django-rea / rea-app

Multi-platform UI application for OVN (Open Value Network) & REA (Resource / Event / Agent) backends, including Sensorica NRP, FreedomCoop OCP, GoPacifica DEEP & eventually the django-rea project.

GraphQL and token based RPC authentication #9

Closed ghost closed 7 years ago

ghost commented 7 years ago

I am writing the DEEP functional document for the mobile app and I am trying to figure out in my head how we are going to authenticate rea-app calls to nrp. It was partially discussed in Telegram but I wanted to make it here explicit so we can all collaborate and elucidate a solution.

I will start telling you all: I don't like cookies for RPC services. I like my services as my functions, as stateless as possible :) It makes testing much easier. It doesn't mess with the authentication mechanism of Django, etc. and it is integrated within the RPC calls.

I have found this link which details how to make token-based authentication part of GraphQL and I think it's neat.

It has pros such as dealing with errors at the query layer, being able to automagically re-login the user without her noticing and more neat stuff (yes, this can be done the other way, but much more easily using just one RPC endpoint for it and handling errors at the same level, instead of dealing with JSON as well); the cons, ???? :)

Do you think JWT tokens are ok for this task?

XaviP commented 7 years ago

I've asked people from freecoin which auth system they are planning to use. I don't mean that it has to be the same, just trying to collect more information about which auth systems will be necessary.

ghost commented 7 years ago

I've asked people from freecoin which auth system they are planning to use

I think they are using at the moment OAuth 2, but perhaps a simpler protocol could be implemented.

XaviP commented 7 years ago

Yes, they are about a simpler auth system.

bhaugen commented 7 years ago

copying this here from telegram, start of a series of blog posts about JWT: https://blog.docuverse.com/2017/03/29/what-is-jwt/

pospi commented 7 years ago

I like the idea of a viewer context, I think that makes the most sense if we're starting fresh. And it seems like it would be easy to implement that as a JWT token and bind it to the UI views, from what I understand of the client side of things.

Totally not against separate auth endpoints to get the token which we then feed manually into GraphQL either; both are fine solutions. There is something to be said for an auth system that works over raw HTTP or OAuth instead of GraphQL. Completely agree with you on cookies too and would prefer things to be cookieless where possible (:

ghost commented 7 years ago

Done. We will be using from now on authentication from within GraphQL using a viewer context.
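As an added example (not code from this repository or from any of the commenters), the following sketches the stateless, cookieless scheme the opening comment asks for and the "viewer context" pospi describes: a login step issues an HS256 JWT, every later call carries it in an `Authorization: Bearer` header, and a `viewer` resolver turns that header into the current user or `None` without touching a Django session. The signing secret, the in-memory `USERS` table, the `Authorization` header name and the 15-minute lifetime are assumptions chosen for the example; a real deployment would read the secret from settings and look users up in the database. The verifier pins the algorithm, checks the signature with a constant-time compare and rejects expired tokens, which are the three checks a practitioner wants to see before trusting a JWT.

```python
"""Stateless JWT-style auth for a GraphQL 'viewer' field (stdlib only, HS256)."""
import base64
import hashlib
import hmac
import json
import time

# Assumption for this example: in production the secret comes from settings,
# never from source.
SECRET = b"example-only-server-secret"

# Constructed sample user table keyed by the token's 'sub' claim.
USERS = {"1": {"id": "1", "username": "alice"}}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, secret: bytes, ttl: int = 900, now=None) -> str:
    """Return a compact JWT: header.payload.signature, HS256 over the first two."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": str(user_id), "iat": now, "exp": now + ttl}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{_b64url(compact(header))}.{_b64url(compact(payload))}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes, now=None):
    """Return the payload dict, or None if the token is malformed, forged or expired."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm: a header claiming "none" or another alg is rejected
        # instead of being trusted.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        # Constant-time comparison so signature checks do not leak timing.
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # covers bad base64, bad JSON, wrong segment count
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


def resolve_viewer(headers: dict, secret: bytes, now=None):
    """GraphQL-style 'viewer' resolver: current user from the request headers, else None.

    No cookie or server-side session is consulted; the token alone carries the identity.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    payload = verify_token(auth[len("Bearer "):], secret, now=now)
    if payload is None:
        return None
    return USERS.get(payload["sub"])


if __name__ == "__main__":
    token = issue_token("1", SECRET)
    print("viewer:", resolve_viewer({"Authorization": f"Bearer {token}"}, SECRET))
    print("anonymous:", resolve_viewer({}, SECRET))
```

The client side of "re-login without the user noticing" then reduces to noticing a `viewer` of `None` (or an auth error at the query layer) and re-running the login mutation to obtain a fresh token, with no cookie jar involved.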