSecuritySchemes(securityScheme.getName(), securityScheme))
                .addSecurityItem(securityRequirement);
    }
}

How can I limit the flows to be displayed on the UI?

1Z10 asked Dec 14 '25 19:12


1 Answer

The example below works for me:

...

    private static final String PROTOCOL_OPENID_CONNECT = "%s/realms/%s/protocol/openid-connect";

    @Bean
    OpenAPI customOpenApi() {
        return new OpenAPI()
                .addServersItem(new Server().url(API_SERVER_URL))
                .components(createOauth2SecurityScheme())
                .security(createOauth2SecurityRequirement())
                .info(createInfo());
    }

    private Components createOauth2SecurityScheme() {
        return new Components().addSecuritySchemes("oAuth2", createOauth2Scheme());
    }

    private List<SecurityRequirement> createOauth2SecurityRequirement() {
        return List.of(new SecurityRequirement().addList("oAuth2"));
    }

    private SecurityScheme createOauth2Scheme() {
        String authUrl = String.format(PROTOCOL_OPENID_CONNECT, AUTH_SERVER_URL, REALM);
        String tokenUrl = String.format(PROTOCOL_OPENID_CONNECT, AUTH_SERVER_URL, REALM);
        return new SecurityScheme()
                .type(SecurityScheme.Type.OAUTH2)
                .description("OAuth2 Flow")
                .flows(new OAuthFlows()
                        .authorizationCode(
                                new OAuthFlow()
                                        .authorizationUrl(authUrl + "/auth")
                                        .tokenUrl(tokenUrl + "/token")
                                        .scopes(new Scopes())
                                ));
    }

...

Diogo answered Dec 16 '25 23:12
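The approach in the answer (an OAUTH2-type scheme that declares its flows explicitly instead of pointing at the discovery URL), as an added example that is not code from the question or the answer: it builds a scheme with exactly one flow from a parsed discovery document, after checking that the issuer matches and that the IdP advertises the requested grant. The class name `SingleFlowSchemeFactory`, the method `build`, the `idp.example.test` host and the `openid` scope are assumptions made for illustration; it assumes Java 17 with Jackson and swagger-models on the classpath.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import io.swagger.v3.oas.models.security.OAuthFlow;
import io.swagger.v3.oas.models.security.OAuthFlows;
import io.swagger.v3.oas.models.security.Scopes;
import io.swagger.v3.oas.models.security.SecurityScheme;

/** Added example (hypothetical helper, not from the original posts). */
public final class SingleFlowSchemeFactory {
    /** Builds an OAUTH2 scheme with exactly one flow from a parsed discovery document. */
    public static SecurityScheme build(String expectedIssuer, JsonNode discovery, String grant) {
        // OIDC Discovery: the advertised issuer must equal the issuer we configured.
        if (!expectedIssuer.equals(discovery.path("issuer").asText())) {
            throw new IllegalStateException("issuer mismatch in discovery document");
        }
        boolean supported = false;
        for (JsonNode g : discovery.path("grant_types_supported")) {
            supported |= grant.equals(g.asText());
        }
        if (!supported) {
            throw new IllegalStateException("IdP does not advertise grant: " + grant);
        }
        OAuthFlow flow = new OAuthFlow()
                .authorizationUrl(discovery.path("authorization_endpoint").asText())
                .scopes(new Scopes().addString("openid", "OpenID Connect sign-in"));
        OAuthFlows flows = new OAuthFlows();
        switch (grant) {
            case "implicit" -> flows.implicit(flow);
            case "authorization_code" ->
                    flows.authorizationCode(flow.tokenUrl(discovery.path("token_endpoint").asText()));
            default -> throw new IllegalArgumentException("unsupported grant: " + grant);
        }
        return new SecurityScheme().type(SecurityScheme.Type.OAUTH2).flows(flows);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample discovery document (placeholder host), not real IdP output.
        String json = """
            {"issuer":"https://idp.example.test",
             "authorization_endpoint":"https://idp.example.test/authorize",
             "token_endpoint":"https://idp.example.test/token",
             "grant_types_supported":["authorization_code","implicit","password"]}""";
        JsonNode discovery = new ObjectMapper().readTree(json);
        OAuthFlows flows = build("https://idp.example.test", discovery, "implicit").getFlows();
        System.out.println("implicit=" + (flows.getImplicit() != null)
                + " authorizationCode=" + (flows.getAuthorizationCode() != null));
    }
}
```

In a Spring configuration the discovery document would be fetched once at startup and the returned scheme registered under the name used in the SecurityRequirement. For the authorization_code flow, springdoc's `springdoc.swagger-ui.oauth.usePkceWithAuthorizationCodeGrant` property enables PKCE in Swagger UI.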


