Open mike-marcacci opened 5 years ago
This will require us to add core support for an authorization header that contains client credentials and a refresh token...
As I've continued to think through the relationship between OAuth and AuthX, I have grown more confident that this is a solid strategy. We will need to come up with an appropriate scheme according to RFC 7235, and then select (or create) a "root" authorization for the grant like we currently do for the OAuth2 flow.
After considering the extension mechanism described in #52, it's become clear that instead of providing an additional API that uses models directly, this should instead make GraphQL requests to the AuthX server. This way we avoid bypassing any registered extensions (which will be applied at the GraphQL layer).