Why is authorization handled in openapi-to-graphql?
> **Authentication**
> OpenAPI-to-GraphQL currently supports authentication via API Key and basic auth. OpenAPI-to-GraphQL wraps secured endpoints into a viewer, which takes the API key / credentials as input.
Why are there viewers instead of it being handled outside of openapi-to-graphql? It adds complexity to GraphQL queries. For example, if I use websockets then I need to provide a viewer in every request, rather than just the first. I also can't use the HTTP Authorization header, which was built for this purpose.
Instead, a layer above can process any authentication strategies, place the user data in a context, and openapi-to-graphql can enforce any security requirements (scopes, roles, or even just being authenticated) via a resolver's context.
Interested in your opinion on this. Also can you enable discussions in this repo? I feel like that'd be a better place for this question.
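The context-based pattern described in this post, as an added example that is not part of the original issue and not code from openapi-to-graphql: a layer above the schema parses the HTTP `Authorization` header into a `context.user`, and a `requireScopes` wrapper enforces scope requirements inside the resolver. The token table, the `pets:read` / `pets:write` scopes and the `pets` / `createPet` resolvers are constructed for illustration; a real deployment would replace the table lookup with proper token verification (for example a JWT signature check). It uses no GraphQL library so it runs stand-alone.

```javascript
// Constructed token table standing in for a real token verifier.
// In production this lookup would be replaced by e.g. JWT validation.
const TOKENS = new Map([
  ['tok-reader', { sub: 'alice', scopes: ['pets:read'] }],
  ['tok-admin', { sub: 'bob', scopes: ['pets:read', 'pets:write'] }],
]);

class AuthError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code; // 'UNAUTHENTICATED' or 'FORBIDDEN'
  }
}

// Layer above the schema: build the GraphQL context from the incoming request.
// Only the "Bearer <token>" scheme is accepted; anything else yields no user.
function buildContext(req) {
  const header = (req.headers && req.headers.authorization) || '';
  const [scheme, token, ...rest] = header.split(' ');
  if (scheme !== 'Bearer' || !token || rest.length > 0) {
    return { user: null };
  }
  return { user: TOKENS.get(token) || null };
}

// Wrap a resolver so it enforces a security requirement using the context,
// instead of taking credentials as a viewer argument in every query.
function requireScopes(requiredScopes, resolve) {
  return (parent, args, context, info) => {
    if (!context.user) {
      throw new AuthError('UNAUTHENTICATED', 'missing or invalid credentials');
    }
    const missing = requiredScopes.filter(s => !context.user.scopes.includes(s));
    if (missing.length > 0) {
      throw new AuthError('FORBIDDEN', `missing scopes: ${missing.join(', ')}`);
    }
    return resolve(parent, args, context, info);
  };
}

// Hypothetical resolvers for a /pets API, secured by scope rather than by viewer.
const PETS = [{ id: 1, name: 'Fido' }, { id: 2, name: 'Tom' }];
const resolvers = {
  pets: requireScopes(['pets:read'], () => PETS),
  createPet: requireScopes(['pets:write'], (_parent, args) => ({
    id: PETS.length + 1,
    name: args.name,
  })),
};

// Minimal stand-in for executing one root field; a real server would build the
// context once per HTTP request (or once per websocket connection) and hand it
// to every resolver invoked by the operation.
function execute(fieldName, args, req) {
  const context = buildContext(req);
  try {
    return { data: resolvers[fieldName](null, args, context, {}) };
  } catch (e) {
    if (e instanceof AuthError) {
      return { errors: [{ code: e.code, message: e.message }] };
    }
    throw e;
  }
}

// Usage: credentials travel in the Authorization header, not in the query.
console.log(execute('pets', {}, { headers: { authorization: 'Bearer tok-reader' } }));
console.log(execute('createPet', { name: 'Rex' }, { headers: { authorization: 'Bearer tok-reader' } }));
```

Because the user is attached to the context rather than passed as a viewer field, a websocket transport can run `buildContext` once when the connection is established and reuse the result for every operation on that connection, which is the behaviour the post asks for.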
@FallingSnow Sorry for the delayed response. We added viewers because we saw similar systems being used in other GraphQL interfaces at the time. We slowly added other ways of authentication like using OAuth tokens or injecting headers and query strings as they were requested. Things can change and we can always add new features. If you believe there are better methods of doing something, then feel free to suggest it or even submit a PR!
And yes, I will look into discussions.
It has been enabled!