If you have thoughts on this approach, please feel free to share.
I've taken the approach of making the client responsible for authenticating and obtaining an access token. The graphql-transport-ws Ping and Pong messages are used as follows:
The client obtains an access token from some IdP and passes the access token as part of the payload in the ConnectionInit message.
The server validates the access token and stores it in the session. If the access token cannot be validated, the socket is closed.
The access token's expiration time is retrieved and a timer is started that times out just before the access token expires.
When the timer expires, a Ping message is sent to the client with a payload indicating that the access token has expired.
The client is then responsible for contacting the IdP to obtain a new access token (i.e., by refresh or re-authentication).
The client sends the new access token back in a Pong message.
The server validates the access token and stores it in the session. If the access token cannot be validated, the socket is closed.
When the client creates a new subscription, the access token is retrieved from the server-side session and added to the GraphQL context. The access token is also retrieved from the session, validated, and added to the GraphQL context whenever an established subscription event "fires". If the access token cannot be validated, the socket is closed.
Here is some additional discussion of credential refresh using the graphql-transport-ws protocol.
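The flow described in the post above, sketched as server-side session logic; this is an added example, not code from the original post or from any graphql-transport-ws implementation. The `validateToken` callback, the `accessToken` and `reason` payload fields, `SKEW_MS`, the 4403 close code and the same-subject check are assumptions, and `tick()` stands in for the post's timer so that the clock can be injected.

```javascript
// Added example, not code from the original post. Assumed names: validateToken,
// payload fields accessToken / reason, SKEW_MS, and the 4403 close code.
const SKEW_MS = 30_000;       // send the refresh Ping this long before expiry
const CLOSE_FORBIDDEN = 4403; // close code chosen for this example

class TokenSession {
  // validateToken(token, nowMs) -> { sub, exp (seconds) } or null; send/close wrap the socket.
  constructor({ validateToken, send, close, now = Date.now }) {
    Object.assign(this, { validateToken, send, close, now });
    this.token = null; this.sub = null; this.expiresAt = 0;
    this.pingSent = false; this.closed = false;
  }
  fail() { this.closed = true; this.token = null; this.close(CLOSE_FORBIDDEN, 'Forbidden'); return null; }
  // Validate a token; any failure closes the socket, as the post describes.
  check(token) {
    const claims = token ? this.validateToken(token, this.now()) : null;
    // Added hardening (not in the post): a refreshed token must keep the same subject.
    if (!claims || (this.sub !== null && claims.sub !== this.sub)) return this.fail();
    return claims;
  }
  store(token) {
    const claims = this.check(token);
    if (!claims) return false;
    this.token = token; this.sub = claims.sub;
    this.expiresAt = claims.exp * 1000; this.pingSent = false;
    return true;
  }
  onMessage(msg) {
    if (this.closed) return;
    if (msg.type === 'connection_init') {
      if (this.store(msg.payload?.accessToken)) this.send({ type: 'connection_ack' });
    } else if (msg.type === 'pong' && msg.payload?.accessToken) {
      this.store(msg.payload.accessToken); // a Pong without a token is only a heartbeat
    }
  }
  // Run from a periodic timer: Ping shortly before expiry, close once expired.
  tick() {
    if (this.closed || !this.token) return;
    const left = this.expiresAt - this.now();
    if (left <= 0) this.fail();
    else if (left <= SKEW_MS && !this.pingSent) {
      this.pingSent = true;
      this.send({ type: 'ping', payload: { reason: 'token_expiring' } });
    }
  }
  // Call on subscribe and again before each event is delivered.
  context() {
    if (this.closed || !this.check(this.token)) return null;
    return { accessToken: this.token };
  }
}
```

A client that answers the Ping with a token-less Pong is not disconnected immediately; the socket closes on the first `tick()` or `context()` call after the stored token has expired.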