mtbarta / monocorpus

A notepad for software and machine learning
GNU Affero General Public License v3.0
232 stars 13 forks

Tokens expire without refreshing #6

Open mtbarta opened 6 years ago

mtbarta commented 6 years ago

The gateway has basic functionality for extracting data from a bearer token, but has no logic for dealing with expired tokens. Given an expired token, the gateway will reject the call.

This becomes annoying for the user, since the only way to fix this currently is to log in again. The frontend should be updating the token, although this may not be working as intended.

A more robust solution to explore is to use Keycloak's proxy service in between Traefik and the gateway. This would allow better token handling and a way to have a dev environment without authentication. The downside is that this adds another hop to every request.

mtbarta commented 6 years ago

https://github.com/gambol99/keycloak-proxy: this is a Golang proxy for Keycloak/OIDC.

There are really two options here:

  1. Correctly implement authentication inside of the gateway.
  2. Add a proxy service between Traefik and the gateway.

The benefits of 1 would be fewer services to maintain and orchestrate. However, the implementation time would be longer. I would also have additional control over what happens during token validation.

Option 2 would provide separation of concerns, and the gateway would only need to know about GraphQL and routing to backend services.

mtbarta commented 6 years ago

One issue was probably sending a stale token from the web client.

2b167d217a466a75706b43a95b6d2f702ba9858c

I've added a custom fetch to the Apollo client HttpLink, but I don't think this completely solved the issue. It looks like the first call with an expired token will fail, but calls afterward will work. This requires more testing.
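The symptom described in the last comment (the first call after expiry fails, later calls succeed) is what you get when a custom fetch only reacts to a rejected response instead of checking the token's `exp` claim before the request goes out. The following is an added example, not code from the monocorpus project, showing the alternative: a fetch wrapper that decodes the JWT payload, refreshes the access token when it is expired or within a small leeway of expiring, and shares one in-flight refresh between concurrent requests so the gateway never sees a stale bearer token. It assumes a `refresh(refreshToken)` callback that returns `{ accessToken, refreshToken? }` (the shape of the real Keycloak refresh response is not on the page) and that the result is passed as the `fetch` option of Apollo's `HttpLink`; `makeUnsignedJwt` exists only to construct sample tokens for the demo and must never be used to mint real ones.

```javascript
// Added example (not part of monocorpus): pre-emptive bearer-token refresh for a web client.

// Base64url helpers (Node's Buffer supports the 'base64url' encoding natively).
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Constructed sample helper: builds an UNSIGNED JWT for the demo/test only.
// The gateway must still verify real signatures; this is purely client-side test input.
function makeUnsignedJwt(payload) {
  return `${b64url({ alg: 'none', typ: 'JWT' })}.${b64url(payload)}.`;
}

// Decode the payload segment without verifying it. On the client this is only used to
// read `exp` for scheduling; trust decisions stay on the gateway.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// True when the token is expired or will expire within `leewaySeconds` (clock skew + latency).
function isExpiring(token, nowSeconds, leewaySeconds = 30) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== 'number') return true; // no exp claim: treat as unusable
  return exp - leewaySeconds <= nowSeconds;
}

// Returns a fetch-compatible function. `store` holds { accessToken, refreshToken } (assumed
// in-memory store), `refresh` calls the token endpoint (assumed shape), `now` is injectable for tests.
function makeAuthFetch({ fetchImpl, store, refresh, now = () => Math.floor(Date.now() / 1000) }) {
  let inflight = null; // single refresh promise shared by concurrent requests

  async function currentToken() {
    if (store.accessToken && !isExpiring(store.accessToken, now())) return store.accessToken;
    if (!inflight) {
      inflight = refresh(store.refreshToken)
        .then((t) => {
          store.accessToken = t.accessToken;
          if (t.refreshToken) store.refreshToken = t.refreshToken; // rotate if the server rotated it
          return store.accessToken;
        })
        .finally(() => { inflight = null; });
    }
    return inflight;
  }

  return async function authFetch(uri, options = {}) {
    const token = await currentToken(); // refresh BEFORE the request, so the first call never fails
    const headers = { ...(options.headers || {}), Authorization: `Bearer ${token}` };
    return fetchImpl(uri, { ...options, headers });
  };
}

// Demo with a fake fetch and a fake refresh endpoint; returns counters the test asserts on.
async function runDemo() {
  let clock = 1500; // constructed "current time" in seconds
  const store = { accessToken: makeUnsignedJwt({ exp: 1000 }), refreshToken: 'constructed-refresh-token' };
  const authHeaders = [];
  let refreshes = 0;
  const fakeFetch = async (_uri, opts) => { authHeaders.push(opts.headers.Authorization); return { ok: true, status: 200 }; };
  const fakeRefresh = async () => { refreshes += 1; return { accessToken: makeUnsignedJwt({ exp: clock + 600 }) }; };

  const authFetch = makeAuthFetch({ fetchImpl: fakeFetch, store, refresh: fakeRefresh, now: () => clock });
  await Promise.all([authFetch('/graphql'), authFetch('/graphql')]); // stale token, 2 concurrent calls: 1 refresh
  await authFetch('/graphql');                                        // still fresh: no refresh
  clock += 700;                                                       // token expired again
  await authFetch('/graphql');                                        // second refresh
  return { refreshes, authHeaders };
}

// Usage with Apollo (assumed API): new HttpLink({ uri: '/graphql', fetch: makeAuthFetch({...}) })
module.exports = { makeUnsignedJwt, decodeJwtPayload, isExpiring, makeAuthFetch, runDemo };
```

Coalescing concurrent refreshes matters in practice: Apollo fires several queries on page load, and without the shared `inflight` promise each one would hit the token endpoint, which with refresh-token rotation can invalidate the token another request is about to use.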