Authentication in graphql introspection

[tesharp]

Have a simple graphql endpoint configured like this:

sources:
  - name: service
    handler:
      graphql:
        endpoint: https://service.example.com/v1/graphql
        # operationHeaders:
        #   "X-API-Key": "${API_KEY}"
        # schemaHeaders:
        #   "X-API-Key": "${API_KEY}"

We used api key so far and it was working. However need to setup JWT token authentication and struggling a bit with getting introspection to work. Need to retrieve a token from idp and insert it into headers used during introspection but cannot find a way to do it. Only possibility I see at the moment is to modify the config after calling findAndParseConfig() before calling getMesh(config). Is there any other way to do it?

[ardatan]

schemaHeaders belongs to introspection calls while operationHeaders belongs to the operations. Didn't that work?

[tesharp]

schemaHeaders and operationHeaders worked when using API key. However now it should use jwt token where queries should use users access token, which I figured out I can probably get from context.

Something like below, and make sure jwtToken is set in context.

operationHeaders:
  "Authorization": "Bearer {context.jwtToken}"

However, for introspection there is no user I have access token for. So I need the app to authenticate with an service account and insert that into header. Just do not seem to be able to do same way as for operationHeader... I got it working by something like this

const meshConfig = await findAndParseConfig();

  const authConfig: msal.Configuration = {
    auth: {
      clientId: process.env.NEXTAUTH_CLIENT_ID,
      authority: `https://login.microsoftonline.com/${process.env.NEXTAUTH_TENANT_ID}`,
      clientSecret: process.env.NEXTAUTH_CLIENT_SECRET,
    }
  };

  const cca = new msal.ConfidentialClientApplication(authConfig);
  const ccRequest : msal.ClientCredentialRequest = {
    scopes: [process.env.NEXTAUTH_API_SCOPE]
  };

  console.log("Acquiring client credentials...")
  const res = await cca.acquireTokenByClientCredential(ccRequest);

  meshConfig.sources.forEach(src => {
    const accessToken = res.accessToken;

    (src.handler as any).config.schemaHeaders = {
      "Authorization": `Bearer ${accessToken}`,
    };
  })

  return await getMesh(meshConfig);

Just does not seem like right way to do it.

[ardatan]

This feature will be available in the next version soon so you will be able to provide custom headers by exporting an object from a js file;

schemaHeaders: ./introspection-headers.js

and in that js file;

exports.default = async () => {
  const authConfig = {
    auth: {
      clientId: process.env.NEXTAUTH_CLIENT_ID,
      authority: `https://login.microsoftonline.com/${process.env.NEXTAUTH_TENANT_ID}`,
      clientSecret: process.env.NEXTAUTH_CLIENT_SECRET,
    }
  };

  const cca = new msal.ConfidentialClientApplication(authConfig);
  const ccRequest : msal.ClientCredentialRequest = {
    scopes: [process.env.NEXTAUTH_API_SCOPE]
  };

  console.log("Acquiring client credentials...")
  const res = await cca.acquireTokenByClientCredential(ccRequest);
  return {
      "Authorization": `Bearer ${res.accessToken}`,
  }
 }

[tesharp]

Tested and works perfect 👍