
Support for authentication via OAuth / OpenID Connect #1775

Closed
fiznool opened this issue Jan 26, 2021 · 5 comments

Comments


fiznool commented Jan 26, 2021

This has been discussed in #59 but with less scope than outlined below.

The Insomnia REST client has native support for authenticating with the GraphQL server via OAuth 2.0, and therefore also OpenID Connect. It will also (automatically) refresh an access token if it has expired.

This has a number of advantages:

  • The process of acquiring an access / refresh token is baked into the client, and only requires the user to enter authentication details - right now, an access token needs to be acquired elsewhere, and added to each request via an Authorisation header.
  • A GraphQL server which issues short-lived access tokens can be seamlessly supported by automatically refreshing any access token that has expired.

Could GraphiQL support this?

I'd love to be able to use GraphiQL but the second point in particular is a dealbreaker for me. As it currently stands, access tokens on my GraphQL server expire after 60 mins, and so every hour I would need to manually acquire an access token and set it in GraphiQL to continue using it.

@fiznool fiznool changed the title Support for OAuth / OpenID Connect Support for authentication via OAuth / OpenID Connect Jan 26, 2021
@acao
Member

acao commented Jan 26, 2021

you can use any authentication mechanism you want, just use the values in the fetcher to pass headers! the form of authn and authz doesn’t matter when it’s just http headers or websocket params in the end, right?

as you can see, we have an issue open for the task of setting up a github oauth demo to demonstrate this.

let me know if you have any issues with passing the token to GraphiQL once the user is authenticated!

@acao acao closed this as completed Jan 26, 2021
@fiznool
Author

fiznool commented Jan 26, 2021

Thank you for your reply.

Of course, the auth headers can be passed in manually - and that is a nice solution for many situations. The issue I face, however, is that my GraphQL server is protected with OIDC, and access tokens expire after an hour. With the current state of play, I must:

  • Acquire the access/refresh token pair elsewhere, away from GraphiQL (using the OAuth 2.0 flow)
  • Copy the access token into GraphiQL as a custom header
  • Use GraphiQL for an hour
  • Realise that the access token has expired
  • Go elsewhere to refresh the access token
  • Copy/paste the new access token into GraphiQL
  • Rinse and repeat, every hour

This is a problematic approach, especially when I am asking other developers who are consuming the API to use GraphiQL, who will not have the patience to carry out this manual process every time. I'd like to use GraphiQL over Insomnia as there is much less friction in asking a fellow developer to go to a URL vs installing and setting up a desktop client, but if this is not in scope for something that GraphiQL can support, then that's of course also fine - I appreciate that this is a large project with many other priorities.

@acao
Member

acao commented Jan 26, 2021

sounds like you can build a react app around GraphiQL for that like most of us! our users' needs are too customized to provide anything generic for this. we can't possibly accommodate every auth flow, and it's easier to just allow any auth flow by supporting any as we do now.

just make the react app handle the login, and present GraphiQL once the token is present. your wrapper app would make sure to keep refreshing the access token. every time you pass the new fetcher into GraphiQL, all requests will start using the new token.
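The wrapper approach acao describes above, and the manual acquire / copy / expire / refresh loop fiznool lists in the earlier comment, as an added example written for this page. It is not GraphiQL project code and not code from either participant. It shows a small in-memory token manager that performs the OAuth 2.0 `refresh_token` grant when the access token is about to expire, and a fetcher factory with GraphiQL's fetcher shape (`graphQLParams => Promise<result>`) that attaches `Authorization: Bearer ...` on every request. The token endpoint, client id, GraphQL URL and the injected `fetchImpl` are hypothetical; the fake network is constructed so the example runs offline. A React wrapper would obtain the initial tokens from its login flow, call `setTokens`, and pass the result of `createAuthenticatedFetcher` as GraphiQL's `fetcher` prop.

```javascript
// Added example, not GraphiQL's own code. All endpoint names and ids are hypothetical.
const TOKEN_URL = 'https://idp.example.test/oauth2/token';   // assumed OIDC token endpoint
const GRAPHQL_URL = 'https://api.example.test/graphql';      // assumed protected GraphQL API
const CLIENT_ID = 'graphiql-wrapper';                         // assumed public client id
const REFRESH_SKEW_MS = 30 * 1000; // refresh early so a token never expires mid-request

class TokenManager {
  constructor({ tokenUrl, clientId, fetchImpl, now = () => Date.now() }) {
    this.tokenUrl = tokenUrl;
    this.clientId = clientId;
    this.fetchImpl = fetchImpl;
    this.now = now;        // injectable clock, makes expiry testable
    this.tokens = null;    // kept in memory only, never written to localStorage
    this.inflight = null;  // de-duplicates concurrent refreshes
  }

  // Store a token response (initial login or refresh). A rotated refresh token replaces the old one.
  setTokens({ access_token, refresh_token, expires_in }) {
    this.tokens = {
      accessToken: access_token,
      refreshToken: refresh_token ?? (this.tokens && this.tokens.refreshToken),
      expiresAt: this.now() + expires_in * 1000,
    };
  }

  // Not logged in counts as expired; otherwise expire REFRESH_SKEW_MS early.
  isExpired() {
    return !this.tokens || this.now() >= this.tokens.expiresAt - REFRESH_SKEW_MS;
  }

  async getAccessToken() {
    if (!this.tokens) throw new Error('not logged in');
    if (!this.isExpired()) return this.tokens.accessToken;
    if (!this.inflight) {
      this.inflight = this.refresh().finally(() => { this.inflight = null; });
    }
    await this.inflight; // a burst of queries shares one refresh_token exchange
    return this.tokens.accessToken;
  }

  // OAuth 2.0 refresh_token grant (RFC 6749 section 6), form-encoded POST.
  async refresh() {
    const body = new URLSearchParams({
      grant_type: 'refresh_token',
      refresh_token: this.tokens.refreshToken,
      client_id: this.clientId,
    });
    const res = await this.fetchImpl(this.tokenUrl, {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    });
    if (!res.ok) throw new Error(`token refresh failed: ${res.status}`);
    this.setTokens(await res.json());
  }
}

// GraphiQL fetcher contract: (graphQLParams) => Promise<result>. Token is fetched per request,
// so the wrapper never has to swap the fetcher just because the token changed.
function createAuthenticatedFetcher({ graphqlUrl, tokenManager, fetchImpl }) {
  return async function fetcher(graphQLParams) {
    const accessToken = await tokenManager.getAccessToken();
    const res = await fetchImpl(graphqlUrl, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${accessToken}` },
      body: JSON.stringify(graphQLParams),
    });
    return res.json();
  };
}

// Constructed offline stand-in for the network: the token endpoint mints at-1, at-2, ...;
// the GraphQL endpoint echoes back the Authorization header it received.
function makeFakeNetwork() {
  let issued = 0;
  const calls = { refresh: 0, graphql: 0 };
  const fetchImpl = async (url, init) => {
    if (url === TOKEN_URL) {
      calls.refresh += 1; issued += 1;
      const tok = { access_token: `at-${issued}`, refresh_token: `rt-${issued}`, expires_in: 3600 };
      return { ok: true, status: 200, json: async () => tok };
    }
    calls.graphql += 1;
    return { ok: true, status: 200, json: async () => ({ data: { seenToken: init.headers.Authorization } }) };
  };
  return { fetchImpl, calls };
}

// Walks through the scenario from the issue: query, wait an hour, query again (twice, concurrently).
async function demo() {
  let clock = 0;
  const { fetchImpl, calls } = makeFakeNetwork();
  const tm = new TokenManager({ tokenUrl: TOKEN_URL, clientId: CLIENT_ID, fetchImpl, now: () => clock });
  tm.setTokens({ access_token: 'at-0', refresh_token: 'rt-0', expires_in: 3600 }); // from the login flow
  const fetcher = createAuthenticatedFetcher({ graphqlUrl: GRAPHQL_URL, tokenManager: tm, fetchImpl });
  const first = await fetcher({ query: '{ viewer { id } }' });
  clock += 3600 * 1000 + 1; // the 60-minute token from the issue has expired
  const [a, b] = await Promise.all([fetcher({ query: '{ a }' }), fetcher({ query: '{ b }' })]);
  return { first: first.data.seenToken, afterExpiry: [a.data.seenToken, b.data.seenToken], refreshCalls: calls.refresh };
}

demo().then((result) => console.log(JSON.stringify(result)));
```

Two design points matter for a browser wrapper like this. Tokens stay in component or module memory rather than `localStorage`, so a script injected into the page cannot simply read them back out; the cost is a re-login on reload, which the hourly copy/paste loop in the issue is already worse than. And concurrent refreshes are collapsed into one, which matters when the identity provider rotates refresh tokens on every use: two parallel `refresh_token` exchanges would otherwise invalidate each other and log the user out at random.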

@acao
Member

acao commented Jan 26, 2021

#1771 (comment) to get you started

this project is mostly used by customized frameworks, and by projects like insomnia who use our LSP libraries. I'm pretty much the only recurring contributor, so there is no time to support such a thing. I'm available for paid consulting if you need more help with it, but most frontend devs can figure this one out it seems! i've worked at a handful of companies where they implemented an auth flow with GraphiQL themselves.

@fiznool
Author

fiznool commented Jan 26, 2021

No problem, thank you for taking the time to reply and point me in the right direction. 🙂
