Google OAuth2 authentication in Swagger for a Node.js application
I have created a simple NodeJS application which is using Passport for handling OAuth2 authentication using Google. I created credentials in Google API, configured the Google strategy ...
    const express = require('express');
    const session = require('express-session'); // assumed: not shown in the question, but passport.session() needs it
    const passport = require('passport');
    const GoogleStrategy = require('passport-google-oauth').OAuth2Strategy;

    const app = express();

    // The whole Google profile object is stored in the session as-is.
    passport.serializeUser((user, cb) => {
      cb(null, user);
    });
    passport.deserializeUser((user, cb) => {
      cb(null, user);
    });

    passport.use(new GoogleStrategy({
      clientID: process.env.CLIENTID,
      clientSecret: process.env.CLIENTSECRET,
      callbackURL: process.env.CALLBACK,
      passReqToCallback: true
    },
    function(request, accessToken, refreshToken, profile, cb) {
      // The Google profile becomes the authenticated user; the tokens are not kept.
      return cb(null, profile);
    }
    ));

    // Session middleware must be mounted before passport.session().
    // SESSION_SECRET is an assumed variable name, not one from the question.
    app.use(session({ secret: process.env.SESSION_SECRET, resave: false, saveUninitialized: false }));
    app.use(passport.initialize());
    app.use(passport.session());
The application works great and credentials allow me to control access to the application.
I have also configured Swagger to provide a way to test the REST APIs provided by the application.
    const swaggerUi = require('swagger-ui-express');
    const swaggerDocument = require('./swagger.json');

    const options = {
      validatorUrl: null,
      oauth: {
        clientId: process.env.CLIENTID,
        // Everything in this object is passed to the Swagger UI running in the
        // browser, so the client secret is delivered to every visitor of /api-docs.
        clientSecret: process.env.CLIENTSECRET,
        appName: "MyApp",
      }
    };

    app.use(
      '/api-docs',
      swaggerUi.serve,
      swaggerUi.setup(swaggerDocument, false, options)
    );
Swagger also works fine, but some of the APIs require authentication, so I also need to have that OAuth2 authentication working with Google.
In my swagger.json (Swagger 2.0) I have configured the securityDefinitions section following some examples I have found:
    "securityDefinitions": {
      "google_oauth": {
        "type": "oauth2",
        "flow": "implicit",
        "authorizationUrl": "https://accounts.google.com/o/oauth2/v2/auth",
        "tokenUrl": "https://www.googleapis.com/oauth2/v4/token",
        "scopes": {
          "https://www.googleapis.com/auth/userinfo.profile": "All user operations requiring authentication."
        }
      }
    },
Note: I have tried both with 'implicit' and 'authorizationCode' values for the flow.
And I have added security configuration to those APIs which require credentials to be executed.
    "/favourites/User/{user}/City/{city}": {
      "post": {
        "summary": "Adds the selected city as a new favourite for that user.",
        "tags": ["Favourites"],
        "security": [
          {"google_oauth": ["https://www.googleapis.com/auth/userinfo.email"]}
        ],
In Swagger now the Authorize button is displayed and when clicked I get redirected to Google (in a new tab).
I provide my credentials and I am returned to the original Swagger tab.
But now, if I try to execute the protected API, my REST code is receiving a Bearer token (which I have not configured my application to handle).
I thought I might be using a wrong configuration for Swagger, so I changed the security definitions in the swagger.json file using the auth URL for my application (which is being called when using the application and not swagger).
    "securityDefinitions": {
      "google_oauth": {
        "type": "oauth2",
        "flow": "implicit",
        "authorizationUrl": "http://www.myapp.es/auth",
        "scopes": {
          "favourites": "All user operations requiring authentication."
        }
      }
    },
But this is not working either.
Any ideas? I think I am close and only some attribute is missing for having OAuth2 working in Swagger.
Thanks in advance.
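An added example, not code from the question or from swagger-ui-express: a small lint pass over a Swagger 2.0 document that checks every operation's "security" requirement against "securityDefinitions", so an undeclared scheme or scope is caught before the Authorize flow is tested. The embedded sample document is constructed to mirror the fragments above, including a requirement scope (userinfo.email) that the definition (userinfo.profile) does not declare.

```javascript
// Added example, not from the original question: a lint pass that checks every
// operation's "security" requirement in a Swagger 2.0 document against its
// "securityDefinitions". Sample document constructed to mirror the question.
const sampleSwagger = {
  securityDefinitions: {
    google_oauth: {
      type: 'oauth2',
      flow: 'implicit',
      authorizationUrl: 'https://accounts.google.com/o/oauth2/v2/auth',
      scopes: { 'https://www.googleapis.com/auth/userinfo.profile': 'Profile access' },
    },
  },
  paths: {
    '/favourites/User/{user}/City/{city}': {
      post: {
        security: [{ google_oauth: ['https://www.googleapis.com/auth/userinfo.email'] }],
      },
    },
  },
};

const HTTP_METHODS = ['get', 'put', 'post', 'delete', 'options', 'head', 'patch'];

// Returns a list of problems; empty means every requirement names a declared
// scheme and, for oauth2 schemes, only scopes that scheme declares.
function lintSecurity(doc) {
  const problems = [];
  const defs = doc.securityDefinitions || {};
  for (const [path, item] of Object.entries(doc.paths || {})) {
    for (const method of HTTP_METHODS) {
      const op = item[method];
      if (!op || !Array.isArray(op.security)) continue;
      const where = `${method.toUpperCase()} ${path}`;
      for (const requirement of op.security) {
        for (const [name, scopes] of Object.entries(requirement)) {
          const def = defs[name];
          if (!def) { problems.push(`${where}: unknown security scheme "${name}"`); continue; }
          if (def.type !== 'oauth2') continue; // scopes are only meaningful for oauth2
          for (const scope of scopes) {
            if (!(scope in (def.scopes || {}))) {
              problems.push(`${where}: scope "${scope}" not declared in "${name}"`);
            }
          }
        }
      }
    }
  }
  return problems;
}
```

Running lintSecurity(sampleSwagger) reports the one scope mismatch; correcting the requirement to the declared scope makes the document lint clean.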
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow