Merge pull request #17434 from abpframework/gterdem/swagger_default_metadata_fix

Swagger with OIDC doesn't need full path

docs/en/API/Swagger-Integration.md

@@ -153,3 +153,38 @@ public override void OnApplicationInitialization(ApplicationInitializationContex
 ```
 
 > Do not forget to set `OAuthClientId` and `OAuthClientSecret`.
+
+## Using Swagger with OIDC
+
+You may also want to configure swagger using **OpenIdConnect** instead of OAUTH. This is especially useful when you need to configure different metadata address than the issuer in cases such as when you deploy your application to kubernetes cluster or docker. In these cases, metadata address will be used in sign-in process to reach the valid authentication server discovery endpoint over the internet and use the internal network to validate the obtained token.
+
+To do that, we need to use `AddAbpSwaggerGenWithOidc` extension to configure Swagger with OAuth issuer and scopes in `ConfigureServices` method of our module:
+
+```csharp
+context.Services.AddAbpSwaggerGenWithOidc(
+    configuration["AuthServer:Authority"],
+    scopes: new[] { "SwaggerDemo" },
+    // "authorization_code"
+    flows: new[] { AbpSwaggerOidcFlows.AuthorizationCode },
+    // When deployed on K8s, should be metadata URL of the reachable DNS over internet like https://myauthserver.company.com
+    discoveryEndpoint: configuration["AuthServer:Authority"],
+    options =>
+    {
+        options.SwaggerDoc("v1", new OpenApiInfo { Title = "SwaggerDemo API", Version = "v1" });
+        options.DocInclusionPredicate((docName, description) => true);
+        options.CustomSchemaIds(type => type.FullName);
+    });
+```
+
+The `flows` is a list of default oidc flows that is supported by the oidc-provider (authserver). You can see the default supported flows below:
+
+- `AbpSwaggerOidcFlows.AuthorizationCode`: The `"authorization_code"` flow is the **default and suggested** flow. **Doesn't require a client secret** when even there is a field for it.
+-  `AbpSwaggerOidcFlows.Implicit`: The deprecated `"implicit"` flow that was used for javascript applications.
+- `AbpSwaggerOidcFlows.Password`: The legacy `password` flow which is also known as Resource Ownder Password flow. You need to provide a user name, password and client secret for it.
+- `AbpSwaggerOidcFlows.ClientCredentials`: The `"client_credentials"` flow that is used for server to server interactions.
+
+You can define one or many flows which will be shown in the Authorize modal. You can set it **null which will use the default "authorization_code"** flow.
+
+The `discoveryEndpoint` is the reachable openid-provider endpoint for the `.well-known/openid-configuration`. You can set it to **null which will use default AuthServer:Authority** appsettings configuration. If you are deploying your applications to a kubernetes cluster or docker swarm, you should to set the `discoveryEndpoint` as real DNS that should be reachable over the internet. 
+
+> If are having problems with seeing the authorization modal, check the browser console logs and make sure you have a correct and reachable `discoveryEndpoint`

framework/src/Volo.Abp.Swashbuckle/wwwroot/swagger/ui/abp.swagger.js

@@ -28,7 +28,16 @@ var abp = abp || {};
             }
             // Intercept .well-known request when the discoveryEndpoint is provided
             if (!firstRequest && oidcDiscoveryEndpoint.length !== 0 && request.url.includes(".well-known/openid-configuration")) {
-                request.url = oidcDiscoveryEndpoint;
+                if (oidcDiscoveryEndpoint.endsWith(".well-known/openid-configuration")) {
+                    request.url = oidcDiscoveryEndpoint;
+                    console.log(request.url);
+                    return;
+                }
+                if (!oidcDiscoveryEndpoint.endsWith("/")) {
+                    oidcDiscoveryEndpoint += "/"
+                }
+                request.url = oidcDiscoveryEndpoint + ".well-known/openid-configuration";
+                console.log(request.url);
             }
 
             var antiForgeryToken = abp.security.antiForgery.getToken();