RFC: Graphql Auth

[chronark]

Audience

@tilman @JannikZed

Summary

The ECI graphql endpoint needs authentication. Probably either using JWTs or static tokens.

Detailed design

JWT

• Easy to handle for the ECI
• Who issues the jwt? We don't have a central auth service

Token

The P&F server can send a static auth token.

• No additional auth service required
• Same procedure as for webhooks that require an auth key
• The authentication and authorization must be done by P&F

[tilman]

I dont't think we should couple the auth too tightly with P&F and i would therefore vote for an additional auth service.

This auth service should also handle authorization and billing of API usage.

For a good UX it would also be nice if the user does not need to remember an extra login and could login via It's integration page. Maybe something like an oAuth flow with shopify/saleor/strapi usw.? But this would be something for the far future and should only be considered in the architecture but not implemented yet.

I would also prever to use something which is already existing instead of reinventing the wheel if possible. Like Auth0 for example.

[tilman]

https://www.zoho.com/subscriptions/

[chronark]

Without having read anything in depth about that zoho service, I would try to stay away from it. If it's anything like the inventory api, we are going to cry a lot.